The FortiClient Single Sign-On (SSO) mobility agent is a client that updates FortiAuthenticator with user logon and network information. FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.
FortiClient/FortiAuthenticator communication requires the following:
- The IP address should be unique in the entire network.
- FortiAuthenticator should be accessible from clients in all locations.
- All FortiGates should be able to access FortiAuthenticator.
FortiClient Single Sign-On mobility agent requires FortiAuthenticator running 2.0.0 or later, or 3.0.0 or later.
Enter the FortiAuthenticator server IP address, port number, and the preshared key configured on FortiAuthenticator.
- In FortiClient, go to Settings.
- Expand the Advanced section and select Enable Single Sign-On mobility agent.
- Enter the FortiAuthenticator server address and the preshared key.
- Click Save.
- In FortiAuthenticator, select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
- Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
- Select Enable authentication and enter a secret key or password.
- Select OK to save the setting.
- In FortiAuthenticator, select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
- Select the checkbox to enable FortiClient FSSO.
- Click OK to save the setting.
To enable the FortiClient SSO mobility agent service on FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. See the FortiAuthenticator Administration Guide.
For information on purchasing a FortiClient license for FortiAuthenticator, contact your authorized Fortinet reseller.