Technical Tip: How to configure SSO Auto with LDAP users for SSL-VPN Bookmarks

Source: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SSO-Auto-with-LDAP-users-for-SSL/ta-p/196554?externalID=FD45619

Description

This article describes how to configure SSO Auto with LDAP users for SSL-VPN bookmarks.


Solution
Note: Currently the FortiGate's SSL-VPN SSO supports only form-based and HTTP Basic authentication. Other authentication methods such as Integrated Windows and Digest are not supported by SSO. Because the FortiAuthenticator login page uses form-based authentication, the following http/https bookmark example is configured against a FortiAuthenticator.

Excerpt of the page source (View Page Source) of the FortiAuthenticator's login page, showing the login form:

<div class="inner_wrapper">
<form id="login_form" action="" method="post" autocomplete="off"><input type='hidden' name='csrfmiddlewaretoken' value='mSsFkkcooLE3hf6tSDHfNEsrsI9KVHHX' />
<div>
<table>
<tbody>
<tr>
<td><input id="id_username" placeholder="Username" maxlength="253" name="username" type="text" value=""></td>
</tr>
<tr>
<td><input id="id_password" placeholder="Password" name="password" type="password"></td>
</tr>
</tbody>
</table>
<input type="hidden" name="next" value="/">
<input class="submit" type="submit" value="Login">
</div>
</form>
</div>
1) Configure the LDAP server:
# config user ldap
edit "LDAPSERVER"
set server "172.16.190.216"
set cnid "sAMAccountName"
set dn "dc=iba,dc=local"
set type regular
set username "cn=Administrator, cn=Users, dc=iba, dc=local"
set password SUPERSECRETPASSWORD
next
end
1.2) Check the connectivity between the FortiGate and the LDAP server. In the GUI, click the "Test Connectivity" button, or run the following CLI command:
# diagnose test authserver ldap <server_name> <username> <password>
2) Configure the LDAP user group:
# config user group
edit "ldapgroup1"
set member "LDAPSERVER"
config match
edit 1
set server-name "LDAPSERVER"
set group-name "CN=ldapgroup1,CN=Users,DC=iba,DC=local"
next
end
next
end
3) Configure the SSL-VPN portal and a bookmark with SSO of type "auto" (the FortiGate then automatically uses the SSL-VPN login credentials to sign in to the web resource):

Note: the bookmark URL is https://x.x.x.x/login/?next=/, which is the login page URL of the FortiAuthenticator. The bookmark should normally point at the resource's login URL; otherwise SSO may not work.

4) Configure Authentication/Portal Mapping in SSL-VPN settings:
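Added CLI example (not part of the original article) of the settings that steps 3 and 4 configure in the GUI: the portal name "full-access", the bookmark-group name "gui-bookmarks" and the bookmark name "FortiAuthenticator" are assumed; the URL, group name and hide-sso-credential setting are those used in this article.

```text
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
        # with hide-sso-credential enabled, the real username is not shown in the auto-filled form
        set hide-sso-credential enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "FortiAuthenticator"
                        set apptype web
                        # login page URL of the web resource (FortiAuthenticator here)
                        set url "https://x.x.x.x/login/?next=/"
                        # SSO "auto": reuse the SSL-VPN login credentials for the web resource
                        set sso auto
                    next
                end
            next
        end
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            # map the LDAP user group from step 2 to the portal above
            set groups "ldapgroup1"
            set portal "full-access"
        next
    end
end
```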

5) Configure the firewall policy with the LDAP user group for the SSL-VPN connection:
# config firewall policy
edit 3
set name "SSL-VPN"
set srcintf "ssl.root"
set dstintf "LAN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "ldapgroup1"
set nat enable
next
end
6) Connect to the web portal and check the connection to the bookmark:

6.1) When connecting, the username field is automatically filled with fgt_sso_key as the username if hide-sso-credential is enabled in "config vpn ssl web portal"; if hide-sso-credential is disabled, the FortiGate auto-fills the real username.

6.2) Make sure that the web resource (in this example the FortiAuthenticator) allows authentication for the LDAP user that is configured on the FortiGate.

For troubleshooting, use the following CLI commands:

# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug application sslvpn -1
# diagnose debug enable

Also, the browser's developer tools can be used to collect a HAR file while connecting to the bookmark, as explained in the related article.


Internal Notes
A configuration example for an SSL VPN gateway in tunnel mode for multiple customers can be found here.

The source IP used by the FortiGate to access resources via SSL VPN (web mode) can be found here.

Maximum values for SSL VPN bookmarks can be found here.

Related tickets – 3422006, 3269834, 2909033, 1474645

Related Articles

Troubleshooting Tip: How to collect HAR file
