Fortinet Single Sign On – FortiAuthenticator 4.0

Fine-grained controls

The Fine-grained Controls menu provides options to include or exclude a user or group from SSO, and set the maximum number of concurrent sessions that a user or group can have.

To adjust the controls, go to Fortinet SSO Methods > SSO > Fine-grained Controls.

The following options are available:

Edit Edit the selected user’s or group’s settings.
Clear Configuration Clear the SSO configuration for the selected users or groups.
Exclude from SSO Select a user or users, then select Exclude from SSO to exclude them from SSO.
Include in SSO Select a user or users, then select Include in SSO to include the selected users in SSO.
SSO Type Select the SSO type to view from the drop-down list. The options are: Local Users, Local Groups, SSO Users, and SSO Groups.
SSO Name The users’ or groups’ names. Select the column title to sort the list by this column.
Maximum Concurrent Sessions The maximum concurrent sessions allowed for the user or group. This number cannot be greater than five.
Excluded from SSO If the user or group is excluded from SSO, a red circle with a line will be displayed.

To edit an SSO user or group:

  1. In the Fine-grained Controls window, select the SSO user or group that is being edited then select Edit. The Edit SSO Item window opens.
  2. Enter the maximum number of concurrent SSO logon sessions per user that the user or group is allowed to have. Enter 0 for unlimited. The number must be equal to or less than five.
  3. If the SSO item is a user, select Exclude from SSO to exclude the user from SSO.
  4. Select OK to apply the changes.

SSO users and groups

SSO users and groups

To manage SSO users and groups, go to Fortinet SSO Methods > SSO > SSO Users or Fortinet SSO Methods > SSO > SSO Groups.

The following options are available:

Create New Select to create a new user or group.

In the Create New SSO User or Create New SSO Group window, enter a name for the user or group, then select OK.

Import Import SSO users or groups from a remote LDAP server.
Delete Delete the selected users or groups.
Edit Edit the selected user or group.
Name The SSO user or group names.

FortiAuthenticator SSO user groups cannot be used directly in a security policy on a FortiGate device. An FSSO user group must be created on the FortiGate unit, then the FortiAuthenticator SSO groups must be added to it. FortiGate FSSO user groups are available for selection in identity-based security policies. See the FortiOS Handbook for more information.

To import SSO users or groups:

  1. In the SSO Users or SSO Groups list, select Import.
  2. In the Import SSO Users or Import SSO Groups window, select a remote LDAP server from the Remote LDAP Server drop-down list, then select Browse.

The Import SSO Users or Import SSO Groups window opens in a new browser window.

Domain controllers

  1. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to clear the filters.

For example, uid=j* returns only user IDs beginning with “j”.

  1. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP implementations. Select Configure userattributes to edit the remote LDAP user mapping attributes. Selecting the field, FirstName for example, presents a list of attributes which have been detected and can be selected. This list is not exhaustive and additional, non-displayed attributes may be available for import.

Consult your LDAP administrator for a list of available attributes.

  1. Select the entries you want to import.
  2. Optionally, select an organization from the Organization drop-down to associated the imported users with a specific organization. See Organizations on page 70.
  3. Select OK to import the users or groups.

Domain controllers

If Active Directory will be used to ascertain group information, the FortiAuthenticator unit must be configured to communicate with the domain controller.

A domain controller entry can be disabled without deleting its configuration. This can be useful when performing testing and troubleshooting, or when moving controllers within your network.

To add a domain controller:

  1. Go to Fortinet SSO Methods > SSO > Domain Controllers.
  2. Select Create New to open the Create New Domain Controller

RADIUS accounting

  1. Enter the following information:
NetBIOS Name Enter the name of the Domain Controller as it appears in NetBIOS.
Display Name This is a unique name to easily identify this Domain Controller.
Network Address Enter the network IPv4 address of the controller.
Account Enter the account name used to access logon events. This account should have administrator rights.
Password Enter the password for the above account.
Priority You can define two (or more) Domain Controllers for the same domain. Each can be designated Primary or Secondary. The Primary unit is accessed first.
Disable Disable the domain controller without losing any of its settings.
Secure Connection  
Enable Enable secure connection.
Protocol Select a secure connection protocol, either LDAPS or STARTTLS.
CA certificate Select a certificate from the drop-down list.
  1. Select OK.

By default, FortiAuthenticator uses auto-discovery of Domain Controllers. If you want to restrict operation to the configured domain controllers only, go to Fortinet SSO Methods > SSO > General and select Restrict autodiscovered domain controllers to configured domain controllers. See General settings on page 106.

RADIUS accounting

If required, SSO can be based on RADIUS accounting records. The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects RADIUS accounting

additional group information, and then inserts it into FSSO to be used by multiple FortiGate or FortiCache devices for identity based policies.

The FortiAuthenticator must be configured as a RADIUS accounting client to the RADIUS server.

To view the RADIUS accounting SSO client list, go to Fortinet SSO Methods > SSO > RADIUS Accounting.

To configure and enable a RADIUS accounting client:

  1. From the RADIUS accounting SSO client list, select Create New. The Create New RADIUS Accounting SSO Client window opens.
  2. Enter the following information:
Name Enter a name in the Name field to identify the RADIUS accounting client on the FortiAuthenticator.
Client name/IP Enter the RADIUS accounting client’s FQDN or IP address.
Secret Enter the RADIUS accounting client’s preshared key.
Description Optionally, enter a description of the client.
SSO user type Specify the type of user that the client will provide: external, local, or remote (LDAP server must be selected from the drop-down list).
Radius Attributes If required, customize the username, client IP, and user group RADIUS attributes to match the ones used in the incoming RADIUS accounting records. See RADIUS attributes on page 72.
  1. Select OK to apply the changes.
  2. Enable RADIUS accounting SSO clients by going to Fortinet SSO Methods > SSO > General and selecting Enable RADIUS Accounting SSO clients. See General settings on page 106.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.