EMS Administration Guide

Add FortiPAM agent to SSOMA

You must separately purchase FortiClient Single Sign-On Mobility Agent (SSOMA) licenses to use SSO features with FortiAuthenticator. Most key privileged access management (PAM) features require the FortiClient PAM agent. FortiClient supports installing SSOMA and the FortiPAM agent on the same device.

You can use the following methods to install FortiPAM and SSOMA on the same device. You can also use these same methods to upgrade an existing SSOMA-only or FortiPAM-only endpoint to include both features:

  • Method 1: Install FortiPAM, export and edit the configuration file to include the SSOMA configuration, and reimport the configuration file.
  • Method 2: Install and run the SSO configuration tool file to create new installer files, and run the installers to install or upgrade the FortiClient PAM agent.
To use Method 1:
  1. Install FortiPAM using an installer.
  2. In Command Prompt, go to the FortiClient directory.
  3. Export the configuration file using the following command: FCConfig.exe -o export -f C:\config.conf -p 11111111
  4. Edit the configuration file and add the SSOMA configuration. Confirm that the FortiPAM default port is configured as 9191. The following provides an example:
    <forticlient_configuration>
        <fssoma>
            <enabled>1</enabled>
            <serveraddress>fac0824.test.local:8001</serveraddress>
            <presharedkey>
                <![CDATA[Fortinet123!]]>
            </presharedkey>
            <address_category>0</address_category>
        </fssoma>
        <pam>
            <enabled>1</enabled>
            <default_port>9191</default_port>
        </pam>
    </forticlient_configuration>
  5. Save the configuration file.
  6. In Command Prompt, go to the FortiClient directory.
  7. Import the configuration file using the following command: FCConfig.exe -o import -f C:\config.conf -p 11111111
  8. Verify the configuration:
    1. Log in to the endpoint as a domain user.
    2. In FortiAuthenticator, go to Monitor > SSO > SSO Sessions to confirm whether the SSOMA session is functioning.

    3. In FortiPAM, confirm that you can access a secret created in FortiPAM.
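
A pre-import check for the file edited in step 4 of Method 1, added here as an example (not Fortinet's code): it parses the edited export and reports whether the <fssoma> and <pam> sections match what the steps require, including a pre-shared key left at the guide's sample value. The names check_config and SAMPLE_OK, the sample server name and the sample key are constructed for illustration, and the host:port pattern assumes a hostname or IPv4 address.

```python
import re
import xml.etree.ElementTree as ET

DOC_SAMPLE_KEY = "Fortinet123!"   # sample key shown in the guide's XML example
EXPECTED_PAM_PORT = "9191"        # port the guide says to confirm

# Constructed sample of an edited export (server name and key are made up).
SAMPLE_OK = """<forticlient_configuration>
  <fssoma>
    <enabled>1</enabled>
    <serveraddress>fac.example.test:8001</serveraddress>
    <presharedkey><![CDATA[constructed-psk-value]]></presharedkey>
    <address_category>0</address_category>
  </fssoma>
  <pam><enabled>1</enabled><default_port>9191</default_port></pam>
</forticlient_configuration>"""

def _text(root, path):
    """Return the stripped text of the first element at path, or None if absent."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else None

def check_config(xml_text):
    """Return a list of problems found in an edited FortiClient config export."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "forticlient_configuration":
        return [f"unexpected root element <{root.tag}>"]
    problems = []
    for section in ("fssoma", "pam"):
        count = len(root.findall(section))
        if count != 1:
            problems.append(f"<{section}> appears {count} times, expected 1")
        elif _text(root, f"{section}/enabled") != "1":
            problems.append(f"<{section}> is not enabled")
    server = _text(root, "fssoma/serveraddress") or ""
    if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", server):
        problems.append("fssoma/serveraddress is not host:port")
    key = _text(root, "fssoma/presharedkey")
    if not key:
        problems.append("fssoma/presharedkey is empty")
    elif key == DOC_SAMPLE_KEY:
        problems.append("fssoma/presharedkey is still the documentation sample")
    if _text(root, "pam/default_port") != EXPECTED_PAM_PORT:
        problems.append("pam/default_port is not 9191")
    return problems
```

An empty list means the file is ready for the import in step 7; pass the contents of the edited file as xml_text.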

To use Method 2:
  1. Acquire and unzip the FortiClientSSOConfigurationTool_7.2.1.XXXX.zip file.
  2. Run the FortiClientSSOConfigurator.
  3. In the Single Sign-On Mobility Agent Settings dialog, configure SSOMA as per your deployment.
  4. Enable Include PAM.
  5. In the PAM Port field, enter 9191. Click Next. This creates a new folder, which includes x64 and x86 installer files.
  6. Open Command Prompt as an administrator, and run the following command to run the installer: msiexec /i FortiClientSSO.msi TRANSFORMS=FortiClientSSO.mst
  7. Verify the configuration:
    1. Log in to the endpoint as a domain user.
    2. In FortiAuthenticator, go to Monitor > SSO > SSO Sessions to confirm whether the SSOMA session is functioning.

    3. In FortiPAM, confirm that you can access a secret created in FortiPAM.
