FortiGate
FiFa_FTNT
Staff
Article Id 194343

Description

This article explains the Standard mode and the Advanced mode of the FSSO Collector Agent.


Solution

FSSO has two modes of operation: Standard Mode and Advanced Mode.
 
  • Standard: The FortiGate receives group information from the Collector Agent in the domain\user format. In this mode the monitored groups are specified on the Collector Agent.
  • Advanced: The FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. The group information is in standard LDAP format "CN=myGroup,OU=myOrganizationUnit,DC=myDomain". In this mode the monitored groups are specified on the FortiGate.

It is necessary for the Collector Agent and FortiGate to have the same Directory Access mode, or the connection between them might fail.

Even though Standard mode is the default mode of operation, it is sometimes necessary to switch to Advanced mode in order to comply with company policies or to authenticate nested groups.

To switch the FSSO Directory Access mode, the following steps are needed (this applies only if an FSSO solution has already been deployed; it does not cover the steps required for a fresh FSSO install). Starting from firmware branch 6.0 there were some GUI changes on the FortiGate, but the underlying mechanism is the same.
Collector Agent

  1. On the Collector Agent (CA), open the Fortinet Single Sign On Agent Configuration console and select the Set Directory Access Information button.

  2. Select the required mode and apply the changes by selecting the 'OK' button.

  3. If any filters have been configured, remove the old filters by selecting Set Group Filters, selecting the filters, and then pressing the 'remove' button.

  4. After the group filter is specified, the FSSO service should be restarted automatically.

FortiGate 6.0.x and 6.2.x

  1. On the FortiGate, go to Security Fabric -> Fabric Connectors and edit the FSSO entry.

  2. To use the group filter specified on the FSSO collector agent, change the User Group Source to Collector Agent. Save the setting with 'OK' and, if needed afterwards, select 'Apply & Refresh'.

After selecting the 'Apply & Refresh' button, the groups specified in the FSSO CA group filter should be visible.

In the CLI, the same refresh is done by running the following:

diag debug authd fsso refresh-groups

  3. To specify a group filter on the FortiGate, change the User Group Source to Local.

Select one of the pre-configured LDAP server entries from the FortiGate and select which groups, users or OUs it is required to filter.
 

Difference between User Group Source 'Collector Agent' and 'Local':
Collector Agent:

  • Usually selected when FSSO Collector Agent is configured in Standard mode.
  • Means that the Group Filter for users is specified on the Collector Agent.

Local:

  • Usually selected when the FSSO Collector Agent is configured in Advanced mode.
  • Means that the Group Filter for users is specified on the FortiGate.
  • FortiGate can see the user information tree sent by the Collector Agent, but those users have to be explicitly selected.
 

Run the following CLI command to clear logons:
 
diag debug authd fsso refresh-logons
 
  4. Remap the local FSSO groups, as they will be unset by the Directory Access change on the FortiGate.

Go to User & Device -> User -> User Groups and specify the AD groups which should be in the FSSO group.
 
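The CLI equivalent of FortiGate steps 2 to 4 above, added here as an example and not part of the original article. The Collector Agent address, port, password, LDAP server name and group names are constructed placeholders; the Standard-mode block leaves ldap-server unset so the group filter comes from the Collector Agent, while the Advanced-mode block points at an existing LDAP server so the filter is specified on the FortiGate.

```fortios
# Standard mode, User Group Source = Collector Agent.
# No ldap-server is set, so the group filter lives on the Collector Agent
# and groups arrive as DOMAIN/GROUP. Addresses and names are constructed.
config user fsso
    edit "FSSO-Standard"
        set server "192.0.2.10"        # Collector Agent IP (placeholder)
        set port 8000                  # default CA listening port
        set password <CA_PASSWORD>     # placeholder shared secret with the CA
        unset ldap-server
    next
end

# Advanced mode, User Group Source = Local.
# The FortiGate resolves group membership through a pre-configured LDAP
# server, so the group filter is specified on the FortiGate in DN format.
config user fsso
    edit "FSSO-Advanced"
        set server "192.0.2.10"
        set port 8000
        set password <CA_PASSWORD>
        set ldap-server "AD-LDAP"      # existing LDAP server entry (placeholder)
    next
end

# Step 4: remap the local FSSO groups, which are unset by the mode change.
# In Advanced mode the member is the LDAP DN of the AD group;
# in Standard mode it would be written as "EXAMPLE/FINANCE".
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# Check that the FortiGate learned the expected groups and logons.
diagnose debug authd fsso refresh-groups
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso list
```

If `diagnose debug authd fsso list` shows no entries after the refresh, the Directory Access mode on the Collector Agent and the User Group Source on the FortiGate most likely do not match.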