Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.0.2 Administration Guide
    6.0.2
    6.6.2
    6.6.1
    6.6.0
    6.5.6
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    Remote authentication servers

    Remote authentication servers

    If you already have LDAP or RADIUS servers configured on your network, FortiAuthenticator can connect to them for remote authentication, much like FortiOS remote authentication.

    General

    Go to Authentication > Remote Auth. Servers > General to edit general settings for remote LDAP and RADIUS authentication servers.

    Remote LDAP

    Enter the number of seconds between 1-3600 (or one second to one hour) for the LDAP server response and status cache timeouts.

    Remote RADIUS

    Select whether the remote RADIUS server requires case sensitive usernames.

    LDAP

    If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote LDAP servers.

    When entering the remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    note icon

    FortiAuthenticator supports multiple Windows AD server forests, with a maximum of 20 remote LDAP servers with Windows AD enabled.

    To view all information about your multiple servers, go to Monitor > Authentication > Windows AD.
    To add a remote LDAP server entry:
    1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New. The Create New LDAP Server window opens.

    2. Enter the following information.
      3. Name Enter the name for the remote LDAP server on FortiAuthenticator.
      Primary server name/IP Enter the IP address or FQDN for this remote server.
      Port Enter the port number.
      Use secondary server Select to use a secondary server. The secondary server name/IP and port must be entered.
      Secondary server name/IP Enter the IP address or FQDN for the secondary remote server. This option is only available when Use secondary server is selected.
      Secondary port Enter the port number for the secondary server. This option is only available when Use secondary server is selected.
      Base distinguished name Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters.
      You can also select the browse button to view and select the DN on the LDAP server.
      Bind Type

      The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.

      • Simple: bind using the user’s password which is sent to the server in plaintext without a search.
      • Regular: bind using the user’s DN and password and then search.

      If the user records fall under one directory, you can use Simple bind type. But Regular is required to allow a search for a user across multiple domains.
      Add supported domain names (used only if this is not a Windows Active Directory server) Select to enter multiple domain names for remote LDAP server configurations. The FortiAuthenticator can then identify the domain that users on the LDAP server belong to.
    3. If you want to want to import a specific LDAP system's template, under Query Elements, enter the following:
      4. Pre-defined templates Select a pre-defined template from the dropdown menu: Microsoft Active Directory, OpenLDAP, or Novell eDirectory.
      User object class The type of object class to search for a user name search. The default is person.
      Username attribute The LDAP attribute that contains the user name. The default is sAMAccountName.
      Group object class The type of object class to search for a group name search. The default is group.
      Obtain group memberships from The LDAP attribute (either user or group) used to obtain group membership. The default is User attribute.
      Group membership attribute Used as the attribute to search for membership of users or groups in other groups.
      Force use of administrator account for group membership lookups Enabling this feature prevents non-admin users from searching their own attributes even after successful binding. This feature has been implemented to enhance Oracle-based ODSEE LDAP support.
    4. If you want to have a secure connection between FortiAuthenticator and the remote LDAP server, under Secure Connection, select Enable, then enter the following:
      5. Protocol Select LDAPS or STARTLS as the LDAP server requires.
      CA Certificate Select the CA certificate that verifies the server certificate from the dropdown menu.

      Use Client Certificate for TLS Authentication

      Enable to select a client certificate to use to authenticate a TLS connection with the secure remote LDAP server.
    5. If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information.
      6. Kerberos realm name Enter the domain’s DNS name in uppercase letters.
      Domain NetBIOS name Enter the domain’s DNS prefix in uppercase letters.
      FortiAuthenticator NetBIOS name Enter the NetBIOS name that identifies FortiAuthenticator as a domain member.
      Administrator username

      Enter the name of the user account that's used to associate FortiAuthenticator with the domain. This user must have at least domain user privileges.

      To configure an Active Directory user with the minimum privileges needed to join an AD domain, see Configure minimum privilege Windows AD user account.
      Administrator password Enter the administrator account’s password.

