This article describes how to configure SSO Auto with LDAP users for SSL-VPN bookmarks.
Scope
FortiGate
Solution
Note: At this moment, the FortiGate's SSL-VPN SSO supports only the FORM-BASED authentication method and the BASIC authorization method. Other authentication methods, such as Integrated Windows and Digest, are currently not supported by SSO. Since the FortiAuthenticator login page uses form-based authentication, the following example configures an HTTP/HTTPS bookmark to a FortiAuthenticator.
Output of "view page source" on the FortiAuthenticator login page (note the POST form with a username field, a password field and hidden fields):
<div class="inner_wrapper">
<form id="login_form" action="" method="post" autocomplete="off"><input type='hidden' name='csrfmiddlewaretoken' value='mSsFkkcooLE3hf6tSDHfNEsrsI9KVHHX' />
<div>
<table>
<tbody>
<tr>
<td><input id="id_username" placeholder="Username" maxlength="253" name="username" type="text" value=""></td>
</tr>
<tr>
<td><input id="id_password" placeholder="Password" name="password" type="password"></td>
</tr>
</tbody>
</table>
<input type="hidden" name="next" value="/">
<input class="submit" type="submit" value="Login">
</div>
</form>
</div>
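Before building the bookmark, it is worth confirming that the target really uses a login mechanism SSO auto can fill. The following added example (not part of the Fortinet article) parses a login page the way the note above describes: it reports a POST form with username/password fields as form-based, an HTTP Basic challenge as supported, and anything else (Digest, Negotiate, no form) as unsupported. The sample HTML is a constructed copy of the FortiAuthenticator form shown above with a placeholder CSRF token.

```python
from html.parser import HTMLParser

# Constructed sample input: the FortiAuthenticator login form from the page source above,
# with the CSRF token replaced by a placeholder.
FAC_LOGIN_PAGE = """
<form id="login_form" action="" method="post" autocomplete="off">
<input type='hidden' name='csrfmiddlewaretoken' value='PLACEHOLDER_TOKEN' />
<input id="id_username" placeholder="Username" name="username" type="text" value="">
<input id="id_password" placeholder="Password" name="password" type="password">
<input type="hidden" name="next" value="/">
<input class="submit" type="submit" value="Login">
</form>
"""

class _LoginFormParser(HTMLParser):
    """Collects every <form> on the page together with its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []   # each entry: {"method": str, "inputs": [{"type", "name"}]}
        self._cur = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append({"type": (a.get("type") or "text").lower(),
                                        "name": a.get("name")})
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def classify_login(html, www_authenticate=None):
    """Return (scheme, detail); scheme is 'form', 'basic' or 'unsupported'.
    www_authenticate is the value of a WWW-Authenticate header, if the resource sent one."""
    if www_authenticate:
        scheme = www_authenticate.split()[0].lower()
        if scheme == "basic":
            return "basic", "HTTP Basic challenge: supported by SSL-VPN SSO"
        return "unsupported", "HTTP %s challenge: not supported by SSL-VPN SSO" % scheme
    parser = _LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        types = [i["type"] for i in form["inputs"]]
        if form["method"] == "post" and "password" in types:
            fields = [i["name"] for i in form["inputs"] if i["type"] in ("text", "password")]
            hidden = [i["name"] for i in form["inputs"] if i["type"] == "hidden"]
            return "form", {"fields": fields, "hidden": hidden}
    return "unsupported", "no POST form with a password field found"
```

The hidden-field list matters in practice: a per-session CSRF token like the one above is fetched by the FortiGate when it loads the login URL, which is why the bookmark must point at the login page itself.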
1) Configure LDAP server:
# config user ldap
    edit "LDAPSERVER"
        set server "172.16.190.216"
        set cnid "sAMAccountName"
        set dn "dc=iba,dc=local"
        set type regular
        set username "cn=Administrator, cn=Users, dc=iba, dc=local"
        set password SUPERSECRETPASSWORD
    next
end
1.2) Check the connectivity between the FortiGate and the LDAP server. In the GUI, click the "Test Connectivity" button, or run the following CLI command:
# diagnose test authserver ldap <server_name> <username> <password>
2) Configure LDAP user group:
# config user group
    edit "ldapgroup1"
        set member "LDAPSERVER"
        config match
            edit 1
                set server-name "LDAPSERVER"
                set group-name "CN=ldapgroup1,CN=Users,DC=iba,DC=local"
            next
        end
    next
end
3) Configure the SSL-VPN portal and a bookmark with SSO type "auto" (the FortiGate will automatically use the SSL-VPN login credentials to connect to the web resource):
Note: the URL specified for the bookmark is https://x.x.x.x/login/?next=/, since that is the login page URL of the FortiAuthenticator. In general, the bookmark should point at the resource's login URL; otherwise SSO may not work.
4) Configure Authentication/Portal Mapping in SSL-VPN settings:
5) Configure the firewall policy:
# config firewall policy
    edit 3
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldapgroup1"
        set nat enable
    next
end
6) Connect to the web portal and check the connection to the bookmark:
6.1) Set the option below on the FortiGate:
# config vpn ssl web portal
    edit <PORTAL>
        set hide-sso-credential disable
    next
end
When 'hide-sso-credential' is enabled, the credentials are auto-filled with the username replaced by a fgt_sso_key. Once the option is disabled, the FortiGate auto-fills the credentials of the connected SSL-VPN user.
6.2) Make sure that the web resource (in this example, the FortiAuthenticator) allows authentication for the LDAP user that is pre-configured on the FortiGate.
For troubleshooting, use the following CLI commands:
# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug application sslvpn -1
# diagnose debug enable
Also, the browser's developer tools can be used to collect a HAR file while connecting to the bookmark, as explained in the related article.
Copyright 2024 Fortinet, Inc. All Rights Reserved.