FortiGate
gmanea
Staff
Article Id 196554


Description

This article describes how to configure SSO Auto with LDAP users for SSL-VPN bookmarks.


Scope


FortiGate

Solution
Note: At present, FortiGate SSL-VPN SSO supports only form-based authentication and the HTTP Basic authentication method. Other methods such as Integrated Windows Authentication (NTLM/Kerberos) and Digest are not supported by SSO. Because the FortiAuthenticator login page uses form-based authentication, an HTTP/HTTPS bookmark pointing at a FortiAuthenticator is used as the example below. Before configuring a bookmark for any other web resource, confirm from its login page source that it uses an HTML form that posts username and password fields rather than one of the unsupported schemes.

Output of "view page source" on the FortiAuthenticator login page (note the form posts a "username" and a "password" field; these are the fields that SSO fills automatically):

<div class="inner_wrapper">
    <form id="login_form" action="" method="post" autocomplete="off"><input type='hidden' name='csrfmiddlewaretoken' value='mSsFkkcooLE3hf6tSDHfNEsrsI9KVHHX' />
        <div>
            <table>
                <tbody>
                <tr>
                    <td><input id="id_username" placeholder="Username" maxlength="253" name="username" type="text" value=""></td>
                </tr>
                <tr>
                    <td><input id="id_password" placeholder="Password" name="password" type="password"></td>
                </tr>
                </tbody>
            </table>
            <input type="hidden" name="next" value="/">
            <input class="submit" type="submit" value="Login">
        </div>
    </form>
</div>

1) Configure the LDAP server. The example binds with the domain Administrator account; in production use a dedicated read-only bind account with a strong password, since the bind credentials are stored on the FortiGate and used for every lookup, and prefer LDAPS so they are not sent in clear text:

# config user ldap
    edit "LDAPSERVER"
        set server "172.16.190.216"
        set cnid "sAMAccountName"
        set dn "dc=iba,dc=local"
        set type regular
        set username "cn=Administrator, cn=Users, dc=iba, dc=local"
        set password SUPERSECRETPASSWORD
    next
end

1.1) Check connectivity between the FortiGate and the LDAP server. In the GUI, click the "Test Connectivity" button, or run the following CLI command. It also performs a user bind, so it confirms that the bind DN, base DN and cnid are correct:

# diagnose test authserver ldap <server_name> <username> <password>

2) Configure the LDAP user group (the group-name must be the full DN of the group on the LDAP server, and the member value must match the LDAP server name exactly, without surrounding spaces):

# config user group
    edit "ldapgroup1"
        set member "LDAPSERVER"
        config match
            edit 1
                set server-name "LDAPSERVER"
                set group-name "CN=ldapgroup1,CN=Users,DC=iba,DC=local"
            next
        end
    next
end

3) Configure the SSL-VPN portal and a bookmark with SSO set to "auto" (the FortiGate reuses the credentials entered at SSL-VPN login to sign in to the web resource):


Note: the bookmark URL is https://x.x.x.x/login/?next=/, the login page URL of the FortiAuthenticator. The bookmark should normally point at the login page itself; if it points at another page (for example one that redirects to the login), the credential auto-fill may not work.

4) Configure Authentication/Portal Mapping in the SSL-VPN settings so that the LDAP user group is mapped to the portal that contains the bookmark:

5) Configure the firewall policy that allows the LDAP user group from the SSL-VPN tunnel interface to the internal network (the group on the policy must match the one mapped to the portal in step 4). The example uses "all" as the destination; restrict it to the web resource where possible:
# config firewall policy
    edit 3
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldapgroup1"
        set nat enable
    next
end
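The CLI equivalent of steps 3 and 4, whose GUI screenshots are not reproduced here. This is an added example, not configuration taken from the original article; it assumes a portal named "full-access", the default bookmark group "gui-bookmarks" and a bookmark named "FortiAuthenticator", and x.x.x.x stands for the FortiAuthenticator address as in the note above. The "#" lines are comments for the reader and are not entered at the CLI.

```fortios
# Step 3: portal with a web bookmark whose SSO mode is "auto".
# "sso-credential sslvpn-login" (the default) makes the bookmark
# replay the username/password entered at SSL-VPN login.
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "FortiAuthenticator"
                        set apptype web
                        set url "https://x.x.x.x/login/?next=/"
                        set sso auto
                        set sso-credential sslvpn-login
                    next
                end
            next
        end
    next
end

# Step 4: authentication/portal mapping. Users who log in to SSL-VPN
# as members of ldapgroup1 (step 2) are given the portal above.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "ldapgroup1"
            set portal "full-access"
        next
    end
end
```

The group named in the authentication rule, the group on the firewall policy in step 5 and the LDAP group from step 2 must all be the same object; if the rule maps a different group, the user lands on the default portal and never sees the bookmark.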
6) Connect to the web portal and check that the bookmark opens the web resource without prompting for credentials:

6.1) Set the following option on the FortiGate portal:

config vpn ssl web portal
    edit <PORTAL>
        set hide-sso-credential disable
    next
end

When 'hide-sso-credential' is enabled, the login form is filled with the placeholder value fgt_sso_key in place of the username; once the option is disabled, the FortiGate fills the form with the credentials the user entered at SSL-VPN login. Be aware that with the option disabled the user's real credentials are sent to the browser as form values (the option exists to prevent exactly that), so they will be visible in the browser's developer tools and in any HAR capture taken during the login; treat such captures as sensitive.


6.2) Make sure that the web resource (in this example, the FortiAuthenticator) accepts authentication for the LDAP user configured on the FortiGate. SSO only replays the SSL-VPN login credentials, so the same account must be a valid login on the target; if the target rejects it, the bookmark will show the target's own login page or error rather than a FortiGate error.

For troubleshooting, run the following CLI commands, then reproduce the SSL-VPN login and the bookmark connection:

# diagnose debug reset

# diagnose debug console timestamp enable

# diagnose debug application fnbamd -1

# diagnose debug application sslvpn -1

# diagnose debug enable

The fnbamd output shows the LDAP bind and group-membership checks from steps 1 and 2; the sslvpn output shows the portal login and the proxying of the bookmark. Turn debugging off afterwards with 'diagnose debug disable'.

The browser's developer tools can also be used to collect a HAR file while connecting to the bookmark, as explained in the related article. A HAR file records complete requests and responses, including cookies and any submitted form values, so review and redact it before sharing.

Related Articles

Troubleshooting Tip: How to collect HAR file