Administration Guide

FortiAuthenticator 6.0.0

The following list contains new and expanded features added in FortiAuthenticator 6.0.0.

GUI update

The FortiAuthenticator GUI has been updated to match the look and feel of FortiOS 6.0.

SAML IdP proxy for cloud identity services

FortiAuthenticator can be configured to act as a SAML Identity Provider (IdP) proxy for cloud identity services, such as G Suite and Azure. The cloud identity service is used as the SAML IdP for authentication and its OAuth/API service for group lookups. This enables the SAML IdP service on FortiAuthenticator to add a two-factor authentication service by acting as an IdP proxy.

To configure FortiAuthenticator to act as a SAML IdP proxy:

  1. Under Authentication > Remote Auth. Servers > OAUTH, create a remote OAuth server to perform group lookups.
  2. Under Authentication > Remote Auth. Servers > SAML, configure a remote SAML IdP server.
  3. Under Authentication > User Management > Realms, create a realm for the SAML IdP server.
  4. Under Authentication > SAML IdP > General, enable the SAML IdP service and select the configured realm.
  5. Under Authentication > SAML IdP > Replacement Message, customize the SAML IdP login page to insert the correct URL for the SAML IdP portal.
  6. Under Authentication > SAML IdP > Service Provider, configure the SAML service provider.

Improvements to remote LDAP user synchronization rules

When configuring a remote LDAP user synchronization rule, new options enable you to:

  • Specify which user role (User, Sponsor, Administrator) to assign to imported users. Users assigned the role of Administrator are granted full permissions.
  • Delete all users when an LDAP query result is empty.

Configure a remote LDAP user synchronization rule under Authentication > User Management > Remote User Sync Rules. See Remote user sync rules for more information.

OAuth server capability

FortiAuthenticator can act as an authorization server to issue and manage OAuth access tokens via a set of REST API endpoints. An OAuth client is issued an OAuth access token by FortiAuthenticator after successfully providing its login credentials. The OAuth client can then use this access token as proof of authorization to access a third-party service. The third-party service may contact FortiAuthenticator to validate any given OAuth access token.

Configure OAuth applications under Authentication > OAuth Service > Applications. See OAuth Service for more information.

Use FortiNAC as a source of SSO sessions

FortiAuthenticator can retrieve SSO sessions from FortiNAC servers and use these sessions as a new FSSO source for relay to FortiGate devices. From the SSO Configuration page, you can:

  • Enable FortiNAC SSO.
  • Configure FortiNAC sources.
  • Select one or more FortiNAC sources to use as FSSO sources.

Enable and configure FortiNAC sources to use as FSSO sources under Fortinet SSO Methods > SSO > General. See General settings for more information.

FortiNAC sources can also be configured under System > Administration > FortiNACs.

FSSO domain monitor improvements

The SSO domain monitor includes the following improvements:

  • View the status of all configured domain controllers, including ones not reachable during domain exploration. Each domain controller is displayed in:
    • green if the last connection attempt was successful
    • gray if no recent connection information is available
    • red if the last connection attempt failed
  • View recent connection activity for each domain controller.
  • View debug logs generated when performing the domain manager's domain structure discovery.
  • Rebuild the domain structure.

Monitor SSO domains under Monitor > SSO > Domains.

View FSSO Domain Manager debug logs and rebuild the SSO domain structure from https://<FortiAuthenticator-IP-Address>/debug/domain-manager/.

HTTPS/HTTP access controls

More granular HTTPS/HTTP access controls allow you to enable or disable HTTPS/HTTP access for each service on a selected network interface. Configure network interface access controls under System > Network > Interfaces. See Interfaces for more information.

Enhanced cryptography for local user password storage

FortiAuthenticator offers the option to use stronger cryptography for the storage of local user passwords, available under Authentication > User Account Policies > General. See User account policies for more information.

Caution

This option cannot be disabled after 30 days of being enabled. FortiAuthenticator will send an email reminder to the administrator before the end of the 30-day period.

Configurable error pages

The content of error pages can be customized to provide more helpful messages to users. The following error messages are configured under Authentication > Self-service Portal > Replacement Messages:

  • 500 Internal Server Error
  • 503 Service Unavailable Error
  • 404 Not Found
  • 403 Forbidden

See Replacement messages for more information.

FortiOS Security Fabric integration

FortiAuthenticator supports integration with the Fortinet Security Fabric. Starting in FortiOS 6.2, you can add the following FortiAuthenticator widgets to the FortiOS dashboard:

  • System Information
  • User Inventory
  • Authentication Activity
  • Top User Lockouts

G Suite and Azure group lookup for SAML SP

FortiAuthenticator can dynamically look up G Suite and Azure group memberships for SAML SP FSSO.

To configure dynamic lookup of user group memberships, create a remote OAuth server that connects to G Suite or Azure under Authentication > Remote Auth. Servers > OAUTH. See OAUTH for more information.

Support for additional DC event log types

FortiAuthenticator can now parse Windows security event IDs 4769, 4770, and 673 to update the active SSO sessions list. In addition, when DC event log polling is enabled under Fortinet SSO Methods > SSO > General, you can specify which event IDs to use in event log polling. See General settings for more information.
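The filtering logic that this feature implies, as an added Python illustration that is not FortiAuthenticator's own code: a configurable allow-list of event IDs decides which polled DC records update the active-session table, with the newest record per client IP winning. The DcEvent record layout, the machine-account rule and the sample events are assumptions constructed for the example.

```python
"""Illustrative DC event-log polling filter that maintains an SSO session table.
Added example, not FortiAuthenticator's own code: it models the behaviour
described above (only a configurable set of Windows security event IDs
updates the active-session list). The sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# Kerberos service-ticket events listed as session evidence:
# 4769 = service ticket requested, 4770 = service ticket renewed (2008+ format),
# 673 = service ticket granted (legacy pre-2008 format).
DEFAULT_EVENT_IDS: FrozenSet[int] = frozenset({4769, 4770, 673})

@dataclass(frozen=True)
class DcEvent:
    event_id: int
    account: str     # e.g. "CORP\\alice"; machine accounts end with "$"
    client_ip: str   # address the ticket request came from
    timestamp: int   # epoch seconds

def is_user_account(account: str) -> bool:
    """Machine accounts (trailing '$') are not SSO users (assumed policy)."""
    return not account.rstrip().endswith("$")

def update_sessions(sessions: Dict[str, Tuple[str, int]], events: Iterable[DcEvent],
                    event_ids: FrozenSet[int] = DEFAULT_EVENT_IDS) -> Dict[str, Tuple[str, int]]:
    """Return a new {client_ip: (account, last_seen)} table. Only events whose ID
    is in `event_ids` count, and for one IP the newest event wins, so an
    out-of-order older record cannot overwrite a fresher session."""
    table = dict(sessions)
    for ev in events:
        if ev.event_id not in event_ids or not is_user_account(ev.account):
            continue
        prev = table.get(ev.client_ip)
        if prev is None or ev.timestamp >= prev[1]:
            table[ev.client_ip] = (ev.account, ev.timestamp)
    return table

# Constructed sample poll: a TGT request (4768) outside the allow-list, a
# machine-account ticket, and an out-of-order older ticket for 10.0.0.5.
SAMPLE_EVENTS = [
    DcEvent(4769, "CORP\\alice", "10.0.0.5", 100),
    DcEvent(4768, "CORP\\bob", "10.0.0.6", 101),
    DcEvent(4770, "CORP\\WS01$", "10.0.0.7", 102),
    DcEvent(673, "CORP\\carol", "10.0.0.5", 103),
    DcEvent(4770, "CORP\\alice", "10.0.0.5", 90),
]
```

Narrowing `event_ids` to the IDs you actually trust is the equivalent of the polling setting described above; anything outside the set never touches the session table.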

Export intermediate CA certificate and private key

You can export the certificate and private key of intermediate Certificate Authorities under Certificate Management > Certificate Authorities > Local CAs. This is useful in situations where you want to use the FortiAuthenticator as a Certificate Authority. See Local CAs for more information.

Support for Microsoft Azure and Oracle Cloud deployments

FortiAuthenticator VM now supports deployment on Microsoft Azure and Oracle Cloud.

Upgrade FortiAuthenticator firmware through CLI

The following CLI commands have been added to perform firmware upgrades via FTP/TFTP:

execute restore image tftp <filename string> <tftp server>
execute restore image ftp <filename string> <ftp server>[:port] [ftp_user] [ftp_password]

See Upgrading the firmware for more information.
