Fortinet white logo
Fortinet white logo

What's new

What's new

FortiAuthenticator version 6.6.1 includes the following enhancements:

SAML IdP: Hardened login

The Login Username and Password Page and the IAM Login Page replacement messages in Authentication > SAML IdP > Replacement Messages is modified to optionally include a Use token toggle.

The Use token toggle is only displayed when PCI DSS 3.2 two-factor authentication is enabled in the Authentication Flow pane in Authentication > User Account Policies > General.

Enable Use token to inform FortiAuthenticator that you possess a token that you want to use for login. If Use token is left disabled, FortiAuthenticator assumes that you cannot perform token-based authentication.

Self-service portal: Enhanced Security for token reset

In portal settings, FortiAuthenticator offers the ability to control the available delivery methods for FortiToken Mobile reprovisioning.

New Email and SMS delivery options in Authorized delivery options when FortiToken Revocation > Allow users to reconfigure their FortiToken Mobile is enabled in the Pre-Login Services pane when creating or editing a portal in Authentication > Portals > Portals.

In the self-service portal, when you click Lost your token?, FortiAuthenticator restricts the available activation delivery methods to the ones enabled in the portal Pre-Login Services pane.

In the Account Info page on a self-service portal, the Email address and the Mobile number fields are read-only. You must click the edit icon to modify the email address and/or the mobile number fields. When you modify the fields, FortiAuthenticator verifies the validity of the new email address and/or the mobile number:

  • You save the new primary email address/mobile number

  • FortiAuthenticator sends OTP to the new primary email address/mobile number

  • FortiAuthenticator asks you to enter the OTP

  • If the OTP is incorrect, FortiAuthenticator asks you to reenter or cancel

  • If the OTP is correct, FortiAuthenticator saves the new primary email address or mobile number.

SCEP: SAN for wildcard enrollment and optional password on renewal

FortiAuthenticator now offers the same Subject Alternative Name (SAN) settings for wildcard type SCEP requests as for the regular type ones.

The Subject Alternative Name pane is now available when creating new wildcard type SCEP enrollment requests in Certificate Management > SCEP > Enrollment Requests.

New tooltips indicating that you can use {{:cn}} tag as a placeholder for the value of the certificate CN from the subject field in the Email and User Principal Name (UPN) fields. The tooltips are available for both regular and wildcard SCEP enrollment requests.

When an SCEP enrollment request is configured to accept certificate renewals with Verify renewal request signature using the old private key enabled in the Renewal pane:

  • If the certificate renewal request contains a password, FortiAuthenticator verifies that (in addition to renewal time window and the certificate status settings):

    • The private key of the previous certificate signs the request.

    • The request password matches the configured challenge password for the renewed certificate.

  • If the certificate renewal request does not contain a password, FortiAuthenticator verifies that (in addition to renewal time window and the certificate status settings) the previous certificate's private key signs the request.

SAML IdP: IdP proxy for FortiProxy Cloud

FortiAuthenticator can now receive SAML authentication requests on an independent and configurable port.

A new Reverse proxy integration toggle when you configure SAML IdP portal settings in Authentication > SAML IdP > General.

New Listening port (default TCP/8144) and Reverse proxy URL fields available when you enable Reverse proxy integration.

A new SAML IdP Reverse Proxy toggle in Access Rights when you configure an interface in System > Network > Interfaces. It allows you to enable/disable the IdP reverse proxy port on the selected network interface.

Optional redundancy for TACACS+ servers

FortiAuthenticator now allows you to optionally configure a secondary TACACS+ server.

For optional redundancy, FortiAuthenticator attempts to connect to the secondary TACACS+ server only when there is a connection issue with the primary TACACS+ server.

FortiToken Mobile: Offline token activation

Air-gapped FortiAuthenticator devices can provision FortiToken Mobile tokens without connecting to the FortiCloud server.

Offline token provisioning can be done by scanning QR code or manually entering an activation code obtained within the FortiAuthenticator administrator GUI or using the self-service portal.

FortiToken Mobile license activation requires a temporary online connection to fortitokenmobile.fortinet.com.

FortToken Mobile token transfer (Enable token transfer feature) and push features are unavailable when operating in the FortiToken Mobile offline mode.

The FortiToken Mobile Transfer pane is renamed to FortiToken Mobile Provisioning in Authentication > User Account Policies > Tokens.

The following settings in System > Administration > FortiGuard have been moved to the FortiToken Mobile Provisioning pane in Authentication > User Account Policies > Tokens:

  • Activation timeout

  • Token size

  • Token algorithm

  • Time step

  • Require PIN

  • PIN Length

A new Provision mode setting is available in the FortiToken Mobile Provisioning pane in Authentication > User Account Policies > Tokens.

FortiAuthenticator rejects setting the Provision mode to Offline if :

  • An existing remote user synchronization rule is configured with FortiToken Mobile in the OTP method assignment priority, i.e., the FortiToken Mobile (assign an available token) option is enabled in Synchronization Attributes in Authentication > User Management > Remote User Sync Rules.

