SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)

This recipe demonstrates FortiGate user authentication using a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect user logons by polling the Domain Controller logs. User authentication controls Internet access and applies different security profiles to different users.

1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General to configure general settings as shown in the exhibit.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows AD to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filtering.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select the groups or containers to be imported, controlled and monitored by the FortiAuthenticator. In this example, the “FortiOS Writers” user group is selected.

2. Configuring SSO on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent.

When selecting the Users/Groups field, the SSO user groups initially polled by the FortiAuthenticator from the Domain Controller show up in the FortiGate.

In this example, only the “FortiOS writers” group shows up because of the FortiGate Filtering configured in the previous step.

3. Creating a user group on the FortiGate

Go to User & Device > User > User Groups and create a new user group. Under Members, select the user group to be monitored. In this example, only “FortiOS Writers” shows up because of the FortiGate Filtering configured earlier.

4. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_writers” to navigate the Internet with the appropriate security profiles.

The default Web Filter security profile is used in this example.
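Steps 2 to 4 can also be entered from the FortiGate CLI. The following is an added example and is not part of the original recipe; the FortiAuthenticator address (192.0.2.10), the shared password, the interface names (port1, wan1) and the group DN are placeholders that must be replaced with the values from your own environment.

```text
# Added example, not from the original recipe: FortiOS CLI equivalent of steps 2-4.
# Placeholders: 192.0.2.10 (FortiAuthenticator IP), <shared-password>, port1/wan1, group DN.

# Step 2: the FortiAuthenticator acts as the FSSO agent (collector) for the FortiGate.
config user fsso
    edit "FortiAuthenticator"
        set server "192.0.2.10"
        set port 8000
        set password <shared-password>
    next
end

# Step 3: an FSSO-type user group. Its members are the AD groups that the
# FortiAuthenticator forwards; with FortiGate Filtering in place only the groups
# in the filter are offered (here "FortiOS Writers"). The DN below is a placeholder.
config user group
    edit "FortiOS_writers"
        set group-type fsso-service
        set member "CN=FortiOS Writers,CN=Users,DC=techdoc,DC=local"
    next
end

# Step 4: a policy that grants Internet access only to that group and applies the
# default Web Filter profile. "edit 0" takes the next free policy ID. Logging all
# sessions is what makes the user name visible in the Forward Traffic log (step 6).
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FortiOS_writers"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

The `set member` value must match a group name exactly as the FortiAuthenticator forwards it (the same names that appear in the Users/Groups drop-down in step 2); the CLI rejects a member the collector has not yet pushed, so configure the FSSO agent first and confirm the group list has arrived before creating the user group.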

5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify the monitored domains. In this example, “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain, then go to Monitor > SSO > SSO Sessions and verify the SSO sessions.

Go to Logging > Log Access > Logs to verify the logs.

Select an entry for details.

You can also verify results in the User inventory widget under System > Dashboard > Status.

6. Results from the FortiGate

Upon successful authentication, go to User & Device > Monitor > Firewall and verify FSSO Logons.

Have an authenticated user navigate the Internet. The security profiles will be applied accordingly.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log.

Select an entry for details.

Taher Elbar

Technical Product Specialist at Fortinet
After a Bachelor degree in Telecommunications from university of Geneva, Taher began his career in software development, then moved to System/Network administration followed by Security Support Engineer. With over 10 years of experience, Taher is writing various Technical documentation for Fortinet.
  • Cascadia89

    Right now I use the FSSO client on my DCs, but I did have a FortiAuthenticator. Is this a preferred method to using FSSO clients on DCs?

    • Taher Elbar

      This method is more granular in the sense of having the FortiAuthenticator control/monitor SSO users in a centralized fashion. Also, the use of the “FortiGate Filtering” feature offers a more sophisticated way of filtering SSO users.