Fortinet black logo

Administration Guide

Portal services

Portal services

The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would embed the widget on its home page.

The SSO portal sets a cookie on the user’s browser. When the user browses to a page containing the login widget, FortiAuthenticator recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days. To log out of FSSO immediately, the user can select the Logout button in the widget.

The SSO portal supports multiple authentication methods including manual authentication, embeddable widgets, and Kerberos authentication.

To configure portal services, go to Fortinet SSO Methods > SSO > Portal Services.

The following settings can be configured:

User Portal

Select Enable SSO on self-service portals to use self-service portals as SSO login portal.

Self-service portal policies

Select self-service portal policies from the Self-service portal policies search box.

Select Enable SSO on legacy self-service portal to use legacy self-service portals as SSO login portal.

Enable SSO on legacy self-service portal toggle is only available if the legacy self-service portal is enabled in System > Administration > Features.

Realms

Add realms to which the client will be associated. See RADIUS service.

  • Select a realm from the dropdown menu in the Realm column.
  • Select whether or not to allow local users to override remote users for the selected realm.
  • Select whether or not to use Windows AD domain authentication.
  • Edit and filter users based on the groups they are in.
  • If necessary, add more realms to the list.
  • Select the realm that will be the default realm for this client.

Embeddable login widget

Use this code to embed the login widget onto your site. The code in the field cannot be manually edited.

Login widget demo

A demo of what the login widget will look like on your site.

Login timeout Set the maximum number of minutes a user is allowed to stay logged in before they are automatically logged out from SSO, between 1-10080 (maximum of one week, set by default).
Maximum delay when redirecting to an external URL Set the delay in seconds that occurs when redirecting to an external URL, between 1-10 seconds, with a default of 7 seconds.
Kerberos User Portal Select Enable Kerberos login for SSO to enable Kerberos log in for SSO. See Kerberos for more information.
Import keytab and enable

Select to open the Import Keytab window where you can import a keytab from your computer.

A keytab must be imported to enable Kerberos log in for SSO.

Kerberos Principal View the Kerberos principal.
SAML Portal Select Enable SAML portal to enable SAML Portal log in for SSO.
SSO Web Service Select Enable SSO Web Service to use the web service to log users in and out.
SSO user type Specify the type of user that the client will provide: external, local, or remote (LDAP server must be selected from the dropdown menu).

Kerberos

Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.

A keytab file that describes your Kerberos infrastructure is required. To generate this file, you can use a ktpass utility. The following code can be used in a batch file to simplify the keytab file creation:

set OUTFILE=FortiAuthenticator.keytab

set USERNAME=FortiAuthenticator@corp.example.com

set PRINC=HTTP/FortiAuthenticator.corp.example.com@CORP.EXAMPLE.COM

set CRYPTO=all

set PASSWD=Pa$$p0rt

set PTYPE=KRB5_NT_PRINCIPAL

ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% -ptype %PTYPE%

The FortiGate device can be configured to redirect unauthenticated users to the FortiAuthenticator, however the Kerberos authentication URL is different than the standard login URL. The Custom Message HTML for the Login Page HTML Redirect for Kerberos is as follows:

<!DOCTYPE HTML>

<html lang="en-US">

<head>

<meta charset="UTF-8">

<meta http-equiv="refresh" content="1;url=http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%">

<script type="text/javascript">

window.location.href = http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%

</script>

<title>

Page Redirection

</title>

</head>

<body>

If you are not redirected automatically, click on the link

<a href='http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%'>

http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url= %%PROTURI%%

</a>

</body>

</html>

Portal services

The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would embed the widget on its home page.

The SSO portal sets a cookie on the user’s browser. When the user browses to a page containing the login widget, FortiAuthenticator recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days. To log out of FSSO immediately, the user can select the Logout button in the widget.

The SSO portal supports multiple authentication methods including manual authentication, embeddable widgets, and Kerberos authentication.

To configure portal services, go to Fortinet SSO Methods > SSO > Portal Services.

The following settings can be configured:

User Portal

Select Enable SSO on self-service portals to use self-service portals as SSO login portal.

Self-service portal policies

Select self-service portal policies from the Self-service portal policies search box.

Select Enable SSO on legacy self-service portal to use legacy self-service portals as SSO login portal.

Enable SSO on legacy self-service portal toggle is only available if the legacy self-service portal is enabled in System > Administration > Features.

Realms

Add realms to which the client will be associated. See RADIUS service.

  • Select a realm from the dropdown menu in the Realm column.
  • Select whether or not to allow local users to override remote users for the selected realm.
  • Select whether or not to use Windows AD domain authentication.
  • Edit and filter users based on the groups they are in.
  • If necessary, add more realms to the list.
  • Select the realm that will be the default realm for this client.

Embeddable login widget

Use this code to embed the login widget onto your site. The code in the field cannot be manually edited.

Login widget demo

A demo of what the login widget will look like on your site.

Login timeout Set the maximum number of minutes a user is allowed to stay logged in before they are automatically logged out from SSO, between 1-10080 (maximum of one week, set by default).
Maximum delay when redirecting to an external URL Set the delay in seconds that occurs when redirecting to an external URL, between 1-10 seconds, with a default of 7 seconds.
Kerberos User Portal Select Enable Kerberos login for SSO to enable Kerberos log in for SSO. See Kerberos for more information.
Import keytab and enable

Select to open the Import Keytab window where you can import a keytab from your computer.

A keytab must be imported to enable Kerberos log in for SSO.

Kerberos Principal View the Kerberos principal.
SAML Portal Select Enable SAML portal to enable SAML Portal log in for SSO.
SSO Web Service Select Enable SSO Web Service to use the web service to log users in and out.
SSO user type Specify the type of user that the client will provide: external, local, or remote (LDAP server must be selected from the dropdown menu).

Kerberos

Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.

A keytab file that describes your Kerberos infrastructure is required. To generate this file, you can use a ktpass utility. The following code can be used in a batch file to simplify the keytab file creation:

set OUTFILE=FortiAuthenticator.keytab

set USERNAME=FortiAuthenticator@corp.example.com

set PRINC=HTTP/FortiAuthenticator.corp.example.com@CORP.EXAMPLE.COM

set CRYPTO=all

set PASSWD=Pa$$p0rt

set PTYPE=KRB5_NT_PRINCIPAL

ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% -ptype %PTYPE%

The FortiGate device can be configured to redirect unauthenticated users to the FortiAuthenticator, however the Kerberos authentication URL is different than the standard login URL. The Custom Message HTML for the Login Page HTML Redirect for Kerberos is as follows:

<!DOCTYPE HTML>

<html lang="en-US">

<head>

<meta charset="UTF-8">

<meta http-equiv="refresh" content="1;url=http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%">

<script type="text/javascript">

window.location.href = http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%

</script>

<title>

Page Redirection

</title>

</head>

<body>

If you are not redirected automatically, click on the link

<a href='http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%'>

http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url= %%PROTURI%%

</a>

</body>

</html>