      When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether authentication is available for all Windows AD users or only for Windows AD users who belong to particular user groups that you select. See RADIUS service for more information.

    6. If you want to import remote LDAP users, under Remote LDAP Users, select either Import users or Import users by group memberships and click Go. A separate window opens where you may specify the LDAP server, apply filters, and attributes. Select Configure user attributes to edit the following LDAP user mapping attributes:
      7. Username

      Enter the remote LDAP user's name.
      First name Enter the attribute that specifies the user's first name. Set to givenName by default.
      Last name Enter the attribute that specifies the user's last name. Set to sn by default.
      Email Enter the attribute that specifies the user's email address. Set to mail by default.
      Phone Enter the attribute that specifies the user's number. Set to telephoneNumber by default.
      Mobile number Enter the attribute that specifies the user's mobile number. Set to mobile by default.
      FTK-200 serial number Enter the remote LDAP user's FortiToken serial number.
      Certificate binding common name

      Enter the remote LDAP user's certificate-binding CN. When this field is populated, the Certificate binding CA must also be specified.
      Certificate binding CA

      Local or trusted CAs to apply for the remote LDAP user. Must be specified if the Certificate binding common name is populated.
    7. Select OK to apply your changes.

      8. You can now add remote LDAP users, as described in Remote users.

    Configure minimum privilege Windows AD user account

    To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.

    1. In the Active Directory, create a user account with the following options selected:
      • User cannot change password
      • Password never expires
    2. In Active Directory Users and Computers, right-click the container under which you want the computers added, then click Delegate Control.
      The Delegation of Control Wizard opens.
    3. Click Next.
    4. Click Add, then enter the user account created in step 1.
    5. Click Next.
    6. Select Create custom task to delegate, then click Next.
    7. Select Only the following objects in the folder, and then select Computer objects.
    8. Select Create selected objects in this folder, then click Next.
    9. Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
    10. Click Next, then click Finish.

    Remote LDAP password change

    Windows AD users can conveniently change their passwords without provision changes being made to the network by a Windows AD system administrator. There are three ways FortiAuthenticator supports a password change: RADIUS login, GUI user login, and GUI user portal.

    RADIUS login:

    For the method to work, all of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain.
    • RADIUS client has been configured to "Use Windows AD domain authentication".
    • RADIUS authentication request uses MS-CHAPv2.
    • RADIUS client must also support MS-CHAPv2 password change.

    A "change password" response is produced that FortiAuthenticator will recognize, which allows cooperation between the NAS and the Windows AD server that will result in a password change.

    GUI user login:

    For this method to work, one of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain
    • Secure LDAP is enabled and the LDAP admin (i.e. regular bind) has the permissions to reset user passwords

    You must log in via the GUI portal. FortiAuthenticator will validate the user password against a Windows AD server. The Windows AD server returns with a change password response. If that happens, the user is prompted to enter a new password.

    GUI user portal:

    For this method to work, one of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain.
    • Secure LDAP is enabled.

    After successfully logging into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.

    RADIUS

    If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

    When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    To add a remote RADIUS server entry:
    1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
    2. Enter the following information, then select OK to add the RADIUS server.
      3. Name Enter the name for the remote RADIUS server on FortiAuthenticator.
      Preferred auth. method Select from either MSCHAPv2 (by default), MSCHAP, CHAP, or PAP.
      Timeout

      Enter a timeout in seconds between 1-60 seconds (3 by default).

      Note that a high timeout may impact the processing rate of authentication requests if the remote RADIUS server becomes unresponsive.
      Primary Server Enter the server name or IP address, port, and secret in the fields provided to configure the primary server.
      Secondary Server Optionally, add redundancy by configuring a secondary server.
      User Migration

      Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator.

      Select View Learned Users to view the list of learned users. See Learned RADIUS users.

    OAUTH

    FortiAuthenticator can be configured to connect to remote OAuth servers to dynamically look up group memberships from third-party SAML identify providers, such as G Suite and Azure, for SAML SP FSSO.

