SSO servers

Novell and Microsoft Windows networks provide user authentication based on directory services: eDirectory for Novell, Active Directory for Windows. Users can log on at any computer in the domain and have access to resources as defined in their user account. The Fortinet Single Sign On (FSSO) agent enables FortiGate units to authenticate these network users for security policy or VPN access without asking them again for their username and password.

When a user logs in to the Windows or Novell domain, the FSSO agent sends to the FortiGate unit the user’s IP address and the names of the user groups to which the user belongs. The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address.

In the FortiOS FSSO configuration, you specify the server where the FSSO Collector agent is installed. The Collector agent retrieves the names of the Novell or Active Directory user groups from the domain controllers on the domains, and then the FortiGate unit gets them from the Collector agent. You cannot use these groups directly. You must define FSSO type user groups on your FortiGate unit and then add the Novell or Active Directory user groups to them. The FSSO user groups that you created are used in security policies and VPN configurations to provide access to different services and resources.
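The identity model described above, written out as an added example (not FortiOS code): the unit keeps a logon table keyed by IP address, FSSO user groups wrap the directory groups, and a policy matches only if the source IP's recorded groups overlap the FSSO group. The event field names, sample events and group DNs are constructed for illustration.

```python
"""Model of how a FortiGate resolves FSSO identity (added example).

Assumptions (not from the page): the event field names, the sample
events and the directory group DNs are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FssoState:
    # The unit's copy of the domain logon table, keyed by IP address,
    # because FSSO identifies a user only by the IP the collector reported.
    logons: dict = field(default_factory=dict)       # ip -> (user, set(groups))
    # FSSO-type user groups defined on the unit: name -> set of AD/eDir groups
    fsso_groups: dict = field(default_factory=dict)

    def handle_event(self, ev: dict) -> None:
        """Apply one logon/logoff event forwarded by the collector agent."""
        if ev["type"] == "logon":
            # A later logon from the same IP replaces the earlier entry:
            # the unit cannot tell two users behind one address apart.
            self.logons[ev["ip"]] = (ev["user"], set(ev["groups"]))
        elif ev["type"] == "logoff":
            self.logons.pop(ev["ip"], None)

    def define_group(self, name: str, directory_groups: list) -> None:
        """Create an FSSO user group wrapping one or more directory groups."""
        self.fsso_groups[name] = set(directory_groups)

    def policy_matches(self, src_ip: str, fsso_group: str) -> bool:
        """Would a policy that references fsso_group accept traffic from src_ip?"""
        entry = self.logons.get(src_ip)
        if entry is None:
            return False  # no logon recorded for this IP: no identity, no match
        _user, groups = entry
        return bool(groups & self.fsso_groups.get(fsso_group, set()))


def build_demo() -> FssoState:
    """Constructed sample state: one FSSO group and two domain logons."""
    st = FssoState()
    st.define_group("FSSO_Sales", ["CN=Sales,OU=Groups,DC=example,DC=com"])
    st.handle_event({"type": "logon", "ip": "10.0.0.5", "user": "alice",
                     "groups": ["CN=Sales,OU=Groups,DC=example,DC=com"]})
    st.handle_event({"type": "logon", "ip": "10.0.0.9", "user": "bob",
                     "groups": ["CN=Engineering,OU=Groups,DC=example,DC=com"]})
    return st
```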

FortiAuthenticator servers can replace the Collector agent when FSSO is using polling mode. The benefit of this is that FortiAuthenticator is a stand-alone server with the necessary FSSO software pre-installed. For more information, see the FortiAuthenticator Administration Guide.

Single Sign-on Agent configuration settings

The following are SSO configuration settings in User & Device > Single Sign-On.

SSO servers

SSO Server List

Lists all the collector agents that you have configured. On this page, you can create, edit or delete FSSO agents. There are different types of FSSO agents, each with its own settings.

You can create a redundant configuration on your unit if you install a collector agent on two or more domain controllers. If the current (or first) collector agent fails, the Fortinet unit switches to the next one in its list of up to five collector agents.

Create New        Creates a new agent. When you select Create New, you are automatically redirected to the New page.
Edit              Modifies the settings for the selected SSO server.
Delete            Removes an agent from the list on the page.
                  To remove multiple entries from the list, select the check box for each server you want removed and then select Delete.
                  To remove all agents from the list, on the FSSO Agent page, select the check box at the top of the check box column and then select Delete.
Settings when Type is Poll Active Directory Server

Server IP/Name    The IP address of the domain controller (DC).
User              The user ID used to access the domain controller.
Password          Enter the password for the account used to access the DC.
LDAP Server       Select the check box and select an LDAP server to access the Directory Service.
Enable Polling    Enable to allow the FortiGate unit to poll this DC.
Users/Groups      A list of user and user group names retrieved from the DC.
Settings when Type is Fortinet Single Sign On Agent

Name                       Enter a name for the SSO server.
Primary Agent IP/Name      Enter the IP address or name of the Directory Service server where this SSO agent is installed. The maximum number of characters is 63.
Secondary Agent IP/Name    Enter the IP address or name of the Directory Service server where the secondary SSO agent is installed.
Password                   Enter the password for the collector agent. This is required only if you configured your Fortinet Single Sign On Agent collector agent to require authenticated access.
LDAP Server                Select the check box and select an LDAP server to access the Directory Service.
More FSSO agents           Select to add up to three additional SSO agents.
Users/Groups               A list of user and user group names retrieved from the server.
Settings when Type is RADIUS Single Sign On Agent

Use RADIUS Shared Secret    Enable.
Shared Secret               Enter the RADIUS server shared secret.
Send RADIUS Responses       Enable.

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).
