
Administration Guide

FortiAuthenticator 6.6.0

FortiAuthenticator 6.6.0

The following list contains new and expanded features added in FortiAuthenticator 6.6.0.

FSSO: Include LDAP user groups defined on FortiAuthenticator

FortiAuthenticator can now mark some of the remote LDAP groups to be included in FSSO.

When creating or editing a remote LDAP user group in Authentication > User Management > User Groups, a new Include for FSSO option is available. The option is available only when User retrieval is set to Set a list of imported remote LDAP users. The option is disabled by default. See User groups.

Also, FortiGate filters now include FortiAuthenticator LDAP groups (remote LDAP user groups with User retrieval set to Set a list of imported remote LDAP users). When creating or editing a FortiGate filter in Fortinet SSO Methods > SSO > FortiGate Filtering, selecting the Select from SSO users/groups option in the SSO Filtering Objects pane offers a new Remote LDAP Groups option to select the FortiAuthenticator LDAP groups. See FortiGate filtering.

The feature can be enabled/disabled using the new Include locally-defined remote LDAP groups option (disabled by default) in the User Group Membership pane in Fortinet SSO Methods > SSO > General. See General settings.

RADIUS: Option to send FortiToken push without an Access-Challenge

A new Trigger push without RADIUS challenge (warning: NOT recommended if using with FortiGate RADIUS clients) option (disabled by default) is available when creating a RADIUS policy in Authentication > RADIUS Service > Policies.

When the option is enabled, FortiAuthenticator triggers the FortiToken Mobile push notification once the password is verified without requiring the end-user to respond "push" to a RADIUS challenge.

See Policies.

OAuth: Add PKCE to authorization code flow

When creating or editing a relying party in Authentication > OAuth Service > Relying Party, a new Authorization code with PKCE authorization grant type is available when the Client type is Public. See Relying Party.

When this grant type is selected, FortiAuthenticator applies the following modifications to the standard Authorization code grant type:

  • The client_secret field is ignored in requests to the /oauth/authorize/ endpoint.

  • New code_challenge_method and code_challenge fields are required in requests to the /oauth/authorize/ endpoint.

  • A new code_verifier field is required in requests to the /oauth/token/ endpoint.

  • FortiAuthenticator rejects requests to the /oauth/token/ endpoint if the SHA256 digest of code_verifier does not match the code_challenge provided when the code was issued by the /oauth/authorize/ endpoint.

The following new fields have been introduced to the /oauth/authorize/ endpoint:

  • code_challenge_method
  • code_challenge

The following new fields have been introduced to the /oauth/token/ endpoint:

  • code_verifier
  • code

See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.
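The PKCE exchange described above, worked end to end as an added Python example. This is not FortiAuthenticator code and does not call a real server: the client half builds the two requests a public client sends, and the small PkceAuthorizationServer class models the check the notes describe (remember the challenge with the issued code, reject the token request if SHA256(code_verifier) does not match). The hostname, client_id, redirect_uri and state values are assumptions; only the endpoint paths and the code_challenge_method, code_challenge, code_verifier and code field names come from the release notes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed hostname for illustration; the endpoint paths are from the release notes.
FAC_BASE_URL = "https://fac.example.com"


def make_code_verifier(nbytes: int = 32) -> str:
    """Generate a high-entropy code_verifier (RFC 7636: 43-128 unreserved characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (S256 method)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str, state: str) -> str:
    """Authorization request for a public client: no client_secret, challenge fields instead.
    client_id, redirect_uri, response_type and state are standard OAuth 2.0 parameters (assumed here)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{FAC_BASE_URL}/oauth/authorize/?{urlencode(params)}"


def build_token_request(code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Form body for POST /oauth/token/: the verifier, not a secret, proves the client that
    started the flow is the one redeeming the code."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }


class PkceAuthorizationServer:
    """Toy model of the server side (constructed for this example, not the product's logic):
    store the challenge per issued code, verify it once at token time."""

    def __init__(self) -> None:
        self._issued: dict[str, tuple[str, str]] = {}  # code -> (method, code_challenge)

    def authorize(self, code_challenge_method: str, code_challenge: str) -> str:
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("code_challenge_method=S256 and code_challenge are required")
        code = secrets.token_urlsafe(24)
        self._issued[code] = (code_challenge_method, code_challenge)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        entry = self._issued.pop(code, None)  # a code is redeemable once
        if entry is None:
            return False
        _method, stored_challenge = entry
        # Constant-time comparison of the recomputed digest against the stored challenge.
        return hmac.compare_digest(s256_code_challenge(code_verifier), stored_challenge)


def run_flow(server: PkceAuthorizationServer) -> bool:
    """Full round trip: client derives challenge, server issues code, client redeems it."""
    verifier = make_code_verifier()
    challenge = s256_code_challenge(verifier)
    build_authorize_url("my-public-app", "https://app.example.com/cb", challenge, "xyz")
    code = server.authorize("S256", challenge)
    req = build_token_request(code, verifier, "my-public-app", "https://app.example.com/cb")
    return server.token(req["code"], req["code_verifier"])
```

The verifier never leaves the client until the token request, so an attacker who only captures the redirect (and therefore the code) cannot redeem it; the single-use pop also means a replayed token request fails even with the right verifier.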

Captive portal: New "No authentication" authentication type

FortiAuthenticator now offers a new No authentication authentication type when creating or editing a captive portal policy. With the No authentication type, users are not required to enter login credentials. See Captive portal policies.

RADIUS: Limit the number of concurrent MAC devices per user

When creating or editing a usage profile in Authentication > User Management > Usage Profile, a new Max. devices per user option is available in the Devices pane. See Usage profile.

The option sets the maximum number of distinct MAC addresses allowed concurrently for each user across the active RADIUS accounting sessions.

By default, Max. devices per user is set to 0. When set to 0, MAC device control is disabled, i.e., there is no limit on the number of concurrent MAC devices per user.
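To make the semantics of the limit concrete (distinct MACs per user, counted only over active accounting sessions, 0 meaning no limit), here is an added Python example that derives the active device set from a constructed list of RADIUS accounting events and applies such a limit. It is illustration code, not FortiAuthenticator's implementation; the attribute names are the standard RADIUS accounting attributes and the MAC normalization rule is an assumption.

```python
from collections import defaultdict

# Constructed RADIUS accounting events, not real log data. Different NAS devices
# often format Calling-Station-Id differently, hence the mixed notations.
SAMPLE_ACCOUNTING = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-00-00-01", "Acct-Session-Id": "s1"},
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-00-00-02", "Acct-Session-Id": "s2"},
    {"Acct-Status-Type": "Start", "User-Name": "bob",   "Calling-Station-Id": "AA-BB-CC-00-00-03", "Acct-Session-Id": "s3"},
    {"Acct-Status-Type": "Stop",  "User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-00-00-02", "Acct-Session-Id": "s2"},
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Calling-Station-Id": "aa:bb:cc:00:00:01", "Acct-Session-Id": "s4"},
]


def normalize_mac(mac: str) -> str:
    """Assumed normalization: strip separators and upper-case so one device counts once."""
    return "".join(ch for ch in mac if ch.isalnum()).upper()


def active_devices(events: list[dict]) -> dict[str, set[str]]:
    """Replay Start/Stop events; return the distinct MACs per user that are still active."""
    sessions: dict[str, tuple[str, str]] = {}  # Acct-Session-Id -> (user, mac)
    for ev in events:
        sid = ev["Acct-Session-Id"]
        if ev["Acct-Status-Type"] == "Start":
            sessions[sid] = (ev["User-Name"], normalize_mac(ev["Calling-Station-Id"]))
        elif ev["Acct-Status-Type"] == "Stop":
            sessions.pop(sid, None)  # a Stop for an unknown session is ignored
    per_user: dict[str, set[str]] = defaultdict(set)
    for user, mac in sessions.values():
        per_user[user].add(mac)
    return dict(per_user)


def allow_new_device(active: dict[str, set[str]], user: str, mac: str, max_devices: int) -> bool:
    """Decide whether a new session from `mac` fits under the per-user limit.
    0 disables the control; a MAC already active for the user never counts as new."""
    if max_devices == 0:
        return True
    devices = active.get(user, set())
    if normalize_mac(mac) in devices:
        return True
    return len(devices) < max_devices
```

Note that a Stop record shrinks the active set: with "Max. devices per user" at 1, alice can still authenticate from her first device after her second device's session ended, and the same device reported with a different MAC notation does not consume a second slot.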

Also, RADIUS attribute for user IP and the RADIUS attribute options previously available in Authentication > RADIUS Service > Policies are now available in Authentication > RADIUS Service > Clients. See Clients.

SAML IdP: Extend login sessions

Login session timeout in Authentication > SAML IdP > General can now be configured with a value between 5 minutes and 120 days. See General.

Support custom user account attributes in SAML SP assertions

Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User attribute dropdown in the Assertion Attributes pane in Authentication > SAML IdP > Service Providers. See Custom user fields and Service providers.

Captive portal: Expiry for tracked devices

The portal configuration settings in Authentication > Portals > Portals now include a new Remove MAC devices after option that controls when tracked MAC devices expire.

By default, the option is set to 7 days (1 - 365 days). See Portals.

LB HA: Wider and customizable configuration subsets

The HA configuration page in System > Administration > High Availability now offers new Synced settings (load-balancing) to select which subsets of the configuration to include in the LB HA sync. Synced settings (load-balancing) is available only when the Role is Standalone Primary. See High availability.

Exporting the admin user list for audit reports

FortiAuthenticator user audit reports generated from Logging > Audit Reports > Users Audit now include a new Only include administrator & sponsor accounts option. Enabling the option restricts the user audit report to administrator and sponsor accounts.

The following new columns are included in the CSV file generated as part of the audit report:

  • lb synced

  • trusted subnets

  • password auth

See Audit reports.

FortiToken Cloud: Migrating FortiToken Mobile to FortiToken Cloud

FortiAuthenticator now allows you to migrate FortiToken Mobile tokens from a FortiToken Mobile license to FortiToken Cloud using the following CLI command:

execute fortitoken-cloud ftm-migrate <FTM license number>

Once the FortiToken Mobile license and its tokens are migrated to FortiToken Cloud:

• The original FortiToken Mobile license is invalidated and the migration cannot be reversed.

• Your perpetual license changes to an annual subscription license.

Certificate enrollment via CMPv2

FortiAuthenticator now provides CMPv2 server functionality.

CMPv2 is a Certificate Management Protocol designed by Safenet for the secure signing of digital certificates and complete certificate life cycle management.

A new CMP menu is available in Certificate Management. CMP contains the following two tabs:

  • General

  • Enrollment Requests

See CMP.

Support for SCIM client

FortiAuthenticator now supports SCIM client service.

You can now configure a SCIM service provider in Authentication > SCIM > Service Provider. See Service providers.

OAuth: Support for IAM

A new IAM login option is available in the Identity sources tab to enable IAM logins when configuring an OAuth policy in Authentication > OAuth Service > Policies. See Policies.

When creating or editing an OAuth relying party, you can now include OIDC claims that return IAM account name, IAM account alias, and/or IAM username when the grant type is Authorization code (with/without PKCE). See Relying Party.

The OAuth login page (Login Page replacement message) now offers a Sign-in as IAM user link when IAM login is enabled.

The OAuth service now offers a new OAuth IAM Login Page replacement message used as the login form when the Sign-in as IAM user link is clicked on the OAuth login page.

The following new fields have been introduced to the /oauth/token endpoint:

  • iam_account
  • iam_user

See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.

FSSO: New field for FortiGate expected LDAP username attribute

When editing the SSO configuration in Fortinet SSO Methods > SSO > General, a new Username attribute field is available. When the Username attribute field is configured, the attribute value is obtained from the user LDAP lookup and is used as the username instead of the user login username.

See General settings.

Support custom user account attributes in OAuth relying parties

Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User Attribute dropdown in the Claims pane in Authentication > OAuth Service > Relying Party. See Custom user fields and Relying Party.

New fields for local, LDAP, and RADIUS users endpoints

The following new fields have been introduced to the /localusers/, /ldapusers/, and /radiususers/ endpoints:

  • company

  • department

See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.
