FSSO – Fortinet Single Sign-On
Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication from a different system, and can be authenticated via numerous methods:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.

Below are the TCP/UDP ports used by the multiple FSSO modes:

  Purpose                                                        Protocol/Port
  -------------------------------------------------------------  -----------------------------
  LDAP group membership lookup (Global Catalog)                  TCP/3268
  LDAP domain controller discovery and group membership lookup   TCP/389
  DC Agent keepalive and push logon info to CA                   UDP/8002
  CA keepalive and push logon info to FortiGate                  TCP/8000
  NTLM                                                           TCP/8000
  CA DNS                                                         UDP/53
  Workstation check, polling mode (preferred method)             TCP/445
  Workstation check, polling mode (fallback method)              TCP/135, TCP/139, UDP/137
  Remote access to logon events                                  TCP/445
  Group lookup using LDAP                                        TCP/389
  Group lookup using LDAP with global catalog                    TCP/3268
  Group lookup using LDAPS                                       TCP/636
  Resolve FSSO server name                                       UDP/53
Configuring the FortiAuthenticator

The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.

To configure FortiAuthenticator polling:

  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
  3. Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter the following information:
     • Enable Windows event log polling (e.g. domain controllers/Exchange servers): select for integration with Windows Active Directory.
     • Enable RADIUS Accounting SSO clients: select if you want to use a Remote RADIUS server.
     • Enable Syslog SSO: select for integration with a Syslog server.
     • Enable FortiClient SSO Mobility Agent Service: once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.
  5. Select OK.

For more detailed information on each available setting, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate

The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.

To add a FortiAuthenticator unit as SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Set Type to Fortinet Single-Sign-On Agent, and enter a Name.
  3. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit or a name.
  4. In Password, enter the same secret key defined earlier on the FortiAuthenticator (under Fortinet SSO Methods > SSO > General).
  5. You may also specify Users/Groups from the dropdown menu.
  6. Select OK.

In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

FSSO user groups

You cannot use FortiAuthenticator SSO user groups directly in identity-based security policies. You must first create an FSSO user group on the FortiGate and add the FortiAuthenticator SSO user groups to it as members. These FortiGate FSSO user groups then become available for selection in identity-based security policies.

To create an FSSO user group:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. Set Type to Fortinet Single Sign-On (FSSO).
  4. Add Members. The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring the FortiClient SSO Mobility Agent

To set up the SSO Mobility Agent in FortiClient, the user must know the FortiAuthenticator IP address and the pre-shared key (the secret configured for the FortiClient SSO Mobility Agent Service).

To configure FortiClient SSO Mobility Agent:

  1. In FortiClient, go to File > Settings.
  2. Under Advanced, select Enable Single Sign-On mobility agent.
  3. In Server address, enter the IP address of the FortiAuthenticator.
  4. In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
  5. Enter the Pre-shared key.
  6. Select OK.

For more detailed FSSO configurations, including with Windows AD, Citrix, Novell eDirectory, and more, see the Authentication guide.

CLI Syntax

The following section contains commands to control FSSO.

user/fsso

The following command will set the server address, port, and password for multiple FSSO agents.

    config user fsso
        edit <name_str>
            set name <string>
            set [server | server2 | server3 | server4 | server5] <string>
            set [port | port2 | port3 | port4 | port5] <integer>
            set [password | password2 | password3 | password4 | password5] <password>
        end
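The GUI procedures above (agent, FSSO user group, identity-based policy) expressed as one FortiOS CLI configuration. This is an added example, not from the page or from Fortinet's documentation; the FortiAuthenticator addresses, the secret key, the group DN, the interface names and the policy ID are all assumed placeholder values.

```text
# Assumed: 10.0.0.10 and 10.0.0.11 are FortiAuthenticator units.
# The password must equal the Secret key set under
# Fortinet SSO Methods > SSO > General on the FortiAuthenticator.
config user fsso
    edit "FAC-SSO"
        set server "10.0.0.10"
        set port 8000
        set password ExampleSecretKey-ChangeMe
        # Second agent for redundancy, same secret.
        set server2 "10.0.0.11"
        set port2 8000
        set password2 ExampleSecretKey-ChangeMe
    next
end

# FSSO user group wrapping an SSO group learned from the agent.
# The member DN is an assumed example; real names appear in the
# group list the FortiGate receives from the FortiAuthenticator.
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# Identity-based policy: only identified members of the FSSO
# group match; unidentified users fall through to later policies.
config firewall policy
    edit 10
        set name "Finance-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Finance"
        set nat enable
    next
end
```

The FortiGate must also be able to reach the agents on TCP/8000 (the listening port from the table above) for the group list and logon events to arrive.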
user/fsso-polling

The following command will set the Active Directory server port.

    config user fsso-polling
        edit <name_str>
            set port <integer>
        end
About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).