Administration Guide

Application Access Manager

The Application Access Manager in FortiADC provides a centralized, modular framework for managing user authentication and secure access to enterprise applications. It supports multiple authentication methods—including Local User, LDAP, RADIUS, and SAML—and provides fine-grained configuration of access policies across HTTP/HTTPS virtual servers.

As part of this framework, the Agentless Application Gateway (AAG) enables agentless, browser-based access to internal applications without the need for endpoint software or VPNs.

This section outlines the components of the Application Access Manager and their roles in authenticating users, integrating with identity providers, and enabling secure access to published services.

Components of the Application Access Manager

The Application Access Manager consists of several modules, each dedicated to a specific aspect of access management:

Access Policy

The Access Policy module defines authentication and authorization rules that regulate user access to published applications. It specifies the required authentication method, which can be one of the following:

  • Local User accounts managed on FortiADC

  • LDAP directory services (e.g., Active Directory)

  • RADIUS authentication servers

  • SAML 2.0 Identity Providers (e.g., Azure Entra ID, FortiAuthenticator)

Each Access Policy can also define session timeout, idle timeout, and reauthentication behavior. These policies are applied at the virtual server level—including servers configured for the Agentless Application Gateway (AAG).

Multi-factor authentication (MFA) is not currently supported for AAG. MFA is supported for standard HTTP/HTTPS virtual server access via Access Policies.

Agentless Application Gateway (AAG)

The Agentless Application Gateway (AAG) module enables secure access to enterprise applications without requiring endpoint agents. AAG operates as a reverse proxy, providing users with a web-based portal to access applications such as:

  • Web-based RDP, VNC, SSH, and Telnet sessions

  • Native RDP and RemoteApp connections

  • Internal web applications published through FortiADC and presented in the portal as bookmarks

Users must first authenticate through the Access Policy applied to the AAG Virtual Server. Supported authentication for AAG includes:

  • Local users

  • LDAP and RADIUS-based authentication

  • SAML 2.0 federated authentication (via providers such as Azure Entra ID and FortiAuthenticator)

Multi-factor authentication (MFA) is supported for AAG App Portal login when using Local or RADIUS user authentication.

For other authentication types, MFA can be applied to FortiADC administrative access or managed externally through the identity provider.

AAG Configuration Components

AAG is configured through two primary components:

  • App Group – Defines the applications available to users. Each App Group consists of one or more App Bookmarks, which specify individual applications. Each group can contain up to 256 bookmarks. For details, see Configuring an App Group.

  • App Portal – Provides users with a web-based interface to access applications. Each App Portal is associated with one or more App Groups, which control the set of applications available to users. Each portal supports up to 32 App Groups. For details, see Configuring an App Portal.

User Authentication

The User Authentication framework in FortiADC enables administrators to configure and manage how users are identified, authenticated, and grouped for access control. This framework integrates with access policies, authentication workflows, and application access rules to ensure that only authorized users can access protected services.

It includes the following modules:

User Group

The User Group module allows you to define logical groupings of users and assign access privileges based on group membership. Groups serve as the main unit for applying access policies, particularly in environments using directory services or federated identity systems.

Key capabilities include:

  • Mixed membership: Groups can consist of:

    • Local users defined in FortiADC.

    • Remote users authenticated through external identity sources (LDAP, RADIUS, NTLM, TACACS+).

  • Access assignment: You can associate user groups with Access Policies or App Groups (in AAG) to determine which resources the users can access.

  • Group resolution: For remote users, FortiADC can dynamically map users to groups based on attributes retrieved during authentication (e.g., LDAP group membership or RADIUS response attributes).

User Groups streamline user management by allowing scalable access rule configuration and simplifying identity integration across local and external systems.

For details, see Configuring user groups.

Local User

The Local User module provides the ability to define and manage standalone user accounts directly on the FortiADC system. These accounts are stored in the local user database and authenticated without requiring an external identity provider.

Key features:

  • Independent identity management: Useful in air-gapped environments, testing scenarios, or as a fallback when remote authentication systems are unavailable.

  • Password management: Supports secure password storage with configurable password policies, expiration, and complexity requirements.

  • MFA support: When enabled in the Access Policy, local users can be required to provide additional authentication factors such as time-based one-time passwords (TOTP).

While not scalable for large deployments, Local Users are ideal for small environments or administrative access during setup and recovery.
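The TOTP factor mentioned above, as an added example that is not FortiADC code: the RFC 6238 computation (HMAC-SHA1, 30-second step, 6 digits) together with the two server-side rules a verifier needs in practice, a small clock-skew window and refusal to accept a time step that has already been used. The test secret is the one from RFC 6238 Appendix B; the `TotpVerifier` class and its parameters are this example's own design.

```python
# Added example (not FortiADC code): the TOTP check behind a second factor for a
# local user, per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), with the two
# server-side rules that matter in practice: a small clock-skew window and no code reuse.
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code for the time step containing unix_time (RFC 6238 over RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226, 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Per-user verifier state (assumed design): accepts codes from +/- `window` steps of
    the current one, and never accepts a time step that has already been consumed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1   # highest time step already used by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_counter:
                continue                          # this step was already used: reject replay
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False
```

The replay rule is the part most often missing from home-grown verifiers: a code intercepted by a shoulder-surfer or a proxy stays valid for the rest of its step plus the skew window unless the step that produced it is recorded per user.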

Remote Server

The Remote Server module defines how FortiADC integrates with external authentication infrastructure to validate user credentials. Supported server types include:

LDAP Server

Enables FortiADC to authenticate users against an LDAP directory, such as Microsoft Active Directory or OpenLDAP. Administrators can configure connection parameters (host, port, base DN, bind DN, and bind password), specify search filters, and choose attribute mappings to retrieve user group membership and identity attributes used in access policy evaluation. Both LDAP over TCP (port 389) and LDAPS (port 636) are supported. For details, see Using an LDAP authentication server.
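As an added example (not FortiADC code) covering both the LDAP search filter described here and the group resolution described under User Group: escaping the login name before it is placed in the filter (RFC 4515), and mapping the `memberOf` DNs returned by the directory to the user-group names an access policy references. The attribute name `sAMAccountName`, the group DNs and the group names are constructed.

```python
# Added example (not FortiADC code): build an escaped LDAP search filter for the
# login name and map the memberOf values returned by the directory to the user
# groups an access policy references. Group DNs and names below are constructed.
import re

# Characters that have special meaning inside a search filter (RFC 4515, section 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value taken from the login form so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, uid_attribute: str = "sAMAccountName") -> str:
    """Return the filter used to locate the account before the bind (uid_attribute is an assumption)."""
    return f"(&(objectClass=user)({uid_attribute}={escape_filter_value(username)}))"


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators so AD and OpenLDAP spellings compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


# Constructed mapping: directory group DN -> name of the FortiADC user group.
GROUP_DN_MAP = {
    normalize_dn("CN=App-Admins,OU=Groups,DC=example,DC=com"): "aag-admins",
    normalize_dn("CN=App-Users,OU=Groups,DC=example,DC=com"): "aag-users",
}


def resolve_groups(member_of: list) -> set:
    """Map memberOf DNs retrieved during authentication to configured user groups."""
    seen = {normalize_dn(dn) for dn in member_of}
    return {name for dn, name in GROUP_DN_MAP.items() if dn in seen}


def is_authorized(member_of: list, allowed_groups: set) -> bool:
    """Access-policy style decision: the user needs at least one allowed group."""
    return bool(resolve_groups(member_of) & allowed_groups)
```

Two details worth keeping when wiring this to a real directory: the bind DN used for the search needs read access to `memberOf` only, and nested group membership is not visible through `memberOf` unless the directory expands it, so a user whose access depends on a nested group resolves to no group here.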

RADIUS Server

Supports authentication through the Remote Authentication Dial-In User Service (RADIUS) protocol. FortiADC can be configured with one or more RADIUS servers, defining parameters such as shared secret, timeout, and retry count. When a user logs in, FortiADC sends an Access-Request to the configured RADIUS server and grants access upon receiving a valid Access-Accept response. For details, see Using a RADIUS authentication server.
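The Access-Request/Access-Accept exchange described above at the packet level, as an added example that is not FortiADC code: it builds an Access-Request with the User-Password attribute hidden as RFC 2865 specifies, and on the reply checks the identifier and the Response Authenticator before treating an Access-Accept as a grant, which is what prevents a reply forged without the shared secret from being accepted. The shared secret, credentials and identifier are constructed.

```python
# Added example (not FortiADC code): the RADIUS exchange described above at the
# packet level, per RFC 2865. The shared secret and credentials below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): XOR 16-byte chunks with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         request_auth: bytes = b"") -> tuple:
    """Return (packet, request_authenticator); a fresh random authenticator is used unless one is supplied."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attribute(ATTR_USER_NAME, username.encode()) + _attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes,
                           secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """What the server sends back (Access-Accept or Access-Reject)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> tuple:
    """Return (authentic, code). A reply counts only if its identifier matches the outstanding
    request and its Response Authenticator was computed with the shared secret."""
    if len(packet) < HEADER_LEN:
        return False, 0
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_id:
        return False, code
    attrs = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected), code


def is_access_granted(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """Grant only on an authentic Access-Accept; a forged or tampered reply is treated as a reject."""
    authentic, code = verify_response(packet, request_auth, secret, expected_id)
    return authentic and code == ACCESS_ACCEPT
```

The password hiding is MD5-based obfuscation keyed by the shared secret, not encryption in the modern sense, which is why a long, high-entropy shared secret and a protected path between FortiADC and the RADIUS server (a dedicated management network, IPsec, or RADIUS over TLS per RFC 6614) matter as much as the secret's confidentiality.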

NTLM Server

Provides support for NT LAN Manager (NTLM) authentication, commonly used in Windows domain environments for single sign-on. FortiADC can act as an NTLM relay to authenticate users transparently against the Windows Domain Controller, enabling domain-joined users to access protected applications without manual credential entry. For details, see Using an NTLM authentication server.

TACACS+ Server

Integrates with Terminal Access Controller Access-Control System Plus (TACACS+) for centralized authentication, authorization, and accounting. FortiADC supports configuration of TACACS+ server address, port, and encryption key, and processes authentication transactions according to TACACS+ protocol standards. For details, see Using a TACACS+ authentication server.

Authentication Relay

The Authentication Relay module enables FortiADC to act as an intermediary between clients and external authentication services that are not directly supported by built-in methods. It is particularly useful in scenarios requiring:

  • Protocol translation, such as transforming NTLM or Kerberos requests into LDAP or RADIUS transactions.

  • Custom authentication workflows, where FortiADC forwards credentials to third-party systems via HTTP or HTTPS relay mechanisms.

  • Legacy system integration, allowing FortiADC to support proprietary or environment-specific login flows.

FortiADC relays client credentials securely to the target authentication endpoint and processes the response to determine authentication success, enabling flexible interoperability across diverse enterprise environments.

SAML

The SAML module allows FortiADC to operate as a SAML 2.0 Service Provider (SP), supporting federated authentication with external Identity Providers (IdPs) such as FortiAuthenticator, Microsoft Entra ID (formerly Azure AD), Okta, and others.

Key technical capabilities include:

  • SSO support — Users authenticate once with the IdP and gain access to multiple SAML-integrated services without repeated credential entry.

  • Metadata exchange — FortiADC supports IdP metadata import and SP metadata export for simplified trust establishment.

  • Assertion validation — FortiADC validates signed SAML assertions, enforces audience restrictions, and maps user attributes (such as group membership or username) to local access policies.

This integration is essential for organizations adopting centralized identity platforms and enabling secure, scalable user access to protected applications through the AAG App Portal or other HTTP/HTTPS services.

For details, see Configure a SAML service provider.
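The assertion validation step listed above (audience restriction, validity window, subject confirmation, attribute extraction), as an added example that is not FortiADC code. It assumes the XML signature has already been verified by an XML-DSig library, which is out of scope here, and applies the remaining checks an SP must make before trusting the assertion's identity data. The IdP entity ID, SP URLs, request ID and the assertion itself are constructed.

```python
# Added example (not FortiADC code): the checks an SP applies to a SAML 2.0 assertion
# after its XML signature has been verified (signature verification needs an XML-DSig
# library and is assumed to have happened already). Issuer, entity IDs, URLs and the
# assertion below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req123"
          Recipient="https://aag.example.com/saml/acs" NotOnOrAfter="2025-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://aag.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>aag-users</saml:AttributeValue>
      <saml:AttributeValue>app-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionInvalid(ValueError):
    """Raised for any failed check; the caller should show a generic login failure."""


def _parse_time(value):
    """SAML timestamps are UTC; return an aware datetime, or None if the attribute is absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, sp_entity_id: str, acs_url: str, expected_issuer: str,
                       request_id: str, now_utc: str, skew_seconds: int = 60) -> dict:
    """Enforce issuer, validity window, audience and subject confirmation; return identity data."""
    now = _parse_time(now_utc)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionInvalid("root element is not a saml:Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise AssertionInvalid("issuer does not match the configured IdP")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionInvalid("missing Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not_before is not None and now + skew < not_before:
        raise AssertionInvalid("assertion not yet valid")
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        raise AssertionInvalid("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise AssertionInvalid("assertion was issued for a different audience")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        raise AssertionInvalid("subject confirmation does not match the outstanding request")
    scd_expiry = _parse_time(scd.get("NotOnOrAfter"))
    if scd_expiry is not None and now - skew >= scd_expiry:
        raise AssertionInvalid("subject confirmation expired")

    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}


def is_valid_assertion(*args, **kwargs) -> bool:
    """Boolean wrapper for callers that only need the decision."""
    try:
        validate_assertion(*args, **kwargs)
        return True
    except AssertionInvalid:
        return False
```

The audience check is the one most often skipped in custom SP code, and it is the check that stops an assertion issued for one SP from being replayed at another SP that trusts the same IdP; `InResponseTo` likewise ties the assertion to a request this SP actually started.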

AD FS Proxy

The AD FS Proxy module enables FortiADC to function as an external proxy for Active Directory Federation Services (AD FS). In this role, FortiADC:

  • Acts as a gateway between clients and the internal AD FS infrastructure.

  • Terminates HTTPS on the DMZ interface while forwarding secure requests to the internal AD FS servers.

  • Ensures federated authentication compatibility for applications relying on AD FS, including those using WS-Federation and SAML protocols.

This is particularly useful in segmented network deployments, where direct access to AD FS is restricted for security reasons, and FortiADC is positioned at the perimeter to securely mediate identity transactions. (Note: AD FS Proxy is not currently supported for AAG portal access.)

OAuth Proxy

The OAuth Proxy module allows FortiADC to integrate with OAuth 2.0 Authorization Servers for token-based access control. Acting as a proxy between the client application and the identity provider (IdP), FortiADC supports:

  • Authorization Code flow for secure client-side authentication.

  • Token introspection to validate bearer tokens (access tokens) with the authorization server.

  • Userinfo endpoint interaction to retrieve user attributes from the IdP (if applicable).

  • Scope enforcement and attribute mapping to align OAuth claims with FortiADC access policies.

This feature is essential for supporting modern authentication platforms like Google Identity, Microsoft Entra ID (via OAuth), and other standards-compliant OAuth 2.0 providers. (Note: OAuth Proxy is not currently supported for AAG portal access.)
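The token introspection, scope enforcement and attribute mapping listed above, as an added example that is not FortiADC code: it shows the introspection request a proxy sends (RFC 7662, authenticated with the proxy's own client credentials), then turns the introspection response into an allow/deny decision by checking `active`, expiry, audience and the required scopes, and maps a claim to user-group names. The authorization-server responses, tokens, client credentials and the `groups` claim are constructed, and the HTTP call is replaced by a lookup table so the example runs offline.

```python
# Added example (not FortiADC code): token introspection (RFC 7662) used as the
# access decision for a proxied request, with scope and audience enforcement.
# The authorization-server responses and client credentials below are constructed;
# the HTTP call itself is replaced by a lookup table so the example runs offline.
import base64
import time
from urllib.parse import urlencode

# Constructed stand-in for the authorization server's introspection endpoint.
_INTROSPECTION_TABLE = {
    "tok-good": {"active": True, "scope": "openid profile app:read", "client_id": "portal-client",
                 "sub": "alice", "aud": ["https://apps.example.com"], "exp": 4102444800,
                 "groups": ["aag-users"]},
    "tok-scope": {"active": True, "scope": "openid", "sub": "bob",
                  "aud": "https://apps.example.com", "exp": 4102444800},
    "tok-expired": {"active": True, "scope": "app:read", "sub": "carol",
                    "aud": "https://apps.example.com", "exp": 946684800},
}


def build_introspection_request(token: str, client_id: str, client_secret: str) -> tuple:
    """Headers and form body for POST to the introspection endpoint; the proxy authenticates
    itself with its client credentials (RFC 7662, section 2.1)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


def introspect(token: str) -> dict:
    """Offline stand-in: an unknown or revoked token is reported as {"active": false}, nothing more."""
    return _INTROSPECTION_TABLE.get(token, {"active": False})


def authorize(introspection: dict, required_scopes: set, expected_audience: str, now: int) -> tuple:
    """Return (allowed, reason). Every check must pass; the reason is for the proxy's own log."""
    if not introspection.get("active"):
        return False, "token inactive"
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = introspection.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    aud = introspection.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)   # aud may be a string or a list
    if expected_audience not in audiences:
        return False, "token issued for another audience"
    granted = set(introspection.get("scope", "").split())
    missing = required_scopes - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"


def map_claims_to_groups(introspection: dict) -> set:
    """Attribute mapping: the constructed 'groups' claim becomes user-group names."""
    return set(introspection.get("groups", []))


def check_request(token: str, required_scopes: set, expected_audience: str, now: int = None) -> dict:
    """End-to-end decision for one proxied request."""
    now = int(time.time()) if now is None else now
    data = introspect(token)
    allowed, reason = authorize(data, required_scopes, expected_audience, now)
    return {"allowed": allowed, "reason": reason,
            "subject": data.get("sub") if allowed else None,
            "groups": map_claims_to_groups(data) if allowed else set()}
```

Introspection is a server-to-server call and the endpoint must require the proxy's client credentials; an unauthenticated introspection endpoint lets anyone holding a token value confirm whether it is live. The detailed `reason` string belongs in the proxy's log, not in the response to the client.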