Description
This article describes how to create a secured FSSO connector between FortiGate and FortiTrust Identity using certificates.
Scope
FortiTrust Identity, FortiGate.
Solution
External connectors in FortiGate devices are essential for expanding network capabilities, enhancing security, integrating with other systems, and providing flexibility and scalability. They play a crucial role in optimizing network performance, ensuring high availability, and supporting comprehensive management and monitoring.
By default, FortiGate uses port 8000 for FSSO communication with FortiTrust Identity.
Since the collector agent (FortiTrust Identity) is not on-premises, using certificates secures the communication between FortiGate and FortiTrust Identity.
Newer versions of FortiTrust Identity provide an 'Enable encryption' feature. This can be verified after logging in to FortiTrust Identity under Fortinet SSO -> Settings -> FortiGate.
Figure 1. Enable encryption on FortiTrust Identity
In this article, FortiTrust Identity is used as a Root Certificate Authority, which issues the certificate used for FSSO.
Go to FortiTrust Identity, Certificate Management -> Certificate Authority -> Local CAs -> Create New.
Specify the Certificate ID, select Root CA as the Certificate type, fill in the other fields under Subject Information, and select Save.
Figure 2. Generating Root CA
Create another Local Service certificate signed by this Root CA, which will be linked to the FSSO encryption settings in FortiTrust Identity.
Go to FortiTrust Identity, Certificate Management -> End Entities -> Local Services -> Create New.
Specify Certificate ID, select the Certificate Authority Root CA created previously, and fill in the Subject Information fields. Under Subject Alternative Name, specify the SAN DNS entry of the FortiTrust Identity FQDN, and select Save.
Figure 3. Creating Local Services Certificate
Make sure that the FortiGate FSSO service is enabled on the interface. Select System -> Administration -> Access Rights.
Figure 4. FSSO service enabled on Interface
The Root CA created earlier in FortiTrust Identity must be exported so that it can be imported as a Remote CA certificate on the FortiGate side. Go back to Local CAs under Certificate Authority, select the certificate, and select Export Certificate.
Figure 5. Exporting Root CA
The next step is to import this exported certificate to FortiGate as Remote CA Certificate.
Log in to the FortiGate, then select System -> Certificates -> Create/Import -> CA Certificate.
Figure 6. Importing Root CA in FortiGate
Next, create an FSSO External Connector with FortiTrust Identity. While still logged in to FortiGate, select Security Fabric -> External Connectors and select Create New.
Specify the FQDN of the FortiTrust Identity, as well as the secret, and select the imported Root CA from FortiGate.
Figure 7. External Connector
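The procedure above relies on three things lining up: the Local Service certificate must be signed by the Root CA, its SAN DNS entry must match the FQDN that is typed into the External Connector, and the Root CA imported on FortiGate must be the same one that issued the service certificate. The following script is an added example (not part of the article and not Fortinet code) that reproduces that relationship with OpenSSL on a workstation, so the same checks can be run against certificates exported from FortiTrust Identity before they are imported. The FQDN ftid.example.com is a constructed placeholder; the throwaway CA and service certificate are generated locally and stand in for the Local CA and Local Service certificate created in the GUI.

```shell
#!/bin/sh
# Placeholder FQDN standing in for the FortiTrust Identity FQDN used on the connector.
FTID_FQDN="ftid.example.com"
WORK="$(mktemp -d)"

# Build a throwaway Root CA and a service certificate signed by it, mirroring
# the Local CA and the Local Service certificate created in FortiTrust Identity.
# The SAN is added through -extfile so it works on OpenSSL 1.1.1 and 3.x alike.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example FSSO Root CA" \
    -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$FTID_FQDN" \
    -keyout "$WORK/service.key" -out "$WORK/service.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$FTID_FQDN" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/service.csr" \
    -CA "$WORK/rootca.pem" -CAkey "$WORK/rootca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/service.pem" >/dev/null 2>&1
}

# Returns 0 when the service certificate chains to the Root CA. This is the
# check FortiGate performs with the imported Remote CA certificate; replace the
# two paths with the files exported from FortiTrust Identity to test real ones.
verify_chain() {
  openssl verify -CAfile "$WORK/rootca.pem" "$WORK/service.pem" >/dev/null 2>&1
}

# Returns 0 when the SAN DNS entry matches the FQDN configured on the connector.
verify_san() {
  openssl x509 -in "$WORK/service.pem" -noout -text | grep -qF "DNS:$FTID_FQDN"
}

# Negative control: a certificate issued by an unrelated CA must not verify
# against the imported Root CA, so a wrong export is caught before import.
verify_chain_rejects_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  ! openssl verify -CAfile "$WORK/other.pem" "$WORK/service.pem" >/dev/null 2>&1
}

make_test_pki
verify_chain && echo "chain OK: service certificate is signed by the Root CA"
verify_san && echo "SAN OK: DNS:$FTID_FQDN is present in the service certificate"
verify_chain_rejects_other_ca && echo "negative control OK: unrelated CA is rejected"
```

To check the real certificates, point verify_chain and verify_san at the Root CA exported from Local CAs and the Local Service certificate, and set FTID_FQDN to the value entered in the External Connector; a failure in either check explains a Not Connected status before any debug session is needed.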
If the status is shown as Not Connected, debug information can be retrieved from https://<FTID-FQDN>/debug by selecting FSSO Agent.