FortiAuthenticator user management

FortiAuthenticator acts as the SAML IdP, authenticating users against Windows AD. Before they can be referenced from the SAML IdP configuration, the LDAP connection, the user realm, and the user groups must be configured.

Configuring multiple user groups is optional. In this example, two groups are used so that only users who are members of the Sales or Finance group pass authentication.

To configure an LDAP remote authentication server on FortiAuthenticator:
  1. Go to Authentication > Remote Auth. Servers > LDAP, and select Create New.
  2. Configure the LDAP server settings to connect to the Windows AD as shown in the screenshot.

  3. Click OK.
To configure a user realm on FortiAuthenticator:
  1. Go to Authentication > User Management > Realms and select Create New.
  2. Name the realm.
  3. In User source, from the dropdown, select the recently created LDAP server.
  4. Click OK.
To configure user groups on FortiAuthenticator:
  1. Go to Authentication > User Management > User Groups and select Create New.
  2. To create a user group for Sales:
    1. In Name, enter Sales.
    2. Set the Type as Remote LDAP.
    3. From the Remote LDAP dropdown, select the recently created LDAP server.
    4. In LDAP filter, specify an LDAP filter using an LDAP query.

      To select users who are memberOf the Sales group, enter

      (&(objectclass=user)(memberOf=CN=Sales,CN=Users,DC=fortiad,DC=info))

    5. Click OK.
  3. To create a user group for Finance:
    1. In Name, enter Finance.
    2. Set the Type as Remote LDAP.
    3. From the Remote LDAP dropdown, select the recently created LDAP server.
    4. In LDAP filter, specify an LDAP filter using an LDAP query.

      To select users who are memberOf the Finance group, enter

      (&(objectclass=user)(memberOf=CN=Finance,CN=Users,DC=fortiad,DC=info))

    5. Click OK.

The filters above will not match a user whose primary group is set to Sales or Finance. Windows AD exposes a user's primary group only through the primaryGroupID attribute (the RID of that group); the primary group is never listed in memberOf, so a memberOf-only filter silently misses such users.
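The following is an added example, not Fortinet code, for checking the two filters offline before trusting them on the SAML IdP. It evaluates the page's memberOf filter, and a variant that also matches on primaryGroupID, against a constructed directory snapshot; the user entries and the group RIDs (1105 and 1106) are made up, and FortiAuthenticator is assumed to pass the LDAP filter field through to AD unchanged.

```python
"""Offline check of the Sales/Finance LDAP filters against constructed AD entries.
Added example, not Fortinet code. Entries and RIDs below are made up."""
from __future__ import annotations

SALES_DN = "CN=Sales,CN=Users,DC=fortiad,DC=info"
FINANCE_DN = "CN=Finance,CN=Users,DC=fortiad,DC=info"
SALES_RID = "1105"    # assumed; in AD the RID is the last sub-authority of the group's objectSid
FINANCE_RID = "1106"  # assumed

# Constructed AD entries. AD never lists a user's primary group in memberOf;
# it is carried only by primaryGroupID. 513 is the well-known Domain Users RID.
_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [
    {"dn": "CN=alice,CN=Users,DC=fortiad,DC=info", "objectClass": _USER_CLASSES,
     "memberOf": [SALES_DN], "primaryGroupID": "513"},
    {"dn": "CN=bob,CN=Users,DC=fortiad,DC=info", "objectClass": _USER_CLASSES,
     "memberOf": [], "primaryGroupID": SALES_RID},        # Sales is bob's primary group
    {"dn": "CN=carol,CN=Users,DC=fortiad,DC=info", "objectClass": _USER_CLASSES,
     "memberOf": [FINANCE_DN], "primaryGroupID": "513"},
    {"dn": "CN=dave,CN=Users,DC=fortiad,DC=info", "objectClass": _USER_CLASSES,
     "memberOf": ["CN=Engineering,CN=Users,DC=fortiad,DC=info"], "primaryGroupID": "513"},
]


def memberof_filter(group_dn: str) -> str:
    """The filter exactly as the page gives it: direct memberOf match only."""
    return f"(&(objectclass=user)(memberOf={group_dn}))"


def group_filter(group_dn: str, group_rid: str) -> str:
    """Same filter, extended to also catch users whose primary group is group_dn."""
    return f"(&(objectclass=user)(|(memberOf={group_dn})(primaryGroupID={group_rid})))"


def _parse(s: str, i: int):
    """Recursive-descent parse of an RFC 4515 filter subset (&, |, !, attr=value).
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [node]), i + 1
    end = s.index(")", i)  # DN values here contain no parentheses
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry. AD matches objectClass,
    DN-valued and integer attributes case-insensitively, so compare lower-cased."""
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    present = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    values = present if isinstance(present, list) else [present]
    return any(str(v).lower() == value.lower() for v in values)


def search(filter_str: str, directory=DIRECTORY) -> list[str]:
    """Return the DNs in `directory` selected by `filter_str`."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    for name, dn, rid in (("Sales", SALES_DN, SALES_RID), ("Finance", FINANCE_DN, FINANCE_RID)):
        print(f"{name:8} memberOf only : {search(memberof_filter(dn))}")
        print(f"{name:8} with primary  : {search(group_filter(dn, rid))}")
```

Running it shows bob, whose primary group is Sales, selected only by the extended filter. To use the extended form in FortiAuthenticator, look up the real RID of each group (on a domain controller, the last component of `(Get-ADGroup Sales).SID`) and enter the resulting filter in the same LDAP filter field.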