    To add a remote OAuth Server:
    1. Go to Authentication > Remote Auth. Servers > OAUTH and select Create New.

      2. The Create New Remote OAuth Server window appears.

    2. Enter the following information:
      3. Name Enter the name for the remote OAuth server on FortiAuthenticator.
      OAuth source

      Select Facebook, Google, LinkedIn, Twitter, Azure Directory, or G Suite Directory as the OAuth source.

      For Facebook, Google, LinkedIn, and Twitter, enter the Key and Secret for the selected OAuth source.

      For Azure Directory, enter the Client ID and Client Key for the Azure Directory.

      For G Suite Directory, enter the G-suite admin and select and upload the Service account key file (.json) for the G Suite Directory.

      Key

      Enter the OAuth application key for the selected OAuth source. This option is only available when Facebook, Google, LinkedIn, or Twitter is selected as an OAuth source.

      Secret

      Enter the OAuth application secret for the selected OAuth source .This option is only available when Facebook, Google, LinkedIn, or Twitter is selected as an OAuth source.

      Client ID

      Enter the application ID for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as an OAuth source.

      Client Key

      Enter the key for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as an OAuth source.

      G-suite admin

      Enter the G Suite admin username for the G Suite Directory application. This option is only available when G Suite Directory is selected as an OAuth source.

      Service account key file (.json)

      Select and upload the service account key file for the G Suite Directory application, obtained from the Google developers portal. This option is only available when G Suite Directory is selected as an OAuth source.
    3. Select OK to add the remote OAuth server.

    SAML

    To add a remote SAML Server:
    1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

      2. The Create New Remote SAML Server window appears.

    2. Enter the following information:
      3. Name Enter a name for the remote SAML server.
      Description Enter a description for the remote SAML server.
      Device FQDN The FQDN of the configured device from the system dashboard.
      Show IDP proxy URLs Click to display the IDP proxy portal URL, Entity ID, and ACS (login) URL.
      Show IDP server URLs Click to display the IDP server portal URL, Entity ID, and ACS (login) URL.
      URL Nomenclature

      Select the method to determine the URL path of the SAML service provider.

      • Individualize:Enable to include the name of the SAML service provider in the URL path.
      • Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity providers.
      Portal URL

      The SAML service provider login URL.
      Entity ID

      The SAML service provider Entity ID.
      ACS (login) URL

      The SAML service provider Assertion Consumer Service (ACS) login URL.
      Import IDP metadata/certificate

      Select to import the SAML IdP metadata or certificate file.

      IDP entity ID

      Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

      https://idp_name.example.edu/idp

      IDP single sign-on URL Enter the identity provider portal URL you want to use for SSO.
      IDP certificate fingerprint

      Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.

      Use the following OpenSSL command:

      $ openssl x509 -noout -fingerprint -in "server.crt"

      Example result, showing the fingerprint:

      SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

      Fingerprint algorithm The SAML portal by default uses SHA-256.
      Sign SAML requests with a local certificate Select to choose a local SAML certificate.
      Single Logout
      Enable SAML single logout Select to enable SLS (logout) URL and set IDP single logout URL.
      Username

      Obtain username from

      Select the method to extract usernames:

      • Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
      • Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example: email
      Group Membership

      Obtain group membership from

      Most SAML IdP services will return the username in the Subject NameID assertion, however not all IdP services are consistent. FSSO requires group membership of each user with an active SSO session while different SAML IDP services require different methods of retrieving the group information. Before now, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.

      Select the method to extract usernames:

      • SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.
      • LDAP lookup: Enable and select the LDAP server to obtain group memberships.
      • Cloud: Enable and select the OAuth server and group field to obtain group memberships.
      Implicit group membership Select to choose a local group the retrieved SAML users are placed into.
    3. Select OK to add the remote SAML server.
    Previous
    Next

    Remote authentication servers

    Remote authentication servers

    If you already have LDAP or RADIUS servers configured on your network, FortiAuthenticator can connect to them for remote authentication, much like FortiOS remote authentication.

