FSSO Integration Issue with SSL VPN Authentication Portal Mapping
Hello, I have integrated FSSO and there is no issue, I even installed the DC agent. However, in the SSL VPN policy, I cannot select the FSSO groups under the authentication portal mapping in the SSL VPN settings, as they are not shown, only LDAP is displayed. What could be the issue? I want to configure the SSL VPN rules with FSSO, not LDAP. Where am I making a mistake or is this possible?
Hi N_W,
If you want to use AD authentication with SSL-VPN then LDAP authentication will work for you. FSSO doesn't work with SSL VPN; you can integrate authentication with LDAP. Please note that SSL-VPN is for remote users who of course will not be communicating with the AD server.
However, for SSO to work, a user needs to be authenticated first, then their login credentials are passed from one system to the next. Outside users are not authenticated before they attempt to log into the firewall. You can use the same login database (AD) for authentication for both incoming (via LDAP) and outgoing (via FSAE/FSSO).
Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Fortinet-Single-Sign-On-FSSO-for...
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
Hello, thank you for your feedback. I understood that I cannot add the group created with FSSO from the SSL VPN Settings portal mapping section. Thank you
The issue likely arises from how FSSO groups are integrated and mapped in the SSL VPN authentication portal. Ensure that FSSO groups are visible under User & Device > User Groups and properly linked to your FortiGate configuration. If these groups are not showing in the SSL VPN settings, manually create user groups linked to FSSO under User & Authentication > User Groups. Verify that the SSL VPN portal mapping includes the FSSO groups and not just LDAP, as the portal may default to LDAP for authentication. Check your FortiOS version for compatibility, as some versions may require additional configurations for FSSO with SSL VPN. If issues persist, debug using diag debug authd fsso to ensure FSSO is functioning correctly, and consult Fortinet support for further assistance if needed.
The main reason is that SSL VPN needs an active authentication method like LDAP or RADIUS; FSSO is a passive way of authentication and cannot be used in this case.
If you have found a solution, please like and accept it to make it easily accessible for others.
Sure, here is the translation of your text:
"Will it be sufficient to just configure policies with LDAP and establish a connection for the users to be interpreted without writing rules with the FSSO agent?"
If the firewall policies need to be configured on the same FGT that also handles the VPN, I think the FSSO agent configuration to parse the syslog is not needed. The FGT will have an active session for the VPN user that can be matched with an LDAP group.
If you have found a solution, please like and accept it to make it easily accessible for others.
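For readers who want to see what the answers above amount to in configuration, here is an added FortiOS CLI example (not from any post in this thread and not Fortinet's own documentation). It configures the SSL VPN exactly as the replies describe: the remote user is actively authenticated against AD over LDAPS, an LDAP-backed user group is mapped to a portal in the SSL VPN authentication rules, and the firewall policy for the tunnel matches that same group, so no FSSO group is involved anywhere. The server IP, the base DN, the group DN, the service-account DN and the interface name are constructed placeholders; the password is a placeholder to be replaced; "SSLVPN_TUNNEL_ADDR1" and "full-access" are the default pool and portal names that ship with FortiOS.

```fortios
# --- Active authentication source: AD over LDAPS (constructed values) ---
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"                              # constructed: domain controller IP
        set cnid "sAMAccountName"                           # attribute the VPN username is matched against
        set dn "dc=example,dc=local"                        # constructed: base DN
        set type regular                                    # bind with a service account, not anonymously
        set username "cn=svc-ldap,cn=Users,dc=example,dc=local"   # constructed: read-only bind account
        set password "REPLACE_WITH_BIND_PASSWORD"           # placeholder
        set secure ldaps                                    # TLS so credentials never cross the wire in clear
        set port 636
    next
end

# --- LDAP-backed group (NOT an FSSO group): membership checked at login time ---
config user group
    edit "VPN-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=local"   # constructed: AD group DN
            next
        end
    next
end

# --- Portal mapping: only groups with an active backend (LDAP here) can be selected ---
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"               # default pool name
    set port 443
    config authentication-rule
        edit 1
            set groups "VPN-Users"
            set portal "full-access"                        # default portal name
        next
    end
end

# --- Firewall policy for the tunnel: matches the VPN user's LDAP group directly ---
# Because the FortiGate already holds the authenticated VPN session, no FSSO
# agent or syslog parsing is required to identify the user in this policy.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"                              # SSL VPN tunnel interface
        set dstintf "port2"                                 # constructed: internal interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "VPN-Users"                              # same LDAP group as the portal mapping
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

After applying this, a connecting user is prompted for credentials, the FortiGate binds to AD over LDAPS to validate them and check group membership, and the resulting session carries "VPN-Users" so policy 10 matches without any FSSO involvement. An FSSO group would never appear in the authentication-rule list because it has no backend that can answer a credential challenge.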
