Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

FortiAuthenticator 6.1.0

The following list contains new and expanded features added in FortiAuthenticator 6.1.0.

REST API: Enforce permissions

Admin profiles are enforced when administrating the FortiAuthenticator via the REST API. The permissions required for each endpoint must match the permissions of the equivalent form(s) in the GUI.

See the REST API Solutions Guide for more information.

REST API: Statistics & logging

Add logs and/or statistics on FortiAuthenticator to allow profiling of the REST API usage.

See the REST API Solutions Guide for more information.

SAML IdP: Enhanced SP signature options

The following enhancements have been made to SAML Service Providers:

  • During SAML SP configuration, when SAML request must be signed by SP is enabled, the certificate type can be configured as:
    • SP certificate: The SP request is signed by the specified certificate (default behavior prior to 6.1.0).
    • Direct CA certificate: The SP request must contain the certificate fingerprint that was used to sign the request, and the certificate must be issued by the CA specified in the configuration.
  • The fingerprint algorithm Use ACS URL from SP authentication request can be enabled to indicate that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the preconfigured ACS URL.
  • You can configure an alternative certificate fingerprint for SP and CA certificates. FortiAuthenticator will accept requests with valid signatures from either configured certificate.

SAML IdP: Single logout

FortiAuthenticator supports single logout for SAML IdP, causing logout from one SP to trigger logout from all other configured service providers.

Single logout for SAML IdP is configured in Authentication > SAML IdP > Service Providers. Alternative SLS URLs can be configured through the Alternative ACS URLs menu.

IdP-initiated SAML

Support has been added for IdP-initiated SAML authentication on FortiAuthenticator.

SAML IdP-initiated authentication works as follows:
  1. A user attempts to access the IdP login portal, resulting in one of two possibilities:
    • The user's browser is already authenticated by the IdP. Proceed to step 2.
    • The user's browser is not yet authenticated by the IdP. The IdP requests and validates the user's credentials. If successful, go to step 2. Otherwise, access is denied.
  2. The user is presented with an IdP portal landing page that includes a list of the SPs participating in IdP-initiated login. The user selects a service provider.
  3. IdP generates the SAML assertions for the browser and sends it to the SP.
  4. The SP receives the assertions and authenticates the user, resulting in one of two possibilities:
    • The user is authorized, and the SP provides the requested resource to the user.
    • The user is not authorized, and access to the SP is denied.

OCSP and CRL distribution URLs for intermediate CA certificates

OCSP and/or CRL distribution URLs can be enabled for intermediate CA certificates.

Prompt administrator password change on first login

During initial setup of the FortiAuthenticator, administrators are required to create a non-blank password.

Dual two-factor authentication for remote user sync rules

The Dual (Email and SMS) option is now available in the list of token-based authentication sync priorities when creating or editing a remote user sync rule.

Additional configurations synchronized in HA load-balancing

The following additional configurations are synchronized between the standalone primary and load balancer in an HA load-balancing configuration.

  • Certificates included in:
    • Certificate Management > End Entities > Local Services, excluding firmware (Fortinet) certificates.
    • Certificate Management > Certificate Authorities > Local CAs, including firmware (Fortinet) certificates.
  • SAML configurations:
    • IdP settings configured in Authentication > SAML IdP > General.
      Realm tables are not synchronized, but the default realm selection (radio button) is.
    • SP settings configured in Authentication > SAML IdP > Service Providers.
  • Administrators with Sync in HA Load Balancing mode enabled.

The current synchronization status of the standalone primary to load balancer can be viewed at Dashboard > HA Status.

NetHSM Support

Support has been added for using the Safenet Luna HSM with FortiAuthenticator for the following purposes:

  • Storing the private keys of local CAs.
  • Issuing (i.e. signing) user and local service certificates with local CAs that have their private key stored on the NetHSM.

HSM servers can be configured at System > Administration > NetHSMs.

Wizard-based authentication policies

The GUI has been streamlined for configuring RADIUS services and Portals, and a new setup wizard has been introduced for authentication policies. This update only impacts the GUI and does not remove or introduce new RADIUS or Portal configuration options. When upgrading from a version prior to 6.1.0, RADIUS Services and Guest Portals settings are configured to the corresponding 6.1.2 menus.

Guest Portals:

  • Authentication > Guest Portals has been renamed to Portals.
  • Authentication > Guest Portals > General has been renamed to FortiWLC Pinholes.
  • Authentication > Guest Portals > Rules has been renamed to Policies.
  • Portal authentication logic now resides in Authentication > Portals > Policies.

RADIUS Service:

  • Authentication > RADIUS Services > Policies has been added as a new configuration menu.
  • RADIUS authentication logic now resides in Authentication > RADIUS Service > Policies.