    General

    Go to Authentication > Remote Auth. Servers > General to edit general settings for remote LDAP and RADIUS authentication servers.

    Remote LDAP

    Enter the number of seconds between 1-3600 (or one second to one hour) for the LDAP server response and status cache timeouts.

    Remote RADIUS

    Select whether the remote RADIUS server requires case sensitive usernames.

    LDAP

    If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote LDAP servers.

    When entering the remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    note icon

    FortiAuthenticator supports multiple Windows AD server forests, with a maximum of 20 remote LDAP servers with Windows AD enabled.

    To view all information about your multiple servers, go to Monitor > Authentication > Windows AD.
    To add a remote LDAP server entry:
    1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New. The Create New LDAP Server window opens.

    2. Enter the following information.
      3. Name Enter the name for the remote LDAP server on FortiAuthenticator.
      Primary server name/IP Enter the IP address or FQDN for this remote server.
      Port Enter the port number.
      Use secondary server Select to use a secondary server. The secondary server name/IP and port must be entered.
      Secondary server name/IP Enter the IP address or FQDN for the secondary remote server. This option is only available when Use secondary server is selected.
      Secondary port Enter the port number for the secondary server. This option is only available when Use secondary server is selected.
      Base distinguished name Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters.
      You can also select the browse button to view and select the DN on the LDAP server.
      Bind Type

      The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.

      • Simple: bind using the user’s password which is sent to the server in plaintext without a search.
      • Regular: bind using the user’s DN and password and then search.

      If the user records fall under one directory, you can use Simple bind type. But Regular is required to allow a search for a user across multiple domains.
      Add supported domain names (used only if this is not a Windows Active Directory server) Select to enter multiple domain names for remote LDAP server configurations. The FortiAuthenticator can then identify the domain that users on the LDAP server belong to.
    3. If you want to want to import a specific LDAP system's template, under Query Elements, enter the following:
      4. Pre-defined templates Select a pre-defined template from the dropdown menu: Microsoft Active Directory, OpenLDAP, or Novell eDirectory.
      User object class The type of object class to search for a user name search. The default is person.
      Username attribute The LDAP attribute that contains the user name. The default is sAMAccountName.
      Group object class The type of object class to search for a group name search. The default is group.
      Obtain group memberships from The LDAP attribute (either user or group) used to obtain group membership. The default is User attribute.
      Group membership attribute Used as the attribute to search for membership of users or groups in other groups.
      Force use of administrator account for group membership lookups Enabling this feature prevents non-admin users from searching their own attributes even after successful binding. This feature has been implemented to enhance Oracle-based ODSEE LDAP support.
    4. If you want to have a secure connection between FortiAuthenticator and the remote LDAP server, under Secure Connection, select Enable, then enter the following:
      5. Protocol Select LDAPS or STARTLS as the LDAP server requires.
      CA Certificate Select the CA certificate that verifies the server certificate from the dropdown menu.

      Use Client Certificate for TLS Authentication

      Enable to select a client certificate to use to authenticate a TLS connection with the secure remote LDAP server.
    5. If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information.
      6. Kerberos realm name Enter the domain’s DNS name in uppercase letters.
      Domain NetBIOS name Enter the domain’s DNS prefix in uppercase letters.
      FortiAuthenticator NetBIOS name Enter the NetBIOS name that identifies FortiAuthenticator as a domain member.
      Administrator username

      Enter the name of the user account that's used to associate FortiAuthenticator with the domain. This user must have at least domain user privileges.

      To configure an Active Directory user with the minimum privileges needed to join an AD domain, see Configure minimum privilege Windows AD user account.
      Administrator password Enter the administrator account’s password.

      When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether authentication is available for all Windows AD users or only for Windows AD users who belong to particular user groups that you select. See RADIUS service for more information.

