Administration Guide

Remote user sync rules

Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.

Synchronization rules only set the 2FA settings when a user account is newly imported to FortiAuthenticator because enabling 2FA or changing the 2FA method for a user account already imported can render previously working user accounts unable to authenticate to various services.

To create a new remote LDAP user synchronization rule:
  1. From the Remote User Sync Rules page, select LDAP users, and select Create New.
  2. Configure the following settings:
    Name

    Enter a name for the synchronization rule.

    Remote LDAP

    Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP.

    Base distinguished name

    The base DN of the remote LDAP server. It is populated automatically when a remote LDAP server is selected above.
    LDAP filter

    Optionally, enter an LDAP filter.

    Select Set Group Filter to set the LDAP filter. This opens the Set Group Filter window where you can select one or more groups within the tree to build the LDAP filter string. Click Use Filter to confirm the selection.

    Once the groups have been selected, the LDAP filter string is set to the proper syntax that filters the selected groups.

    The objectClass and memberOf portions of the filter must match the User object class and the Group membership attribute settings of the remote LDAP server configuration, respectively; a filter built for the wrong object class or membership attribute matches no users. See LDAP.

    If the LDAP filter is already configured with a non-empty value, selecting Set Group Filter attempts to interpret the LDAP filter value to preselect the already configured groups in the LDAP tree. However, if the LDAP filter value does not match the string generated by Set Group Filter, the existing filter is ignored, and Set Group Filter opens with no preselected groups. Clicking Use Filter overwrites the previous LDAP filter.

    Select Test Filter to confirm that the filter behaves as expected before saving the rule. FortiAuthenticator shows an LDAP tree containing every user on the currently selected remote LDAP server that matches the filter, which is the set of users the sync rule imports when it runs.

    OTP method assignment priority

    Select the OTP method assignment priorities for newly imported users. Drag the priorities up and down in the list to change the priority order.

    FIDO authentication

    Select to enable FIDO authentication for synced user accounts. This is disabled by default for new user accounts.

    Sync as

    Select to synchronize as a remote LDAP user, remote RADIUS user, or a local user.

    In the Synchronization Attributes pane, selecting Local User for Sync as results in FortiAuthenticator generating a unique random password for each user imported from AD/LDAP, and emailing the password to the user.

    User Role for new user imports

    Select the user role to assign to remote users. Users assigned the role of Administrator are granted full permissions, so select that role only when every user matched by the rule's filter should be an administrator.

    Remote RADIUS

    Specify a remote RADIUS server to associate the imported users with.

    This dropdown allows you to select from a list of RADIUS servers. Select the pen icon to edit the selected RADIUS server, + to create a new RADIUS server, or x to delete the selected RADIUS server.

    This setting is available only when Remote RADIUS User is selected as the Sync as option.

    See RADIUS.

    Sync every

    Select the amount of time between synchronizations.

    Group to associate users with

    Optionally, select a group from the dropdown menu with which to associate the users, or select Create New to create a new user group. See User groups.

    When Sync as is set to Remote RADIUS User, this option contains a list of remote RADIUS user groups to choose from.

    FortiToken Logo

    Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.

    Certificate binding CA

    Select CA certificates from the Certificate binding CA dropdown for users who use remote user sync rules.

    When the Certificate binding common name field is populated (under LDAP User Mapping Attributes) this field must also be specified.

    Sync users to IAM Account

    Select an IAM account to synchronize the remote users with.

    Email password recovery

    When enabled, FortiAuthenticator will enable the email password recovery setting for new and existing remote LDAP users if they also have a valid email address.

    When disabled (default), the email password recovery setting will not be available to new or existing remote LDAP users.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    Proceed with rule even when response empty

    Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when the synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.

    Warning: This option should be used with caution. An error from the administrator (e.g. a typo when changing the LDAP query) could cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.

    LDAP User Mapping Attributes

    Optionally, edit the remote LDAP user mapping attributes.

    Debugging Settings

    Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.

    Preview Mapping

    Select to preview the LDAP user sync mappings in a new window.

    Show Sync Fields

    Select to view the user fields that will be synchronized.
  3. Select Save to create the new LDAP synchronization rule.
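The following is an added example and not FortiAuthenticator code. It shows the shape of the filter string that Set Group Filter produces for a set of groups (a user object class AND-ed with an OR of group membership clauses), why the group DNs must be escaped per RFC 4515 so that a group name containing `*`, `(` or `)` cannot widen the filter to every account, and the "interpret the existing filter" step: a hand-edited filter that does not match the generated shape is rejected rather than guessed at. The object class `user` and membership attribute `memberOf` are the Active Directory defaults assumed here; the group DNs are constructed sample values.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value: decode every \\XX hex escape."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def build_group_filter(group_dns, user_object_class="user", membership_attr="memberOf"):
    """Return a filter selecting objects of user_object_class that are members of any
    of group_dns. The object class and membership attribute names must match the
    remote LDAP server configuration (assumed here: Active Directory defaults)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"({membership_attr}={escape_filter_value(dn)})" for dn in group_dns)
    members = clauses if len(group_dns) == 1 else f"(|{clauses})"
    return f"(&(objectClass={escape_filter_value(user_object_class)}){members})"


def parse_group_filter(filter_str, user_object_class="user", membership_attr="memberOf"):
    """Return the group DNs encoded in filter_str if, and only if, it has exactly the
    shape build_group_filter produces; otherwise None. This mirrors the documented
    behaviour of Set Group Filter, which ignores a filter it cannot interpret and
    overwrites it when Use Filter is clicked."""
    prefix = f"(&(objectClass={escape_filter_value(user_object_class)})"
    if not (filter_str.startswith(prefix) and filter_str.endswith(")")):
        return None
    body = filter_str[len(prefix):-1]
    if body.startswith("(|") and body.endswith(")"):
        body = body[2:-1]
    # One membership clause: attribute=value where value holds no raw parentheses
    # or backslashes, only \XX escapes.
    clause = re.compile(r"\(" + re.escape(membership_attr) + r"=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")
    dns, pos = [], 0
    while pos < len(body):
        m = clause.match(body, pos)
        if m is None:
            return None
        dns.append(unescape_filter_value(m.group(1)))
        pos = m.end()
    return dns or None


if __name__ == "__main__":
    # Constructed sample group DNs; the second contains characters that, unescaped,
    # would break out of the memberOf clause.
    groups = ["CN=VPN Users,OU=Groups,DC=example,DC=com",
              "CN=R&D (EMEA),OU=Groups,DC=example,DC=com"]
    flt = build_group_filter(groups)
    print(flt)
    print("round trip ok:", parse_group_filter(flt) == groups)
```

Paste the printed string into the LDAP filter field and use Test Filter to confirm the expected users appear; if the remote server is OpenLDAP rather than Active Directory, pass the object class and membership attribute configured for that server instead of the defaults.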
To create a new remote SAML user synchronization rule:
  1. From the Remote User Sync Rules page, select SAML users, and select Create New.
  2. Configure the following settings:
    Name

    Enter a name for the synchronization rule.

    Remote SAML server

    Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML.

    SAML group

    Select a group from the SAML server. SAML groups are retrieved dynamically from the server.

    Token-based authentication sync priorities

    Select the token-based authentication assignment priorities for newly imported users. Drag the priorities up and down in the list to change the priority order.

    Sync every

    Select the amount of time between synchronizations.

    Group to associate users with

    Optionally, select a group from the dropdown menu with which to associate the users. See User groups.

    FortiToken Logo

    Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.

    Do not delete synced users when they are no longer found on the remote server

    Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.

    SAML User Mapping Attributes

    Optionally, edit the remote SAML user mapping attributes.
  3. Select Save to create the new SAML synchronization rule.
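The deletion options in both the LDAP and the SAML procedures above, together with the rule that 2FA settings are applied only at first import, describe a reconciliation step whose failure modes are easy to misjudge. The following added example (not FortiAuthenticator code) models one sync run as a pure function so the interactions can be checked offline: an empty response aborts the run unless Proceed with rule even when response empty is set, in which case every account the rule manages is removed; Do not delete synced users keeps accounts that vanished from the remote server; accounts the rule already imported keep whatever OTP method they have; new accounts get a method chosen from the priority list. The prerequisites assumed for each OTP method (a free FortiToken, an email address, a mobile number) and the `deletion_guard` dry-run check are this example's own additions, not product features; the users and rule below are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SyncRule:
    name: str
    otp_priority: List[str]            # OTP method assignment priority, highest first
    fido: bool = False                 # FIDO authentication for newly synced users
    keep_missing_users: bool = False   # "Do not delete synced users when they are no longer found..."
    proceed_when_empty: bool = False   # "Proceed with rule even when response empty"

    def __post_init__(self):
        # The GUI offers only one of the two; enforce the same constraint here.
        if self.keep_missing_users and self.proceed_when_empty:
            raise ValueError("keep_missing_users and proceed_when_empty are mutually exclusive")


@dataclass
class RemoteUser:
    username: str
    email: Optional[str] = None
    mobile: Optional[str] = None


@dataclass
class LocalUser:
    username: str
    synced_by: str                     # name of the rule that imported the account
    otp_method: Optional[str] = None
    fido: bool = False


def assign_otp_method(rule: SyncRule, user: RemoteUser, free_tokens: int) -> Tuple[Optional[str], int]:
    """Pick the first method in the rule's priority list the user can actually use.
    Assumed prerequisites (this example's own): a free FortiToken, an email address,
    or a mobile number. Returns the method and the remaining free-token count."""
    for method in rule.otp_priority:
        if method == "fortitoken" and free_tokens > 0:
            return method, free_tokens - 1
        if method == "email" and user.email:
            return method, free_tokens
        if method == "sms" and user.mobile:
            return method, free_tokens
    return None, free_tokens


def reconcile(rule: SyncRule, local: List[LocalUser], remote: List[RemoteUser], free_tokens: int = 0):
    """Apply one sync run without side effects: returns (users_after, deleted_names, log)."""
    log: List[str] = []
    if not remote and not rule.proceed_when_empty:
        log.append("empty response: rule skipped, nothing changed")
        return list(local), [], log

    remote_by_name = {u.username: u for u in remote}
    managed = {u.username: u for u in local if u.synced_by == rule.name}
    after = [u for u in local if u.synced_by != rule.name]   # other rules' users are untouched
    deleted: List[str] = []

    for name, user in managed.items():
        if name in remote_by_name:
            after.append(user)   # existing account: 2FA settings deliberately left alone
        elif rule.keep_missing_users:
            after.append(user)
            log.append(f"{name}: missing on remote server, kept")
        else:
            deleted.append(name)
            log.append(f"{name}: missing on remote server, deleted")

    for name, ru in remote_by_name.items():
        if name in managed:
            continue
        method, free_tokens = assign_otp_method(rule, ru, free_tokens)
        after.append(LocalUser(name, rule.name, otp_method=method, fido=rule.fido))
        log.append(f"{name}: imported, otp={method}")
    return after, deleted, log


def deletion_guard(rule: SyncRule, local: List[LocalUser], remote: List[RemoteUser],
                   max_fraction: float = 0.5) -> bool:
    """Added safeguard, not a FortiAuthenticator feature: dry-run the rule and report
    False when it would remove more than max_fraction of the accounts it manages,
    which is what a mistyped filter combined with proceed_when_empty looks like."""
    managed = sum(1 for u in local if u.synced_by == rule.name)
    _, deleted, _ = reconcile(rule, local, remote)
    return managed == 0 or len(deleted) / managed <= max_fraction


if __name__ == "__main__":
    rule = SyncRule("ad-vpn", ["fortitoken", "email", "sms"])
    local = [LocalUser("alice", "ad-vpn", otp_method="email"),
             LocalUser("bob", "ad-vpn", otp_method="fortitoken")]
    remote = [RemoteUser("alice", email="alice@example.com"),
              RemoteUser("carol", mobile="+15550100")]
    for line in reconcile(rule, local, remote)[2]:
        print(line)
```

Running the guard against the output of a changed filter before saving the rule is the check the warning above asks for: if the dry run shows most managed accounts disappearing, the filter, not the directory, is the likely cause.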