SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)

This recipe demonstrates FortiGate user authentication with the use of a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access and applies different security profiles for different users.

1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General to configure general settings as shown in the exhibit.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows AD to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filtering.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select the groups or containers to be imported, controlled and monitored by the FortiAuthenticator. In this example the “FortiOS Writers” user group is selected.

2. Configuring SSO on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent.

When selecting the Users/Groups field, the SSO user groups initially polled by the FortiAuthenticator from the Domain Controller show up in the FortiGate.

In this example, only the “FortiOS writers” group shows up because of the FortiGate Filtering configured in the previous step.

3. Creating a user group on the FortiGate

Go to User & Device > User > User Groups and create a new user group. Under Members, select the user group to be monitored. In this example only “FortiOS Writers” shows up because of the FortiGate Filtering configured earlier.

4. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.
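The FortiGate-side steps 2 through 4, plus the logon check from step 6, expressed as an equivalent FortiOS CLI configuration. This is an added example, not part of the recipe: the FortiAuthenticator address, the FSSO secret, the AD group DN and the interface names are assumed, and some option names vary by FortiOS release.

```fortios
# Added example: CLI equivalent of the GUI steps above. Assumed values:
# FortiAuthenticator at 10.0.0.5, interfaces "internal"/"wan1", AD group DN.

# Step 2: FSSO agent entry pointing at the FortiAuthenticator (collector role)
config user fsso
    edit "FortiAuthenticator"
        set server "10.0.0.5"                      # assumed FAC address
        set password "REPLACE_WITH_FSSO_SECRET"    # placeholder; must match the FortiGate Filtering password on the FAC
        set port 8000                              # default FSSO port
    next
end

# Step 3: FSSO-type user group whose member is the AD group forwarded by the FAC
config user group
    edit "FortiOS_writers"
        set group-type fsso-service
        set member "CN=FortiOS Writers,CN=Users,DC=techdoc,DC=local"   # assumed DN
    next
end

# Step 4: policy allowing only that group to the Internet with the default Web Filter
config firewall policy
    edit 0                                         # 0 = next free policy ID
        set name "FortiOS_writers-to-Internet"
        set srcintf "internal"                     # assumed LAN interface
        set dstintf "wan1"                         # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FortiOS_writers"               # user identity is the match condition
        set utm-status enable
        set webfilter-profile "default"
        set logtraffic all                         # needed for the Forward Traffic log check in step 6
        set nat enable
    next
end

# Step 6 check: list the FSSO logons the FortiGate has learned from the FortiAuthenticator
diagnose debug authd fsso list
```

Traffic from a host whose logon has not been polled from the Domain Controller will not match the `groups` condition and falls through to the implicit deny, so an empty `fsso list` output is the first thing to check when a user is blocked.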

5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify monitored domains. In this example “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain, and go to Monitor > SSO > SSO Sessions to verify SSO sessions.

Go to Logging > Log Access > Logs to verify logs. Select an entry for details.

You can also verify results in the User inventory widget under System > Dashboard > Status.

6. Results from the FortiGate

Upon successful authentication, go to User & Device > Monitor > Firewall and verify FSSO Logons.

Have an authenticated user navigate the Internet. Security profiles will be applied accordingly.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log.

Select an entry for details.


Fortinet Technical Documentation
