samarth-a (Staff), June 3, 2026

Technical Tip: How to manage FSSO group retrieval in FortiManager when 2047 groups are shown 


Description


This article describes how to manage Fortinet Single Sign-On (FSSO) group retrieval in FortiManager when the FSSO Agent connector shows 2047 groups and the required Active Directory groups are not visible in the list.


In large Active Directory environments, FortiManager may retrieve a very large group list from the FSSO Collector Agent. Once the retrieved list reaches 2047 groups, valid Active Directory groups can be missing from the FortiManager connector group list even though they exist in the directory.


This behavior can be addressed by filtering the group list on the FSSO Collector Agent or by using an LDAP server object as the local group source in FortiManager. 


Scope 


FortiManager, FortiGate.


Solution


FortiManager offers three User Group Source options for FSSO group selection: 


Collector Agent:

FortiManager retrieves groups from the FSSO Collector Agent. 

This method is preferred when the required groups are visible, or when the Collector Agent group list can be filtered before FortiManager imports the groups. 


Via FortiGate:

FortiManager retrieves groups through a managed FortiGate. 

This method can be used when FortiGate already has a working FSSO configuration, and the required groups are visible from FortiGate. 


Local:

FortiManager uses an LDAP server object to select or specify LDAP group distinguished names. 

This method can be used when the required groups are not visible from the Collector Agent group list. Group references use the LDAP distinguished name format. 


Example behavior:

  • FortiManager is configured with an FSSO Agent connector.

  • The connector uses the Collector Agent as the User Group Source.

  • After Apply & Refresh is selected, FortiManager shows User Groups (2047).

  • A required Active Directory group exists in Active Directory, but the group is not visible in the imported group list.


Method 1: Filter the group list on the FSSO Collector Agent.

This method keeps the FortiManager connector set to Collector Agent and reduces the group list before FortiManager imports it. 


A Collector Agent group filter can be configured in either of the following ways: 

  • Use a filter with the FortiManager serial number.

  • Use a default filter.


A FortiManager serial-specific filter is preferred when only the FortiManager-imported group list must be reduced. 


A default filter can also reduce the FortiManager-imported group list, but it may affect devices without a more specific filter. 


On the FSSO Collector Agent: 

  1. Open the FSSO Agent configuration utility.

  2. Select Set Group Filters.

  3. Select Add.

  4. Enter the FortiManager serial number in the serial number field, or enable the default filter if a default filter is intended.

  5. Add only the required Active Directory groups.

  6. Select OK.

  7. Select Apply.


On FortiManager: 

  1. Go to Fabric View -> External Connectors.

  2. Edit the FSSO Agent connector.

  3. Keep User Group Source set to Collector Agent.

  4. Select Apply & Refresh.

  5. Confirm that the group list is reduced and the required groups are visible.  


After the required groups are visible, reference them in the FortiManager policy package or user group configuration as needed.


Method 2: Use a local group source with an LDAP server object.

Use this method when Collector Agent filtering is not suitable, or when the required groups still cannot be selected through the Collector Agent group list. 

This method lets FortiManager select or specify the required LDAP group distinguished names. 


On FortiManager: 

  1. Go to Policy & Objects -> User & Authentication -> LDAP Servers.

  2. Create or edit the LDAP server object.

  3. Configure the LDAP server IP address or FQDN, port, common name identifier, distinguished name, bind type, username, and password.

  4. Save the LDAP server object.


Configure the FSSO connector: 

  1. Go to Fabric View -> External Connectors.

  2. Edit the FSSO Agent connector.

  3. Set User Group Source to Local.

  4. Select the LDAP server object.

  5. Select the required LDAP groups from the Remote Server or manually specify the LDAP distinguished names.

Example LDAP group distinguished name: 

CN=<group_name>,OU=<organizational_unit>,DC=<domain>,DC=<suffix> 


Example: 

CN=Internet-Access-Group,OU=Security-Groups,DC=example,DC=com 
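The helper below is an added example and is not code from the original article or from Fortinet. It builds a group DN in the CN=<group_name>,OU=<organizational_unit>,DC=<domain>,DC=<suffix> form shown above with the escaping that RFC 4514 requires (a comma, plus sign, quote or leading space in an Active Directory group name must be backslash-escaped), and it sanity-checks a DN before it is entered manually in the FortiManager connector. It goes slightly beyond the article's template by also accepting groups that live in the default CN=Users container rather than an OU. All group, OU and domain names in it are constructed; the function names are the example's own.

```python
"""RFC 4514 distinguished-name helpers for FSSO group references.

Added example, not code from the original article or from Fortinet. Builds
the CN=<group_name>,OU=<organizational_unit>,DC=<domain>,DC=<suffix> form
and sanity-checks a hand-entered DN. Group and OU names are constructed.
"""
from __future__ import annotations

import re

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_ESCAPE_ANYWHERE = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape one attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#'
        elif ch == "\x00":
            out.append("\\00")         # NUL must be hex-escaped
        else:
            out.append(ch)
    return "".join(out)


def build_group_dn(group: str, containers: list[str], domain: str) -> str:
    """Compose the DN of an AD group.

    `containers` lists parent containers innermost first, as AD prints them,
    e.g. ["Security-Groups"] or ["CN=Users"]; a plain name is taken as an OU.
    `domain` is the DNS domain name, e.g. "example.com".
    """
    parts = ["CN=" + escape_rdn_value(group)]
    for c in containers:
        m = re.match(r"(?i)(OU|CN)=(.*)", c)
        typ, name = (m.group(1).upper(), m.group(2)) if m else ("OU", c)
        parts.append(f"{typ}={escape_rdn_value(name)}")
    parts += ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(parts)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (TYPE, unescaped value) pairs, honouring \\x and \\HH escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(bytes.fromhex(dn[i + 1:i + 3]).decode("latin-1"))
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped special character
                i += 2
            continue
        if ch == ",":                  # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().upper(), val))
    return pairs


def check_group_dn(dn: str) -> list[str]:
    """Return structural problems with a DN meant for an FSSO group reference.

    An empty list means the DN has the CN=...,(OU|CN)=...,DC=...,DC=... shape.
    This cannot confirm that the group actually exists in Active Directory.
    """
    try:
        pairs = split_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    types = [t for t, _ in pairs]
    if not types or types[0] != "CN":
        problems.append("DN must start with CN=<group_name>")
    if types.count("DC") < 2:
        problems.append("at least two DC components expected (DC=<domain>,DC=<suffix>)")
    first_dc = types.index("DC") if "DC" in types else len(types)
    if any(t != "DC" for t in types[first_dc:]):
        problems.append("DC components must come last")
    if any(t not in ("OU", "CN") for t in types[1:first_dc]):
        problems.append("only OU or CN containers allowed between the group CN and DC")
    if any(v == "" for _, v in pairs):
        problems.append("empty attribute value")
    return problems


if __name__ == "__main__":
    dn = build_group_dn("Internet-Access-Group", ["Security-Groups"], "example.com")
    print(dn, check_group_dn(dn) or "ok")
```

If a group name contains a comma or another RFC 4514 special character, the manually specified DN in FortiManager must carry the backslash escape (for example CN=Sales\, EMEA,...); a DN copied without it splits into an extra RDN and will not match the group.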



After the required groups are selected, reference them in the FortiManager policy package or user group configuration and install the policy package to FortiGate. 


Notes:

  • A default Collector Agent filter may affect devices that do not have a matching specific filter. Use a FortiManager serial-specific filter when the goal is only to control the group list imported by FortiManager.

  • FortiManager group selection handles the configuration side only. FortiGate must still receive valid user-to-IP and group membership information from the Collector Agent for the firewall policy to match, so the Collector Agent group filter that applies to the FortiGate (its serial-specific filter, or the default filter if none exists) must also include the groups referenced in the policy.

  • General FSSO configuration steps are covered in existing documentation and related articles. This article only covers group retrieval behavior and group selection methods in FortiManager.


Related articles:

Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode

Technical Tip: Configuring FSSO from FortiManager