FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Debbie_FTNT
Staff
Staff
Article Id 204724

Description

 

This article expands upon FortiAuthenticator FSSO configuration in the administration guide:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/712256/general-sett...

 

Solution

 

FortiAuthenticator can act as an FSSO Collector Agent. It supports both polling and agent mode when acting as Collector Agent, same as the independent Collector Agent software.

Both can be enabled under Fortinet SSO Methods -> SSO -> General.

 

Debbie_FTNT_0-1644748543414.png

 

Note.

FortiAuthenticator can also parse RADIUS Accounting Messages and Syslog logs for user logins and add them to SSO.

 

Also, verify that the interface in question has FSSO allowed:

 

Debbie_FTNT_1-1644748543422.png

 

For Polling Mode, FortiAuthenticator needs to have at least one Windows Event Log Source configured:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/501782/windows-even...

 

For DC Agent mode, the toggle must be enabled, and a listening port specified if something other than tcp/8002 should be used.

 

In addition, the DC Agent must be installed manually on domain controllers and configured to communicate with FortiAuthenticator.

 

DC Agent software specifically may be downloaded under support.fortinet.com -> Support -> Firmware Download -> FortiGate -> Firmware -> FSSO folder:

 

Debbie_FTNT_2-1644748543426.png

 

If uncertain what DC Agent version to use, either contact Technical Support or use a version with a similar 'Date Created/Date Modified' value to the FortiAuthenticator firmware.

 

DC Agents then need to be manually installed on any domain controllers that should forward user logins to FortiAuthenticator.

 

During the installation wizard, the Collector Agent IP is requested:

 

Debbie_FTNT_3-1644748543434.png

 

Once this is set, the DC Agent should start collecting and forwarding login events to FortiAuthenticator.

 

Note.

The above may also be set as registry keys, under HKEY_LOCAL_MACHINE -> Software -> Fortinet -> FSA -> DC Agents -> ca.

 

There should be a registry key for each collector agent.

 

Debbie_FTNT_4-1644748543438.png

 

 

 FortiAuthenticator should then display SSO sessions:

 

Debbie_FTNT_5-1644748543439.png