What's new

FortiAuthenticator version 6.5.2 includes the following enhancements:

SAML IdP: Optional CAPTCHA input

FortiAuthenticator now offers an optional CAPTCHA step in the SAML IdP login workflow after a configurable number of failed login attempts from the same source IP address.

A new Enable captcha on SAML IdP login toggle is available in the IP Lockout Policy Settings pane when setting up the user lockout policy in Authentication > User Account Policies > Lockouts.

Using the new Display captcha after field, you can set the number of failed login attempts from the same source IP address, after which the CAPTCHA challenge must be completed to log in. Set Display captcha after to 0 to require users to complete the CAPTCHA challenge on every login.

In Authentication > SAML IdP > General, a read-only Captcha option displays the current state of the CAPTCHA setting from Lockouts. Using the pen icon, you can edit the CAPTCHA setting in Lockouts.

The following SAML IdP login replacement messages in Authentication > SAML IdP > Replacement Messages have been modified to include the CAPTCHA image and field:

  • Login Username and Password Page

  • IAM Login Page

  • Login Fido Password Page

New remote TACACS+ server

FortiAuthenticator now supports setting up a remote TACACS+ server.

You can now add remote TACACS+ users to FortiAuthenticator. These users are restricted to the Administrator role for administrative access to the FortiAuthenticator.

Single Sign-On for SSOMA trusted endpoints

FortiAuthenticator now allows SAML IdP login without entering a username and password, even when no IdP session exists, provided the endpoint runs the ZTNA agent and SSOMA, which reports to the FortiAuthenticator FSSO module.

The General page in Authentication > SAML IdP includes the following new options:

  • Trusted endpoint single sign-on: When enabled, SSOMA endpoints can log in without reentering username and password.

    The username login page includes a new Trusted Endpoint Single Sign-On button that allows single sign-on for trusted endpoints when Trusted endpoint single sign-on is enabled.

    Note: The legacy login page does not offer the new Trusted Endpoint Single Sign-On button.

  • Listening port: Trusted endpoints open a TLS connection to this TCP port to present their client certificate to the FortiAuthenticator.

  • Enforce MFA: When enabled, FortiAuthenticator enforces the token-based settings configured for the SP during trusted endpoint single sign-on. When disabled, token-based verification is bypassed for trusted endpoints.

  • Enforce IP matching: When enabled, the source IP address of the endpoint connecting to the listening port must match one of the IP addresses reported by SSOMA for trusted endpoint authentication to succeed. Disable this option only where the check cannot hold, for example when the endpoint is on a private network and its connection to the FortiAuthenticator is NAT'ed; with it disabled, the IP addresses reported by SSOMA are no longer tied to the endpoint that presents the certificate.

Portals: Modernized look

FortiAuthenticator now offers a modern look for every web portal page. The modernized portal web pages have a more responsive design.

SmartConnect for Android 11 and above

The self-service portal now offers the following:

  • The legacy SmartConnect application to end-users with Android OS 10 and earlier.

  • The FortiGuest SmartConnect application to end-users with Android OS 11 if the SmartConnect profile is configured for WPA2-Personal/PSK or WPA2-Enterprise/PEAP.

  • The legacy SmartConnect application to end-users with Android OS 11 if the SmartConnect profile is configured for something other than WPA2-Personal/PSK or WPA2-Enterprise/PEAP.

  • CA certificate download links for Signing CA certificate(s), Local CA certificate(s), and Trusted CA certificate(s) to end-users with Android OS 11 and above, provided these are configured in the SmartConnect profile.

New profiler tool for FastAPI debugging

FortiAuthenticator now includes a profiler tool.

In the extended debug logs, a new Enable FastAPI Debug Mode button is available when FastAPI is selected in Log Categories > Web Server.

OAuth: Configurable expiry for refresh tokens

FortiAuthenticator now offers the ability to specify an expiry period for refresh tokens.

FortiAuthenticator records the expiry when it issues a refresh token. If the expiry period is configured as 0, the refresh token never expires; a finite expiry limits how long a leaked refresh token remains usable. FortiAuthenticator does not issue a new OAuth token in exchange for an expired refresh token.

If the supplied refresh token has expired and the /oauth/token/ endpoint is called with grant_type=refresh_token, it now returns HTTP 400 Bad Request.

When creating a relying party in Authentication > OAuth Service > Relying Party, a new Refresh token expiry field is available. Using the Refresh token expiry field, you can set the amount of time for which the issued refresh token is valid upon authorization.
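
The refresh-token lifecycle described above, as an added Go example (not FortiAuthenticator code): a hypothetical in-memory token server records an absolute expiry when it issues a refresh token, treats a configured expiry of 0 as never expiring, and answers grant_type=refresh_token with 400 Bad Request once the token has expired. The TokenServer type, its token value formats and the ReauthorizeOnExpiry helper are assumptions made for this example; the 400 status and the invalid_grant error code follow RFC 6749 section 5.2.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RefreshToken is the per-token state the server keeps: the relying party it
// was issued to and the instant it stops being usable. A zero Expiry means the
// token never expires, which is what a "Refresh token expiry" of 0 selects.
type RefreshToken struct {
	Client string
	Expiry time.Time
}

// TokenError is an OAuth 2.0 token-endpoint error (RFC 6749 section 5.2):
// the HTTP status to send and the "error" code carried in the JSON body.
type TokenError struct {
	Status int
	Code   string
}

func (e *TokenError) Error() string { return fmt.Sprintf("%d %s", e.Status, e.Code) }

// TokenServer is a hypothetical in-memory stand-in for the OAuth service
// (an assumption for this example, not FortiAuthenticator code).
type TokenServer struct {
	RefreshTTL time.Duration           // per-relying-party "Refresh token expiry"; 0 = never
	Now        func() time.Time        // injected clock so expiry is testable without sleeping
	refresh    map[string]RefreshToken // refresh token value -> state
	seq        int                     // counter for unique token values
}

func NewTokenServer(ttl time.Duration, now func() time.Time) *TokenServer {
	return &TokenServer{RefreshTTL: ttl, Now: now, refresh: map[string]RefreshToken{}}
}

// Authorize completes an authorization for client and returns the refresh
// token it issues; the expiry is fixed at issue time, not at each use.
func (s *TokenServer) Authorize(client string) string {
	s.seq++
	value := fmt.Sprintf("rt-%s-%d", client, s.seq)
	rt := RefreshToken{Client: client}
	if s.RefreshTTL > 0 {
		rt.Expiry = s.Now().Add(s.RefreshTTL)
	}
	s.refresh[value] = rt
	return value
}

// Refresh handles grant_type=refresh_token. An unknown token, a token issued
// to a different client, or an expired token is answered with
// 400 Bad Request / invalid_grant, and no new access token is minted.
func (s *TokenServer) Refresh(client, value string) (string, error) {
	rt, ok := s.refresh[value]
	if !ok || rt.Client != client {
		return "", &TokenError{Status: 400, Code: "invalid_grant"}
	}
	if !rt.Expiry.IsZero() && !s.Now().Before(rt.Expiry) {
		delete(s.refresh, value) // an expired token can never be redeemed again
		return "", &TokenError{Status: 400, Code: "invalid_grant"}
	}
	s.seq++
	return fmt.Sprintf("at-%s-%d", client, s.seq), nil
}

// ReauthorizeOnExpiry is the client-side counterpart: try the stored refresh
// token first and, on a 400, start a new authorization instead of retrying
// the dead token. It returns the access token and the refresh token to keep.
func ReauthorizeOnExpiry(s *TokenServer, client, refreshToken string) (string, string, error) {
	at, err := s.Refresh(client, refreshToken)
	var te *TokenError
	if errors.As(err, &te) && te.Status == 400 {
		fresh := s.Authorize(client)
		at, err = s.Refresh(client, fresh)
		return at, fresh, err
	}
	return at, refreshToken, err
}

func main() {
	s := NewTokenServer(30*24*time.Hour, time.Now)
	rt := s.Authorize("demo-app")
	at, err := s.Refresh("demo-app", rt)
	fmt.Println(at, err)
}
```

Two practical points the block makes: the clock is injected so the expiry path can be exercised without sleeping, and a relying party that receives the 400 should restart the authorization flow rather than retry the dead token.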

EAP-TLS: Accept any client certificate signed by a trusted CA

A new Authentication mode setting with a Trusted CA(s) option is available in the Identity sources tab when creating or editing a RADIUS policy in Authentication > RADIUS Service > Policies. The RADIUS policy also carries a list of trusted CA certificates, so FortiAuthenticator can authenticate any endpoint that presents a valid client certificate signed by one of them. The Authentication mode setting is only shown when the Authentication type is Client Certificates (EAP-TLS).

The Authentication mode contains the following two options:

  • Certificate bindings: Legacy mode that uses certificate bindings.

  • Trusted CA(s): Accepts all the valid client certificates signed by one of the trusted CAs.

When the Authentication mode is set as Trusted CA(s), the RADIUS daemon ignores any configured certificate bindings and only verifies that the client certificate is:

  • Signed by one of the trusted CAs

  • Not expired

  • Not revoked (if CRL is configured)

When the Authentication mode is set as Trusted CA(s), the Identity sources tab offers the following new options:

  • Local CA certificates

  • Trusted CA certificates

Since FortiAuthenticator does not match the authenticating endpoint to a user account in this mode, it cannot return RADIUS attributes taken from user accounts or user groups in the RADIUS Access-Accept response. Instead, this type of EAP-TLS RADIUS policy lets you specify a set of RADIUS attributes to include in every Access-Accept response.

When the Authentication mode is set as Trusted CA(s), the RADIUS response tab includes a new Additional Attributes pane. In the Additional Attributes pane, you can add RADIUS attributes to be included with the Access-Accept response.

The Additional Attributes pane is similar to the Additional Attributes For MAC Authentication Bypass pane available in the RADIUS response tab when the Authentication type is MAC authentication bypass (MAB).

FortiAuthenticator logs the result of each authentication attempt and includes the username supplied in the EAP-TLS request in the log entry. In Trusted CA(s) mode that identity is not checked against the certificate or any user account, so treat it as client-supplied when reviewing logs.
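
The three checks the RADIUS daemon performs in Trusted CA(s) mode, as an added Go example (not FortiAuthenticator code; it needs Go 1.19 or later for the crypto/x509 CRL functions). VerifyClientCert is a hypothetical verifier: it chains the client certificate to the trusted CA pool, checks the validity period at the supplied time, and, only when a CRL is configured, checks that the serial is not listed in a CRL validly signed by the issuing CA. BuildTestPKI generates a constructed in-memory PKI (one trusted CA, one rogue CA, and one client leaf per outcome) so the block runs offline; all names, serials and the reason strings are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyClientCert applies the three checks listed for Trusted CA(s) mode:
// chain to a trusted CA, inside the validity period at now, and (only when a
// CRL is configured, i.e. crl != nil) not listed in that CRL. No certificate
// binding and no user lookup happen, so the EAP identity plays no part here.
// It returns the decision and one of "ok", "untrusted-issuer", "expired",
// "revoked" or "invalid".
func VerifyClientCert(leaf *x509.Certificate, trusted *x509.CertPool, crl *x509.RevocationList, now time.Time) (bool, string) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &unknown):
		return false, "untrusted-issuer"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return false, "expired"
	case err != nil:
		return false, "invalid"
	}
	if crl != nil {
		// The CRL must be validly signed by the leaf's direct issuer
		// (chains[0][1]); an unsigned or foreign CRL is rejected, not ignored.
		if len(chains[0]) < 2 || crl.CheckSignatureFrom(chains[0][1]) != nil {
			return false, "invalid"
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return false, "revoked"
			}
		}
	}
	return true, "ok"
}

// TestPKI is a constructed in-memory PKI for this example (not a real CA):
// a trusted device CA with a CRL, a rogue CA, and one client leaf per outcome.
type TestPKI struct {
	Trusted                       *x509.CertPool
	CRL                           *x509.RevocationList
	Good, Expired, Revoked, Rogue *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a CA or a ClientAuth leaf template with the given validity.
func certTemplate(cn string, serial int64, from, to time.Time, isCA bool) *x509.Certificate {
	c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		c.KeyUsage, c.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return c
}

// sign issues tmpl under parent (pass tmpl as parent for a self-signed CA).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

func BuildTestPKI(now time.Time) TestPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, rogueKey, devKey := newKey(), newKey(), newKey()
	hour, year := time.Hour, 8760*time.Hour
	caTmpl := certTemplate("Example Device CA", 1, now.Add(-hour), now.Add(10*year), true)
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	rogueTmpl := certTemplate("Rogue CA", 1, now.Add(-hour), now.Add(10*year), true)
	rogue := sign(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	pki := TestPKI{Trusted: pool,
		Good:    sign(certTemplate("laptop-01", 2, now.Add(-hour), now.Add(year), false), ca, &devKey.PublicKey, caKey),
		Revoked: sign(certTemplate("laptop-02", 3, now.Add(-hour), now.Add(year), false), ca, &devKey.PublicKey, caKey),
		Expired: sign(certTemplate("laptop-03", 4, now.Add(-2*year), now.Add(-year), false), ca, &devKey.PublicKey, caKey),
		Rogue:   sign(certTemplate("laptop-01", 2, now.Add(-hour), now.Add(year), false), rogue, &devKey.PublicKey, rogueKey),
	}
	// CRL issued by the trusted CA, revoking serial 3 (laptop-02).
	pki.CRL = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))))
	return pki
}
```

The nil-CRL path mirrors the "if CRL is configured" wording: without a CRL, a revoked but otherwise valid certificate is accepted, which is why publishing and configuring a CRL matters in this mode. Nothing in VerifyClientCert looks at the EAP identity; the certificate alone decides, and the Rogue leaf shows that a certificate with the same subject name as a trusted one is still refused when its issuer is not in the trusted list.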

SAML IdP proxy: Bypass MFA if SAML assertion indicates external IdP enforced MFA

When the SAML assertion from the remote IdP indicates that the external IdP enforced MFA, FortiAuthenticator skips its local token-based step; when the remote SAML IdP does not indicate that it performed MFA, FortiAuthenticator performs MFA itself.

A new Attempt token-based authentication locally if external IdP does password-only authentication toggle is available when creating or editing a remote SAML server in Authentication > Remote Auth. Servers > SAML.

This option is only available when the Type is Proxy and the Authentication context is MFA.

LDAP attributes in BASE64 format can be added to SAML assertions

FortiAuthenticator now supports adding LDAP attributes in BASE64 format to SAML assertions.

When creating or editing an SP in Authentication > SAML IdP > Service Providers, a new LDAP custom attribute (BASE64) option is available in the User attribute dropdown in the Assertion Attributes pane.

The existing LDAP custom attribute option has been renamed LDAP custom attribute (ASCII/UTF8).

Increased Windows machine authentication maximum value

When editing the general user account policy in Authentication > User Account Policies > General, the maximum allowed value for Windows machine authentication has been increased to 10080 minutes (7 days).