FortiAuthenticator 6.1.0

The following list contains new and expanded features added in FortiAuthenticator 6.1.0.

REST API: Enforce permissions

Admin profiles are enforced when administrating the FortiAuthenticator via the REST API. The permissions required for each endpoint must match the permissions of the equivalent form(s) in the GUI.

See the REST API Solutions Guide for more information.

REST API: Statistics & logging

Add logs and/or statistics on FortiAuthenticator to allow profiling of the REST API usage.

See the REST API Solutions Guide for more information.

SAML IdP: Enhanced SP signature options

The following enhancements have been made to SAML Service Providers:

  • During SAML SP configuration, when SAML request must be signed by SP is enabled, the certificate type can be configured as:
    • SP certificate: The SP request is signed by the specified certificate (default behavior prior to 6.1.0).
    • Direct CA certificate: The SP request must contain the certificate fingerprint that was used to sign the request, and the certificate must be issued by the CA specified in the configuration.
  • The fingerprint algorithm Use ACS URL from SP authentication request can be enabled to indicate that the ACS URL must be included within the SP request, and that the FortiAuthenticator must use it instead of the preconfigured ACS URL.
  • You can configure an alternative certificate fingerprint for SP and CA certificates. FortiAuthenticator will accept requests with valid signatures from either configured certificate.

SAML IdP: Single logout

FortiAuthenticator supports single logout for SAML IdP, causing logout from one SP to trigger logout from all other configured service providers.

Single logout for SAML IdP is configured in Authentication > SAML IdP > Service Providers. Alternative SLS URLs can be configured through the Alternative ACS URLs menu.

IdP-initiated SAML

Support has been added for IdP-initiated SAML authentication on FortiAuthenticator.

SAML IdP-initiated authentication works as follows:
  1. A user attempts to access the IdP login portal, resulting in one of two possibilities:
    • The user's browser is already authenticated by the IdP. Proceed to step 2.
    • The user's browser is not yet authenticated by the IdP. The IdP requests and validates the user's credentials. If successful, go to step 2. Otherwise, access is denied.
  2. The user is presented with an IdP portal landing page that includes a list of the SPs participating in IdP-initiated login. The user selects a service provider.
  3. IdP generates the SAML assertions for the browser and sends it to the SP.
  4. The SP receives the assertions and authenticates the user, resulting in one of two possibilities:
    • The user is authorized, and the SP provides the requested resource to the user.
    • The user is not authorized, and access to the SP is denied.

OCSP and CRL distribution URLs for intermediate CA certificates

OCSP and/or CRL distribution URLs can be enabled for intermediate CA certificates.

Prompt administrator password change on first login

During initial setup of the FortiAuthenticator, administrators are required to create a non-blank password.

Dual two-factor authentication for remote user sync rules

The Dual (Email and SMS) option is now available in the list of token-based authentication sync priorities when creating or editing a remote user sync rule.

Additional configurations synchronized in HA load-balancing

The following additional configurations are synchronized between the standalone primary and load balancer in an HA load-balancing configuration.

  • Certificates included in:
    • Certificate Management > End Entities > Local Services, excluding firmware (Fortinet) certificates.
    • Certificate Management > Certificate Authorities > Local CAs, including firmware (Fortinet) certificates.
  • SAML configurations:
    • IdP settings configured in Authentication > SAML IdP > General.
      Realm tables are not synchronized, but the default realm selection (radio button) is.
    • SP settings configured in Authentication > SAML IdP > Service Providers.
  • Administrators with Sync in HA Load Balancing mode enabled.

The current synchronization status of the standalone primary to load balancer can be viewed at Dashboard > HA Status.

NetHSM Support

Support has been added for using the Safenet Luna HSM with FortiAuthenticator for the following purposes:

  • Storing the private keys of local CAs.
  • Issuing (i.e. signing) user and local service certificates with local CAs that have their private key stored on the NetHSM.

HSM servers can be configured at System > Administration > NetHSMs.

Wizard-based authentication policies

The GUI has been streamlined for configuring RADIUS services and Portals, and a new setup wizard has been introduced for authentication policies. This update only impacts the GUI and does not remove or introduce new RADIUS or Portal configuration options. When upgrading from a version prior to 6.1.0, RADIUS Services and Guest Portals settings are configured to the corresponding 6.1.2 menus.

Guest Portals:

  • Authentication > Guest Portals has been renamed to Portals.
  • Authentication > Guest Portals > General has been renamed to FortiWLC Pinholes.
  • Authentication > Guest Portals > Rules has been renamed to Policies.
  • Portal authentication logic now resides in Authentication > Portals > Policies.

RADIUS Service:

  • Authentication > RADIUS Services > Policies has been added as a new configuration menu.
  • RADIUS authentication logic now resides in Authentication > RADIUS Service > Policies.