How does Fortinet SSO work?

A quick intro to FSSO

This article is intended to be conceptual and intentionally glosses over more specific elements of this topic. If you want more detail, check the article links at the bottom.

Fortinet Single Sign-on (FSSO) is a nifty feature. It uses passive authentication techniques to associate network traffic with the end user who is generating that traffic. That way, user-specific security policies can be applied. For example: perhaps a FortiGate firewall should only allow staff members in the Accounting department to access a banking web application. In order to do this, the firewall needs to be able to differentiate user traffic.

Let's walk through how this feature works and its high-level architecture. The basic idea is pretty simple:

  • Enterprise organizations typically use some sort of centralized authentication and directory service. The most popular one by FAR these days is (still?) Active Directory.
  • FSSO components collect and monitor user login activity from an authentication source. There are several different ways this information can be collected:
    • Lightweight agents (DC agents, collector agents, etc.) can be strategically installed in the environment.
    • The FortiGate itself can perform "agentless" polling (usually only suitable for really small networks).
  • Once a login event is discovered, details are gathered and stored/mapped on the FortiGate firewall:
    • Username
    • Host name
    • IP address (note that this isn't stored in Windows login events – it's generated via a separate DNS lookup).
    • User Group(s)
  • On a regular basis, FSSO components perform check-ups to see if a user is still logged in and actively using an IP address. There are a variety of techniques for doing this, but some possibilities include:
    • A collector agent periodically connecting to individual user workstations via Windows Management Instrumentation (WMI) and querying to see if the user is still active.
    • "Dead entry timeout intervals" (a timeout after which the feature considers the user no longer present).

The benefit here is that this happens behind the scenes without requiring any additional manual effort by the user. Once the FortiGate has this level of detail, it can apply/enforce much more specific policies.
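To make that lifecycle concrete, here is an added example (my own toy model, not Fortinet's code or the logic of any FSSO component): a logon event arrives with a hostname but no IP, the IP comes from a separate DNS lookup, workstation checks either refresh or remove the entry, a dead entry timeout expires stale mappings, and a policy check consults the resulting user/IP/group table. The hostnames, IPs, group names and timeout value are constructed.

```python
from dataclasses import dataclass
# Constructed sample data (hypothetical): a collector agent sees the Windows logon
# event with a hostname but no IP, so the IP comes from a separate DNS lookup.
DNS_TABLE = {"ACCT-PC01": "10.1.20.15", "HR-PC07": "10.1.30.8"}

@dataclass
class FssoEntry:
    user: str
    host: str
    ip: str
    groups: frozenset
    last_seen: float  # last time a workstation check confirmed the user

class FssoSessionTable:
    """Toy model of the FortiGate's FSSO user-to-IP mapping (not Fortinet's code)."""
    def __init__(self, dead_entry_timeout: float, dns: dict):
        self.timeout = dead_entry_timeout  # seconds without a confirmed check
        self.dns = dns
        self.entries = {}  # keyed by IP address

    def on_logon(self, user, host, groups, now):
        """A logon event was collected; resolve the host and map the user to its IP."""
        ip = self.dns.get(host)
        if ip is None:
            return None  # unresolved host: no IP, so no policy can be applied
        self.entries[ip] = FssoEntry(user, host, ip, frozenset(groups), now)
        return self.entries[ip]

    def workstation_check(self, ip, still_logged_in, now):
        """Outcome of a periodic (e.g. WMI) check against the workstation at `ip`."""
        entry = self.entries.get(ip)
        if entry is None:
            return
        if still_logged_in:
            entry.last_seen = now  # refresh, keeps the entry alive
        else:
            del self.entries[ip]  # user gone, drop the mapping immediately

    def expire_dead_entries(self, now):
        """Dead entry timeout: drop entries not confirmed within the timeout."""
        dead = [ip for ip, e in self.entries.items() if now - e.last_seen > self.timeout]
        for ip in dead:
            del self.entries[ip]
        return dead

    def policy_allows(self, ip, required_group):
        """Identity-based policy: permit only if the IP maps to a user in the group."""
        entry = self.entries.get(ip)
        return entry is not None and required_group in entry.groups
```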

For more information, check out these articles and resources:

  • Explaining FSSO - a primer: Fortinet Single-Sign-On (FSSO) and its components in easily understood terms. It does not aim to provide a complete configuration guide. It expands on introductory documentation as found in FSSO - Fortinet Single Sign-On or FSSO. Scope: FortiGate, FortiProxy, FortiAuthenticator, FSSO Agents. Sol…
  • How FSSO detects logged-off users: Scope: FortiGate. Solution: User removal from FSSO is managed through a workstation check and a dead entry timer. In other words, it will not read Windows Logoff Events. The Collector Agent (CA) runs the workstation check in batches and the time interval between the…
  • Agent-based FSSO: Introduction to agent-based FSSO. Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. Wh…