Administration Guide

FortiGate filtering

If you are providing FSSO to only certain groups on a remote LDAP server, you can filter the polling information so that it includes only those groups, or organizational units (OU).

To view a list of the FortiGate group filters, go to Fortinet SSO Methods > SSO > FortiGate Filtering.

To create a new filter:
  1. From the FortiGate filters, select Create New.
  2. The Create New FortiGate Filter window opens.

  3. Enter the following information:
    Name: Enter a name in the Name field to identify the filter.
    FortiGate name/IP: Enter the FortiGate unit’s FQDN or IP address.
    Description: Optionally, enter a description of the filter.
    IP Filtering

    Select to enable IP filtering for this service, then select the IP filtering rules to apply from the dropdown.

    Note: If you have not yet configured IP filtering rules, you can create them in Fortinet SSO Methods > SSO > IP Filtering Rules (see IP filtering rules for more information).

    Domain Grouping Filtering

    Select to enable forwarding FSSO information for users from only the selected domain groupings.

    See Domain groupings for more information.

    Fortinet Single Sign-On (FSSO)

    Select to enable forwarding FSSO information for users from only the specific subset of users, groups, or containers.

    Select from the following options:

    • Add Filtering Object: Enter the name and select an object type from the following:

      • Group: Specifies the DN of a group. All users who are members of that group must be included in SSO.

      • Group container: Specifies the DN of an LDAP container, e.g., an OU. All users who are members of a group under that container or one of its sub-containers must be included in SSO.

      • User: Specifies the DN of a user. This user must be included in SSO.

      • User container: Specifies the DN of an LDAP container, e.g., an OU. All users who are under that container or one of its sub-containers must be included in SSO.

      • User and group container: Specifies the DN of an LDAP container, e.g., an OU. It is the union of the user container and group container types: a user is included if the user is under the container, or is a member of a group under it.

    • Import from LDAP server:

      In the Import Remote LDAP Objects window:

      1. Enable Exclude users to exclude users from the FortiGate filter.
      2. From the Remote LDAP server dropdown, select an LDAP server.
      3. Click OK.
    • Select from SSO users/groups:

      In Select SSO Objects:

      1. From SSO Groups, select groups from the Available Groups list and move them to the Chosen Groups list.
      2. From SSO Users, select users and move them to the Chosen Users list.
      3. Click Save.
    • Import from Azure AD:

      In Select Azure Groups:

      1. From the OAuth server dropdown, select an OAuth server.
      2. From Azure Groups, select groups from the Available Azure Groups list and move them to the Chosen Azure Groups list.
      3. Click Save.

        This allows you to import native Azure AD groups.

  4. Select Save to create the new FortiGate group filter.
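The filtering object types listed in step 3 reduce to DN matching against the user's own DN and its group memberships. The following added example (not FortiAuthenticator code) models those five types over a small constructed directory so the container and union semantics can be checked; DN normalisation is simplified and escaped commas are not handled.

```python
# Added example (not FortiAuthenticator code): models the five FSSO filter
# object types above as pure LDAP DN matching. DN handling is simplified:
# RDNs are split on commas and lower-cased, so escaped commas are not handled.

def norm_dn(dn: str) -> tuple[str, ...]:
    """Normalise a DN into a tuple of lower-cased RDNs (simplified)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def is_under(dn: str, container: str) -> bool:
    """True if dn is inside the container or any of its sub-containers."""
    d, c = norm_dn(dn), norm_dn(container)
    return len(d) > len(c) and d[-len(c):] == c

def user_included(user_dn: str, member_of: list[str], kind: str, obj_dn: str) -> bool:
    """Does one filter object (kind, obj_dn) admit this user into SSO?"""
    if kind == "user":
        return norm_dn(user_dn) == norm_dn(obj_dn)
    if kind == "group":
        return any(norm_dn(g) == norm_dn(obj_dn) for g in member_of)
    if kind == "user_container":
        return is_under(user_dn, obj_dn)
    if kind == "group_container":
        return any(is_under(g, obj_dn) for g in member_of)
    if kind == "user_and_group_container":  # union of the two container types
        return is_under(user_dn, obj_dn) or any(is_under(g, obj_dn) for g in member_of)
    raise ValueError(f"unknown filter object type: {kind}")

def filtered_users(users: dict[str, list[str]], objects: list[tuple[str, str]]) -> list[str]:
    """DNs forwarded to the FortiGate: a user passes if any object admits it."""
    return sorted(dn for dn, groups in users.items()
                  if any(user_included(dn, groups, kind, odn) for kind, odn in objects))

# Constructed sample directory: user DN -> memberOf DNs (not from the page).
USERS = {
    "CN=alice,OU=Eng,OU=Staff,DC=corp,DC=example": ["CN=vpn-users,OU=Groups,DC=corp,DC=example"],
    "CN=bob,OU=Contractors,DC=corp,DC=example": ["CN=vpn-users,OU=Groups,DC=corp,DC=example"],
    "CN=carol,OU=Sales,OU=Staff,DC=corp,DC=example": [],
    "CN=svc-backup,OU=Service,DC=corp,DC=example": ["CN=backup-ops,OU=Groups,DC=corp,DC=example"],
}
```

Run `filtered_users(USERS, [("user_container", "OU=Staff,DC=corp,DC=example")])` to see that only the two Staff users pass, while a `group` object for `vpn-users` admits alice and bob regardless of where their user objects live.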