Chapter 3 Authentication for FortiOS 5.0 : SSO using a FortiAuthenticator unit : User’s view of FortiAuthenticator SSO authentication
  
User’s view of FortiAuthenticator SSO authentication
There are two different ways users can authenticate through a FortiAuthenticator unit.
Users without FortiClient Endpoint Security - SSO widget
To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:
User not logged in. Click Login to go to the FortiAuthenticator login page.
User logged in. Name displayed. Logout button available.
The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.
Users with FortiClient Endpoint Security - FortiClient SSO Mobility Agent
The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deathenticates the user.
The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.