Audit FortiCloud SSO Login on All FortiGates via FortiManager
- FA
- Feb 27, 2026
In early 2026, Fortinet published PSIRT advisory FG-IR-26-060 (CVE-2026-24858) describing an Administrative FortiCloud SSO authentication bypass that was exploited in the wild. The advisory notes that FortiCloud SSO admin login can end up enabled during device registration unless the administrator disables the “Allow administrative login using FortiCloud SSO” toggle, which makes it important to verify the setting across every device you manage.
A widely recommended mitigation is to temporarily disable FortiCloud SSO admin login until the FortiGate is upgraded to a patched version. For many teams, the immediate challenge is scale: how do you confirm (quickly and reliably) whether admin-forticloud-sso-login is enabled across an entire fleet?
This article shows two practical ways to audit that setting at scale using FortiManager:
- A ready-to-run Postman collection for quick interactive validation.
- A Python implementation suitable for repeatable audits and operational checks.
Both approaches use FortiManager’s JSON-RPC API to enumerate managed devices and then query each FortiGate’s global settings via FortiManager proxy calls—so you can produce a single report for your entire environment with minimal effort.
Why not just run an FMG script on all devices?
You can run a FortiManager script across all FortiGates to check the setting, for example:
```text
FGT-FAR # get system global | grep admin-forticloud-sso
admin-forticloud-sso-login: disable
```
The problem is operational: FortiManager will generate separate output/log entries per FortiGate. When you have tens or hundreds of devices, it’s not practical to click into each device’s script output one-by-one just to confirm whether admin-forticloud-sso-login is enabled or disabled.
That’s why the Postman/Python approach is useful: it consolidates per-device results into a single report view (table/JSON), making it feasible to validate fleet-wide exposure quickly—especially during an incident response window.
How the script runs (what happens behind the scenes)
The Python implementation follows a simple 4-step workflow that mirrors what you’d do manually in the FortiManager GUI, but at scale:
1. Authenticate to FortiManager (JSON-RPC)
The script sends a JSON-RPC `exec` call to the FortiManager endpoint `https://<FMG>/jsonrpc` using `/sys/login/user`. If authentication succeeds, FortiManager returns a session token, which the script stores and reuses for the rest of the requests.
2. Pull the managed device inventory
Next, the script queries FortiManager’s device database (`/dvmdb/device`) to retrieve the list of managed FortiGates. From this, it builds a “target list” in FortiManager proxy format:
- `device/FGT-VM`
- `device/FGT-60E`
- `device/FortiGate-40F`
This ensures the script always audits “whatever FMG is managing right now,” not a hardcoded list.
3. Bulk query all FortiGates using `sys/proxy/json`
This is the key scaling feature: the script sends one FortiManager proxy request containing the full array of targets (all devices at once). FortiManager fans out the call internally and returns one combined response containing per-device results.
The proxied resource being queried is FortiGate’s:
`GET /api/v2/cmdb/system/global`
From each device’s response, the script extracts:
`admin-forticloud-sso-login` → typically `enable` or `disable`
4. Generate a report, export JSON, and log out
The script prints a readable console table, includes a summary (enabled/disabled/errors), writes the raw results to `sso_report.json`, and then closes the session via `/sys/logout`.
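The four steps above, condensed into a standard-library Python example added here (it is not the article's own script): `FMG_URL` and the credentials are placeholders, `FAKE`/`fake_post` are constructed FortiManager responses so the flow can be exercised offline, and the request shapes are the JSON-RPC calls described above (`exec` on `/sys/login/user`, `get` on `/dvmdb/device`, `exec` on `/sys/proxy/json` with `target`/`action`/`resource`, `exec` on `/sys/logout`).

```python
import json, ssl, urllib.request

FMG_URL = "https://<FMG>/jsonrpc"  # placeholder: your FortiManager JSON-RPC endpoint

def _https_post(body):
    """Real transport: POST one JSON-RPC body to FortiManager, verifying its TLS certificate."""
    req = urllib.request.Request(FMG_URL, json.dumps(body).encode(), {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def rpc(method, url, data=None, session=None, post=_https_post):
    """Build and send one FortiManager JSON-RPC call (method is get/exec, url is the FMG API path)."""
    params = {"url": url} if data is None else {"url": url, "data": data}
    return post({"id": 1, "method": method, "params": [params], "session": session})

def summarize_proxy(data):
    """Map each sys/proxy/json entry to 'enable', 'disable' or an error string, keyed by device."""
    report = {}
    for entry in data:
        if entry.get("status", {}).get("code") != 0:  # FMG could not reach or proxy to the device
            report[entry["target"]] = "error: " + entry.get("status", {}).get("message", "unknown")
        else:
            results = entry.get("response", {}).get("results", {})
            report[entry["target"]] = results.get("admin-forticloud-sso-login", "error: key missing")
    return report

def audit(user, passwd, post=_https_post):
    """Steps 1-4: login, enumerate /dvmdb/device, one bulk proxy GET of system/global, logout."""
    session = rpc("exec", "/sys/login/user", {"user": user, "passwd": passwd}, post=post)["session"]
    try:
        names = [d["name"] for d in rpc("get", "/dvmdb/device", session=session, post=post)["result"][0]["data"]]
        proxy = rpc("exec", "/sys/proxy/json", {"target": ["device/" + n for n in names], "action": "get",
                    "resource": "/api/v2/cmdb/system/global"}, session=session, post=post)
        return summarize_proxy(proxy["result"][0]["data"])
    finally:
        rpc("exec", "/sys/logout", session=session, post=post)  # always release the FMG session

# Constructed FortiManager responses so the workflow can be exercised offline (no real device).
FAKE = {
    "/sys/login/user": {"session": "constructed-token", "result": [{"status": {"code": 0}}]},
    "/dvmdb/device": {"result": [{"data": [{"name": "FGT-VM"}, {"name": "FGT-60E"}, {"name": "FortiGate-40F"}]}]},
    "/sys/proxy/json": {"result": [{"data": [
        {"target": "FGT-VM", "status": {"code": 0}, "response": {"results": {"admin-forticloud-sso-login": "enable"}}},
        {"target": "FGT-60E", "status": {"code": 0}, "response": {"results": {"admin-forticloud-sso-login": "disable"}}},
        {"target": "FortiGate-40F", "status": {"code": -1, "message": "device unreachable"}}]}]},
    "/sys/logout": {"result": [{"status": {"code": 0}}]},
}
def fake_post(body):
    return FAKE[body["params"][0]["url"]]
```

Run `audit("admin", "<password>", post=fake_post)` to see the offline report; drop the `post=` argument (and set `FMG_URL`) to query a real FortiManager. Any device reporting `enable` is one where the mitigation has not yet been applied.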