
Administration Guide

SSO users and groups


To manage SSO users and groups, go to Fortinet SSO Methods > SSO > SSO Users or SSO Groups.

The following options are available:

Create New: Select to create a new user or group. In the Create New SSO User or Create New SSO Group window, enter a name for the user or group, then select OK.
Import: Import SSO users or groups from a remote LDAP server.
Delete: Delete the selected users or groups.
Edit: Edit the selected user or group.
Name: The SSO user or group names.
Created/Imported: Displays whether or not the user or user group was created or imported.

FortiAuthenticator SSO user groups cannot be used directly in a security policy on a FortiGate device. An FSSO user group must be created on the FortiGate unit, then the FortiAuthenticator SSO groups must be added to it. FortiGate FSSO user groups are available for selection in identity-based security policies. See the FortiOS Handbook for more information.

To import SSO users or groups:
  1. In the SSO Users or SSO Groups list, select Import.
    • In the Import SSO Users or Import SSO Groups window, select whether to import the DN or Username, and select a remote LDAP server from the Remote LDAP Server dropdown menu, then select Browse.
    • In the Import SSO Groups window, select a remote LDAP server from the Remote LDAP Server dropdown menu and select Browse. Alternatively, select Azure ADFS and specify the Graph API Service Root, Client ID, and Client key.
    An LDAP server must already be configured before it can be selected in the dropdown menu. See LDAP service for more information on adding a remote LDAP server.
    The Import SSO Users or Import SSO Groups window opens in a new browser window.
  2. Optionally, edit the Distinguished name. This field is automatically filled when you select a remote LDAP server from the Remote LDAP Server dropdown.
  3. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.
    For example, uid=j* returns only user IDs beginning with “j”.
  4. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select User attributes to edit the remote LDAP user mapping attributes.
    Selecting a field, FirstName for example, presents a list of attributes which have been detected and can be selected. This list is not exhaustive; other non-displayed attributes may be available for import. Consult your LDAP administrator for a list of available attributes.
  5. Select the entries you want to import.
  6. Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
  7. Optionally, select an IAM account from the IAM Account dropdown to associate the imported users with the specified IAM account. See Identity and Account Management (IAM).
  8. Select OK to import the users or groups.
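
The Filter string and User attributes steps above, as an added example that is not part of the Fortinet guide: a Python preview of which directory entries a single attr=value filter such as uid=j* selects, and how mapped attributes fill the import fields. The sample entries are constructed, and the field-to-attribute mapping and function names are assumptions; only FirstName and uid=j* come from the guide.

```python
import re

# Constructed sample entries; not taken from any real directory.
ENTRIES = [
    {"uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.com"},
    {"uid": "asmith", "givenName": "Alan", "sn": "Smith", "mail": "asmith@example.com"},
    {"uid": "JSmith", "givenName": "John", "sn": "Smith", "mail": "jsmith@example.com"},
    {"uid": "jenkins-svc", "description": "constructed service account"},
]

# Assumed field-to-attribute mapping for illustration; the guide names only FirstName.
USER_ATTRIBUTES = {"Username": "uid", "FirstName": "givenName",
                   "LastName": "sn", "Email": "mail"}

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def compile_filter(filter_string):
    """Turn one 'attr=value' filter (with * wildcards) into (attr, regex)."""
    text = filter_string.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    attr, sep, value = text.partition("=")
    # Compound filters (&, |, !) are outside the scope of this preview.
    if not sep or not attr.strip() or not value or re.search(r"[()&|!]", text):
        raise ValueError(f"unsupported filter: {filter_string!r}")
    # Every literal '*' is a wildcard; decode RFC 4515 escapes such as \2a after splitting.
    pieces = [_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), p)
              for p in value.split("*")]
    pattern = ".*".join(re.escape(p) for p in pieces)
    # Attribute names and uid values compare case-insensitively in LDAP.
    return attr.strip().lower(), re.compile(pattern, re.IGNORECASE)


def preview_import(entries, filter_string, mapping=USER_ATTRIBUTES):
    """Return the mapped fields of every entry the filter selects."""
    attr, pattern = compile_filter(filter_string)
    selected = []
    for entry in entries:
        lowered = {k.lower(): v for k, v in entry.items()}
        value = lowered.get(attr)
        if value is None or not pattern.fullmatch(value):
            continue  # attribute absent or value does not match
        selected.append({field: lowered.get(ldap_attr.lower(), "")
                         for field, ldap_attr in mapping.items()})
    return selected


if __name__ == "__main__":
    for user in preview_import(ENTRIES, "uid=j*"):
        print(user)
```

A prefix filter such as uid=j* also selects the service account whose ID starts with "j", so review the returned list before selecting the entries to import.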
