Fortinet Single Sign-On: A Complete Guide to SAML and FSSO Configuration
In the modern enterprise network, simplifying user access while maintaining robust security is a critical challenge. Fortinet offers two powerful Single Sign-On (SSO) solutions—SAML and Fortinet Single Sign-On (FSSO)—to streamline authentication across network resources. This guide provides a comprehensive overview of both methods, detailing configuration steps, key considerations, and best practices to help administrators implement secure, seamless access control.
Understanding Fortinet's SSO Methods: SAML vs. FSSO
Fortinet provides two primary SSO frameworks, each designed for different environments and use cases.
SAML (Security Assertion Markup Language) SSO is a standards-based federation protocol used for web-based applications and VPNs. In this model, the FortiGate acts as the Service Provider (SP) and trusts an external Identity Provider (IdP) such as Microsoft Entra ID, Okta, or Duo to authenticate users; the IdP returns a signed assertion that the FortiGate validates against the IdP's signing certificate. This method is ideal for browser-based access to cloud applications and for remote-access VPN logins.
Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is Fortinet's proprietary agent-based solution. It is designed primarily for internal network access control. FSSO transparently identifies users who have already logged into a Windows Active Directory domain, allowing the FortiGate to apply identity-based firewall policies without prompting users for credentials again. It uses a combination of DC agents, polling, and RADIUS accounting to track user logins.
How to Configure SAML SSO on FortiGate
Configuring SAML requires a bidirectional exchange of information between the FortiGate (SP) and your chosen IdP. The general workflow is consistent across most IdPs.
Prerequisites and Information Gathering
Before you begin, you must obtain the following critical details from your Identity Provider:
- IdP Entity ID: A unique identifier for your IdP.
- IdP Single Sign-On URL: The IdP endpoint to which the FortiGate redirects users carrying its SAML authentication request. Do not confuse it with the ACS (Assertion Consumer Service) URL, which is the FortiGate's own endpoint where the IdP posts the signed response; the FortiGate generates the ACS URL and you give it to the IdP.
- Single Logout Service URL: The IdP endpoint used to log users out.
- SAML Signing Certificate: The IdP's public signing certificate, used by the FortiGate to verify the signatures on SAML responses. Starting in FortiOS 7.6.4, the IdP must sign both the SAML assertion and the enclosing response.
Step-by-Step GUI Configuration
- Create the SSO Object: Navigate to User & Authentication > Single Sign-On and click Create new.
- Configure SP Settings: Enter a name and the address (FQDN or IP) that users reach the FortiGate on. The system generates the SP URLs (Entity ID, ACS URL, Logout URL) that you must later provide to your IdP.
- Configure IdP Settings: Select your IdP type (Fortinet Product or Custom). For a custom IdP (like Entra ID or Duo), input the Entity ID, URLs, and upload the SAML Signing Certificate you gathered earlier.
- Map User Attributes: In the "Additional SAML Attributes" section, specify the exact attribute names from the SAML response that identify the user (e.g., user.principalname) and carry group membership (e.g., group). Names are matched case-sensitively, so this step is crucial for correct user identification and policy matching.
- Create a User Group: Go to User & Authentication > User Groups, create a new group of type "SAML", and add the SAML SSO object you just created as a member. Optionally enter the group value the IdP sends so that only users carrying that group attribute match the user group.
- Apply the Group to Policy: Use this new user group in any firewall policy (e.g., SSL-VPN policies) to enforce SAML authentication.
Critical Note on Certificates: To prevent browser certificate warnings for users, you must configure a trusted certificate under User & Authentication > Authentication Settings. Assign a custom certificate whose Subject Alternative Name (SAN) matches the FQDN users connect to. Separately, make sure the certificate uploaded in the IdP settings is the IdP's SAML signing certificate, not its TLS server certificate; the two are often different and a mismatch causes every response to fail signature validation.
Integration with Common Identity Providers
- Microsoft Entra ID: In the Entra ID admin center, register the FortiGate as an "Enterprise Application". Provide the SP URLs from the FortiGate, then configure "User Attributes & Claims" to emit the required user.principalname and group claims.
- Duo SSO: The configuration is similar. Within the Duo Admin Panel, add FortiGate as a new SAML application, exchange metadata/URLs, and ensure the "NameID" attribute is mapped correctly for user identification.
How to Configure Fortinet Single Sign-On (FSSO)
FSSO is agent-based and relies on communication between the domain controllers, a collector (a FortiAuthenticator or the FSSO Collector Agent installed on a Windows server), and the FortiGate.
Core Components and Communication Ports
FSSO uses specific ports that must be open in your network firewall. Key ports include:
- TCP/8000: Channel between the FortiGate and the collector (FortiAuthenticator or Collector Agent). The FortiGate initiates this connection and receives logon events and group information over it.
- UDP/8002: Used by Domain Controller (DC) Agents to send logon events to the collector.
- TCP/445 & TCP/139: Used by the collector for workstation checks (verifying that a user is still logged on) and for polling the domain controllers' event logs.
- TCP/389/636 & TCP/3268: For LDAP/LDAPS queries to Active Directory for group membership.
Configuration Workflow
- Set up the Collector (FortiAuthenticator or FortiGate Agent):
- On a FortiAuthenticator, enable "Windows event log polling" and/or "FortiClient SSO Mobility Agent" under Fortinet SSO Methods > SSO > General. Configure a shared secret key.
- Alternatively, you can deploy the FSSO Collector Agent software directly on a server in your domain.
- Add the SSO Agent to FortiGate: Go to Security Fabric > External Connectors (called Fabric Connectors in older releases), create a new Fortinet Single Sign-On Agent, and enter the IP of your collector and the shared secret password. The FortiGate then connects to the collector on TCP/8000.
- Create FSSO User Groups: In User & Authentication > User Groups, create a group of type "Fortinet Single Sign-On (FSSO)". You can then select the specific Active Directory security groups imported from your collector that you wish to include as members.
- Apply to Policies: Use these dynamic FSSO groups in firewall policies. Access is granted based on a user's real-time AD login state.
Deployment Modes
- Polling Mode: The collector periodically reads the security event logs of each domain controller (via WinSecLog, WMI, or NetAPI polling). The polling account needs administrative rights on the domain controllers to read those logs.
- DC Agent Mode: Lightweight agents are installed on domain controllers to push logon events directly to the collector. This is more efficient and scalable.
- FortiClient SSO Mobility Agent: For laptops that leave the corporate network, the FortiClient agent can report its login status back to the FSSO infrastructure, enabling consistent policy enforcement for remote users.
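To make the FSSO pipeline concrete, here is an added example (written for this guide, not Fortinet's collector or FortiOS code) that models what happens between the steps above: Windows Security logon events (event ID 4624), as a collector in polling mode reads them from a DC, are reduced to a workstation-IP-to-user table, and that table is then matched against the AD groups of an FSSO user group the way a firewall policy does. The accepted logon types, the "newest logon per IP wins" rule, the entry timeout, and the DOMAIN/user display format are assumptions of this model; the sample events and group membership are constructed.

```python
"""Simplified model of FSSO: 4624 events -> IP-to-user table -> policy match.
Illustration written for this guide; not Fortinet's collector code. Accepted
logon types, last-logon-per-IP, and the entry timeout are assumptions."""
from datetime import datetime, timedelta, timezone


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample 4624 events (field names follow the Windows Security log,
# values are made up). Comments say why each one matters to FSSO.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "10.1.20.15"},        # interactive logon: usable
    {"time": "2024-05-01T08:00:05Z", "TargetUserName": "WS015$", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.1.20.15"},        # machine account: ignore
    {"time": "2024-05-01T08:01:00Z", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "10.1.20.40"},        # first user on a shared PC
    {"time": "2024-05-01T08:30:00Z", "TargetUserName": "carol", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "10.1.20.40"},        # later logon on same IP replaces bob
    {"time": "2024-05-01T08:03:00Z", "TargetUserName": "dave", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "-"},                 # no source IP: cannot be mapped
    {"time": "2024-05-01T08:04:00Z", "TargetUserName": "erin", "TargetDomainName": "CORP",
     "LogonType": 2, "IpAddress": "127.0.0.1"},         # console logon on the DC itself
]

# Group membership as the collector would fetch it over LDAP (constructed).
SAMPLE_GROUPS = {
    "CORP/alice": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com",
                   "CN=Sales,OU=Groups,DC=corp,DC=example,DC=com"],
    "CORP/bob":   ["CN=Sales,OU=Groups,DC=corp,DC=example,DC=com"],
    "CORP/carol": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example,DC=com"],
}

UNUSABLE_IPS = {"", "-", "127.0.0.1", "::1"}


def build_logon_table(events, now, accepted_logon_types=frozenset({2, 10, 11}),
                      max_age_seconds=8 * 3600):
    """Reduce 4624 events to {ip: {"user": "DOMAIN/user", "time": "..."}}.

    Assumed rules: skip machine accounts (trailing '$'), skip events without a
    usable source IP, accept only the configured logon types, drop entries
    older than max_age_seconds, and let the newest logon per IP win."""
    t_now = _ts(now)
    table = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        if user.endswith("$") or ip in UNUSABLE_IPS:
            continue
        if ev["LogonType"] not in accepted_logon_types:
            continue
        if t_now - _ts(ev["time"]) > timedelta(seconds=max_age_seconds):
            continue
        table[ip] = {"user": f"{ev['TargetDomainName']}/{user}", "time": ev["time"]}
    return table


def policy_match(table, groups_by_user, src_ip, fsso_group_members):
    """Decide whether traffic from src_ip matches an FSSO user group whose
    members are the AD group DNs in fsso_group_members."""
    entry = table.get(src_ip)
    if entry is None:
        return {"allowed": False, "user": None,
                "reason": f"no FSSO logon recorded for {src_ip}"}
    user = entry["user"]
    hits = sorted(set(groups_by_user.get(user, [])) & set(fsso_group_members))
    if not hits:
        return {"allowed": False, "user": user,
                "reason": f"{user} is in none of the FSSO group's AD groups"}
    return {"allowed": True, "user": user, "reason": f"{user} matched {hits[0]}"}
```

The two cases that most often surface as "users not identified" are visible in the sample: dave's logon has no source IP, and erin logged on at the DC console, so neither can ever map to a workstation, and carol's later logon silently replaces bob on the shared PC, which is why the FortiGate enforces carol's groups for that IP until the entry ages out.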
Single Sign-On in the Security Fabric
Fortinet's Security Fabric allows for centralized SSO management. In this architecture, a root FortiGate can be configured as a SAML Identity Provider (IdP). Downstream FortiGates (or other Fabric devices) are then configured as Service Providers (SPs). When a user tries to log into a downstream device, they are redirected to the root FortiGate for authentication. This creates a unified login experience across the entire Fabric, simplifying administration and providing a consistent security posture.
Advanced Considerations and Troubleshooting
- Clock Synchronization: SAML assertions are time-sensitive (NotBefore/NotOnOrAfter conditions). Keep the FortiGate and IdP on NTP, and use the CLI clock-tolerance setting of the SAML user object to define the acceptable skew (in seconds) between the FortiGate and IdP clocks if they are not perfectly synchronized.
- Certificate Errors: The most common issue is users seeing certificate warnings. Always ensure a valid, trusted certificate is configured in the Authentication Settings.
- Failed Authentication (SAML): Double-check the attribute mapping. The "Attribute used to identify users" must match exactly (case-sensitive) the attribute name sent by your IdP. Use browser developer tools or SAML tracer add-ons to inspect the actual SAML response.
- Users Not Identified (FSSO): Verify network connectivity on required ports between all components. Confirm the user's workstation IP is being correctly reported and that the user is a member of the AD groups added to the FSSO user group.
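When a SAML login fails, the fastest route is to decode the SAMLResponse that a browser SAML tracer captured and check it against what the FortiGate SP was configured with. The following is an added example written for this guide (not FortiOS code and not a Fortinet tool) covering the attribute mapping from the configuration steps and the clock-tolerance, signing and attribute-name issues from the troubleshooting list above. It performs structural checks only: whether both Response and Assertion carry a Signature element, whether Issuer and Audience match the configured entity IDs, whether the validity window holds within a clock tolerance, and whether the configured attribute names match case-sensitively. It does not verify the XML signatures cryptographically; use a SAML library with the IdP certificate for that. The embedded response, its URLs and the signature placeholders are constructed.

```python
"""Structural checks on a decoded SAML 2.0 Response for FortiGate SP debugging.
Illustration for this guide, not FortiOS code. Does NOT verify XML signatures
cryptographically; it only checks that the signature elements are present."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real capture. Signature bodies are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://vpn.example.com/remote/saml/login/">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.principalname">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
        <saml:AttributeValue>Helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The form the SAMLResponse POST parameter takes in a SAML tracer
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse POST parameter into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, *, idp_entity_id, sp_entity_id, user_attr,
                        group_attr, now, clock_tolerance=15):
    """Return {'ok', 'findings', 'name_id', 'user', 'groups'}. `now` is an ISO-8601
    UTC timestamp; clock_tolerance is seconds, like the FortiOS setting."""
    root = ET.fromstring(xml_text)
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("IdP returned a non-Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "findings": findings + ["no saml:Assertion in Response"],
                "name_id": "", "user": [], "groups": []}
    if root.find("ds:Signature", NS) is None:       # both must be signed (FortiOS 7.6.4+)
        findings.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} != configured IdP entity ID {idp_entity_id!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} lacks SP entity ID {sp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    t_now, tol = _ts(now), timedelta(seconds=clock_tolerance)
    if cond is not None:                             # validity window with tolerance
        if cond.get("NotBefore") and t_now + tol < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (IdP/FortiGate clock skew?)")
        if cond.get("NotOnOrAfter") and t_now - tol >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (IdP/FortiGate clock skew?)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

    def lookup(configured):                          # exact match, like the FortiGate
        if configured in attrs:
            return attrs[configured]
        near = [n for n in attrs if n.lower() == configured.lower()]
        hint = (f"IdP sent {near[0]!r} (names are case-sensitive)" if near
                else f"IdP sent {sorted(attrs)}")
        findings.append(f"attribute {configured!r} missing; {hint}")
        return []

    user_vals, group_vals = lookup(user_attr), lookup(group_attr)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return {"ok": not findings, "findings": findings, "name_id": name_id,
            "user": user_vals, "groups": group_vals}
```

Run check_saml_response on the decoded capture with the entity IDs and attribute names from your SSO object. A configured name of user.principalName against an IdP that sends user.principalname reports the case mismatch explicitly, and a login attempted a few seconds before NotBefore passes with the default 15-second tolerance but fails with a tolerance of 0, which is exactly the symptom a skewed IdP clock produces.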
Frequently Asked Questions (FAQ)
What is the main difference between SAML and FSSO?
SAML is best for web-based access to applications and VPNs, using a standards-based redirect to an external identity provider. FSSO is designed for internal network access control, transparently identifying users logged into a Windows Active Directory domain without a separate login prompt.
Can I use FortiGate as a SAML Identity Provider?
Yes. A root FortiGate in a Security Fabric can be configured as a SAML IdP. Other FortiGates or supported applications in the Fabric are then configured as Service Providers that trust this IdP; check the release notes of your FortiOS version for the supported SP types.
Why do users get a certificate warning during SAML login?
This occurs because the FortiGate's authentication daemon presents a default self-signed certificate. To resolve this, go to User & Authentication > Authentication Settings and assign a custom certificate that is trusted by your clients' browsers (e.g., from a public or internal CA).
What should I do if SAML authentication fails with "invalid user"?
This is almost always due to incorrect attribute mapping. Verify that the "Attribute used to identify users" in the FortiGate's SAML SSO object matches the exact attribute name and value being sent by your IdP (e.g., user.principalname).
Which ports must be open for FSSO to work correctly?
FSSO requires several ports, most critically TCP/8000 (collector to FortiGate), UDP/8002 (DC Agent to collector), and TCP/445 (workstation polling). Ensure firewalls between your domain controllers, collector server, and FortiGate allow this traffic.