Administration Guide

FortiAuthenticator 6.4.4

The following list contains new and expanded features added in FortiAuthenticator 6.4.4.

New encryption/decryption key field in the backup and restore related REST API endpoint

The recovery endpoint now includes the key field. See the REST API Solutions Guide.

Zero trust tunnels

FortiAuthenticator introduces zero trust tunnels. FortiAuthenticator can form a zero trust tunnel (SSLVPN) to a remote zero trust server, e.g., a FortiGate.

The tunnels allow FortiAuthenticator to securely access TCP-based on-premise services from the public internet.

You can also configure zero trust tunnels to access an on-premise LDAP/AD server.

A new Zero Trust Tunnels tab in System > Network is used to configure zero trust tunnels. See Zero trust tunnels.

A new Use Zero Trust tunnel toggle, available when creating or editing an LDAP server in Authentication > Remote Auth. Servers > LDAP, configures a remote LDAP server to use a zero trust tunnel.

If a zero trust tunnel is enabled for the secondary server:

  • FortiAuthenticator attempts to connect to the primary server. If zero trust is enabled for the primary server, then FortiAuthenticator uses the zero trust tunnel associated with the primary server.

  • When FortiAuthenticator is unable to reach the primary server, it attempts to use the secondary server. FortiAuthenticator then uses the zero trust tunnel associated with the secondary server.

See LDAP.
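The primary/secondary order above, combined with the per-server tunnel toggle, is easy to get wrong in a monitoring script that tries to reproduce what the appliance will do. The following is an added example written for this page, not FortiAuthenticator code; the server names, addresses, tunnel name and the `tunnel_up`/`host_reachable` probes are constructed, and the event strings only mirror the three log events listed in the notes. Each server is reached through its own tunnel when its toggle is on, and directly otherwise; a server whose toggle is on but has no tunnel assigned is treated as a misconfiguration and skipped rather than contacted directly.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LdapServer:
    """Remote LDAP server entry; `tunnel` is only consulted when the toggle is on."""
    name: str
    host: str
    use_zero_trust_tunnel: bool = False
    tunnel: Optional[str] = None


@dataclass
class Selection:
    server: Optional[LdapServer]
    tunnel: Optional[str]
    events: list = field(default_factory=list)  # log lines the attempt produced


def select_ldap_path(primary: Optional[LdapServer], secondary: Optional[LdapServer],
                     tunnel_up: Callable[[str], bool],
                     host_reachable: Callable[[str], bool]) -> Selection:
    """Try primary, then secondary. A server with the toggle enabled is reached
    only through its own tunnel (never directly); otherwise it is contacted
    directly. Returns the chosen path plus the log events of the attempt."""
    events: list = []
    for server in (primary, secondary):
        if server is None:
            continue
        if server.use_zero_trust_tunnel:
            if not server.tunnel:
                # Toggle on but no tunnel assigned: fail closed, do not fall back to direct.
                events.append(f"{server.name}: zero trust tunnel enabled but none assigned")
                continue
            if tunnel_up(server.tunnel):
                events.append(f"Bring up a zero trust tunnel ({server.tunnel}) for {server.name}")
                return Selection(server, server.tunnel, events)
            events.append(f"Unable to bring up a zero trust tunnel ({server.tunnel}) for {server.name}")
            continue
        if host_reachable(server.host):
            return Selection(server, None, events)
        events.append(f"{server.name}: {server.host} unreachable, failing over")
    return Selection(None, None, events)


# Constructed sample environment (hypothetical names and addresses, not from the page).
TUNNELS_UP = {"branch-dc-tunnel"}
HOSTS_UP = {"10.0.0.5"}

PRIMARY = LdapServer("dc-primary", "10.0.0.4")  # direct connection, currently down
SECONDARY = LdapServer("dc-secondary", "192.168.10.4",
                       use_zero_trust_tunnel=True, tunnel="branch-dc-tunnel")


def demo_failover() -> Selection:
    """Primary unreachable directly, secondary reachable through its tunnel."""
    return select_ldap_path(PRIMARY, SECONDARY,
                            tunnel_up=lambda t: t in TUNNELS_UP,
                            host_reachable=lambda h: h in HOSTS_UP)


if __name__ == "__main__":
    sel = demo_failover()
    print(sel.server.name if sel.server else None, sel.tunnel)
    for line in sel.events:
        print(line)
```

The probes are deliberately injected so the selection logic can be tested without a network; in a real health check they would be a TCP connect to the host and a query of the tunnel state.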

The following actions now generate log events in FortiAuthenticator:

  • Bring up a zero trust tunnel

  • Bring down a zero trust tunnel

  • Unable to bring up a zero trust tunnel

FortiMail integration

When creating or editing local and remote user accounts in Authentication > User Management, the following new fields are included in the User Information pane:

  • Birthdate

  • Company

  • Department

  • Display name

  • Postal code (only in local user accounts)

  • Title

See Local users and Remote users.

The CSV file-based import/export of local users uses a new format. See Local users.

Remote user sync rules in Authentication > User Management now include the following new fields in the LDAP User Mapping Attributes pane:

  • Company

  • Department

  • Display name

  • Title

See Remote user sync rules.

The LDAP server configured in Authentication > LDAP Service now offers the following attributes for the users in its directory:

  • alternatemail: String of comma-separated email addresses from the "Alternative email addresses" table

  • birthdate: Birthdate field

  • company: Company field

  • c: Country

  • custom1: Custom1 field

  • custom2: Custom2 field

  • custom3: Custom3 field

  • department: Department field

  • displayname: Display name field

  • l: City or locality (e.g. Burnaby)

  • mobiletelephonenumber: Mobile number field

  • postaladdress: String of aggregated address fields in the format: "<Street address>, <City>, <State/Province> <Zip/Postal code> <Country>"

  • postalCode: Postal or zip code

  • st: State or province (e.g. BC)

  • street: Street address (e.g. 4190 Still Creek Dr.)

  • telephonenumber: Phone number field

  • title: Title field

For the LDAP server, FortiAuthenticator now supports password changes in compliance with RFC 3062.
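RFC 3062 defines password changes as an LDAP extended operation (OID 1.3.6.1.4.1.4203.1.11.1) whose request value is a BER-encoded SEQUENCE of optional userIdentity, oldPasswd and newPasswd fields. The encoder, the RFC 4511 ExtendedRequest wrapper and the strict decoder below are an added example for this page, not FortiAuthenticator code; the DN and passwords used in the demo are constructed. The decoder is written the way a server-side parser should be: it rejects unknown tags, duplicated or out-of-order fields, indefinite lengths and trailing bytes instead of silently accepting them.

```python
# RFC 3062 Password Modify: BER encoding of the request value, the RFC 4511
# ExtendedRequest wrapper, and a strict decoder for the request value.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific primitive tags from the RFC 3062 ASN.1 module.
TAG_USER_IDENTITY, TAG_OLD_PASSWD, TAG_NEW_PASSWD = 0x80, 0x81, 0x82
TAG_SEQUENCE, TAG_INTEGER = 0x30, 0x02
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed
TAG_REQUEST_NAME, TAG_REQUEST_VALUE = 0x80, 0x81


def _ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_uint(n: int) -> bytes:
    """Non-negative INTEGER; an extra byte keeps the sign bit clear (e.g. 128 -> 00 80)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _tlv(TAG_INTEGER, body)


def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }"""
    inner = b""
    for tag, value in ((TAG_USER_IDENTITY, user_identity),
                       (TAG_OLD_PASSWD, old_passwd),
                       (TAG_NEW_PASSWD, new_passwd)):
        if value is not None:
            inner += _tlv(tag, value.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, inner)


def encode_extended_request(message_id: int, request_value: bytes) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0], requestValue [1] } }"""
    ext = (_tlv(TAG_REQUEST_NAME, PASSWD_MODIFY_OID.encode("ascii"))
           + _tlv(TAG_REQUEST_VALUE, request_value))
    return _tlv(TAG_SEQUENCE, _ber_uint(message_id) + _tlv(TAG_EXTENDED_REQUEST, ext))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos); rejects truncated or indefinite-length input."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if first & 0x80:
        nbytes = first & 0x7F
        if pos + nbytes > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("value runs past end of buffer")
    return tag, data[pos:pos + length], pos + length


def decode_passwd_modify_request(data: bytes) -> dict:
    """Strict decoder: known tags only, each at most once, in order, no trailing bytes."""
    tag, inner, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity", TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    fields, pos, last_tag = {}, 0, 0
    while pos < len(inner):
        tag, value, pos = _read_tlv(inner, pos)
        if tag not in names:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        if tag <= last_tag:
            raise ValueError("duplicate or out-of-order field")
        fields[names[tag]] = value.decode("utf-8")
        last_tag = tag
    return fields


if __name__ == "__main__":
    # Constructed sample DN and passwords, not real credentials.
    req = encode_passwd_modify_request("uid=alice,ou=people,dc=example,dc=com", "Old-pass-1", "New-pass-2")
    print(encode_extended_request(1, req).hex())
    print(decode_passwd_modify_request(req))
```

Both passwords travel as plain OCTET STRINGs inside the request, so this operation is only acceptable over TLS (LDAPS or StartTLS); RFC 3062 itself makes that requirement, and a directory that accepts it over a cleartext session is exposing the old and new password to anyone on the path.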

New SNMP related endpoints

New snmpgeneral, snmp, and snmp/[id]/hosts endpoints. See REST API Solutions Guide.

Client certificate authentication for SMS gateways

A new Client Certificate authorization type for the TLS connection is available in System > Messaging > SMS Gateways when creating or editing an SMS gateway. See SMS gateways.

Admin can configure any OTP delivery method

When creating or editing a local or remote user, the administrator can now specify the source of tokens using the new Deliver token codes from option in One-Time Password (OTP) authentication.

The previously available options in One-Time Password (OTP) authentication remain available when Deliver token codes from is set to FortiAuthenticator.

When Deliver token codes from is set to FortiToken Cloud, the administrator can now specify token delivery options.

A new Show delivery options option shows the token code delivery options when editing a local or remote user account with FortiToken Cloud OTP enabled.

See Local users and Remote users.

When creating or editing a remote user sync rule in Authentication > User Management > Remote User Sync Rules, FortiAuthenticator now offers the following FortiToken Cloud options in the Synchronization Attributes pane:

  • FortiToken Cloud - Default

  • FortiToken Cloud - FortiToken Mobile

  • FortiToken Cloud - FortiToken Hardware

  • FortiToken Cloud - Email

  • FortiToken Cloud - SMS

FortiToken Cloud: Sync all remote user account changes

FortiAuthenticator updates FortiToken Cloud when a remote user configured for FortiToken Cloud MFA is updated.

The following updates to the remote user configuration are synced to FortiToken Cloud:

  • Existing remote FortiAuthenticator user with FortiToken Cloud MFA configured is deleted from FortiAuthenticator.

  • Existing remote FortiAuthenticator user with FortiToken Cloud MFA configured has an email address change.

  • Existing remote FortiAuthenticator user with FortiToken Cloud MFA configured has a mobile number change.

The above applies to all FortiAuthenticator remote users, including remote users modified or deleted as a result of changes in the remote user synchronization rules.
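Because a sync rule run can rewrite or drop many remote users at once, an operator auditing what the appliance will push to FortiToken Cloud needs to know exactly which differences count. The following diff function is an added example for this page, not FortiAuthenticator code: it compares two snapshots of the remote user table and emits only the three change types listed above (deletion, e-mail change, mobile number change) for users that have FortiToken Cloud MFA configured, ignoring every other attribute and every user without FTC MFA. The user records and the `ftc_mfa` flag are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RemoteUser:
    username: str
    email: str
    mobile: str
    ftc_mfa: bool  # FortiToken Cloud MFA configured for this user (constructed flag)


SyncEvent = Tuple[str, str, Optional[str]]  # (event, username, new value or None)


def ftc_sync_events(before: Dict[str, RemoteUser], after: Dict[str, RemoteUser]) -> List[SyncEvent]:
    """Return the updates that must be pushed to FortiToken Cloud between two
    snapshots: only deletions, e-mail changes and mobile changes of users that
    had FTC MFA configured. Other attribute changes, and users without FTC MFA,
    produce nothing, whether they were edited by hand or by a sync rule."""
    events: List[SyncEvent] = []
    for name, old in sorted(before.items()):
        if not old.ftc_mfa:
            continue
        new = after.get(name)
        if new is None:
            events.append(("delete", name, None))
            continue
        if new.email != old.email:
            events.append(("email", name, new.email))
        if new.mobile != old.mobile:
            events.append(("mobile", name, new.mobile))
    return events


# Constructed snapshots as a sync-rule run might produce them (not from the page).
BEFORE = {
    "alice": RemoteUser("alice", "alice@example.test", "+15550100", ftc_mfa=True),
    "bob":   RemoteUser("bob", "bob@example.test", "+15550101", ftc_mfa=True),
    "carol": RemoteUser("carol", "carol@example.test", "+15550102", ftc_mfa=False),
    "dave":  RemoteUser("dave", "dave@example.test", "+15550103", ftc_mfa=True),
}
AFTER = {
    "alice": RemoteUser("alice", "alice.new@example.test", "+15550100", ftc_mfa=True),
    "bob":   RemoteUser("bob", "bob@example.test", "+15550199", ftc_mfa=True),
    # carol was dropped by the sync rule but had no FTC MFA: nothing to push
    # dave was dropped by the sync rule and had FTC MFA: FortiToken Cloud must be told
}


def demo_sync() -> List[SyncEvent]:
    return ftc_sync_events(BEFORE, AFTER)


if __name__ == "__main__":
    for event in demo_sync():
        print(event)
```

A practical use is reconciliation: run the diff against the FortiToken Cloud side after a large sync-rule change and alert on any user whose deletion or contact-detail change did not arrive there, since a stale e-mail or mobile number at the token provider means codes are delivered to an address the user no longer controls.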
