
FSSO - Fortinet Single Sign-On

6.0.0
Document ID: ea42bedb-a99b-11e9-81a4-00505692583a:674742

FSSO - Fortinet Single Sign-On

Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication to a different system; users can be authenticated via numerous methods:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.

Below are the TCP/UDP ports used by the multiple FSSO modes:

Purpose | Protocol/Port
LDAP group membership lookup (Global Catalog) | TCP/3268
LDAP domain controller discovery and group membership lookup | TCP/389
DC Agent keepalive and push logon info to CA | UDP/8002
CA keepalive and push logon info to FortiGate | TCP/8000
NTLM | TCP/8000
CA DNS | UDP/53
Workstation check, polling mode (preferred method) | TCP/445
Workstation check, polling mode (fallback method) | TCP/135, TCP/139, UDP/137
Remote access to logon events | TCP/445
Group lookup using LDAP | TCP/389
Group lookup using LDAP with global catalog | TCP/3268
Group lookup using LDAPS | TCP/636
Resolve FSSO server name | UDP/53

Configuring the FortiAuthenticator

The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.

To configure FortiAuthenticator polling:
  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
  3. Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter the following information:
       Enable Windows event log polling (e.g. domain controllers/Exchange servers) | Select for integration with Windows Active Directory.
       Enable RADIUS Accounting SSO clients | Select if you want to use a remote RADIUS server.
       Enable Syslog SSO | Select for integration with a Syslog server.
       Enable FortiClient SSO Mobility Agent Service | Once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.
  5. Select OK.

Configuring the FortiGate

The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.

To add a FortiAuthenticator unit as SSO agent:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select Fortinet Single-Sign-On Agent.
  3. Enter a Name, set Primary FSSO Agent either to the IP address of the FortiAuthenticator unit or a name, and enter a Password.
  4. Set Collector Agent AD access mode to either Standard, where you can specify Users/Groups, or Advanced, where you can specify an LDAP Server.
  5. Select OK.

The FortiGate unit receives a list of user groups from the FortiAuthenticator unit or LDAP server. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

FSSO user groups

You cannot use FortiAuthenticator SSO user groups directly in identity-based security policies. You must create an FSSO user group, then add FortiAuthenticator SSO user groups to it. These FortiGate FSSO user groups will then become available for selection in identity-based security policies.

To create an FSSO user group:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. Set Type to Fortinet Single Sign-On (FSSO).
  4. Add Members. The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring the FortiClient SSO Mobility Agent

In order for the user to successfully set up the SSO Mobility Agent in FortiClient, they must know the FortiAuthenticator IP address and pre-shared key/secret.

To configure FortiClient SSO Mobility Agent:
  1. In FortiClient, go to File > Settings.
  2. Under Advanced, select Enable Single Sign-On mobility agent.
  3. In Server address, enter the IP address of the FortiAuthenticator.
  4. In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
  5. Enter the Pre-shared key.
  6. Select OK.

CLI syntax

The following section contains commands to control FSSO.

user fsso

The following command sets the server address, port, and password for up to five FSSO agents (collector agents) that the FortiGate polls for logon information.

config user fsso
    edit <name_str>
        set name <string>
        set [server | server2 | server3 | server4 | server5] <string>
        set [port | port2 | port3 | port4 | port5] <integer>
        set [password | password2 | password3 | password4 | password5] <password>
    next
end
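As an added example (not Fortinet's code), the following Python parses a `config user fsso` block written in the syntax above and audits each agent slot: a serverN entry with no matching passwordN, or a port other than the default 8000 that the CA-to-FortiGate traffic uses, is reported. The agent name, addresses and the EXAMPLE_SECRET value in the sample configuration are constructed placeholders.

```python
import re

# Constructed sample in the page's "config user fsso" syntax; the agent name,
# addresses and the EXAMPLE_SECRET placeholder are not from any real device.
SAMPLE_CONFIG = """
config user fsso
    edit "fac-primary"
        set server "10.0.0.10"
        set port 8000
        set password "EXAMPLE_SECRET"
        set server2 "10.0.0.11"
        set port2 8001
    next
end
"""

# CA keepalive / logon push to FortiGate uses TCP/8000 (see the port table above).
DEFAULT_PORT = 8000

def parse_user_fsso(text):
    """Return {agent_name: {slot: {"server"/"port"/"password": value}}} for slots 1-5."""
    agents, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            agents[current] = {}
            continue
        # "set server2 ..." -> key "server", slot 2; a bare "set port ..." is slot 1
        m = re.match(r'^set\s+(server|port|password)([2-5]?)\s+"?([^"]*)"?$', line)
        if m and current is not None:
            key, slot, value = m.group(1), int(m.group(2) or 1), m.group(3)
            agents[current].setdefault(slot, {})[key] = value
    return agents

def audit_user_fsso(agents):
    """Report server slots with no password and ports that differ from the default."""
    findings = []
    for name, slots in agents.items():
        for slot, fields in sorted(slots.items()):
            if "server" not in fields:
                continue  # a stray portN/passwordN with no serverN is inert
            if not fields.get("password"):
                findings.append(f"{name} slot {slot}: no password set for {fields['server']}")
            port = int(fields.get("port", DEFAULT_PORT))
            if port != DEFAULT_PORT:
                findings.append(f"{name} slot {slot}: port {port} differs from default {DEFAULT_PORT}")
    return findings

if __name__ == "__main__":
    for finding in audit_user_fsso(parse_user_fsso(SAMPLE_CONFIG)):
        print(finding)
```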

user fsso-polling

The following command sets the port used to poll the Active Directory server.

config user fsso-polling
    edit <name_str>
        set port <integer>
    next
end
