Support Forum
sbuerger
New Contributor III

SSO on the SSL VPN Webportal

What documentation exists about the forwarding of an authentication on the SSL VPN web portal to services I present in the portal?

 

If you use this, what services do you present with using SSO?

 

We have a lot of internal services, Microsoft-based, Atlassian systems, etc. (all of them are using our Active Directory for authentication) and we would like the users to only have to sign on on the portal itself.

1 Solution
sbuerger
New Contributor III

We found time to implement some bookmarks with SSO:

 

You have to use the login URL in the bookmarks. If you use any URL that causes an HTTP redirect the login will not work!

If your server uses "login" and "password" as HTML input name fields for the login form it works with SSO auto.

If not you have to add the fields by yourself.

At least in v5.2.3 there is a bug where you can't add more than one input field. You have to do it through SSH.

 

Atlassian Confluence and JIRA are using the same form input fields.

OWA is for Exchange 2010.

 

# FortiOS CLI: SSO bookmarks for the SSL VPN web portal.
# %username% / %passwd% are substituted with the portal login credentials.
config vpn ssl web portal
    edit "SSL Client VPN"
        set user-bookmark disable
        config bookmark-group
            edit "Saxsys Websites"
                config bookmarks

                    ...

                    # Confluence/JIRA: form fields differ from "login"/"password", so sso static + form-data
                    edit "Confluence - Wiki"
                        set url "https://url/login.action"
                        set sso static
                        config form-data
                            edit "os_username"
                                set value "%username%"
                            next
                            edit "os_password"
                                set value "%passwd%"
                            next
                        end
                    next
                    # Exchange 2010 OWA forms-based logon page
                    edit "Outlook Web App"
                        set url "https://url/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2furl%2fowa%2f"
                        set sso static
                        config form-data
                            edit "username"
                                set value "%username%"
                            next
                            edit "password"
                                set value "%passwd%"
                            next
                        end
                    next
                    # SonarQube uses "login"/"password" input names, so sso auto is enough
                    edit "SonarQube"
                        set url "http://url/sessions/new?return_to=%2F"
                        set sso auto
                    next
                    edit "Stash"
                        set url "https://url/login?next=/projects"
                        set sso static
                        config form-data
                            edit "j_username"
                                set value "%username%"
                            next
                            edit "j_password"
                                set value "%passwd%"
                            next
                        end
                    next
                end
            next
        end
    next
end


6 REPLIES
RyanS
New Contributor

I have a similar need for the SSL VPN Webportal to pass on authenticated credentials to bookmarks that we publish on the portal

 

We are using IIS and had it set up to authenticate users, but the FortiGate doesn't seem to be able to pass through credentials to those pages that we have set up for SSO.

 

On the one webpage where we need users to enter their user name and password, because SSO is not available for that page, the FortiGate SSO bookmark works great.

 

Have you been able to figure out a solution to this?

sbuerger
New Contributor III

We are still working on SSL Client VPN. We still have weird problems with identity-based policies on the SSL VPN: sometimes the FortiClient does not register itself with the FortiClient so the forward traffic is denied, other times the client is shown as another client which had the SSL VPN IP before (all on FW 5.2.2 with Client 5.2.3).

 

On the web portal we found a bigger problem. We have a lot of internal IIS with SSL. We reconfigured the IIS instances because of the Heartbleed attack with "IISCrypto", disabling SSL v3 and such. When I use the sites through the web portal, the FortiGate gets a memory problem within seconds, switches into conserve mode, killing around 1000 open sessions to free more RAM... Really strange for a security device.

 

On the authentication side, we only saw authentication working on a custom Tomcat application with form-based authentication (via HTTP POST). I just don't know why the FortiGate supports this. There is not much documentation on how this feature works. Maybe it detects the login and password fields in the form and just tries it. If we get the memory problem fixed (maybe there is a fix in FW 5.2.3, I did not see anything about this in the release notes) we will dig deeper into the web portal.

 

RyanS
New Contributor

Sounds like you are having a little more fun than I am!

 

But for the last part, the only page that works for me is the webpage running on Tomcat. If I turn SSO on for that bookmark the FortiGate will automatically pass the SSL VPN sign-on credentials through to the webpage and it logs in perfectly, I think because there is a user name and password field on the page to initially log into the page. But on the pages that are run on IIS and have SSO built into the page the FortiGate just can't seem to handle it and pass through the credentials.

 

I have a ticket open for this and asked them if using a FortiWeb appliance may help out with the authentication SSO piece or if they have any other recommendations, because it would be really, really nice if I could post bookmarks in the FortiGate portal and have the SSO work seamlessly.

sbuerger
New Contributor III

RyanS wrote:

I have a ticket open for this and asked them if using a FortiWeb appliance may help out with the authentication SSO piece or if they have any other recommendations, because it would be really, really nice if I could post bookmarks in the FortiGate portal and have the SSO work seamlessly.

Yes, SSO is a big deal for us too. Internally we have a zoo of systems and a lot of them don't care about Integrated Windows Authentication. At least most of them have LDAP authentication.

 

There is another problem with the SSO forwarding. On the web portal the users can log on only with the SAM account name (for us it's firstname.surname) (and a mobile token as second factor for some of the users). With basic authentication on IIS, it could be necessary to log on with a domain, "domain\firstname.surname" or "firstname.surname@domain.tld". It's possible that the FortiGate tries to log on and the username format is wrong.

 

We have this list of systems we would like to publish through the web portal and have the authentication forwarded:

 

Exchange 2010 OWA (forms based)

Sharepoint 2010 (integrated auth)

Custom forms based Web Apps

Team Foundation Web Portal (integrated auth)

Atlassian JIRA, Stash (Web Portal), Confluence (forms based)

Nexus (forms based)

 

If anyone has succeeded, please tell us what the requirements are to get it to work.

RyanS
New Contributor

So this is what I got back from their support. The only way the SSO on the SSL VPN works is with form-based authentication.

 

Thank you for the update. I did some research and found that SSO sign-on does not work with the NTLM authentication method, which is the method being used here. This would only work with form-based authentication.
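The thread settles on three practical rules for SSO bookmarks: the bookmark must point at the final login page (any HTTP redirect breaks it), a form whose inputs are literally "login" and "password" works with `set sso auto` while any other field names need `set sso static` plus `config form-data`, and NTLM/integrated authentication cannot be bridged at all. The script below turns those rules into a pre-flight check that inspects a captured response from the target login URL and emits the matching FortiOS bookmark stanza in the shape of the accepted solution. It is an added example, not code from the thread or from Fortinet: the "login"/"password" rule is the poster's observation, not documented Fortinet behaviour; the field-detection heuristic (first password-typed input, preceding text input is the username) is an assumption; and the HTTP responses and hostnames are constructed samples, so nothing is fetched from the network.

```python
"""Pre-flight planner for FortiGate SSL VPN web-portal SSO bookmarks (added example)."""
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Substitution tokens used in the thread's own bookmark config.
USERNAME_TOKEN = "%username%"
PASSWORD_TOKEN = "%passwd%"


class _FormInputs(HTMLParser):
    """Collect (name, type) for every named <input> on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.inputs.append((a["name"], (a.get("type") or "text").lower()))


def form_fields(html: str):
    """Guess (username_field, password_field) from a login form.

    Heuristic (assumption): the first password-typed input is the password
    field; the last text/email input before it is the username field.
    """
    parser = _FormInputs()
    parser.feed(html)
    password = next((n for n, t in parser.inputs if t == "password"), None)
    if password is None:
        return None, None
    username = None
    for name, kind in parser.inputs:
        if name == password:
            break
        if kind in ("text", "email"):
            username = name
    return username, password


@dataclass
class Response:
    """Constructed stand-in for a captured HTTP response to the login URL."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _skip(name, url, reason):
    return {"name": name, "url": url, "sso": None, "form_data": {}, "reason": reason}


def plan_bookmark(name: str, url: str, resp: Response) -> dict:
    """Decide whether the bookmark can use SSO and which mode/fields it needs."""
    if 300 <= resp.status < 400:  # rule 1: redirects break the SSO login
        target = resp.headers.get("Location", "?")
        return _skip(name, url, f"login URL redirects to {target}; use the final login page")
    if resp.status == 401:  # rule 3: challenge-based (NTLM/Negotiate) auth is not bridged
        challenge = resp.headers.get("WWW-Authenticate", "")
        if any(s in challenge for s in ("NTLM", "Negotiate")):
            return _skip(name, url, "integrated (NTLM) auth; SSO needs a form-based login")
    username, password = form_fields(resp.body)
    if password is None:
        return _skip(name, url, "no login form with a password field found")
    if username is None:
        return _skip(name, url, "could not identify the username field; add form-data by hand")
    if (username, password) == ("login", "password"):  # rule 2: default names -> sso auto
        return {"name": name, "url": url, "sso": "auto", "form_data": {}}
    return {"name": name, "url": url, "sso": "static",
            "form_data": {username: USERNAME_TOKEN, password: PASSWORD_TOKEN}}


def render_bookmark(plan: dict) -> str:
    """Emit one bookmark entry in the same CLI shape as the thread's config."""
    if plan["sso"] is None:
        return f'# {plan["name"]}: not configured ({plan["reason"]})'
    lines = [f'edit "{plan["name"]}"', f'set url "{plan["url"]}"', f'set sso {plan["sso"]}']
    if plan["form_data"]:
        lines.append("config form-data")
        for fld, value in plan["form_data"].items():
            lines += [f'edit "{fld}"', f'set value "{value}"', "next"]
        lines.append("end")
    lines.append("next")
    return "\n".join(lines)


# Constructed sample responses (hostnames are placeholders).
CONFLUENCE = Response(200, body='<form method="post" action="/dologin.action">'
                      '<input type="text" name="os_username">'
                      '<input type="password" name="os_password">'
                      '<input type="submit" name="login" value="Log in"></form>')
DEFAULT_NAMES = Response(200, body='<form><input name="login">'
                         '<input type="password" name="password"></form>')
REDIRECT = Response(302, headers={"Location": "https://wiki.example/login.action"})
NTLM_IIS = Response(401, headers={"WWW-Authenticate": "NTLM"})

if __name__ == "__main__":
    for name, url, resp in [("Confluence - Wiki", "https://wiki.example/login.action", CONFLUENCE),
                            ("Sonar", "https://sonar.example/sessions/new", DEFAULT_NAMES),
                            ("Wiki root", "https://wiki.example/", REDIRECT),
                            ("Intranet IIS", "https://intranet.example/", NTLM_IIS)]:
        print(render_bookmark(plan_bookmark(name, url, resp)))
```

The Confluence sample deliberately carries a submit button named "login" after the password field; the heuristic ignores it because only inputs before the password field are candidates for the username, which is why the planner lands on `os_username`/`os_password` and `sso static` rather than misreading the form as the "login"/"password" case.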

