FortiGate
rpmadathil_FTNT
Article Id 196633

Description

This article explains how to integrate single sign-on and local authentication for explicit proxy users.

Solution

The following CLI commands configure single sign-on (FSSO) and local authentication for explicit proxy users.

Configure the local and FSSO authentication schemes for the FortiGate explicit proxy:

config authentication scheme
    edit "local"
        set method form
        set require-tfa disable  <-- Two-factor authentication is not required for this scheme.
        set user-database "local"  <-- Local authentication.
    next
    edit "fsso"
        set method fsso  <-- Single sign-on scheme; its name must match the sso-auth-method referenced by the authentication rule.
    next
end

Configure the local and FSSO authentication rules for the FortiGate explicit proxy. Rules are matched in the order shown, so the FSSO rule for the specific source address (rule 2) is listed above the catch-all local authentication rule (rule 1):

config authentication rule
    edit "2"
        set status enable
        set protocol http
        set srcaddr "Ip_172.31.134.150"
        set ip-based enable
        set active-auth-method ''
        set sso-auth-method "fsso"  <-- Single sign-on scheme.
        set comments ''
    next
    edit "1"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based enable
        set active-auth-method "local"  <-- Local authentication scheme.
        set sso-auth-method ''
        set comments ''
    next
end

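A dangling scheme reference (an authentication rule whose sso-auth-method or active-auth-method names a scheme that does not exist, or one of the wrong type) silently breaks proxy authentication. As an added example, not part of the Fortinet article, the following Python check parses FortiOS-style config text and flags such references; SAMPLE is a constructed config that deliberately names the SSO scheme "fo" while rule "2" references "fsso", and SSO_METHODS is an assumption about which scheme methods count as single sign-on types.

```python
# Constructed sample in FortiOS CLI syntax: the SSO scheme is named "fo" while rule "2" references "fsso".
SAMPLE = """\
config authentication scheme
    edit "local"
        set method form
    next
    edit "fo"
        set method fsso
    next
end
config authentication rule
    edit "2"
        set active-auth-method ''
        set sso-auth-method "fsso"
    next
end
"""
SSO_METHODS = {"fsso", "rsso"}  # assumption: the scheme methods usable as sso-auth-method

def parse_tables(text):
    """Parse FortiOS 'config/edit/set/next/end' text into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip("'\"")
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def check_auth_rules(text):
    """Flag rules that name an undefined scheme, or a scheme of the wrong type for the attribute."""
    tables = parse_tables(text)
    schemes = tables.get("authentication scheme", {})
    problems = []
    for name, rule in tables.get("authentication rule", {}).items():
        for attr in ("active-auth-method", "sso-auth-method"):
            ref = rule.get(attr, "")  # '' means the attribute is unset
            method = schemes.get(ref, {}).get("method")
            if ref and method is None:
                problems.append(f"rule {name}: {attr} references undefined scheme '{ref}'")
            elif ref and (method in SSO_METHODS) != (attr == "sso-auth-method"):
                problems.append(f"rule {name}: scheme '{ref}' ({method}) does not fit {attr}")
    return problems
```

Running check_auth_rules over a `show authentication scheme` / `show authentication rule` export reports the rule and attribute at fault; an empty list means every reference resolves to a scheme of the right type.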

Configure the explicit web proxy policies that reference the user groups:

config firewall proxy-policy
    edit 2
        set uuid 2e80b2c6-283d-51e9-a17c-63e20afb33dc
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "Ip_172.31.134.150"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_PROXY"  <-- FSSO user group.
    next
    edit 1
        set uuid bb042630-2566-51e9-2140-39bae534f3cf
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "SSO_Guest_Users"
        set profile-protocol-options "test"
    next
end

Useful troubleshooting commands if authentication is not working:

diagnose wad debug enable category all auth
diagnose wad debug enable level verbose
diagnose debug enable