Administration Guide

Selecting the Optimal Authentication Method for AAG

Choosing the appropriate authentication method for FortiADC's Agentless Application Gateway (AAG) is critical for securing access to published applications while ensuring compatibility with existing identity management frameworks. This section provides a structured approach to determining the most suitable authentication mechanism based on user types, security policies, and infrastructure requirements.

Authentication Methods and Deployment Considerations

FortiADC supports multiple authentication mechanisms for AAG access, all enforced through Access Policies. Each authentication method is suited to specific deployment scenarios. The table below outlines the key characteristics of each method:

Authentication Method | Best Suited For | Key Advantages
--- | --- | ---
Local User Authentication | Small-scale or standalone deployments without external authentication infrastructure | Simple configuration and self-contained user management directly on FortiADC. Supports MFA through FortiToken or push approval.
Remote User Authentication (LDAP, RADIUS) | Enterprises with centralized authentication systems such as Active Directory or corporate RADIUS servers | Enables centralized credential management and integration with existing infrastructure. RADIUS-based users can leverage MFA for additional verification.
SAML Authentication | Federated authentication across multiple domains or cloud environments | Seamless login experience via trusted Identity Providers (IdPs), including FortiAuthenticator and Microsoft Entra ID

Multi-factor authentication (MFA) is supported for AAG App Portal login when using Local or RADIUS user authentication.

For other authentication types, MFA can be applied to FortiADC administrative access or managed externally through the identity provider.

Authentication Deployment Considerations

Local User Authentication

Local user accounts are defined and stored directly on FortiADC. This method is suitable for small deployments or administrative access when external identity systems are unavailable. Local users can be assigned to User Groups and linked to App Portals via Access Policies.

  • Pros: Simplifies configuration, requires no external dependencies, and allows MFA enforcement through FortiToken or push notification.

  • Cons: Requires manual user provisioning and offers limited scalability.

For details, see Local User.

LDAP and RADIUS Authentication

AAG integrates with LDAP directories (e.g., Microsoft Active Directory) and RADIUS servers to authenticate users based on corporate credentials. This allows centralized user account management and simplifies integration into existing identity infrastructures.

  • Pros: Supports secure credential validation and dynamic group mapping through Access Policies. RADIUS authentication can also enforce multi-factor authentication (MFA) using FortiToken or push approval.

  • Cons: LDAP authentication does not support MFA for AAG App Portal login. Both methods require connectivity to external servers and rely on network availability for login verification.

For details, see Using an LDAP authentication server and Using a RADIUS authentication server.

SAML-Based Authentication

SAML is the preferred method for organizations using federated identity platforms such as FortiAuthenticator or Microsoft Entra ID (formerly Azure AD). FortiADC acts as a SAML 2.0 Service Provider (SP), redirecting authentication requests to the Identity Provider (IdP).

Benefits:

  • Centralized authentication and single sign-on (SSO)

  • Passwordless experience through external IdP

  • Support for cross-domain identity federation

For details, see Configure an SAML service provider.

Multi-Factor Authentication (MFA) Support

FortiADC supports multi-factor authentication (MFA) for AAG App Portal login when using Local or RADIUS user authentication. After successful primary credential validation, users are prompted for a second factor, such as a FortiToken one-time passcode (OTP) or push notification.

MFA is not available for LDAP or SAML authentication at the AAG App Portal level.

For deployments using these authentication types, MFA can still be applied to FortiADC administrative login or managed externally through the connected identity provider.
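The selection rules above, together with the MFA constraints in this section, can be checked mechanically before an Access Policy is built. The following is an added example (not Fortinet code and not part of this guide) that encodes the capabilities this page states for each method and filters them against a deployment's requirements; the `Requirements` fields and the method names are assumptions chosen for the example.

```python
"""Decision helper for choosing an AAG authentication method (added example,
not Fortinet code). Capability data mirrors the guidance on this page."""
from dataclasses import dataclass

# Capabilities of each method as described in the guide (assumed encoding).
METHODS = {
    "local":  {"portal_mfa": True,  "central_idm": False, "federated": False,
               "needs_external": False, "scales": False},
    "ldap":   {"portal_mfa": False, "central_idm": True,  "federated": False,
               "needs_external": True,  "scales": True},
    "radius": {"portal_mfa": True,  "central_idm": True,  "federated": False,
               "needs_external": True,  "scales": True},
    "saml":   {"portal_mfa": False, "central_idm": True,  "federated": True,
               "needs_external": True,  "scales": True},
}


@dataclass
class Requirements:
    portal_mfa: bool                  # second factor must be enforced at App Portal login
    central_idm: bool                 # users already exist in AD / RADIUS / an IdP
    federated: bool = False           # cross-domain or cloud SSO (Entra ID, FortiAuthenticator)
    external_reachable: bool = True   # FortiADC can reach external authentication servers
    many_users: bool = False          # manual provisioning on FortiADC would not scale


def select_methods(req: Requirements) -> tuple[list[str], dict[str, list[str]]]:
    """Return (methods meeting every hard requirement, reasons the rest were rejected)."""
    accepted, rejected = [], {}
    for name, cap in METHODS.items():
        reasons = []
        if req.portal_mfa and not cap["portal_mfa"]:
            reasons.append("no MFA at AAG App Portal login; MFA must be handled by the IdP or limited to admin access")
        if req.central_idm and not cap["central_idm"]:
            reasons.append("local accounts require manual provisioning on FortiADC")
        if req.federated and not cap["federated"]:
            reasons.append("no cross-domain identity federation")
        if cap["needs_external"] and not req.external_reachable:
            reasons.append("depends on connectivity to an external authentication server")
        if req.many_users and not cap["scales"]:
            reasons.append("limited scalability")
        if reasons:
            rejected[name] = reasons
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, why_not = select_methods(Requirements(portal_mfa=True, central_idm=True, federated=True))
    print("candidates:", ok)          # empty: portal MFA and federation conflict
    for m, r in why_not.items():
        print(f"  {m}: {'; '.join(r)}")
```

An empty candidate list is the useful outcome: it shows a requirement set that no single method satisfies, such as portal-level MFA combined with federation, so the second factor has to move to the IdP.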

Aligning Authentication with Security Policies

Authentication settings should be configured in conjunction with FortiADC’s access control policies, session management rules, and logging mechanisms to ensure a secure and compliant deployment.

By selecting an appropriate authentication method—such as Local User, LDAP, RADIUS, or SAML—and integrating with centralized identity services where applicable, organizations can strengthen authentication workflows and improve user experience in their AAG deployments.