Configuring FSSO Advanced Settings

Configuring FSSO on FortiGate units


To configure your FortiGate unit to operate with agent-based FSSO, you

  • Configure any access to LDAP servers that might be necessary. Skip this step if you are using FSSO Standard mode. See Configuring LDAP server access on page 586.
  • Specify the Collector agent or Novell eDirectory agent that will provide user logon information. See Specifying your Collector agents or Novell eDirectory agents on page 588.
  • Add Active Directory user groups to FortiGate user groups. See Creating Fortinet Single Sign-On (FSSO) user groups on page 589.
  • Create security policies for FSSO-authenticated groups. See Creating security policies on page 590.
  • Optionally, specify a guest security policy to allow guest access. See Enabling guest access through FSSO security policies on page 591.


Configuring LDAP server access

LDAP access is required if your network has a Novell eDirectory agent or a Collector agent using Windows Advanced AD access mode. If you are using FSSO Standard mode, go to Specifying your Collector agents or Novell eDirectory agents on page 588.

1. Go to User & Device > Authentication > LDAP Servers and select Create New.

2. Enter the Server IP/Name and Server Port (default 389).

3. In the Common Name Identifier field, enter sAMAccountName. The default common name identifier is cn.

This is correct for most LDAP servers. However some servers use other identifiers such as uid.

4. In the Distinguished Name field, enter your organization's distinguished name. In this example, the Distinguished Name is dc=techdoc,dc=local.

5. Select Fetch DN. This fetches the directory tree from the Windows AD server.

6. Set Bind Type to Regular.

7. In the User DN field, enter the administrative account name that you created for FSSO.

For example, if the account is administrator, enter “administrator@techdoc.local”.

8. Enter the administrative account password in the Password field.

9. Optionally select Secure Connection.

  • In the Protocol field, select LDAPS or STARTTLS.
  • In the Certificate field, select the appropriate certificate for authentication. Note that you need to configure the Windows AD for secure connection accordingly.

10. Select OK.

11. Test your configuration by selecting the Test button. A success message confirming that the settings are correct appears.


To configure LDAP for FSSO – CLI example:

config user ldap
    edit LDAP
        set server 10.10.20.3
        set cnid sAMAccountName
        set dn "dc=techdoc,dc=local"
        set type regular
        set username "administrator@techdoc.local"
        set password <your_password>
    next
end


Specifying your Collector agents or Novell eDirectory agents

You need to configure the FortiGate unit to access at least one Collector agent or Novell eDirectory agent. You can specify up to five servers on which you have installed a Collector or eDirectory agent. The FortiGate unit accesses these servers in the order that they appear in the list. If a server becomes unavailable, the next one in the list is tried.


To specify Collector agents – web-based manager:

1. Go to User & Device > Authentication > Single Sign-On and select Create New.

2. In Type, select Fortinet Single-Sign-On Agent.

3. Enter a Name for the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.

4. Enter the following information for each of up to five collector agents and select OK:


Agent IP/Name    Enter the IP address or the name of the server where this agent is installed. Maximum name length is 63 characters.
                 If the TCP port used for FSSO is not the default, 8000, you can change the setting in the CLI using the config user fsso command. See Configuring Collector agent settings on page 567.

Password         Enter the password for the Collector agent or eDirectory agent. For the Collector agent, this is required only if you configured the agent to require authenticated access.

5. For Novell eDirectory, or Windows AD with a Collector agent in Advanced AD access mode, select the LDAP Server you configured previously. See Configuring LDAP server access on page 586.

6. In Users/Groups, select the Users or Groups or Organizational Units tab and then select the users or groups or OU that you want to monitor.

7. Select OK.
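The LDAP server settings above and the list of up to five Collector agents can be generated as FortiOS CLI text from a small builder that enforces the limits this page states (one to five agents, 63-character agent names, the default ports 389/636 and 8000) and emits the plain bind beside the LDAPS or STARTTLS variant from step 9. This is an added example, not Fortinet code; the CLI keywords secure, port, server2..server5, password2..password5 and ldap-server are assumed from the FortiOS CLI and do not appear on this page.

```python
"""Render FortiOS 'config user ldap' and 'config user fsso' blocks for FSSO.

Added example, not Fortinet code. The keywords secure, port, server2..5,
password2..5 and ldap-server are assumed from the FortiOS CLI reference.
"""

# Port the FortiGate connects to per protocol: STARTTLS upgrades the 389 session.
LDAP_PORT = {None: 389, "starttls": 389, "ldaps": 636}


def build_ldap_config(name, server, dn, username, password,
                      cnid="sAMAccountName", secure=None):
    """Render 'config user ldap' with a regular bind, optionally over TLS."""
    if secure not in LDAP_PORT:
        raise ValueError("secure must be None, 'starttls' or 'ldaps'")
    lines = [
        "config user ldap",
        f"    edit {name}",
        f"        set server {server}",
        f"        set port {LDAP_PORT[secure]}",
        f"        set cnid {cnid}",
        f'        set dn "{dn}"',
        "        set type regular",
        f'        set username "{username}"',
        f'        set password "{password}"',
    ]
    if secure:  # step 9: LDAPS/STARTTLS keeps the bind credentials off the wire in clear
        lines.append(f"        set secure {secure}")
    lines += ["    next", "end"]
    return "\n".join(lines)


def build_fsso_config(name, agents, ldap_server=None, port=8000):
    """Render 'config user fsso'; agents is a list of (host, password) tried in order."""
    if not 1 <= len(agents) <= 5:
        raise ValueError("FSSO accepts one to five Collector agents")
    lines = ["config user fsso", f"    edit {name}"]
    for i, (host, pw) in enumerate(agents, start=1):
        if len(host) > 63:
            raise ValueError(f"agent name {host!r} exceeds 63 characters")
        sfx = "" if i == 1 else str(i)  # server, server2 ... server5 (failover order)
        lines.append(f"        set server{sfx} {host}")
        lines.append(f"        set port{sfx} {port}")
        if pw:  # only needed when the agent requires authenticated access
            lines.append(f'        set password{sfx} "{pw}"')
    if ldap_server:  # required for Advanced AD access mode or eDirectory
        lines.append(f"        set ldap-server {ldap_server}")
    lines += ["    next", "end"]
    return "\n".join(lines)
```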
