This section provides a summary of how FSSO works with FortiGate and FortiManager. FSSO, through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. FSSO can also pass the information to FortiManager, which then passes it to a managed FortiGate. When a user logs on at a workstation in a monitored domain, FSSO:
- Detects the logon event and records the workstation name, domain, and user
- Resolves the workstation name to an IP address
- Determines which user groups the user belongs to
- Sends the logon information (user, IP address and group list) together with the AD group information to the FortiGate or FortiManager unit
- Creates one or more log entries on the FortiGate or FortiManager unit for this logon event as appropriate
When the user tries to access network resources, the FortiGate unit identifies the user from the source IP address of the connection, using the logon information FSSO supplied, and selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed; otherwise it is denied. Because the IP address and group memberships are learned from the network, you can grant authenticated access to users in the appropriate user groups without prompting them for credentials again. The benefit is that users log in once when connecting to the internal network behind the FortiGate and are automatically logged into servers and services that support Single Sign-On (SSO).
The following types of data are sent from FSSO to FortiGate/FortiManager:
- AD group information: configuration data provided by the Collector agent to the FortiGate or FortiManager unit, which uses it to build its local configuration (the user groups that security policies reference).
- Logon/logoff event information: dynamic, real-time information that the FortiGate learns and matches against policies, setting up the session internally so the user is known without being prompted to log on again.
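The following is an added illustration of the flow described in the logon steps above and of the two data types just listed; it is not Fortinet code and does not reproduce any FortiOS or FSSO agent format. The collector half turns a constructed domain-controller log line into a record carrying user, resolved IP and AD group DNs; the FortiGate half keeps the static AD group information separate from the dynamic IP-to-user session table and decides a connection from the source IP alone. Every event format, hostname, address, group DN and policy name is constructed for the example, and the policy lookup is simplified to "first policy for the destination decides" rather than the full top-down FortiOS policy walk.

```python
"""Toy model of the FSSO flow: collector side (logon event -> user, IP, groups)
and FortiGate side (source IP -> user -> group -> policy).
Added illustration, not Fortinet code; all formats, names and data are constructed."""
from dataclasses import dataclass


@dataclass
class LogonRecord:
    """What the collector sends per event (field layout is an assumption)."""
    event: str          # "LOGON" or "LOGOFF"
    user: str           # DOMAIN\\user as seen in the logon event
    workstation: str    # workstation name from the event
    ip: str             # address the workstation name resolved to
    groups: list        # AD group DNs the user belongs to


# Constructed stand-ins for name resolution and directory membership.
DNS = {"WS-ALICE": "10.1.1.10", "WS-BOB": "10.1.1.11"}
AD_MEMBERSHIP = {
    "CORP\\alice": ["CN=Engineering,OU=Groups,DC=corp,DC=example"],
    "CORP\\bob":   ["CN=Finance,OU=Groups,DC=corp,DC=example"],
    "CORP\\carol": ["CN=Finance,OU=Groups,DC=corp,DC=example"],
    "CORP\\dave":  ["CN=Engineering,OU=Groups,DC=corp,DC=example"],
}


def collector_process(raw_event):
    """Detect the event, resolve the workstation to an IP and look up groups.
    Constructed line format: '<LOGON|LOGOFF> <DOMAIN\\user> <workstation>'.
    Returns None when the workstation does not resolve: with no IP there is
    nothing a FortiGate could match a session against."""
    event, user, workstation = raw_event.split()
    ip = DNS.get(workstation)
    if ip is None:
        return None
    return LogonRecord(event, user, workstation, ip, list(AD_MEMBERSHIP.get(user, [])))


class FortiGateModel:
    """FortiGate-side view: static AD group information plus a dynamic
    IP -> user table fed by logon/logoff events."""

    def __init__(self, fsso_groups):
        # AD group information (configuration): FSSO user group -> AD group DNs.
        self.fsso_groups = {name: set(dns) for name, dns in fsso_groups.items()}
        # Logon/logoff information (dynamic): source IP -> (user, AD group DNs).
        self.sessions = {}
        # Policies as (name, destination, permitted FSSO user groups).
        self.policies = []

    def add_policy(self, name, destination, permitted_groups):
        self.policies.append((name, destination, set(permitted_groups)))

    def receive(self, rec):
        """Apply one collector record to the session table."""
        if rec.event == "LOGON":
            # Keyed by IP: a later logon from the same address replaces the
            # earlier user, which is why shared or NAT'd addresses lose identity.
            self.sessions[rec.ip] = (rec.user, set(rec.groups))
        elif rec.event == "LOGOFF":
            current = self.sessions.get(rec.ip)
            if current and current[0] == rec.user:
                del self.sessions[rec.ip]

    def evaluate(self, src_ip, destination):
        """Pick the policy for the destination and allow only if the source IP
        maps to a user in one of that policy's permitted groups."""
        for name, dst, permitted in self.policies:
            if dst != destination:
                continue
            session = self.sessions.get(src_ip)
            if session is None:
                return ("deny", name, None)          # unknown IP: no SSO identity
            user, user_dns = session
            allowed = set().union(*(self.fsso_groups.get(g, set()) for g in permitted))
            return ("allow" if user_dns & allowed else "deny", name, user)
        return ("deny", "implicit", None)            # no policy for this destination


def run_demo():
    """Feed constructed events through both halves; return decisions by label."""
    fgt = FortiGateModel({
        "Eng-Users": ["CN=Engineering,OU=Groups,DC=corp,DC=example"],
        "Fin-Users": ["CN=Finance,OU=Groups,DC=corp,DC=example"],
    })
    fgt.add_policy("to-git", "git.corp.example", ["Eng-Users"])
    fgt.add_policy("to-erp", "erp.corp.example", ["Fin-Users"])
    out = {}
    fgt.receive(collector_process("LOGON CORP\\alice WS-ALICE"))
    fgt.receive(collector_process("LOGON CORP\\bob WS-BOB"))
    out["alice->git"] = fgt.evaluate("10.1.1.10", "git.corp.example")
    out["alice->erp"] = fgt.evaluate("10.1.1.10", "erp.corp.example")
    out["bob->erp"] = fgt.evaluate("10.1.1.11", "erp.corp.example")
    out["dave-unresolved"] = collector_process("LOGON CORP\\dave WS-UNKNOWN")
    fgt.receive(collector_process("LOGOFF CORP\\bob WS-BOB"))
    out["bob-after-logoff"] = fgt.evaluate("10.1.1.11", "erp.corp.example")
    fgt.receive(collector_process("LOGON CORP\\carol WS-ALICE"))  # same IP as alice
    out["shared-ip->git"] = fgt.evaluate("10.1.1.10", "git.corp.example")
    out["shared-ip->erp"] = fgt.evaluate("10.1.1.10", "erp.corp.example")
    out["no-policy"] = fgt.evaluate("10.1.1.10", "other.corp.example")
    return out


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(label, decision)
```

The two points worth taking from the run are the ones the text implies but does not spell out: an event whose workstation name cannot be resolved never reaches the firewall, so that user is treated as unknown, and because the session table is keyed by source IP, the second logon from WS-ALICE silently replaces alice with carol, so any address shared by several users (NAT, terminal servers) cannot carry per-user identity this way.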
For more information on FSSO, see the FortiOS documentation at docs.fortinet.com.