Remote user sync rules
Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.
To create a new remote LDAP user synchronization rule:
- From the Remote User Sync Rules page, select LDAP users, and select Create New.
- Configure the following settings:
Name Enter a name for the synchronization rule. Remote LDAP Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP. Base distinguished name Base DN of the remote LDAP server that automatically populates when a remote LDAP server is selected above. LDAP filter Optionally, enter an LDAP filter.
Select Set Group Filter to set the LDAP filter. This opens the Set Group Filter window where you can select one or more groups within the tree to build the LDAP filter string. Click Use Filter to confirm the selection.
Once the groups have been selected, the LDAP filter string is set to the proper syntax that filters the selected groups.
The
objectClass
and thememberOf
portion must be set according to the User object class and the Group membership attribute setting of the remote LDAP server configuration respectively. See LDAP.If the LDAP filter is already configured with a non-empty value, selecting Set Group Filter attempts to interpret the LDAP filter value to preselect the already configured groups in the LDAP tree. However, if the LDAP filter value does not match the string generated by Set Group Filter, the existing filter is ignored, and Set Group Filter opens with no preselected groups. Clicking Use Filter overwrites the previous LDAP filter.
Select Test Filter to test that the filter functions as expected. FortiAuthenticator shows an LDAP tree with all the users that match the current remote LDAP server setting (i.e., the users that the sync rule syncs when it runs).
Token-based authentication sync priorities Select the required authentication synchronization priorities.
Drag the priorities up and down in the list change the priority order.Sync as Select to synchronize as a remote LDAP user, remote RADIUS user, or a local user.
In the Synchronization Attributes pane, selecting Local User for Sync as results in FortiAuthenticator generating a unique random password for each user imported from AD/LDAP, and emailing the password to the user.
User Role for new user imports
Select the user role to assign to remote users. Users assigned the role of Administrator are granted full permissions.
Remote RADIUS
Specify a remote RADIUS server to associate the imported users with.
This dropdown allows you to select from a list of RADIUS servers. Select the pen icon to edit the selected RADIUS server, + to create a new RADIUS server, or x to delete the selected RADIUS server.
This setting is available only when Remote RADIUS User is selected as the Sync as option.
See RADIUS.
Sync every
Select the amount of time between synchronizations.
Group to associate users with Optionally, select a group from the dropdown menu with which to associate the users with, or select Create New to create a new user group. See User groups.
When Sync as is set to Remote RADIUS User, this option contains a list of remote RADIUS user groups to choose from.
FortiToken Logo Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
Certificate binding CA
Select CA certificates from the Certificate binding CA dropdown for users who use remote user sync rules.
When the Certificate binding common name field is populated (under LDAP User Mapping Attributes) this field must also be specified.
Sync users to IAM Account
Select an IAM account to synchronize the remote users with.
Email password recovery
When enabled, FortiAuthenticator will enable the email password recovery setting for new and existing remote LDAP users if they also have a valid email address.
When disabled (default), the email password recovery setting will not be available to new or existing remote LDAP users.
Do not delete synced users when they are no longer found on the remote server
Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.
Proceed with rule even when response empty
Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.
Warning: This option should be used with caution. An error from the administrator (e.g. a typo when changing the LDAP query) could cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.
LDAP User Mapping Attributes Optionally, edit the remote LDAP user mapping attributes. Debugging Settings
Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.
Preview Mapping Select to preview the LDAP user sync mappings in a new window. Show Sync Fields Select to view the user fields that will be synchronized. - Select OK to create the new LDAP synchronization rule.
To create a new remote SAML user synchronization rule:
- From the Remote User Sync Rules page, select SAML users, select Create New.
- Configure the following settings:
Name Enter a name for the synchronization rule. Remote SAML server Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML. SAML group Select a group from the SAML server. SAML groups are retrieved dynamically from the server. Token-based authentication sync priorities Select the required authentication synchronization priorities.
Drag the priorities up and down in the list change the priority order.Sync every
Select the amount of time between synchronizations.
Group to associate users with Optionally, select a group from the dropdown menu with which to associate the users with. See User groups. FortiToken Logo Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.
Do not delete synced users when they are no longer found on the remote server
Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.
SAML User Mapping Attributes Optionally, edit the remote SAML user mapping attributes. - Select OK to create the new SAML synchronization rule.