
Administration Guide

FortiAuthenticator 6.4.0

The following list contains new and expanded features added in FortiAuthenticator 6.4.0.

User Portal: LDAP users can set their security questions and answers

FortiAuthenticator now allows LDAP users to set up and edit security questions and answers in the user portal, as local users already could. See Configuring password recovery options.

SAML IdP: Support for multiple domains with O365

FortiAuthenticator now allows configuring the SAML IdP service with a Service Provider (SP) containing multiple IdP prefixes.

When creating or editing a SAML SP in Authentication > SAML IdP > Service Providers, you can configure alternate IdP prefixes.

See Service providers.

SAML IdP and User Portals: FIDO2 authentication

FortiAuthenticator now offers a FIDO (Fast IDentity Online) service for SAML and general API-based authentication.

A new fido field is available in the localusers, ldapusers, and radiususers endpoints; it enables or disables FIDO authentication for local and remote user accounts. For information about the new fido field, see the REST API Solutions Guide.
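As an added example (not code from the Fortinet guide or product), a small Python audit that reads the fido field from one of the user endpoints named above and reports which active accounts still have FIDO disabled. It assumes an API base path of /api/v1/, HTTP Basic authentication with an administrator name and API key, and a response envelope with an objects list; none of those details are stated on this page, and the sample response is constructed.

```python
from __future__ import annotations

import base64
import json
import urllib.request

# Constructed sample of a user-endpoint response (assumed {"meta": ..., "objects": [...]}
# envelope; not captured from a real device). Only the fields used below are included.
SAMPLE_RESPONSE = json.dumps({
    "meta": {"total_count": 3},
    "objects": [
        {"username": "alice", "active": True, "token_auth": True, "fido": True},
        {"username": "bob", "active": True, "token_auth": False, "fido": False},
        {"username": "svc-backup", "active": False, "token_auth": False, "fido": False},
    ],
})


def fetch_users(host: str, admin: str, api_key: str, endpoint: str = "localusers") -> str:
    """Fetch the raw JSON for an endpoint (localusers, ldapusers or radiususers).

    Assumes Basic auth of admin name + API key and the /api/v1/ base path.
    """
    url = f"https://{host}/api/v1/{endpoint}/"
    token = base64.b64encode(f"{admin}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:  # nosec: TLS, authenticated
        return resp.read().decode()


def audit_fido(raw: str, active_only: bool = True) -> dict[str, list[str]]:
    """Split accounts by the fido flag so MFA coverage gaps are visible at a glance."""
    users = json.loads(raw)["objects"]
    report: dict[str, list[str]] = {"fido_enabled": [], "fido_disabled": []}
    for user in users:
        if active_only and not user.get("active", True):
            continue  # disabled accounts cannot log in, so skip them by default
        bucket = "fido_enabled" if user.get("fido") else "fido_disabled"
        report[bucket].append(user["username"])
    return report


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_users(...) for a live device.
    print(json.dumps(audit_fido(SAMPLE_RESPONSE), indent=2))
```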

When creating or editing a local or remote user in Authentication > User Management > Local Users / Remote Users, the following options have been renamed:

  • Password-based authentication to Password authentication.

  • Token-based authentication to One-Time Password (OTP) authentication.

A new FIDO authentication toggle is available that allows using FIDO authenticators. See Local users and Remote users.

The Create New/Edit Remote LDAP User Synchronization Rule window in Authentication > User Management > Remote User Sync Rules now has a new FIDO authentication toggle to enable FIDO authentication for synced user accounts. Also, the Token-based authentication sync priorities option in Synchronization Attributes has been renamed to OTP method assignment priority. See Remote user sync rules.

A new FIDO Revocation toggle is available in the Pre-Login Services pane when creating or editing a portal in Authentication > Portals > Portals, and the Token Revocation toggle has been renamed to FortiToken Revocation. The Post-Login Services pane also has new Allow FIDO token registration/revocation toggles for FIDO token management, shown when Token Registration is enabled. See Portals.

A new FIDO authentication (effective once a token has been registered) toggle is available in the Authentication factors tab when creating or editing a captive portal policy or a self-service portal policy in Authentication > Portals > Policies.

The following options have been renamed in the Authentication factors tab:

  • Mandatory two-factor authentication to Mandatory password and OTP.

  • Verify all configured authentication factors to Every configured password and OTP factors.

  • Password-only authentication to Password-only.

  • Token-only authentication to OTP-only.

The above options were also renamed for RADIUS policies and TACACS+ policies in Authentication > RADIUS Service > Policies and Authentication > TACACS+ Service > Policies respectively.

See Captive portal policies, Self-service portal policies, Policies, and Creating policies.

With the inclusion of FIDO authentication, FortiTokens are no longer the only MFA method that can be self-registered. Therefore, the self-service portal main page now offers a Multi-Factor menu item replacing FortiTokens. The Multi-Factor menu item now offers FIDO token management capabilities.

The following replacement messages related to FIDO authentication have been added to Authentication > Portals > Replacement Messages:

  • FIDO Login Page

  • FIDO Login Password Page

  • User Fido Reset Email Subject

  • User Fido Reset Receipt Email Message

See Replacement messages.

When creating or editing a SAML SP in Authentication > SAML IdP > Service Providers, FIDO-only and Password and FIDO authentication methods are now available.

A new Use FIDO-only authentication if requested by the SP toggle is also available.

The following authentication methods have been renamed:

  • Mandatory two-factor authentication to Mandatory password and OTP.

  • Verify all configured authentication factors to Every configured password and OTP factors.

  • Password-only authentication to Password-only.

  • Token-only authentication to OTP-only.

See Service providers.

The following replacement messages related to FIDO authentication have been added to Authentication > SAML IdP > Replacement Messages:

  • Login Fido Page (username only)

  • Login Fido Password Page

See Replacement messages.

Guest Portal: Restrict groups available to sponsors

When creating or editing a local user group in Authentication > User Management > User Groups, there is a new Guest Group toggle that allows including or excluding this local user group from the list of groups that sponsors can assign to new guest user accounts. See User groups.

Format option for mobile number in SMS gateways

When creating or editing an SMS gateway in System > Messaging > SMS Gateways, you can now specify whether the mobile number is sent as a JSON String or a JSON Number using the Send Mobile Number as option in the HTTP/HTTPS pane. See SMS gateways.

Ability to unlock FTMs in bulk

Using the new Unlock option in the FortiTokens tab available in Authentication > User Management > FortiTokens, you can unlock all the selected FortiTokens at once. See FortiTokens.

Usage Profile: Reset the user's usage

A new Clear option in the Cumulative tab of Monitor > Authentication > RADIUS Sessions clears a user's cumulative RADIUS accounting sessions. See RADIUS sessions.
