General settings

The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory servers.

To configure FortiAuthenticator FSSO polling:
  1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration window. The Edit SSO Configuration window contains sections for FortiGate, FSSO, and user group membership.
  2. In the FortiGate section, configure the following settings:
    Listening port: Leave at 8000 unless your network requires you to change it. Ensure this port is allowed through any firewall between the FortiGate units and the FortiAuthenticator.
    Enable authentication: Select to enable authentication, then enter a secret key (password) in the Secret key field. The same key must be entered on each FortiGate unit that uses this FortiAuthenticator as its SSO server.
    Login Expiry: The length of time, in minutes, that users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
    Extend user session beyond logoff by: The length of time, in seconds, that a user session is extended after the user logs off, from 0 (default) to 3600 seconds.
    Enable NTLM authentication: Select to enable NTLM authentication, then enter the NetBIOS or DNS name of the domain that the logon user belongs to in the User domain field.
  3. In the Fortinet Single Sign-On (FSSO) section, configure the following settings:
    Maximum concurrent user sessions: Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.
      Select Configure Per User/Group to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls.
    Log Level: Select Debug, Info, Warning, or Error from the drop-down list as the minimum severity level of events to log.
      Select Download all logs to download all FSSO logs to your management computer.
    Enable Windows Active Directory domain controller polling: Select to enable Windows AD polling.
      Enable polling additional logon events: Select to also poll logon events generated by devices using Kerberos authentication or by Mac OS X systems, that is, event IDs 672, 680, 4776, and 4768. When this option is enabled, event IDs 528, 540, and 4624 are polled as well. These events are generated when a user attempts to access a domain service or resource, and also when a user logs off from the workstation.
      Additional logon event timeout: Enter the timeout for sessions learned from additional logon events, from 1 to 480 minutes. The default is 5 minutes.
      Note: After a user logs off, their SSO session stays active for the configured timeout. During this time, if another user's device takes over the previous user's IP address, that device is attributed to the previous user and may bypass the required authentication. For this reason, it is strongly recommended that the timeout be kept short.
      Enable DNS lookup to get IP from workstation name: Select to use a DNS lookup to obtain the IP address when an event contains only the workstation name. This option is enabled by default.
      Directly use domain DNS suffix in lookup: Select to append the domain DNS suffix to the workstation name when doing the DNS lookup. This option is disabled by default.
      Enable reverse DNS lookup to get workstation name from IP: Select to use a reverse DNS lookup to obtain the workstation name when an event contains only an IP address and no workstation name. This option is enabled by default.
      Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name: Once the workstation name has been determined by reverse lookup, it is used in a forward DNS lookup to obtain a more complete list of IP addresses. This is useful in environments where workstations have multiple network interfaces. This option is disabled by default.
    Enable RADIUS Accounting SSO clients: Select to detect user sign-ons and sign-offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.
      Use RADIUS realm as Windows Active Directory domain: Select to use the RADIUS realm as the Windows AD domain.
    Enable Syslog SSO: Select to enable Syslog SSO.
    Enable FortiClient SSO Mobility Agent Service: Select to enable single sign-on (SSO) for clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent.
      FortiClient listening port: Enter the port on which the FortiAuthenticator listens for FortiClient SSO Mobility Agent connections.
      Enable authentication: Select to enable authentication, then enter a secret key (password) in the Secret key field.
      Keep-alive interval: Enter the interval between keep-alive transmissions, from 1 to 60 minutes. The default is 5 minutes.
      Idle timeout: Enter the time after which a user is logged off if their status has not been updated. The value cannot be lower than the Keep-alive interval.
      Enable NTLM: Select to enable NT LAN Manager (NTLM) authentication, which allows logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM, for security or other reasons.
      NTLM authentication expiry: Enter the time after which NTLM authentication expires, from 1 to 10080 minutes (7 days).
    Enable hierarchical FSSO tiering: Select to enable hierarchical FSSO tiering, then enter the collector listening port in the Collector listening port field.
    Enable DC/TS Agent Clients: Select to enable clients using the DC Agent or TS Agent, then enter the UDP port in the DC/TS Agent listening port field. The default is 8002.
      Enable authentication: Select to enable authentication, then enter a secret key (password) in the Secret key field.
    Restrict auto-discovered domain controllers to configured domain controllers: Select to accept automatically discovered domain controllers only if they are already configured. See Domain controllers.
    Enable Windows Active Directory workstation IP verification: Select to verify workstation IP addresses with Windows Active Directory.
      Enable IP change detection via DNS lookup: Available only when workstation IP verification is enabled. Select to detect IP address changes via DNS lookup.
    Restart SSO service: Select to restart the SSO service.

  4. In the User Group Membership section, configure the following settings:
    Restrict user groups to SSO groups list: Select to restrict user groups to only those groups in the SSO group list.
    Group cache mode: Select the group cache mode:
    • Passive: Items have an expiry time after which they are removed and re-queried on the next logon.
    • Active: Items are periodically updated for all currently logged-on users.
      Group cache item lifetime: Enter the time after which cached items expire. This is only available when the group cache mode is Passive.
      Group cache update period for active logons: Enter the interval at which cached items are updated. This is only available when the group cache mode is Active.
    Base distinguished names to search: Enter the base distinguished names to search for nesting of users or groups into cross-domain and domain local groups.
  5. Select OK to apply the settings.
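The AD polling options above (which event IDs are polled, the DNS lookups that turn a workstation name or IP into the address list the FortiGate acts on, and the additional logon event timeout) are easiest to reason about as a small session table. The following Python model is an added illustration written for this page, not FortiAuthenticator's code: the DNS tables, event records and timestamps are constructed, and the class and function names are hypothetical. It shows the reverse-then-forward lookup chain for a multi-homed workstation and why the timeout note matters: a device that takes over a logged-off user's IP inside the timeout window is still attributed to that user.

```python
from dataclasses import dataclass

# Event IDs the page lists as polled once "Enable polling additional logon events"
# is on: the pre-2008 IDs 528/540/672/680 and their 4624/4768/4776 successors.
ADDITIONAL_LOGON_EVENT_IDS = {528, 540, 672, 680, 4624, 4768, 4776}


@dataclass
class LogonEvent:
    """One polled Security-log event (constructed; field names are hypothetical)."""
    event_id: int
    user: str
    ts: int                 # seconds; constructed timestamps
    workstation: str = ""   # empty when the event carries only an IP
    ip: str = ""            # empty when the event carries only a workstation name


class SsoSessionTable:
    """Hypothetical ip -> user table built from polled events (not FortiAuthenticator code)."""

    def __init__(self, dns_forward, dns_reverse, additional_timeout_min=5,
                 login_expiry_min=480, forward_lookup=True,
                 reverse_lookup=True, second_lookup=False):
        self.dns_forward = dns_forward          # hostname -> [ip, ...] (constructed)
        self.dns_reverse = dns_reverse          # ip -> hostname (constructed)
        self.additional_timeout = additional_timeout_min * 60
        self.login_expiry = login_expiry_min * 60
        self.forward_lookup = forward_lookup    # "DNS lookup to get IP from workstation name"
        self.reverse_lookup = reverse_lookup    # "reverse DNS lookup to get workstation name"
        self.second_lookup = second_lookup      # "one more DNS lookup ... after reverse lookup"
        self.sessions = {}                      # ip -> (user, first_logon_ts, expiry_ts)

    def resolve_ips(self, ev):
        """Map an event to the IPs it covers, mirroring the three DNS options."""
        ips = [ev.ip] if ev.ip else []
        host = ev.workstation
        if not host and ev.ip and self.reverse_lookup:
            host = self.dns_reverse.get(ev.ip, "")        # IP -> name
        if host and self.forward_lookup and (not ips or self.second_lookup):
            for cand in self.dns_forward.get(host, []):   # name -> all IPs
                if cand not in ips:
                    ips.append(cand)
        return ips

    def poll(self, events):
        """Ingest one polling batch; each polled event refreshes its IPs' session."""
        for ev in events:
            if ev.event_id not in ADDITIONAL_LOGON_EVENT_IDS:
                continue                    # anything outside the polled set is ignored
            for ip in self.resolve_ips(ev):
                prev = self.sessions.get(ip)
                first = prev[1] if prev and prev[0] == ev.user else ev.ts
                # Session lives until the additional-logon-event timeout or the
                # overall Login Expiry, whichever comes first.
                expiry = min(ev.ts + self.additional_timeout,
                             first + self.login_expiry)
                self.sessions[ip] = (ev.user, first, expiry)

    def who_is(self, ip, now):
        """User the FortiGate would be told owns `ip` at time `now`, or None."""
        entry = self.sessions.get(ip)
        if entry is None or now >= entry[2]:
            return None
        return entry[0]


# Constructed DNS data: WS1 is multi-homed, WS2 has a single address.
DNS_FORWARD = {"WS1": ["10.0.0.5", "192.168.1.5"], "WS2": ["10.0.0.7"]}
DNS_REVERSE = {"10.0.0.5": "WS1", "10.0.0.7": "WS2"}


def demo(additional_timeout_min):
    """Run one polling cycle and report what the table says afterwards."""
    table = SsoSessionTable(DNS_FORWARD, DNS_REVERSE,
                            additional_timeout_min=additional_timeout_min,
                            second_lookup=True)
    events = [
        # Kerberos TGT request (4768): client address only, no workstation name.
        LogonEvent(4768, "alice", ts=0, ip="10.0.0.5"),
        # NTLM credential validation (4776): workstation name only, no IP.
        LogonEvent(4776, "carol", ts=0, workstation="WS2"),
        # 4634 (Windows logoff) is not in the polled set, so alice's entry is untouched.
        LogonEvent(4634, "alice", ts=30, ip="10.0.0.5"),
    ]
    table.poll(events)
    return {
        "alice_ips": sorted(ip for ip, (u, _, _) in table.sessions.items()
                            if u == "alice"),
        "carol_at_ws2": table.who_is("10.0.0.7", now=10),
        # Suppose bob's unmanaged device takes 10.0.0.5 at t=60 with no domain
        # logon event; whoever holds the IP two minutes in is still "alice"
        # unless the timeout has already expired the entry.
        "owner_of_10.0.0.5_at_2min": table.who_is("10.0.0.5", now=120),
    }


if __name__ == "__main__":
    print("timeout 5 min:", demo(5))
    print("timeout 1 min:", demo(1))
```

With the 5 minute default, demo(5) attributes both of WS1's addresses to alice (reverse lookup, then the second forward lookup) and still reports alice as the owner of 10.0.0.5 two minutes after her last polled event, which is exactly the window the note warns about; demo(1) has already expired the entry. Shortening the timeout narrows that window at the cost of more frequent re-learning from the next polled event.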

Configuring FortiGate units for FSSO

Each FortiGate unit that will use FortiAuthenticator to provide Single Sign-On authentication must be configured to use the FortiAuthenticator unit as an SSO server.

To configure Single Sign-On authentication on the FortiGate unit:
  1. On the FortiGate unit, go to User & Device > Authentication > Single Sign-On and select Create New.
  2. In the Type field, select Fortinet Single-Sign-On Agent.
  3. Enter a name for the FortiAuthenticator unit in the Name field.
  4. In the Primary Agent IP/Name field, enter the IP address of the FortiAuthenticator unit.
  5. In the Password field, enter the secret key that you defined for the FortiAuthenticator unit. See Enable authentication.
  6. Select OK.
  7. In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. When you open the server, you can see the list of groups. The groups can be used in identity-based security policies.
