Fortinet Document Library


What's new

FortiAuthenticator version 6.0.0 includes the following new features and enhancements:

GUI update

The FortiAuthenticator GUI has been updated to match the look and feel of FortiOS 6.0.

SAML IdP proxy for cloud identity services

FortiAuthenticator can be configured to act as a SAML Identity Provider (IdP) proxy for cloud identity services, such as G Suite and Azure. The cloud identity service is used as the SAML IdP for authentication and its OAuth/API service for group lookups. This enables the SAML IdP service on FortiAuthenticator to add a two-factor authentication service by acting as an IdP proxy.

Improvements to remote LDAP user synchronization rules

When configuring a remote LDAP user synchronization rule, new options enable you to:

  • Specify which user role (User, Sponsor, Administrator) to assign to imported users. Users assigned the role of Administrator are granted full permissions.
  • Delete all users when an LDAP query result is empty.

OAuth server capability

FortiAuthenticator can act as an authorization server to issue and manage OAuth access tokens via a set of REST API endpoints. An OAuth client is issued an OAuth access token by FortiAuthenticator after successfully providing its login credentials. The OAuth client can then use this access token as proof of authorization to access a third-party service. The third-party service may contact FortiAuthenticator to validate any given OAuth access token.

Use FortiNAC as a source of SSO sessions

FortiAuthenticator can retrieve SSO sessions from FortiNAC servers and use these sessions as a new FSSO source for relay to FortiGate devices. From the SSO Configuration page (Fortinet SSO Methods > SSO > General), you can:

  • Enable FortiNAC SSO.
  • Configure FortiNAC sources.
  • Select one or more FortiNAC sources to use as FSSO sources.

FSSO domain monitor improvements

The SSO domain monitor includes the following improvements:

  • The status of all configured domain controllers is displayed, even ones not reachable during domain exploration. Each domain controller is displayed in:
    • green if the last connection attempt was successful
    • gray if no recent connection information is available
    • red if the last connection attempt failed
  • View recent connection activity for each domain controller.
  • View debug logs generated when performing the domain manager's domain structure discovery.
  • Rebuild the domain structure.

HTTPS/HTTP access controls

More granular HTTPS/HTTP access controls allow you to enable or disable HTTPS/HTTP access for each service on a selected network interface.

Enhanced cryptography for local user password storage

FortiAuthenticator offers the option to use stronger cryptography for the storage of local user passwords, available under General Account Policy Settings (Authentication > User Account Policies > General).

Caution

This option cannot be disabled after 30 days of being enabled. FortiAuthenticator will send an email reminder to the administrator before the end of the 30-day period.

Configurable error pages

The content of error pages can be customized to provide more helpful messages to users. The following error messages are configured on the Replacement Messages page (Authentication > Self-service Portal > Replacement Messages):

  • 500 Internal Server Error
  • 503 Service Unavailable Error
  • 404 Not Found
  • 403 Forbidden

FortiOS Security Fabric integration

FortiAuthenticator supports integration with the Fortinet Security Fabric. Starting in FortiOS 6.2, you can add the following FortiAuthenticator widgets to the FortiOS dashboard:

  • System Information
  • User Inventory
  • Authentication Activity
  • Top User Lookouts

G Suite and Azure group lookup for SAML SP

FortiAuthenticator can dynamically look up G Suite and Azure group memberships for SAML SP FSSO.

Support for additional DC event log types

FortiAuthenticator can now parse Windows security event IDs 4769, 4770, 673 to update the active SSO sessions list. In addition, when DC event log polling is enabled (Fortinet SSO Methods > SSO > General), you can specify which event IDs to use in event log polling.
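As an added illustration (not FortiAuthenticator code) of how a DC event log poller turns Kerberos service-ticket events into SSO session updates while honouring a configurable set of event IDs, the following Python example runs over constructed sample events. The machine-account skip and idle-expiry rules are assumptions made for the example, not documented FortiAuthenticator behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs the release notes list: 4769/4770 (Kerberos service ticket
# requested/renewed, Windows Server 2008+) and 673 (pre-2008 equivalent).
DEFAULT_EVENT_IDS = {4769, 4770, 673}


@dataclass
class DcEvent:
    event_id: int
    account: str      # account name taken from the event
    client_ip: str    # client address taken from the event
    seen_at: datetime


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    DcEvent(4769, "alice", "10.0.0.11", T0),
    DcEvent(4624, "bob", "10.0.0.12", T0 + timedelta(minutes=1)),     # logon event, not enabled here
    DcEvent(673, "carol", "10.0.0.13", T0 + timedelta(minutes=2)),
    DcEvent(4770, "alice", "10.0.0.11", T0 + timedelta(minutes=30)),  # renewal refreshes alice
    DcEvent(4769, "WS01$", "10.0.0.14", T0 + timedelta(minutes=31)),  # machine account, skipped
]


def poll_events(events, sessions=None, enabled_ids=DEFAULT_EVENT_IDS,
                idle_timeout=timedelta(minutes=20)):
    """Return the session table {client_ip: (account, last_seen)} after applying `events`.

    Only events whose ID is in `enabled_ids` (the configurable set) are used.
    Assumptions for this example: machine accounts (trailing '$') are skipped,
    and a session idle longer than `idle_timeout`, measured against the newest
    event seen, is expired.
    """
    sessions = dict(sessions or {})
    latest = None
    for ev in sorted(events, key=lambda e: e.seen_at):
        latest = ev.seen_at if latest is None else max(latest, ev.seen_at)
        if ev.event_id not in enabled_ids or ev.account.endswith("$"):
            continue
        sessions[ev.client_ip] = (ev.account, ev.seen_at)  # new or refreshed session
    if latest is not None:
        sessions = {ip: s for ip, s in sessions.items() if latest - s[1] <= idle_timeout}
    return sessions
```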

Export intermediate CA certificate and private key

You can export the certificate and private key of intermediate Certificate Authorities from the Local CAs page (Certificate Management > Certificate Authorities > Local CAs). This is useful in situations where you want to use the FortiAuthenticator as a Certificate Authority.

Support for Microsoft Azure and Oracle Cloud deployments

FortiAuthenticator VM now supports deployment on Microsoft Azure and Oracle Cloud.

Upgrade FortiAuthenticator firmware through CLI

The following CLI commands have been added to perform firmware upgrades via TFTP or FTP:

execute restore image tftp <filename string> <tftp server>

execute restore image ftp <filename string> <ftp server>[:port] [ftp_user] [ftp_password]