N_W
Explorer
December 30, 2024
Question

FSSO Integration Issue with SSL VPN Authentication Portal Mapping


Hello, I have integrated FSSO and there is no issue, I even installed the DC agent. However, in the SSL VPN policy, I cannot select the FSSO groups under the authentication portal mapping in the SSL VPN settings, as they are not shown, only LDAP is displayed. What could be the issue? I want to configure the SSL VPN rules with FSSO, not LDAP. Where am I making a mistake or is this possible?

3 replies

kaman
Staff
December 30, 2024

Hi N_W,

If you want to use AD Authentication with SSL-VPN then LDAP authentication will work for you. FSSO doesn't work with SSL VPN; you can integrate authentication with LDAP. Please note that SSL-VPN is for remote users who of course will not be communicating with AD Server.

However, for SSO to work, a user needs to be authenticated first, then their login credentials are passed from one system to the next. Outside users are not authenticated before they attempt to log into the firewall. You can use the same login database (AD) for authentication for both incoming (via LDAP) and outgoing (via FSAE/FSSO).

Please refer to the below document for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Fortinet-Single-Sign-On-FSSO-for-SSL-VPN/ta-p/229274

If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

N_W
Author
Explorer
December 30, 2024

Hello, thank you for your feedback. I understood that I cannot add the group created with FSSO from the SSL VPN Settings portal mapping section. Thank you

firacode
New Member
December 30, 2024

The issue likely arises from how FSSO groups are integrated and mapped in the SSL VPN authentication portal. Ensure that FSSO groups are visible under User & Device > User Groups and properly linked to your FortiGate configuration. If these groups are not showing in the SSL VPN settings, manually create user groups linked to FSSO under User & Authentication > User Groups. Verify that the SSL VPN portal mapping includes the FSSO groups and not just LDAP, as the portal may default to LDAP for authentication. Check your FortiOS version for compatibility, as some versions may require additional configurations for FSSO with SSL VPN. If issues persist, debug using diag debug authd fsso to ensure FSSO is functioning correctly, and consult Fortinet support for further assistance if needed.

N_W
Author
Explorer
December 30, 2024

Hello, thank you for your feedback. I understood that I cannot add the group created with FSSO from the SSL VPN Settings portal mapping section. Thank you.

ebilcari
Staff
December 30, 2024

The main reason is that SSLVPN will need an active authentication method like LDAP or RADIUS; FSSO is a passive way of authentication and cannot be used in this case.

Emirjon

N_W
Author
Explorer
December 30, 2024

Sure, here is the translation of your text:

"Will it be sufficient to just configure policies with LDAP and establish a connection for the users to be interpreted without writing rules with the FSSO agent?"