Description
This article explains the standard mode and advanced mode of the FSSO collector Agent.
Scope
FortiGate.
Solution
FSSO has two modes of operation: Standard Mode and Advanced Mode.
- Standard: The FortiGate receives group information from the Collector Agent in the domain\user format, and the group filter is maintained on the Collector Agent.
- Advanced: The FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. The group information is in standard LDAP format 'CN=myGroup,OU=myOrganizationUnit,DC=myDomain'. In this mode the monitored groups are specified on the FortiGate.
It is necessary for the Collector Agent and FortiGate to have the same Directory Access mode, or the connection between them might fail.
Even though Standard mode is the default mode of operation, it is sometimes necessary to switch to Advanced mode in order to comply with company policies or to authenticate nested groups.
To switch the FSSO Directory Access mode, the following steps are needed (this applies only if an FSSO solution has been deployed and does not address steps required to deploy a fresh FSSO install). Starting from firmware branch 6.0 there were some GUI changes on the FortiGate but the underlying mechanism is the same.
Collector Agent.
- On the Collector Agent (CA), open the Fortinet Single Sign On Agent Configuration console and select the Set Directory Access Information button.
- Select the required mode and apply changes by selecting the 'OK' button.
- If any filters have been configured, remove old filters by selecting Set Group Filters, selecting filters, and then pressing the 'remove' button.
- After the group filter is specified, the FSSO service should be restarted automatically.
FortiGate v6.0.x and v6.2.x.
- On the FortiGate, go to Security Fabric -> Fabric Connectors and edit the FSSO entry.
- To use the group filter specified on the FSSO collector agent, change the User Group Source to Collector Agent. Save the setting with 'OK' and, if needed afterwards, select 'Apply & Refresh'.
After selecting the 'Apply & Refresh' button, the groups specified in the FSSO CA group filter should be visible.
From the CLI, the same refresh is done by running the following:
diagnose debug authd fsso refresh-groups
- To specify a group filter on the FortiGate, change the User Group Source to Local.
Select one of the pre-configured LDAP server entries on the FortiGate, then select the groups, users, or OUs that the filter should match.
Difference between User Group Source: Collector Agent and Local:
Collector Agent:
- Usually selected when the FSSO Collector Agent is configured in Standard mode.
Local:
- Usually selected when the FSSO Collector Agent is configured in Advanced mode. This option supports nested groups.
- Means that the Group Filter for users is specified on the FortiGate.
- The FortiGate can see the user information tree sent by the Collector Agent, but those users have to be selected explicitly in the group filter.
Run the following CLI command to clear and re-fetch the logons from the Collector Agent:
diagnose debug authd fsso refresh-logons
- Remap the local FSSO groups, because their members are unset by the Directory Access change on the FortiGate.
Go to User & Device -> User -> User Groups and specify AD groups that should be in the FSSO group.
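The following FortiOS CLI fragment is an added example, not part of the original article, showing the configuration equivalent of the GUI steps above for both modes; the entry names, the IP address, the LDAP server name and the group DN are placeholders.

```fortios
# Added example (not from the original article). Names, IP address and
# group DN are placeholders; replace them with the values of the deployment.

# Standard mode: User Group Source = Collector Agent. The group filter
# lives on the Collector Agent, so no LDAP server is referenced here.
config user fsso
    edit "FSSO_CA"
        set server "192.0.2.10"
        set password <collector-agent-password>
    next
end

# Advanced mode: User Group Source = Local. The same FSSO entry references
# a pre-configured LDAP server and the group filter is defined on the
# FortiGate, which is what allows nested groups to be resolved.
config user fsso
    edit "FSSO_CA"
        set server "192.0.2.10"
        set password <collector-agent-password>
        set ldap-server "AD_LDAP"
    next
end

# Remap the local FSSO group after the Directory Access change: the previous
# members are unset. In Advanced mode the member is the group's LDAP DN.
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# Re-read groups and logons from the Collector Agent after the change.
diagnose debug authd fsso refresh-groups
diagnose debug authd fsso refresh-logons
```

Only one of the two `config user fsso` blocks applies at a time; the Directory Access mode on the Collector Agent must match the choice made here, otherwise the connection fails as described above.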
Refer to the below article if the dynamic address type is used: