FortiProxy units support the use of external authentication servers. An authentication server can provide password checking for selected FortiProxy users, or it can be added as a member of a FortiProxy user group. If you are going to use authentication servers, you must configure the servers before you configure the FortiProxy users or user groups that require them.

This chapter covers the following topics:

Single Sign-On

Fortinet units use security policies to control access to resources based on user groups configured in the policies. Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, an FSSO agent sends the user's IP address, and the names of the Directory Service user groups that the user belongs to, to the FortiProxy unit.

The FSSO agent has two components that must be installed on your network:

- The domain controller agent must be installed on every domain controller to monitor user logins and send information about them to the collector agent.
- The collector agent must be installed on at least one domain controller to send the information received from the domain controller agents to the Fortinet unit. Alternately, a FortiAuthenticator server can take the place of the collector agent in an FSSO polling mode configuration.

The unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the unit does not perform authentication. It recognizes group members by their IP address. You must install the FSSO agent on the network and configure the unit to retrieve information from the Directory Service server.

To manage single sign-on (SSO) servers, go to User & Device > Single Sign-On. Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New: Create a new FSSO server. See To create a new SSO server.
Edit: Edit an FSSO server. See To edit an SSO server.
Delete: Delete an FSSO server or servers. See To delete a server or servers.

The server list also shows, for each entry: an icon representing the type of server (hover your cursor over the icon to view the type); the LDAP server associated with the FSSO server; the users and groups associated with the server; the IP address or name of the FSSO agent; and Ref., which displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

To create a new SSO server:

1. In the single sign-on server list, select Create New from the toolbar. The New Single Sign-On Server page opens.
2. In the Type area, select the type of server that will be created. One of: Poll Active Directory Server, Fortinet Single Sign-On Agent, or RADIUS Single Sign-On Agent. Only one RADIUS single sign-on agent can be created on the FortiProxy device.
3. Enter the following information, depending on the type selected:
   - If you selected Poll Active Directory Server, enter the server name or IP address.
   - If you selected Poll Active Directory Server, enter the user name.
   - If you selected Poll Active Directory Server, enter the password for the user.
   - If you selected Poll Active Directory Server, select an LDAP server from the drop-down list to access the Directory Service. To add an LDAP server, see To add a new LDAP server.
   - If you selected Poll Active Directory Server, select the polling option to enable polling.
   - If you selected Poll Active Directory Server and selected an LDAP server, view or edit the users, groups, and organizational units associated with the server.
   - If you selected Fortinet Single Sign-On Agent, enter a name for the agent.
   - If you selected Fortinet Single Sign-On Agent, enter the server IP address or name for the primary agent. Then enter the password in the Password field.
   - Enter the IP address or name of the Directory Service server where the collector agent is installed. Then enter the password for the collector agent. Select + to add up to four more FSSO agents.
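The FSSO flow this page describes (domain controller agents observe logons, the collector forwards the user, IP address and Directory Service groups to the unit, and the unit keeps an IP-keyed copy of the group database that its security policies consult) can be modelled in a few dozen lines. The Python below is an added illustration, not Fortinet code: the group names, addresses, event records and the `FssoTable`/`policy_allows` helpers are constructed for the example. Because the unit recognizes group members by IP address, the model also shows what happens when a second user logs on from an address already in the table: the earlier mapping is replaced, which is the behaviour an administrator should keep in mind for shared or translated addresses.

```python
"""Model of the FSSO identity flow: DC agents report logons, the collector
forwards (user, IP, Directory Service groups), and the unit keeps an
IP-keyed table that policy decisions consult. Added illustration only."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    """One record as the collector agent would forward it (constructed shape)."""
    user: str
    ip: str
    ds_groups: FrozenSet[str]   # Directory Service groups the user belongs to
    logoff: bool = False


@dataclass
class FssoTable:
    """The unit's local copy of who is at which IP. The unit performs no
    authentication itself; the domain controller already did that."""
    by_ip: Dict[str, LogonEvent] = field(default_factory=dict)

    def apply(self, ev: LogonEvent) -> None:
        if ev.logoff:
            self.by_ip.pop(ev.ip, None)
        else:
            # Identity is keyed by IP, so a later logon from the same
            # address replaces the earlier entry.
            self.by_ip[ev.ip] = ev

    def lookup(self, ip: str) -> Optional[LogonEvent]:
        return self.by_ip.get(ip)


# Each Fortinet (FortiProxy) user group maps to one or more DS groups.
# Names below are constructed for the example.
FORTINET_GROUPS: Dict[str, FrozenSet[str]] = {
    "fp-finance": frozenset({"CN=Finance,DC=example,DC=local"}),
    "fp-it": frozenset({"CN=IT,DC=example,DC=local",
                        "CN=Helpdesk,DC=example,DC=local"}),
}


def fortinet_groups_for(ev: LogonEvent) -> List[str]:
    """Resolve a user's DS groups to the Fortinet user groups they qualify for."""
    return sorted(name for name, ds in FORTINET_GROUPS.items()
                  if ds & ev.ds_groups)


def policy_allows(table: FssoTable, src_ip: str, allowed_groups: List[str]) -> bool:
    """Policy decision: the source IP must map to a logged-on user who is in
    at least one of the policy's Fortinet user groups."""
    ev = table.lookup(src_ip)
    if ev is None:
        return False   # unknown IP: no identity, so the identity policy does not match
    return any(g in allowed_groups for g in fortinet_groups_for(ev))


# Constructed sample of events in the order the collector would send them.
SAMPLE_EVENTS = [
    LogonEvent("alice", "10.1.1.10", frozenset({"CN=Finance,DC=example,DC=local"})),
    LogonEvent("bob", "10.1.1.11", frozenset({"CN=Helpdesk,DC=example,DC=local"})),
    # Carol logs on from Alice's address: the IP-keyed entry is replaced.
    LogonEvent("carol", "10.1.1.10", frozenset({"CN=Sales,DC=example,DC=local"})),
    LogonEvent("bob", "10.1.1.11", frozenset(), logoff=True),
]


def build_table(events=SAMPLE_EVENTS) -> FssoTable:
    """Replay a list of collector events into a fresh table."""
    table = FssoTable()
    for ev in events:
        table.apply(ev)
    return table


if __name__ == "__main__":
    t = build_table()
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        ev = t.lookup(ip)
        who = f"{ev.user} {fortinet_groups_for(ev)}" if ev else "unknown"
        print(ip, "->", who, "| finance policy:", policy_allows(t, ip, ["fp-finance"]))
```

Replaying the constructed events shows the two points the page makes: a policy that names `fp-finance` matches 10.1.1.10 only while Alice's logon is the latest record for that address, and an address with no logon record (or whose user has logged off) never matches an identity-based policy, so traffic from it falls through to whatever non-identity policies exist.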