SSO servers
Novell and Microsoft Windows networks provide user authentication based on directory services: eDirectory for Novell, Active Directory for Windows. Users can log on at any computer in the domain and have access to resources as defined in their user account. The Fortinet Single Sign On (FSSO) agent enables FortiGate units to authenticate these network users for security policy or VPN access without asking them again for their username and password.
When a user logs in to the Windows or Novell domain, the FSSO agent sends the FortiGate unit the user's IP address and the names of the user groups to which the user belongs. The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication itself. It recognizes group members by their IP address. Because identity is bound to the source IP address, any traffic from that address (for example, from a second user behind a NAT device or on a multi-user host) is treated as that logged-on user until the agent reports a logoff.
In the FortiOS FSSO configuration, you specify the server where the FSSO Collector agent is installed. The Collector agent retrieves the names of the Novell or Active Directory user groups from the domain controllers on the domains, and then the FortiGate unit gets them from the Collector agent. You cannot use these groups directly. You must define FSSO type user groups on your FortiGate unit and then add the Novell or Active Directory user groups to them. The FSSO user groups that you created are used in security policies and VPN configurations to provide access to different services and resources.
FortiAuthenticator servers can replace the Collector agent when FSSO is using polling mode. The benefit of this is that FortiAuthenticator is a stand-alone server with the necessary FSSO software pre-installed. For more information, see the FortiAuthenticator Administration Guide.
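The steps above (point the FortiGate at the collector agent, wrap the Active Directory group in an FSSO user group, then use that group in a security policy) as a CLI configuration. This is an added example, not configuration taken from the guide; the object names, IP addresses, the LDAP server object CORP_LDAP, the group DN, the interface names and the collector password are all placeholders that you would replace with your own. A second collector agent is included so the FortiGate can fail over as described under SSO Server List.

```fortios
# Added example, not from the FortiOS guide. All names, addresses and
# secrets below are hypothetical placeholders.

# 1. FSSO server object: primary and secondary collector agents.
config user fsso
    edit "FSSO_CORP"
        set server "10.0.0.11"            # primary collector agent (hypothetical)
        set password "CollectorSecret!"   # matches the collector's "require authenticated access" setting
        set server2 "10.0.0.12"           # secondary collector on another DC, used if the primary fails
        set password2 "CollectorSecret!"
        set ldap-server "CORP_LDAP"       # optional LDAP server object used to look up group membership
    next
end

# 2. FSSO-type user group wrapping the Active Directory group.
#    The member string is the group DN as reported by the collector agent.
config user group
    edit "FSSO_Sales"
        set group-type fsso-service
        set member "CN=Sales,OU=Groups,DC=corp,DC=example,DC=com"
    next
end

# 3. Security policy that only matches traffic from IP addresses the
#    collector has mapped to a member of the AD Sales group.
config firewall policy
    edit 10
        set name "Sales-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO_Sales"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

After applying it, `diagnose debug authd fsso server-status` shows whether the FortiGate has a live connection to each collector agent, and `diagnose debug authd fsso list` shows the current IP-to-user and group mappings, which is the quickest way to confirm that a logon was actually reported before troubleshooting the policy itself.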
Single Sign-on Agent configuration settings
The following are SSO configuration settings in User & Device > Single Sign-On.
SSO Server List
Lists all the collector agents that you have configured. On this page, you can create, edit, or delete FSSO agents. There are different types of FSSO agents, each with its own settings.
You can create a redundant configuration on your unit if you install a collector agent on two or more domain controllers. If the current (or first) collector agent fails, the FortiGate unit switches to the next one in its list of up to five collector agents.
Create New | Creates a new agent. When you select Create New, you are automatically redirected to the New page.
Edit | Modifies the settings for the selected SSO server.
Delete | Removes an agent from the list. To remove multiple entries, select the check box for each server you want removed and then select Delete. To remove all agents from the list, select the check box at the top of the check box column and then select Delete.
Settings when Type is Poll Active Directory Server
Server IP/Name | The IP address of the domain controller (DC).
User | The user ID used to access the domain controller.
Password | Enter the password for the account used to access the DC.
LDAP Server | Select the check box and select an LDAP server to access the Directory Service.
Enable Polling | Enable to allow the FortiGate unit to poll this DC.
Users/Groups | A list of user and user group names retrieved from the DC.
Settings when Type is Fortinet Single Sign On Agent
Name | Enter a name for the SSO server.
Primary Agent IP/Name | Enter the IP address or name of the Directory Service server where this SSO agent is installed. The maximum number of characters is 63.
Secondary Agent IP/Name | Optionally, enter the IP address or name of a second server running a collector agent; the FortiGate unit switches to it if the primary agent fails.
Password | Enter the password for the collector agent. This is required only if you configured your Fortinet Single Sign On Agent collector agent to require authenticated access; without it, any host that can reach the collector port can connect to the agent.
LDAP Server | Select the check box and select an LDAP server to access the Directory Service.
More FSSO agents | Select to add up to three additional SSO agents.
Users/Groups | A list of user and user group names retrieved from the server.
Settings when Type is RADIUS Single Sign On Agent
Use RADIUS Shared Secret | Enable to validate incoming RADIUS accounting messages against the shared secret below; messages that do not match are discarded.
Shared Secret | Enter the RADIUS server shared secret.
Send RADIUS Responses | Enable to send RADIUS accounting responses back to the RADIUS client for each accounting message received.
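The RADIUS Single Sign On Agent settings above as a CLI configuration, with the interface set to accept RADIUS accounting and an RSSO user group matched on the group attribute the RADIUS server sends. This is an added example, not configuration from the guide; the interface name, object names, the shared secret and the attribute value "Sales" are hypothetical placeholders.

```fortios
# Added example, not from the FortiOS guide. Names, secret and attribute
# value are hypothetical placeholders.

# 1. Allow the interface facing the RADIUS client to receive accounting
#    messages (RADIUS accounting listens on UDP 1813).
config system interface
    edit "internal"
        set allowaccess ping https ssh radius-acct
    next
end

# 2. RADIUS SSO agent. The three rsso-* settings correspond to the GUI
#    fields "Use RADIUS Shared Secret", "Shared Secret" and "Send RADIUS Responses".
config user radius
    edit "RSSO_Agent"
        set rsso enable
        set rsso-secret "AcctSharedSecret!"        # must match the secret configured on the RADIUS client
        set rsso-validate-request-secret enable    # drop accounting messages that fail the secret check
        set rsso-radius-response enable            # acknowledge each accounting message to the client
    next
end

# 3. RSSO-type user group: a user is a member when the accounting message's
#    group attribute (Class by default) carries the value below.
config user group
    edit "RSSO_Sales"
        set group-type rsso
        set sso-attribute-value "Sales"
    next
end
```

The group is then referenced in a security policy with `set groups "RSSO_Sales"` in the same way as an FSSO group. Leaving "Use RADIUS Shared Secret" disabled means any host that can reach UDP 1813 on the interface can inject accounting messages and map an arbitrary IP address to a group, so enable it wherever the RADIUS client supports a secret.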