FSSO in Polling mode

In this example, you will configure Fortinet Single Sign-On (FSSO) directly in the security policy using the new FSSO wizard introduced in FortiOS 5.2.2.

This example uses Active Directory polling to establish FSSO for a Windows AD Domain Controller, without requiring a FortiAuthenticator or a collector agent to act as an intermediary between the FortiGate and the domain.

1. Adding LDAP authentication to the FortiGate

In the FortiGate web interface, go to User & Device > Authentication > LDAP Servers. Create a new LDAP object that points to the Windows AD server.

For the Server IP/Name, enter the server's fully qualified domain name or IP address.

Set the Bind Type to Regular and enter a User DN and Password.

Click Fetch DN to retrieve your Distinguished Name.


Click Test and verify that your connection is successful.


2. Configuring the FortiGate unit to poll the Active Directory

Next, go to User & Device > Authentication > Single Sign-On and add a new Single Sign-On Server.

For the Type, select Poll Active Directory Server. Enter the Server IP/Name, User, and Password, then select the Server you added previously. Make sure Enable Polling is checked. Add a test user group of your choice.


3. Adding a firewall address for the Internal network

Go to Policy & Objects > Objects > Addresses and create an internal network address to be used by your security policy.


4. One-step FSSO configuration in the security policy

Go to Policy & Objects > Policy > IPv4 and edit a security policy with access to the Internet. Set the Source Address to the Local_LAN address created in Step 3.


Under Source User(s), scroll down past the dropdown menu and select Create Users/Groups wizard.

For the User/Group Type, select FSSO and then click Next.

For the Remote Group, select the appropriate FSSO Agent from the dropdown menu.

Select the Groups tab and right-click on the user groups you would like to add.

Go to the Selected tab. In this example, Standard_User_Group and Admin_User_Group are shown.

Click Next.


Select Create New and name your new FSSO user group. 

Click Create.

The groups selected have been added to the new FSSO group, My_Windows_AD_Group.

Ensure you enable logging and select All Sessions.


In the Global View your completed policy should look similar to the screenshot shown on the right.

If necessary, select the policy by clicking on the far left column, and move it as close as possible to the top of the list.


5. Results

Go to Log & Report > Traffic Log > Forward Traffic.

When users log into the Windows AD network, the FortiGate will automatically poll the domain for their account information and record their traffic. 

Select an entry for more information. 

For further reading, check out Single Sign-On to Windows AD in the FortiOS 5.2 Handbook.

Notes:

This recipe requires that your FortiGate's DNS settings point to a DNS server that can resolve the IP addresses or fully qualified domain names of the users' PCs.

You must add at least one user group to create your SSO server. To add multiple groups, hold the Shift key and click. To see these groups, go to User & Device > User > User Groups.

All other policies must deny Internet access in order for users to be forced to authenticate.