Technical Tip: FortiAuthenticator and Single-Sign-On (SSO) Tiered Architecture
Description
This article expands upon the Tiered Architecture feature noted here:
https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/568338/tiered-architecture
It illustrates in greater detail the purpose of tiered architecture, how to set it up, and some known limitations.
Solution.
FortiAuthenticator includes a feature called Tiered Architecture for more complex Single-Sign-On deployments across multiple FortiAuthenticators.
Tiered Architecture allows FortiAuthenticators to share SSO session details (username, user groups, login source, etc.) between them without requiring much additional setup; a FortiAuthenticator may thus track Single-Sign-On sessions for domains or locations it is not directly associated with.
This is done by defining FortiAuthenticators as supplier or collector nodes to each other; the supplier node will send SSO session details to the collector node. This may be chained; FortiAuthenticator1 is supplier node to FortiAuthenticator2, which in turn is supplier to FortiAuthenticator3, etc.
1) Enabling Tiered Architecture.
This is done under Fortinet SSO Methods -> SSO -> General, with the option 'Enable hierarchical FSSO tiering'. A port may be defined here on which FortiAuthenticator will listen as collector node.
The default port is 8003.
To have the FortiAuthenticator act as a supplier node (forwarding SSO sessions to another FortiAuthenticator), the receiving collector node needs to be defined.
If a supplier node is defined, this setting is not available; the listening port is set globally in the SSO -> General settings as noted above.
Workflow.
Logins learned by a supplier node are added to its SSO sessions (visible under Monitor -> SSO -> SSO Sessions) and forwarded to the defined collector node.
The collector node receives the logins from any defined supplier node(s) and adds them to its own SSO sessions.
The communication is visible in the FSSO debug section: https://<FortiAuthenticator>/debug/fsso-agent/

On collector nodes.
Supplier server accepting one connection from 10.191.19.14(sock 5)
Supplier FAC-test(FAC-xxxxxxxxxx) connected from 10.191.19.14
Received 1 event(s) from supplier: FAC-test/10.191.19.14
supplier LOGON [details]
Logon Cache [INFO]: Added new logon, workstation:[…] ip:[…] user: […]

On supplier nodes.
Load collector: test-FAC2 10.191.19.35:8003 FAC-xxxxxxxxxx,(null)
Collector: name=test-FAC2 address=10.191.19.35:8003 SN=FAC-xxxxxxxxxx
Connected to collector FAC-xxxxxxxxxx at 10.191.19.35:8003
send collector HELLO
process collector HELLO
Send all logons (total 1) in vdom 'Default' to collector: 10.191.19.35:8003
Send LOGON_INFO (640 bytes) to collector: 10.191.19.35:8003
Send LOGON_EVENT (26 bytes) to collector: 10.191.19.35:8003
process collector LOGON_ACK
Collector asks to keepalive: 10.191.19.35:8003

Note:
At the time of writing, FortiAuthenticator (up to version 6.3.1) supplier nodes only support a single collector node (login events will only be forwarded to one collector node), even if multiple collector nodes are defined.
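As an added example (not from the article or from Fortinet), the following Python check parses supplier-side FSSO debug output in the format shown above, confirms that the HELLO exchange and LOGON_ACK completed, and flags the single-collector limitation from the note. The sample debug text is constructed from the article's lines; the collector address and serial number are placeholders.

```python
import re
from dataclasses import dataclass, field
# Constructed sample of supplier-side FSSO debug output (placeholder address/serial).
SUPPLIER_DEBUG = """\
Load collector: test-FAC2 10.191.19.35:8003 FAC-xxxxxxxxxx,(null)
Collector: name=test-FAC2 address=10.191.19.35:8003 SN=FAC-xxxxxxxxxx
Connected to collector FAC-xxxxxxxxxx at 10.191.19.35:8003
send collector HELLO
process collector HELLO
Send all logons (total 1) in vdom 'Default' to collector: 10.191.19.35:8003
Send LOGON_INFO (640 bytes) to collector: 10.191.19.35:8003
process collector LOGON_ACK
Collector asks to keepalive: 10.191.19.35:8003
"""

@dataclass
class SupplierState:
    collectors: dict = field(default_factory=dict)  # collector name -> address:port
    connected: set = field(default_factory=set)     # addresses with an established connection
    hello_sent: bool = False
    hello_acked: bool = False
    logons_offered: int = 0
    logon_acked: bool = False
    def healthy(self) -> bool:  # forwarding works once HELLO completed and logons were acknowledged
        return bool(self.connected) and self.hello_sent and self.hello_acked and self.logon_acked
    def warnings(self) -> list:
        w = []
        if self.collectors and not self.connected:
            w.append("collector defined but no connection established")
        if len(self.collectors) > 1:
            w.append("multiple collectors defined; only one will receive logons")
        return w

# Exact debug lines that mark a handshake step -> the state flag they set.
FLAGS = {"send collector HELLO": "hello_sent", "process collector HELLO": "hello_acked",
         "process collector LOGON_ACK": "logon_acked"}

def parse_supplier_debug(text: str) -> SupplierState:
    st = SupplierState()
    for line in text.splitlines():
        if m := re.match(r"Collector: name=(\S+) address=(\S+) SN=", line):
            st.collectors[m[1]] = m[2]
        elif m := re.match(r"Connected to collector \S+ at (\S+)", line):
            st.connected.add(m[1])
        elif line.strip() in FLAGS:
            setattr(st, FLAGS[line.strip()], True)
        elif m := re.match(r"Send all logons \(total (\d+)\)", line):
            st.logons_offered = int(m[1])
    return st
```

Paste the supplier node's debug page output into `parse_supplier_debug` and inspect `healthy()` and `warnings()`; a supplier with two collector entries but one connection is reported as expected behaviour given the note above, not as a fault.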
