Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.0.0 Handbook
    6.0.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring user groups

    Configuring user groups

    User groups are authorized by the virtual server authentication policy. The user group configuration references the authentication servers that contain valid user credentials.

    Suggested steps:

    1. Configure LDAP, RADIUS, and NTLM servers, if applicable.
    2. Configure local users.
    3. Configure user groups (reference servers and local users).
    4. Configure an authentication policy (reference the user group).
    5. Configure the virtual server (reference the authentication policy).

    Before you begin:

    • You must have created configuration objects for any LDAP, RADIUS, and/or NTLM servers you want to use, and you must have created user accounts for local users.
    • You must have read-write permission for System and User settings.

    After you have created user groups, you can specify them in the server load balancing authentication policy configuration.

    To configure a user group:
    1. Go to User Authentication > User Group.
    2. Click Create New to display the configuration editor.
    3. Complete the configuration as described in User group configuration.
    4. Save the configuration.

    User group configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    User Cache

    Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized.

    Cache Timeout

    Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

    Authentication Timeout

    Timeout for query sent from FortiADC to a remote authentication server. The default is 2,000 milliseconds. The valid range is 1-60,000 milliseconds.

    Authentication Log

    Specify one of the following logging options for authentication events:

    • No logging
    • Log failed attempts
    • Log successful attempts
    • Log all (both failed and successful attempts)

    Client Authentication Method
    • HTML Form
    • HTTP
    • NTLM (only if you want to use NTLM server as a authentication server)

    Group Type
    • Local—Default. No action is needed.
    • SSO—Select to enable single sign-on (SSO) and then populate the fields below.

    Authentication Relay

    Select an authentication relay profile.

    Authentication Session Timeout

    Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

    SSO Support

    Disabled by default. When enabled, you must specify the SSO domain. See below.

    Note: Let's suppose that you add two or more virtual servers on FortiADC and they all use the same authentication relay, and then you set the Group Type (above) to SSO and enable SSO Support. When a client visits different services within the defined domain, only in the first request needs to be authenticated. Once authenticated, the client can visit all other services in the same domain.

    SSO Domain

    Specify the SSO domain.

    Log-off URL

    Specify the log-off URL.
    Previous
    Next

    Configuring user groups

    Configuring user groups

    User groups are authorized by the virtual server authentication policy. The user group configuration references the authentication servers that contain valid user credentials.

    Suggested steps:

    1. Configure LDAP, RADIUS, and NTLM servers, if applicable.
    2. Configure local users.
    3. Configure user groups (reference servers and local users).
    4. Configure an authentication policy (reference the user group).
    5. Configure the virtual server (reference the authentication policy).

    Before you begin:

    • You must have created configuration objects for any LDAP, RADIUS, and/or NTLM servers you want to use, and you must have created user accounts for local users.
    • You must have read-write permission for System and User settings.

    After you have created user groups, you can specify them in the server load balancing authentication policy configuration.

    To configure a user group:
    1. Go to User Authentication > User Group.
    2. Click Create New to display the configuration editor.
    3. Complete the configuration as described in User group configuration.
    4. Save the configuration.

    User group configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    User Cache

    Enable to cache the credentials for the remote users (LDAP, RADIUS) once they are authorized.

    Cache Timeout

    Timeout for cached user credentials. The default is 300 seconds. The valid range is 1-86,400 seconds.

    Authentication Timeout

    Timeout for query sent from FortiADC to a remote authentication server. The default is 2,000 milliseconds. The valid range is 1-60,000 milliseconds.

    Authentication Log

    Specify one of the following logging options for authentication events:

    • No logging
    • Log failed attempts
    • Log successful attempts
    • Log all (both failed and successful attempts)

    Client Authentication Method
    • HTML Form
    • HTTP
    • NTLM (only if you want to use NTLM server as a authentication server)

    Group Type
    • Local—Default. No action is needed.
    • SSO—Select to enable single sign-on (SSO) and then populate the fields below.

    Authentication Relay

    Select an authentication relay profile.

    Authentication Session Timeout

    Specify the authentication session timeout. Valid values range from 1 to 180 minutes. The default is 3 (minutes).

    SSO Support

    Disabled by default. When enabled, you must specify the SSO domain. See below.

    Note: Let's suppose that you add two or more virtual servers on FortiADC and they all use the same authentication relay, and then you set the Group Type (above) to SSO and enable SSO Support. When a client visits different services within the defined domain, only in the first request needs to be authenticated. Once authenticated, the client can visit all other services in the same domain.

    SSO Domain

    Specify the SSO domain.

    Log-off URL

    Specify the log-off URL.
    Previous
    Next