Single Sign-On using a FortiAuthenticator unit
If you use a FortiAuthenticator unit in your network as a single sign-on agent,
- Users can authenticate through a web portal on the FortiAuthenticator unit.
- Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.
The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.
User’s view of FortiAuthenticator SSO authentication
There are two different ways users can authenticate through a FortiAuthenticator unit.
Users without FortiClient Endpoint Security – SSO widget
To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:
User not logged in. Click Login to go to the FortiAuthenticator login page. |
User logged in. Name displayed. Logout button available. |
The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.
Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent
The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the
FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.
The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.
Administrator’s view of FortiAuthenticator SSO authentication
You can configure either or both of these authentication types on your network.
using a FortiAuthenticator unit
SSO widget |
Configuring the FortiAuthenticator unit |
You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.
FortiClient SSO Mobility Agent
Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication.
On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 131.