SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)


This recipe demonstrates FortiGate user authentication with a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access.

 1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General and configure these general settings.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows DC to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filter.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select groups or containers to be imported, controlled, and monitored by the FortiAuthenticator. In this example, the “FortiOS Writers” user group is selected.

 2. Configuring SSO on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent and set the Name, the Primary Agent IP/Name, the Password and select Apply & Refresh.

When selecting the Users/Groups field, the SSO user groups initially polled by the FortiAuthenticator from the Domain Controller appear.

In this example, only the “FortiOS Writers” group appears because of the FortiGate Filtering configuration in the previous step.



3. Creating a user group on the FortiGate

Go to User & Device > User Groups and create a new Fortinet Single Sign-On (FSSO) user group. Under Members, select the user group to be monitored. In this example only “FortiOS Writers” appears because of the FortiGate Filtering configured earlier.

4. Adding a policy on the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing  “FortiOS_writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify monitored domains. In this example “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain.

Go to Monitor > SSO > SSO Sessions to verify SSO sessions.

Go to Logging > Log Access > Logs to verify logs.
Select an entry for details.

You can also verify FSSO users in the User Inventory widget under System > Dashboard > Status.

 6. Results from the FortiGate

Upon successful authentication, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have authenticated users navigate the Internet. Security profiles will be applied accordingly. 

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.


Fortinet Technical Documentation

Contact Fortinet Technical Documentation at
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)