
Administration Guide

Remote user sync rules

Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.

To create a new remote LDAP user synchronization rule:
  1. From the Remote User Sync Rules page, select LDAP users, and select Create New.
  2. Configure the following settings:

    Name
      Enter a name for the synchronization rule.

    Remote LDAP
      Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP.

    Base distinguished name
      The base DN of the remote LDAP server. This field is populated automatically when a remote LDAP server is selected above.

    LDAP filter
      Optionally, enter an LDAP filter. Select Test Filter to check that the filter functions as expected.

    Token-based authentication sync priorities
      Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.

    Sync every
      Select the amount of time between synchronizations.

    Sync as
      Select whether to synchronize as a remote user or as a local user. Selecting either option opens a dialog box displaying the user fields that are synchronized for that selection.

    User Role
      Select the user role to assign to remote users. Users assigned the Administrator role are granted full permissions.

    Group to associate users with
      Optionally, select a group from the dropdown menu with which to associate the users, or select Create New to create a new user group. See User groups.

    Organization
      Optionally, select an organization from the dropdown menu with which to associate the users, or select Create New to create a new organization. See Organizations.

    Email password recovery
      When enabled, FortiAuthenticator enables the email password recovery setting for new and existing remote LDAP users who also have a valid email address.
      When disabled (default), the email password recovery setting is not available to new or existing remote LDAP users.

    Certificate binding CA
      The CA used for certificate binding of users created by remote user sync rules. When the Certificate binding common name field is populated (under LDAP User Mapping Attributes), this field must also be specified.

    Do not delete synced users when they are no longer found on the remote server
      Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    Proceed with rule even when response empty
      Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when the synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.

      Warning: Use this option with caution. An administrator error (for example, a typo when changing the LDAP query) can cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.

    LDAP User Mapping Attributes
      Optionally, edit the remote LDAP user mapping attributes.

    Debugging Settings
      Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.

    Preview Mapping
      Select to preview the LDAP user sync mappings in a new window.

    Show Sync Fields
      Select to view the user fields that will be synchronized.

  3. Select OK to create the new LDAP synchronization rule.
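The two delete-related options above are mutually exclusive, and the warning on Proceed with rule even when response empty describes a real failure mode: a mistyped filter that returns nothing is indistinguishable from a group that has genuinely been emptied. The following Python is an added example, not FortiAuthenticator code, that models how a sync run reconciles the remote result set against previously synced local users under each option, and adds a shape check on the filter string in the spirit of the Test Filter button. The rule and result classes, the user names and the filters are all constructed for illustration.

```python
"""Added example (not FortiAuthenticator code): a model of how the two
delete-related sync rule options interact with an empty LDAP response,
plus a cheap filter syntax check in the spirit of the Test Filter button.
All names, user sets and filters below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncRule:
    """Hypothetical model of one remote LDAP user sync rule."""
    name: str
    # "Do not delete synced users when they are no longer found on the remote server"
    keep_missing_users: bool = False
    # "Proceed with rule even when response empty"
    proceed_when_empty: bool = False

    def __post_init__(self):
        # The GUI only offers each option while the other is disabled; enforce the same constraint.
        if self.keep_missing_users and self.proceed_when_empty:
            raise ValueError("keep_missing_users and proceed_when_empty are mutually exclusive")


@dataclass
class SyncResult:
    added: frozenset
    deleted: frozenset
    skipped: bool = False  # True when the rule was not applied at all
    reason: str = ""


def reconcile(rule: SyncRule, remote_users, local_synced_users) -> SyncResult:
    """Compute the adds/deletes one sync run would apply to the local user store."""
    remote = frozenset(remote_users)
    local = frozenset(local_synced_users)
    if not remote and not rule.proceed_when_empty:
        # Default behaviour: an empty response is treated as suspect and nothing is changed.
        return SyncResult(frozenset(), frozenset(), skipped=True,
                          reason="empty LDAP response; rule not applied")
    added = remote - local
    deleted = frozenset() if rule.keep_missing_users else local - remote
    return SyncResult(added, deleted)


# A filter leaf must start with an attribute description followed by a comparison operator.
_LEAF = re.compile(r"^[A-Za-z][\w.;-]*\s*(=|~=|>=|<=)")


def filter_is_well_formed(ldap_filter: str) -> bool:
    """Shape check only: balanced parentheses and an attribute/operator in every leaf.
    It catches the kind of typo the page warns about; it does not prove the filter matches anyone."""
    s = ldap_filter.strip()
    if not (s.startswith("(") and s.endswith(")")):
        return False
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    if depth != 0:
        return False
    leaves = re.findall(r"\(([^()]*)\)", s)
    return bool(leaves) and all(_LEAF.match(leaf) for leaf in leaves)


def safe_sync(rule: SyncRule, ldap_filter: str, remote_users, local_synced_users) -> SyncResult:
    """Refuse to apply the rule at all when the filter does not even parse."""
    if not filter_is_well_formed(ldap_filter):
        return SyncResult(frozenset(), frozenset(), skipped=True, reason="malformed LDAP filter")
    return reconcile(rule, remote_users, local_synced_users)


if __name__ == "__main__":
    local = {"alice", "bob", "dave"}  # constructed: users synced on a previous run
    good_filter = "(&(objectClass=person)(memberOf=CN=Staff,DC=example,DC=com))"
    typo_filter = "(&(objectClass=person)(memberOf=CN=Staff,DC=example,DC=com)"  # missing ')'

    default_rule = SyncRule("staff-default")
    print(safe_sync(default_rule, good_filter, {"alice", "bob", "carol"}, local))
    print(safe_sync(default_rule, good_filter, set(), local))  # skipped, nobody deleted
    print(safe_sync(default_rule, typo_filter, set(), local))  # skipped before any change

    risky_rule = SyncRule("staff-proceed-when-empty", proceed_when_empty=True)
    print(reconcile(risky_rule, set(), local))  # deletes alice, bob and dave
```

With the defaults, an empty response leaves the local users untouched, which is the safe outcome when the cause is a broken query. Only the rule with proceed_when_empty set deletes every previously synced user on an empty response, which is exactly the scenario the warning describes.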
To create a new remote SAML user synchronization rule:
  1. From the Remote User Sync Rules page, select SAML users, and select Create New.
  2. Configure the following settings:

    Name
      Enter a name for the synchronization rule.

    Remote SAML server
      Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML.

    SAML group
      Select a group from the SAML server. SAML groups are retrieved dynamically from the server.

    Token-based authentication sync priorities
      Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.

    Sync every
      Select the amount of time between synchronizations.

    Group to associate users with
      Optionally, select a group from the dropdown menu with which to associate the users. See User groups.

    Organization
      Optionally, select an organization from the dropdown menu with which to associate the users, or select Create New to create a new organization. See Organizations.

    Do not delete synced users when they are no longer found on the remote server
      Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    SAML User Mapping Attributes
      Optionally, edit the remote SAML user mapping attributes.

  3. Select OK to create the new SAML synchronization rule.