    6. If you want to import remote LDAP users, under Remote LDAP Users, select either Import users or Import users by group memberships and click Go. A separate window opens where you may specify the LDAP server, apply filters, and attributes. Select Configure user attributes to edit the following LDAP user mapping attributes:
      7. Username

      Enter the remote LDAP user's name.
      First name Enter the attribute that specifies the user's first name. Set to givenName by default.
      Last name Enter the attribute that specifies the user's last name. Set to sn by default.
      Email Enter the attribute that specifies the user's email address. Set to mail by default.
      Phone Enter the attribute that specifies the user's number. Set to telephoneNumber by default.
      Mobile number Enter the attribute that specifies the user's mobile number. Set to mobile by default.
      FTK-200 serial number Enter the remote LDAP user's FortiToken serial number.
      Certificate binding common name

      Enter the remote LDAP user's certificate-binding CN. When this field is populated, the Certificate binding CA must also be specified.
      Certificate binding CA

      Local or trusted CAs to apply for the remote LDAP user. Must be specified if the Certificate binding common name is populated.
    7. Select OK to apply your changes.

      8. You can now add remote LDAP users, as described in Remote users.

    Configure minimum privilege Windows AD user account

    To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.

    1. In the Active Directory, create a user account with the following options selected:
      • User cannot change password
      • Password never expires
    2. In Active Directory Users and Computers, right-click the container under which you want the computers added, then click Delegate Control.
      The Delegation of Control Wizard opens.
    3. Click Next.
    4. Click Add, then enter the user account created in step 1.
    5. Click Next.
    6. Select Create custom task to delegate, then click Next.
    7. Select Only the following objects in the folder, and then select Computer objects.
    8. Select Create selected objects in this folder, then click Next.
    9. Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
    10. Click Next, then click Finish.

    Remote LDAP password change

    Windows AD users can conveniently change their passwords without provision changes being made to the network by a Windows AD system administrator. There are three ways FortiAuthenticator supports a password change: RADIUS login, GUI user login, and GUI user portal.

    RADIUS login:

    For the method to work, all of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain.
    • RADIUS client has been configured to "Use Windows AD domain authentication".
    • RADIUS authentication request uses MS-CHAPv2.
    • RADIUS client must also support MS-CHAPv2 password change.

    A "change password" response is produced that FortiAuthenticator will recognize, which allows cooperation between the NAS and the Windows AD server that will result in a password change.

    GUI user login:

    For this method to work, one of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain
    • Secure LDAP is enabled and the LDAP admin (i.e. regular bind) has the permissions to reset user passwords

    You must log in via the GUI portal. FortiAuthenticator will validate the user password against a Windows AD server. The Windows AD server returns with a change password response. If that happens, the user is prompted to enter a new password.

    GUI user portal:

    For this method to work, one of the following conditions must be met:

    • FortiAuthenticator has joined the Windows AD domain.
    • Secure LDAP is enabled.

    After successfully logging into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.

    RADIUS

    If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote RADIUS servers. This feature can also be used to migrate away from third-party two-factor authentication platforms.

    When entering the remote RADIUS server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.
    To add a remote RADIUS server entry:
    1. Go to Authentication > Remote Auth. Servers > RADIUS and select Create New. The Create New RADIUS Server window opens.
    2. Enter the following information, then select OK to add the RADIUS server.
      3. Name Enter the name for the remote RADIUS server on FortiAuthenticator.
      Preferred auth. method Select from either MSCHAPv2 (by default), MSCHAP, CHAP, or PAP.
      Timeout

      Enter a timeout in seconds between 1-60 seconds (3 by default).

      Note that a high timeout may impact the processing rate of authentication requests if the remote RADIUS server becomes unresponsive.
      Primary Server Enter the server name or IP address, port, and secret in the fields provided to configure the primary server.
      Secondary Server Optionally, add redundancy by configuring a secondary server.
      User Migration

      Select Enable learning mode to record and learn users that authenticate against this RADIUS server. This option should be enabled if you need to migrate users from the server to the FortiAuthenticator.

      Select View Learned Users to view the list of learned users. See Learned RADIUS users.

