Administration Guide

Remote user sync rules- SCIM

SCIM

System for Cross-domain Identity Management (SCIM) is an open standard for automating user identity information exchange between an identity provider (IdP) and a service provider (SP) requiring user identity information, e.g., enterprise SaaS applications.

SCIM makes user data more secure and simplifies the user experience by automating the user identity provisioning and management process.

SCIM is a REST and JSON based protocol that defines a client and a server role.

The following is an example of a SCIM implementation with Microsoft Entra ID as the SP and FortiAuthenticator as the IdP:

When changes to identities are made in the IdP, including creating, updating, and deleting, they are automatically synced to the SP according to the SCIM protocol.

The IdP can read identities from the SP to add to its directory and detect inconsistencies in the SP that potentially create security vulnerabilities. This provides seamless access to the applications to which end users are assigned, with up-to-date profiles and permissions.

In the SCIM context, the SCIM SP is the SCIM client and the SCIM server is the SCIM relying party. This is not to be confused with the SAML SP and the OIDC relying party.

The SCIM server role is needed to allow automated provisioning from an external IdP, e.g., Microsoft Entra ID to FortiAuthenticator acting as the IdP proxy.

Prerequisites

In general, the following are necessary to configure SCIM:

  • A SCIM client account with an appropriate level of permissions and complementary SCIM capabilities.

  • A FortiAuthenticator administrator with the Administrator role is required to generate an API key.

Considerations
  • The SCIM client is where the identities are sourced and serves as the primary source for user attributes. Once the identity is added to FortiAuthenticator, you can manage access and authentication and extend the identity to all downstream SAML SPs and OIDC relying parties (RPs) federated to FortiAuthenticator as the IdP and OIDC provider, respectively.

  • When a user is created on the SCIM client, the user can be added to FortiAuthenticator with a pending password status (the user must establish and maintain a password within FortiAuthenticator), thereby becoming a local user in FortiAuthenticator.

  • The other option is for the user to keep their password on the SCIM client, i.e., the upstream IdP, and be added to FortiAuthenticator as a remote user.

  • The generic SCIM integration uses SCIM version 2.0.

  • The FortiAuthenticator SCIM API is based on version 2.0 of the SCIM standard.

See How to integrate a generic SCIM client with FortiAuthenticator SCIM server.

SCIM vs the FortiAuthenticator legacy remote synchronization rule

In the FortiAuthenticator legacy remote sync rule, FortiAuthenticator pulls the user changes by querying the remote user source. With SCIM, the user changes are instead pushed by the remote user source, acting as the SCIM client, to FortiAuthenticator as the SCIM server.

In addition to the user account information, the SCIM protocol allows pushing user groups to FortiAuthenticator.

The SCIM user synchronization rule list shows the following options:

Create New

Select to create a new remote SCIM user synchronization rule.

Delete

Select to delete the selected remote SCIM user synchronization rules.

To create a new remote SCIM user synchronization rule:
  1. From the Remote User Sync Rules page, select SCIM, then select Create New.
  2. Configure the following settings:

    Name

    Enter a name for the SCIM synchronization rule.

    URL

    The SCIM base URL for FortiAuthenticator.

    (https://[FQDN]/scim/v2/)

    OTP method assignment priority

    Select the required authentication synchronization priorities:

    • FortiToken Cloud - Default

    • FortiToken Cloud - FortiToken Mobile

    • FortiToken Cloud - FortiToken Hardware

    • FortiToken Cloud - Email

    • FortiToken Cloud - SMS

    • Email

    • SMS

    • Dual (Email and SMS)

    • None (users are synced explicitly with no token based authentication)

    Drag the priorities up and down in the list to change the priority order.

    FIDO authentication

    Select to enable FIDO authentication for synced user accounts. This is disabled by default for new user accounts.

    Sync as

    Select to synchronize as a remote SAML user, remote LDAP user, or a remote RADIUS user.

    User role for new user imports

    Select the user role to assign to remote users. Users assigned the role of Administrator are granted full permissions.

    FortiToken Logo

    Optionally, select a logo from the FortiToken Logo dropdown menu to associate the imported users with the specified logo. This logo is displayed beside the one-time password in FortiToken. See FortiTokens for more information.

    Certificate binding CA

    Select CA certificates from the Certificate binding CA dropdown for users who use remote user sync rules.

    When the Certificate binding common name field is populated (under LDAP User Mapping Attributes), this field must also be specified.

    Email password recovery

    When enabled, FortiAuthenticator will enable the email password recovery setting for new and existing remote users if they also have a valid email address.

    When disabled (default), the email password recovery setting will not be available to new or existing remote users.

    SCIM User Mapping Attributes

    Optionally, edit the SCIM user mapping attributes.

    SCIM Group Mapping Attributes

    Group display name

    The SCIM group display name attribute, e.g., displayName.

    Group members

    The SCIM group member attribute, e.g., members.

  3. Select Save to create the new SCIM user synchronization rule.
  4. After creating the SCIM user sync rule, the SCIM Secret Token window opens:

    The secret token is used to authorize the SCIM integration between the client and the server.

    You can share the randomly generated secret token (API access key).

    Note: The secret token is associated with an administrator account. You must use an administrator account with an appropriate role.

    1. A new secret token is generated.
    2. Enable Send Email and enter the email address to send the SCIM secret token.

      You can view the secret token by clicking the eye icon.

      Select the copy icon to copy the secret token.

      You can then save it on your management computer.

    3. Click OK.

      The SCIM secret token is no longer visible once you close the SCIM Secret Token window.

The SCIM Secret Token window can be reopened only when editing a remote SCIM user sync rule, by selecting Change Secret Token.
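The push model described under "SCIM vs the FortiAuthenticator legacy remote synchronization rule" and the secret-token authorization from step 4, as an added example that is not FortiAuthenticator code: a minimal in-memory SCIM 2.0 server in Python that checks the Bearer secret token with a constant-time comparison, accepts pushed User and Group resources using the mapped displayName and members attributes, records the rule's "Sync as" choice (local user with a pending password vs. remote user), and rejects a group that references users the client never pushed. The class and function names (ScimServer, authorized, demo), the password_status field and the sample user and group are assumptions made for this example; the schema URNs are the standard SCIM 2.0 ones.

```python
import hmac
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def generate_secret_token():
    """Random secret token shown to the admin once and handed to the SCIM client
    (assumed format; the product's real token layout is not described on the page)."""
    return secrets.token_urlsafe(32)

def authorized(headers, expected):
    """Check 'Authorization: Bearer <token>' with a constant-time comparison."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())

def error(status, detail):
    # SCIM 2.0 error body (RFC 7644, section 3.12)
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

class ScimServer:
    """Push model: the SCIM client (the upstream IdP) sends create and delete
    requests; the server never polls the user source as the legacy sync rule does."""

    def __init__(self, secret_token, sync_as="remote",
                 group_name_attr="displayName", group_members_attr="members"):
        assert sync_as in ("local", "remote")   # the rule's "Sync as" choice
        self.secret_token, self.sync_as = secret_token, sync_as
        self.name_attr, self.members_attr = group_name_attr, group_members_attr
        self.users, self.groups = {}, {}

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; path is relative to the SCIM base URL (/scim/v2/)."""
        if not authorized(headers, self.secret_token):
            return error(401, "missing or invalid bearer token")
        resource, _, rid = path.strip("/").partition("/")
        if resource == "Users" and method == "POST":
            return self.create_user(body or {})
        if resource == "Groups" and method == "POST":
            return self.create_group(body or {})
        if resource in ("Users", "Groups") and method == "DELETE":
            return self.delete(resource, rid)
        return error(405, "only POST and DELETE on Users/Groups in this example")

    def create_user(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
            return error(400, "User resource needs the core schema and userName")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return error(409, "userName already exists")   # uniqueness conflict
        uid = str(uuid.uuid4())
        # Local users must set a password in FortiAuthenticator (pending); remote
        # users keep authenticating against the SCIM client (upstream).
        self.users[uid] = {
            "id": uid, "userName": body["userName"], "active": body.get("active", True),
            "emails": [e["value"] for e in body.get("emails", []) if "value" in e],
            "password_status": "pending" if self.sync_as == "local" else "upstream"}
        return 201, self.users[uid]

    def create_group(self, body):
        name = body.get(self.name_attr)   # mapped group display name attribute
        if GROUP_SCHEMA not in body.get("schemas", []) or not name:
            return error(400, f"Group resource needs the core schema and {self.name_attr}")
        members = [m["value"] for m in body.get(self.members_attr, []) if "value" in m]
        unknown = [m for m in members if m not in self.users]
        if unknown:   # inconsistency: the client references users it never pushed
            return error(400, f"members reference unknown users: {unknown}")
        gid = str(uuid.uuid4())
        self.groups[gid] = {"id": gid, "displayName": name, "members": members}
        return 201, self.groups[gid]

    def delete(self, resource, rid):
        store = self.users if resource == "Users" else self.groups
        if rid not in store:
            return error(404, f"{resource[:-1]} not found")
        del store[rid]
        if resource == "Users":   # drop dangling membership references
            for group in self.groups.values():
                group["members"] = [m for m in group["members"] if m != rid]
        return 204, None

def demo():
    """Constructed exchange (sample data, not from a real tenant): the upstream IdP
    pushes one user and one group, then a push with a wrong token is rejected."""
    token = generate_secret_token()
    server = ScimServer(token, sync_as="local")
    auth = {"Authorization": "Bearer " + token}
    _, user = server.handle("POST", "/Users", auth, {
        "schemas": [USER_SCHEMA], "userName": "alice@example.com",
        "emails": [{"value": "alice@example.com", "primary": True}]})
    _, group = server.handle("POST", "/Groups", auth, {
        "schemas": [GROUP_SCHEMA], "displayName": "vpn-users",
        "members": [{"value": user["id"]}]})
    status, _ = server.handle("POST", "/Users", {"Authorization": "Bearer wrong"}, {})
    return user, group, status

if __name__ == "__main__":
    print(demo())
```

Running the file prints the stored user (with password_status "pending", because the rule was set to sync as a local user), the group with its resolved member list, and the 401 returned for the wrong token. In a deployment the handler would sit behind an HTTP framework on the base URL https://[FQDN]/scim/v2/, with the token delivered to the client only over TLS; the constant-time comparison in authorized() is the one detail worth keeping even in a throwaway implementation, since the secret token is the only thing protecting the provisioning endpoint.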
