Chapter 3 Authentication for FortiOS 5.0 : Single Sign-On to Windows AD : Configuring Single Sign On to Windows AD : Creating Fortinet Single Sign-On (FSSO) user groups
  
Creating Fortinet Single Sign-On (FSSO) user groups
You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.
To create a user group for FSSO authentication - web-based manager
1. Go to User & Device > User > User Groups and select Create New.
The New User Group dialog box opens.
2. In the Name box, enter a name for the group, FSSO_Internet_users for example.
3. In Type, select Fortinet Single Sign-On (FSSO).
4. From the Available Members list, select the required FSSO groups.
Using the CTRL or SHIFT keys, you can select multiple groups.
5. Select the green right arrow button to move the selected groups to the Members list.
6. Select OK.
To create the FSSO_Internet_users user group - CLI
config user group
    edit FSSO_Internet_users
        set group-type fsso-service
        set member CN=Engineering,cn=users,dc=office,dc=example,dc=com CN=Sales,cn=users,dc=office,dc=example,dc=com
end
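An added example, not part of the Fortinet documentation: a Python audit that reads a FortiGate configuration excerpt, lists each fsso-service user group with the Windows AD groups mapped into it, and reports members that are missing from an approved list. The sample configuration (assumed to use the quoted form of a configuration backup), the FSSO_Guests and Local_admins groups, and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in the quoted style of a configuration backup (not from the page).
SAMPLE_CONFIG = '''
config user group
    edit "FSSO_Internet_users"
        set group-type fsso-service
        set member "CN=Engineering,cn=users,dc=office,dc=example,dc=com" "CN=Sales,cn=users,dc=office,dc=example,dc=com"
    next
    edit "FSSO_Guests"
        set group-type fsso-service
        set member "CN=Domain Users,cn=users,dc=office,dc=example,dc=com"
    next
    edit "Local_admins"
        set member "alice" "bob"
    next
end
'''

def fsso_groups(config_text):
    """Return {group name: [member DNs]} for every fsso-service user group."""
    groups, depth, name, entry = {}, 0, None, {}
    for line in config_text.splitlines():
        tok = shlex.split(line)          # keeps quoted DNs with spaces as one token
        if not tok:
            continue
        if tok[0] == "config":
            if depth or tok[1:] == ["user", "group"]:
                depth += 1               # depth > 1: nested block inside a group, ignored
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            name, entry = tok[1], {}
        elif depth == 1 and tok[0] == "set" and len(tok) > 1:
            entry[tok[1]] = tok[2:]
        elif depth and tok[0] in ("next", "end"):
            if depth == 1 and name and entry.get("group-type") == ["fsso-service"]:
                groups[name] = entry.get("member", [])
            if depth == 1:
                name = None
            if tok[0] == "end":
                depth -= 1
    return groups

def unapproved_members(groups, approved):
    """Return {group: [DNs]} for members absent from the approved list (case-insensitive)."""
    allowed = {dn.lower() for dn in approved}
    found = {g: [dn for dn in m if dn.lower() not in allowed] for g, m in groups.items()}
    return {g: dns for g, dns in found.items() if dns}

print(fsso_groups(SAMPLE_CONFIG))
```

Running it against a saved configuration and a reviewed list of AD group DNs shows which directory groups have gained policy access through an FSSO user group without approval.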