Single sign-on (SSO) (site publishing)
If:
your users will be accessing multiple web applications on your domain, and
you have defined accounts centrally on an LDAP server (such as Microsoft Active Directory) or a RADIUS server,
you may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the web UI) instead of configuring simple HTTP authentication rules. Unlike HTTP authentication rules, SSO does not require your users to authenticate each time they access separate web applications in your domain.
For example, if you configure HTML form authentication, when FortiWeb receives the first request, it returns an HTML authentication form.
Figure 42: FortiWeb’s HTTP authentication form
FortiWeb forwards the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if you have configured FortiWeb to delegate, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate again.
You can use the SSO feature to replace your discontinued Microsoft Threat Management Gateway. With SSO enabled, you can use FortiWeb as a portal for multiple applications such as SharePoint, Outlook Web Application, Lync, and/or IIS. Users log in once to use any or all of those resources.
 
When you configure SSO, FortiWeb uses the authentication method for the first site publish rule that matches. Therefore, you cannot specify different authentication methods for individual web applications in the same SSO domain.
For example, you can create a site publish rule that allows users to access Outlook Web App (OWA) via HTML Form Authentication and a rule that allows them to access Exchange via HTTP Basic Authentication. However, to ensure FortiWeb controls access to each application with the correct authentication method, do not enable SSO for the rules.
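The request flow described above and the first-matching-rule caveat, modelled as an added Python example (this is not FortiWeb code); the rule names, the example.com SSO domain, the path prefixes and the directory entry are constructed for illustration:

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for the LDAP/RADIUS directory FortiWeb would query.
DIRECTORY = {"alice": "correct horse battery staple"}

@dataclass
class SitePublishRule:
    name: str
    path_prefix: str
    auth_method: str   # "html_form" or "http_basic"
    sso: bool          # whether SSO is enabled for this rule

class SitePublisher:
    """Toy model of a server policy that carries ordered site publish rules."""

    def __init__(self, rules, sso_domain):
        self.rules, self.sso_domain = rules, sso_domain
        self.sessions = {}  # session cookie -> (user, scope)

    def first_match(self, path):
        return next((r for r in self.rules if path.startswith(r.path_prefix)), None)

    def handle(self, path, cookie=None, credentials=None):
        """Returns ('pass', None), ('challenge', auth_method) or ('forward', cookie)."""
        rule = self.first_match(path)
        if rule is None:
            return "pass", None  # unpublished path: no authentication enforced here
        # With SSO the session is valid for the whole domain; without it, one app only.
        scope = self.sso_domain if rule.sso else rule.name
        sess = self.sessions.get(cookie)
        if sess and sess[1] == scope:
            return "forward", cookie  # live session: no re-authentication
        user, pw = credentials or (None, None)
        if user in DIRECTORY and DIRECTORY[user] == pw:
            cookie = secrets.token_hex(16)  # unguessable session identifier
            self.sessions[cookie] = (user, scope)
            return "forward", cookie
        return "challenge", rule.auth_method  # method of the first matching rule

def demo(sso_enabled):
    """Logs in to OWA, then requests Exchange Web Services with the same cookie."""
    rules = [SitePublishRule("owa", "/owa", "html_form", sso_enabled),
             SitePublishRule("exchange", "/ews", "http_basic", sso_enabled)]
    fw = SitePublisher(rules, "example.com")
    first = fw.handle("/owa/")
    _, cookie = fw.handle("/owa/", credentials=("alice", DIRECTORY["alice"]))
    second = fw.handle("/ews/", cookie=cookie)
    return first[1], second[0], second[1] if second[0] == "challenge" else None
```

With SSO on, the Exchange rule's HTTP Basic method is never used because the OWA session already covers the domain; with SSO off, each rule challenges with its own method.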
 
If you do not want to apply SSO, but still want to publish multiple sites through the same server policy, apply the same steps, except do not enable SSO.
See also
Two-factor authentication
RSA SecurID authentication
Using Kerberos authentication delegation
Offloaded authentication and optional SSO configuration