Creating the FSSO user group
For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to
• configure LDAP access to the Windows AD global catalog
• specify the collector agent that sends user logon information to the FortiGate unit
• select Windows user groups to monitor
• select and add the Engineering and Sales groups to an FSSO user group
To configure LDAP for FSSO - web-based manager
1. Go to User & Device > Authentication > LDAP Servers and select Create New.
2. Enter the following information:
Name | ADserver |
Server Name / IP | 10.11.101.160 |
Distinguished Name | dc=office,dc=example,dc=com |
Bind Type | Regular |
User DN | cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com |
Password | set_a_secure_password |
Leave other fields at their default values.
3. Select OK.
To configure LDAP for FSSO - CLI
config user ldap
    edit "ADserver"
        set server "10.11.101.160"
        set dn "dc=office,dc=example,dc=com"
        set type regular
        set username "cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com"
        set password set_a_secure_password
    next
end
The Distinguished Name is the base of the LDAP search, so it should be the domain root (dc=office,dc=example,dc=com) rather than cn=users, otherwise groups that live in other OUs are not found. The bind account (FSSO_Admin here) only needs read access to user and group objects; do not use a domain administrator account for it.
To specify the collector agent for FSSO - web-based manager
1. Go to User & Device > Authentication > Single Sign-On and select Create New.
2. Enter the following information:
Type | Fortinet Single Sign-On Agent |
Name | WinGroups |
Primary Agent IP/Name | 10.11.101.160 |
Password | set_a_secure_password (must match the password configured on the collector agent) |
LDAP Server | ADserver |
3. Select Apply & Refresh.
In a few minutes, the FortiGate unit downloads the list of user groups from the server.
To specify the collector agent for FSSO - CLI
config user fsso
    edit "WinGroups"
        set server "10.11.101.160"
        set password set_a_secure_password
        set ldap-server "ADserver"
    next
end
The password is stored encrypted in the saved configuration (it appears as set password ENC ... in show output).
To create the FSSO_Internet_users user group - web-based manager
1. Go to User & Device > User > User Groups and select Create New.
2. Enter the following information:
Name | FSSO_Internet_users |
Type | Fortinet Single Sign-On (FSSO) |
Members | Engineering, Sales |
3. Select OK.
To create the FSSO_Internet_users user group - CLI
config user group
    edit "FSSO_Internet_users"
        set group-type fsso-service
        set member "CN=Engineering,CN=Users,DC=office,DC=example,DC=com" "CN=Sales,CN=Users,DC=office,DC=example,DC=com"
    next
end
The member names must match the group DNs exactly as the collector agent reports them to the FortiGate; select them from the list the FortiGate downloaded in the previous step rather than typing them from memory.
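Before committing the FortiGate configuration above, it is worth checking the Active Directory side: that the bind account can actually bind with the DN form the FortiGate will send, that it is not a privileged account, and that the Engineering and Sales DNs are what the set member line needs. The following PowerShell script is an added example and is not part of the FortiOS documentation or Fortinet's tooling; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, that the bind account's sAMAccountName is FSSO_Admin, and the server, DNs and group names used in this example.

```powershell
# Added example (not from the FortiOS documentation): verify the AD side of the
# FSSO setup before configuring the FortiGate. Assumes RSAT ActiveDirectory module
# and a domain-joined host; names below match the example on this page.
Import-Module ActiveDirectory

$ldapServer = "10.11.101.160"
$baseDn     = "dc=office,dc=example,dc=com"
$bindDn     = "cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com"
$bindAccount = "FSSO_Admin"              # sAMAccountName of the bind user (assumed)
$groups     = @("Engineering", "Sales")

# 1. Can the bind account authenticate with exactly the DN and base the FortiGate uses?
$secure = Read-Host -AsSecureString "Password for $bindDn"
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ldapServer/$baseDn", $bindDn, $plain)
try {
    $null = $entry.NativeObject          # forces the simple bind; throws on bad credentials
    Write-Host "Bind OK as $bindDn against $ldapServer"
} catch {
    Write-Error "Bind failed for $bindDn : $($_.Exception.Message)"
    exit 1
} finally {
    $plain = $null
}

# 2. Least privilege: the FortiGate only needs read access to users and groups.
$acct = Get-ADUser -Identity $bindAccount
$privilegedNames = @("Domain Admins", "Enterprise Admins", "Administrators", "Account Operators", "Schema Admins")
$privileged = Get-ADPrincipalGroupMembership -Identity $acct |
              Where-Object { $_.Name -in $privilegedNames }
if ($privileged) {
    Write-Warning "$bindAccount is a member of privileged group(s): $($privileged.Name -join ', ')"
} else {
    Write-Host "$bindAccount holds no privileged group membership"
}

# 3. Emit the DNs exactly as the FortiGate 'set member' line needs them.
$dns = foreach ($g in $groups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction Stop
    if ($grp.DistinguishedName -notlike "*$baseDn") {
        Write-Warning "$g ($($grp.DistinguishedName)) is outside the base DN $baseDn"
    }
    $grp.DistinguishedName
}
$quoted = $dns | ForEach-Object { "`"$_`"" }
Write-Host ("set member " + ($quoted -join " "))
```

Run it as an ordinary domain user; it prompts for the FSSO_Admin password rather than taking it on the command line. A bind failure here means the FortiGate's LDAP test will fail too, and a warning in step 2 means the bind account should be replaced with a dedicated read-only user before the password is put in the FortiGate configuration. Once the FortiGate is configured, diagnose debug authd fsso server-status on the FortiGate CLI shows whether the connection to the collector agent is up, and diagnose debug authd fsso list shows the logons it has received.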