Fortinet Single Sign On – FortiAuthenticator 4.0

Configuring FortiGate units for FSSO

Each FortiGate unit that will use FortiAuthenticator to provide Single Sign-On authentication must be configured to use the FortiAuthenticator unit as an SSO server.

To configure Single Sign-On authentication on the FortiGate unit:

  1. On the FortiGate unit, go to User & Device > Authentication > Single Sign-On and select Create New.
  2. In the Type field, select Fortinet Single-Sign-On Agent.
  3. Enter a name for the FortiAuthenticator unit in the Name field.
  4. In the Primary Agent IP/Name field, enter the IP address of the FortiAuthenticator unit.
  5. In the Password field, enter the secret key that you defined for the FortiAuthenticator unit. See Enable authentication on page 106.
  6. Select OK.

Within a few minutes, the FortiGate unit receives the list of user groups from the FortiAuthenticator unit. When you open the server entry, you can see the list of groups. These groups can be used in identity-based security policies.
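The same SSO server definition entered from the FortiGate CLI, added here as an example and not taken from the guide. The entry name, the 192.0.2.10 address and the secret key are placeholders; the port line states the FSSO collector agent default (8000) as an assumption.

```text
config user fsso
    edit "FortiAuthenticator"
        set server "192.0.2.10"
        set port 8000
        set password <secret key defined on the FortiAuthenticator>
    next
end
```

After the FortiGate has had a few minutes to connect, `diagnose debug authd fsso server-status` reports whether the connection to the FortiAuthenticator is up; if the group list does not appear in the GUI, check that first, then that the secret key matches on both sides.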

Portal services

The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would embed the widget on its home page.

The SSO portal sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days. To log out of FSSO immediately, the user can select the Logout button in the widget.
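The cookie-based behaviour described above, modelled in Python as an added example (not FortiAuthenticator code): a browser cookie identifies the user, a widget visit from a new address moves the user's FSSO logon to that IP, logins expire after the login timeout (1 to 30 days, default 7, counted from login), and Logout ends the session at once. The class and method names, the cookie format, the logon table layout and the FakeClock used to exercise the timeout are assumptions for illustration.

```python
"""Cookie-based FSSO session tracking as described for the SSO portal (model)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

MIN_TIMEOUT_DAYS, MAX_TIMEOUT_DAYS, DEFAULT_TIMEOUT_DAYS = 1, 30, 7


@dataclass
class Session:
    username: str
    ip: str
    logged_in_at: datetime


class FakeClock:
    """Controllable clock (assumption) so timeout behaviour can be exercised offline."""

    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


class SsoPortal:
    def __init__(self, login_timeout_days: int = DEFAULT_TIMEOUT_DAYS,
                 clock: Optional[Callable[[], datetime]] = None) -> None:
        if not MIN_TIMEOUT_DAYS <= login_timeout_days <= MAX_TIMEOUT_DAYS:
            raise ValueError("login timeout must be between 1 and 30 days")
        self.timeout = timedelta(days=login_timeout_days)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.sessions: Dict[str, Session] = {}   # cookie value -> session
        # IP -> username: the logon table that FSSO hands to the FortiGate
        self.fsso_logons: Dict[str, str] = {}

    def login(self, username: str, ip: str) -> str:
        """Manual login through the widget; returns the cookie set on the browser."""
        cookie = secrets.token_urlsafe(32)   # unguessable, never derived from the username
        self.sessions[cookie] = Session(username, ip, self.clock())
        self.fsso_logons[ip] = username
        return cookie

    def widget_visit(self, cookie: Optional[str], ip: str) -> Optional[str]:
        """A page carrying the widget loaded. Returns the recognised user, or None."""
        session = self.sessions.get(cookie or "")
        if session is None:
            return None
        # The timeout counts from login, not from last activity: after the
        # configured number of days the user must log in again regardless.
        if self.clock() - session.logged_in_at >= self.timeout:
            self._end(cookie)
            return None
        if session.ip != ip:            # roaming client: move the FSSO logon
            self._remove_logon(session)
            session.ip = ip
            self.fsso_logons[ip] = session.username
        return session.username

    def logout(self, cookie: str) -> None:
        """The widget's Logout button: drop the session and the FSSO logon now."""
        self._end(cookie)

    def _end(self, cookie: str) -> None:
        session = self.sessions.pop(cookie, None)
        if session is not None:
            self._remove_logon(session)

    def _remove_logon(self, session: Session) -> None:
        # Only clear the IP entry if it still belongs to this user.
        if self.fsso_logons.get(session.ip) == session.username:
            del self.fsso_logons[session.ip]
```

The point to take from the model is that the FortiGate only ever sees the IP-to-user table, so a stale or shared workstation keeps the last user's identity on that address until the cookie expires or the user presses Logout; a short login timeout is the only control over that window.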

The SSO portal supports multiple authentication methods including manual authentication, embeddable widgets, and Kerberos authentication.

To configure portal services, go to Fortinet SSO Methods > SSO > Portal Services.

The following settings can be configured:

User Portal Select Enable SSO login portal to enable the SSO login portal.
Username input format Select one of the following three username input formats:
  • username@realm
  • realm\username
  • realm/username
Realms Add realms to which the client will be associated. See Realms on page 94.
  • Select a realm from the drop-down list in the Realm column.
  • Select whether or not to allow local users to override remote users for the selected realm.
  • Select whether or not to use Windows AD domain authentication.
  • Edit the group filter as needed, that is, filter users based on the groups they are in.
  • If necessary, add more realms to the list.
  • Select the realm that will be the default realm for this client.

Login timeout Set the maximum number of days a user can stay logged in before being logged out of SSO automatically, from 1 to 30 days. The default is 7 days.
Delay when redirecting to an external URL Set the delay that occurs when redirecting to an external URL, from 1 to 10 seconds, with a default of 7 seconds.
Embeddable login widget Use this code to embed the login widget onto your site. The code cannot be edited manually in this field.
Login widget demo A demo of what the login widget will look like on your site.
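A parser for the three username input formats and the realm rules in the settings above, added here as an example and not FortiAuthenticator code. A portal is configured for exactly one format, a name typed without that separator belongs to the client's default realm, and the realm named must be one of the realms associated with the client. The function names, the client dictionary layout, the case-insensitive realm comparison and the error behaviour are assumptions for illustration.

```python
"""Parse portal logins in the three supported username input formats (illustration)."""
from typing import Dict, Optional, Tuple

# input format -> (separator, which side of it the realm is on)
INPUT_FORMATS = {
    "username@realm": ("@", "right"),
    "realm\\username": ("\\", "left"),
    "realm/username": ("/", "left"),
}


def split_login(entered: str, input_format: str) -> Tuple[Optional[str], str]:
    """Return (realm or None, username) using only the configured separator.

    Only the configured format is honoured: 'bob@corp' on a portal set to
    realm\\username is the bare username 'bob@corp' and gets the default realm.
    """
    try:
        sep, realm_side = INPUT_FORMATS[input_format]
    except KeyError:
        raise ValueError(f"unknown username input format {input_format!r}") from None
    entered = entered.strip()
    if sep not in entered:
        return None, entered
    if realm_side == "right":
        user, realm = entered.rsplit(sep, 1)    # user@realm: realm after the last '@'
    else:
        realm, user = entered.split(sep, 1)     # realm\user or realm/user
    if not realm or not user:
        raise ValueError(f"malformed login {entered!r}")
    return realm, user


def resolve_login(entered: str, client: Dict) -> Tuple[str, str, Dict]:
    """Map a login to (realm, username, realm settings) for one portal client.

    client = {"input_format": ..., "default_realm": ..., "realms": {name: settings}}
    Realm names are compared case-insensitively (assumption: Windows realm
    names are not case sensitive).
    """
    realm, user = split_login(entered, client["input_format"])
    if realm is None:
        realm = client.get("default_realm")
        if realm is None:
            raise ValueError("no realm in login and no default realm configured")
    known = {name.lower(): (name, cfg) for name, cfg in client["realms"].items()}
    if realm.lower() not in known:
        # Refuse rather than guess: an unknown realm must not fall back to the
        # default, or a typo would be authenticated against the wrong source.
        raise ValueError(f"realm {realm!r} is not associated with this client")
    name, settings = known[realm.lower()]
    return name, user, settings


# Constructed client configuration mirroring the portal settings above.
EXAMPLE_CLIENT = {
    "input_format": "realm\\username",
    "default_realm": "corp.example.com",
    "realms": {
        "corp.example.com": {"local_override": False, "windows_ad_auth": True,
                             "group_filter": ["FSSO-Users"]},
        "lab.example.com": {"local_override": True, "windows_ad_auth": False,
                            "group_filter": []},
    },
}
```

The returned settings dictionary is where the per-realm choices (local override, Windows AD authentication, group filter) would be applied by whatever does the actual authentication; the parser itself only decides which realm a login belongs to.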

 


Kerberos User Portal Select Enable Kerberos login for SSO to enable Kerberos login for SSO. See Kerberos on page 111 for more information.
Import Keytab Select to open the Import Keytab window where you can import a keytab from your computer.

A keytab must be imported before Kerberos login for SSO can be enabled.

Kerberos Principal Enter the Kerberos principal.
SSO Web Service Select Enable SSO Web Service to use the web service to log users in and out.
SSO user type Specify the type of user that the client will provide: external, local, or remote (for remote users, an LDAP server must be selected from the drop-down list).

Kerberos

Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.

A keytab file containing the key for the FortiAuthenticator's HTTP service principal is required. To generate this file on a Windows domain controller, use the ktpass utility. The following lines can be saved as a batch file to simplify keytab creation:

rem Run on a domain controller. ktpass also sets the password of the mapped
rem account, so use a dedicated service account and protect this file: the
rem password is stored here in clear text.
set OUTFILE=fac.keytab
set USERNAME=fac@corp.example.com
rem The SPN must match the FQDN browsers use to reach the portal.
set PRINC=HTTP/fac.corp.example.com@CORP.EXAMPLE.COM
rem "all" includes the weak DES and RC4 types; prefer AES256-SHA1 where the domain allows it.
set CRYPTO=all
set PASSWD=Pa$$p0rt
set PTYPE=KRB5_NT_PRINCIPAL

ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% -ptype %PTYPE%

The FortiGate device can be configured to redirect unauthenticated users to the FortiAuthenticator; however, the Kerberos authentication URL is different from the standard login URL. The Custom Message HTML for the Login Page HTML Redirect for Kerberos is as follows. Replace <fac-fqdn> with the host name used in the HTTP/ service principal of the imported keytab: the browser requests a Kerberos ticket for the host name in the URL, so the two must match.

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="1;url=http://<fac-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%">
<script type="text/javascript">
window.location.href = "http://<fac-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%";
</script>
<title>Page Redirection</title>
</head>
<body>
If you are not redirected automatically, click on the link
<a href="http://<fac-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%">http://<fac-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%</a>
</body>
</html>
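The redirect target from the page above, built and checked in Python as an added example (not Fortinet code). The FortiGate replaces %%PROTURI%% with the URL the user originally requested; the helper builds the same kerb-auth URL with the continue URL percent-encoded, shows what a raw substitution does to an original request that contains '&', and accepts a returned continue URL only if it is an absolute http(s) URL. The function names, the https default and the acceptance rule are assumptions; whether your unit substitutes %%PROTURI%% already encoded is something to confirm on the FortiGate itself.

```python
"""Build and check the kerb-auth redirect used in the FortiGate login page (illustration)."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

KERB_AUTH_PATH = "/login/kerb-auth"


def kerb_auth_url(fac_fqdn: str, original_url: str, https: bool = True) -> str:
    """Redirect target with user_continue_url percent-encoded (urlencode does it)."""
    scheme = "https" if https else "http"
    return f"{scheme}://{fac_fqdn}{KERB_AUTH_PATH}?" + urlencode({"user_continue_url": original_url})


def naive_kerb_auth_url(fac_fqdn: str, original_url: str) -> str:
    """Raw concatenation, which is what a literal %%PROTURI%% substitution produces."""
    return f"http://{fac_fqdn}{KERB_AUTH_PATH}?user_continue_url={original_url}"


def continue_url(redirect_url: str) -> Optional[str]:
    """Extract user_continue_url from a kerb-auth URL, or None if it is unusable.

    Rejects anything that is not an absolute http(s) URL with a host, so a
    value such as 'javascript:...' or a bare path never becomes a redirect.
    """
    query = urlsplit(redirect_url).query
    target = parse_qs(query).get("user_continue_url", [None])[0]
    if not target:
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return target


if __name__ == "__main__":
    # Constructed original request containing query and fragment characters.
    original = "http://intranet.corp.example.com/search?q=fsso&page=2#top"
    print(continue_url(kerb_auth_url("fac.corp.example.com", original)))
    print(continue_url(naive_kerb_auth_url("fac.corp.example.com", original)))
```

The second print shows the failure mode worth testing for on a real deployment: with raw substitution, everything from the first '&' onward is parsed as separate query parameters and the fragment is dropped, so the user lands on a truncated page after authenticating.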