    OAUTH

    FortiAuthenticator can be configured to connect to remote OAuth servers to dynamically look up group memberships from third-party SAML identify providers, such as G Suite and Azure, for SAML SP FSSO.

    To add a remote OAuth Server:
    1. Go to Authentication > Remote Auth. Servers > OAUTH and select Create New.

      2. The Create New Remote OAuth Server window appears.

    2. Enter the following information:
      3. Name Enter the name for the remote OAuth server on FortiAuthenticator.
      OAuth source

      Select Facebook, Google, LinkedIn, Twitter, Azure Directory, or G Suite Directory as the OAuth source.

      For Facebook, Google, LinkedIn, and Twitter, enter the Key and Secret for the selected OAuth source.

      For Azure Directory, enter the Client ID and Client Key for the Azure Directory.

      For G Suite Directory, enter the G-suite admin and select and upload the Service account key file (.json) for the G Suite Directory.

      Key

      Enter the OAuth application key for the selected OAuth source. This option is only available when Facebook, Google, LinkedIn, or Twitter is selected as an OAuth source.

      Secret

      Enter the OAuth application secret for the selected OAuth source .This option is only available when Facebook, Google, LinkedIn, or Twitter is selected as an OAuth source.

      Client ID

      Enter the application ID for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as an OAuth source.

      Client Key

      Enter the key for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as an OAuth source.

      G-suite admin

      Enter the G Suite admin username for the G Suite Directory application. This option is only available when G Suite Directory is selected as an OAuth source.

      Service account key file (.json)

      Select and upload the service account key file for the G Suite Directory application, obtained from the Google developers portal. This option is only available when G Suite Directory is selected as an OAuth source.
    3. Select OK to add the remote OAuth server.

    SAML

    To add a remote SAML Server:
    1. Go to Authentication > Remote Auth. Servers > SAML and select Create New.

      2. The Create New Remote SAML Server window appears.

    2. Enter the following information:
      3. Name Enter a name for the remote SAML server.
      Description Enter a description for the remote SAML server.
      Device FQDN The FQDN of the configured device from the system dashboard.
      Show IDP proxy URLs Click to display the IDP proxy portal URL, Entity ID, and ACS (login) URL.
      Show IDP server URLs Click to display the IDP server portal URL, Entity ID, and ACS (login) URL.
      URL Nomenclature

      Select the method to determine the URL path of the SAML service provider.

      • Individualize:Enable to include the name of the SAML service provider in the URL path.
      • Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity providers.
      Portal URL

      The SAML service provider login URL.
      Entity ID

      The SAML service provider Entity ID.
      ACS (login) URL

      The SAML service provider Assertion Consumer Service (ACS) login URL.
      Import IDP metadata/certificate

      Select to import the SAML IdP metadata or certificate file.

      IDP entity ID

      Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:

      https://idp_name.example.edu/idp

      IDP single sign-on URL Enter the identity provider portal URL you want to use for SSO.
      IDP certificate fingerprint

      Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.

      Use the following OpenSSL command:

      $ openssl x509 -noout -fingerprint -in "server.crt"

      Example result, showing the fingerprint:

      SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9

      Fingerprint algorithm The SAML portal by default uses SHA-256.
      Sign SAML requests with a local certificate Select to choose a local SAML certificate.
      Single Logout
      Enable SAML single logout Select to enable SLS (logout) URL and set IDP single logout URL.
      Username

      Obtain username from

      Select the method to extract usernames:

      • Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
      • Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example: email
      Group Membership

      Obtain group membership from

      Most SAML IdP services will return the username in the Subject NameID assertion, however not all IdP services are consistent. FSSO requires group membership of each user with an active SSO session while different SAML IDP services require different methods of retrieving the group information. Before now, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.

      Select the method to extract usernames:

      • SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.
      • LDAP lookup: Enable and select the LDAP server to obtain group memberships.
      • Cloud: Enable and select the OAuth server and group field to obtain group memberships.
      Implicit group membership Select to choose a local group the retrieved SAML users are placed into.
    3. Select OK to add the remote SAML server.
    Previous
    Next