All for One Poland: How to Implement a Secure Single Sign On

Convenience, security and control in remote working

Employees would like to have one password for all company applications and services. For the company, cyber security is a priority. Wondering how to implement Single Sign On technology in your organization so that these goals are not conflicting, but complementary? At All for One, we use SSO in conjunction with Fortinet appliances and Microsoft Azure cloud. We have built a solution that is consistent, secure and greatly facilitates daily work, including remote work. Benefit from our experience.

In recent years, the way companies operate has radically changed. We have moved from a work model based on a central IT infrastructure and networks protected by firewalls to distributed environments – remote and hybrid work. It is standard for employees to log in from different locations, often outside the corporate network, which has posed new challenges for IT administrators. At All for One, we have relied on Single Sign On technology.

Goals set by the business

At All for One, we were guided by three main objectives:

  • Minimize the need to enter passwords multiple times, especially when using VPNs, to increase user convenience;
  • Improve network security by managing access based on groups in Active Directory – both locally and in the cloud version (Azure AD);
  • Force the use of corporate computers when accessing network resources to reduce the risks associated with unmanaged devices.

To meet the expectations that the business has set for us, we have prepared two complementary solutions:

  • SSO + SSL VPN + 2FA – responsible for user login convenience and security,
  • Fortinet Single Sign On + FortiAuthenticator – supporting central access management and enforcing the use of corporate computers.

Secure and convenient login

The SSO + SSL VPN + 2FA solution works as follows: A user working remotely launches the FortiClient and initiates an SSL VPN connection to the corporate network. This connection creates an encrypted tunnel between the user’s device and the VPN gateway on the FortiGate unit. FortiClient is integrated with Azure AD, which enables automatic authentication through the SSO mechanism. If the computer is a member of a domain, the user does not have to enter a password every time – logging in is simplified and fast (the password only needs to be entered at initiation and when changing it).

Then two-step verification (2FA) is triggered with Microsoft Entra ID – the user confirms login with an SMS code or in the Microsoft Authenticator application.

This ensures that the login is performed by an authorized user, even if someone has learned his password.

Only after positive verification is a secure VPN tunnel set up, and the user is granted access to the company’s internal resources – servers, applications, etc. In order to strike a balance between security and convenience, in our configuration we decided to require users to log in again after 12 hours of inactivity.

FortiGate can further restrict access based on a user’s AD group membership, according to a predefined security policy (FSSO discussed below).

Intelligent identification and control

A FortiClient acting as a mobility agent is installed on company computers. When a user logs on to a computer in the domain, the agent collects the following data and sends it to FortiAuthenticator: the user’s name, the computer’s IP address, host name and computer name, and (optionally) the user’s domain groups. There is no need to read logs from the domain controller – the data is collected and transmitted proactively and directly. FortiAuthenticator, in turn, passes this data to FortiGate, which recognizes the user in the network in real time and assigns appropriate security policies.

The solution used allows us to:

  • use different levels of access for different groups of users (e.g., different for IT, different for HR),
  • allow logins only from company computers with FortiClient,
  • eliminate the need for a separate network login – the user simply works, and FortiGate already “knows” who he is.
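
The identity mapping described above, modelled as an added example (not All for One's or Fortinet's code): agent logon reports bind a source IP to a user and groups, access is decided per group, and an address with no binding is denied as an unmanaged device. The policy table, event field names and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy table (assumption): AD group -> destinations it may reach.
POLICIES = {
    "IT": {"servers", "hr-app", "internet"},
    "HR": {"hr-app", "internet"},
}

@dataclass
class IdentityTable:
    """Models the IP-to-user table a firewall builds from agent logon reports."""
    by_ip: dict = field(default_factory=dict)

    def handle(self, event: dict) -> None:
        if event["type"] == "logon":
            # A newer logon on the same IP replaces the old binding (IP reuse).
            self.by_ip[event["ip"]] = (event["user"], frozenset(event["groups"]))
        elif event["type"] == "logoff":
            # Clear the binding only if it still belongs to the user logging off,
            # so a late logoff cannot erase another user's session.
            if self.by_ip.get(event["ip"], (None,))[0] == event["user"]:
                del self.by_ip[event["ip"]]

    def decide(self, src_ip: str, dest: str) -> tuple:
        entry = self.by_ip.get(src_ip)
        if entry is None:
            # No agent report for this address: treated as an unmanaged device.
            return ("deny", None)
        user, groups = entry
        allowed = any(dest in POLICIES.get(g, ()) for g in groups)
        return ("allow" if allowed else "deny", user)

def replay(events: list) -> IdentityTable:
    """Feed events in order and return the resulting identity table."""
    table = IdentityTable()
    for event in events:
        table.handle(event)
    return table

# Constructed sample events using the fields the agent is described as sending.
EVENTS = [
    {"type": "logon", "user": "anna", "ip": "10.0.0.5", "host": "PC-001", "groups": ["HR"]},
    {"type": "logon", "user": "piotr", "ip": "10.0.0.6", "host": "PC-002", "groups": ["IT"]},
    {"type": "logon", "user": "marek", "ip": "10.0.0.5", "host": "PC-003", "groups": ["IT"]},
    {"type": "logoff", "user": "anna", "ip": "10.0.0.5", "host": "PC-001"},
    {"type": "logoff", "user": "piotr", "ip": "10.0.0.6", "host": "PC-002"},
]
```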

Technology that helps

By implementing SSO and FSSO mechanisms, we have achieved our goals, which directly translates into a better remote working experience:

  • More convenient login – when connecting to a VPN client, users do not have to enter login credentials each time, which greatly improves the user experience and eliminates the frustrations of multiple authentication;
  • Security – we precisely control access to systems and services based on group membership in Active Directory in both classic domain controllers and the cloud version (Azure AD);
  • Manageability – only devices that meet certain criteria can access network resources, reducing the risk of unauthorized or private devices.

Modern Single Sign On is more than just a login technology – it’s a way to create a remote working environment that is convenient, secure and transparent.