  • An existing user portal has Allow users to reconfigure their FortiToken Mobile option enabled (when FortiToken Revocation is enabled) in the Pre-Login Services pane in Authentication > Portals > Portals.

Previously available Seed encryption passphrase field in FortiTokens has been moved to the FortiToken Mobile Provisioning pane.

When editing a local/remote user with the Provision mode set to Offline:

  • The user account page only offers the Scan QR codeActivation delivery method for FortiToken Mobile (no Email or SMS options).

  • In the User Information pane, you are not required to add an Email.

When editing/creating a remote user synchronization rule in Authentication > User Management > Remote User Sync Rules with Provision mode set to Offline, FortiToken Mobile (assign an available token) in Synchronization Attributes cannot be enabled.

When editing/creating a portal in Authentication > Portals > Portals with Provision mode set to Offline, Allow users to reconfigure their FortiToken Mobile (when FortiToken Revocation is enabled) cannot be enabled.

When Provision mode is set to Offline, two-factor authentication self-provisioning page only offers Scan QR code activation delivery method for FortiToken Mobile.

SCIM server: Remote user synchronization rule functionality for the SCIM protocol

FortiAuthenticator now supports providing the remote sync rule functionality over SCIM protocol.

The SCIM client and provisioning settings can be configured by selecting the SCIM tab in Authentication > User Management > Remote User Sync Rules.

Note that when configuring a new remote SCIM user synchronization rule, FortiToken Mobile (assign an available token) option in OTP method assignment priority is not available.

Import/export user and user group data via CSV

FortiAuthenticator now allows you add, edit, and delete local, RADIUS, and SAML users and user groups via CSV files.

A new Advanced options settings when importing local users with options to keep, disable, or delete existing user accounts not in the CSV file.

New Import and Export options for RADIUS users.

New Export option for SAML users.

When importing SAML users, the Import SAML Users page now allows you to import SAML users from a SAML server or a CSV file.

New Import and Export options for user groups. User groups can be imported from the CSV file.

The following new options are available for auto provisioning local users and groups into the LDAP directory tree in Authentication > LDAP service > General:

  • Auto provision local groups from the following sources:

    • GUI (Imported local users)

    • API (Imported local users)

  • Provision users into the following container

CSV import of users and user groups generates a system log for every single user account or user group created, modified, or deleted.

FortiAuthenticator generates a summary log for each CSV import operation.

A new /csv/localusers/ endpoint available, see REST API Solutions Guide.

Fortinet SSO GUI reorganization

The previously available Fortinet SSO Methods > SSO menu has been reorganized as:

  • Fortinet SSO

    • Settings

      • FortiGate

      • Methods

      • User Group Membership

      • Tiered Architecture

      • Log Config

    • Methods

      • Web Services

      • SAML Authentication

      • Windows Event Log

      • RADIUS Accounting

      • Syslog

    • Filtering

      • SSO Users

      • SSO Groups

      • Fine-grained Controls

      • Domain Groupings

      • FortiGate

      • IP Rules

What's new

What's new

FortiAuthenticator version 6.6.1 includes the following enhancements:

SAML IdP: Hardened login

The Login Username and Password Page and the IAM Login Page replacement messages in Authentication > SAML IdP > Replacement Messages is modified to optionally include a Use token toggle.

The Use token toggle is only displayed when PCI DSS 3.2 two-factor authentication is enabled in the Authentication Flow pane in Authentication > User Account Policies > General.

Enable Use token to inform FortiAuthenticator that you possess a token that you want to use for login. If Use token is left disabled, FortiAuthenticator assumes that you cannot perform token-based authentication.

Self-service portal: Enhanced Security for token reset

In portal settings, FortiAuthenticator offers the ability to control the available delivery methods for FortiToken Mobile reprovisioning.

New Email and SMS delivery options in Authorized delivery options when FortiToken Revocation > Allow users to reconfigure their FortiToken Mobile is enabled in the Pre-Login Services pane when creating or editing a portal in Authentication > Portals > Portals.

In the self-service portal, when you click Lost your token?, FortiAuthenticator restricts the available activation delivery methods to the ones enabled in the portal Pre-Login Services pane.

In the Account Info page on a self-service portal, the Email address and the Mobile number fields are read-only. You must click the edit icon to modify the email address and/or the mobile number fields. When you modify the fields, FortiAuthenticator verifies the validity of the new email address and/or the mobile number:

  • You save the new primary email address/mobile number

  • FortiAuthenticator sends OTP to the new primary email address/mobile number

  • FortiAuthenticator asks you to enter the OTP

  • If the OTP is incorrect, FortiAuthenticator asks you to reenter or cancel

  • If the OTP is correct, FortiAuthenticator saves the new primary email address or mobile number.

SCEP: SAN for wildcard enrollment and optional password on renewal

FortiAuthenticator now offers the same Subject Alternative Name (SAN) settings for wildcard type SCEP requests as for the regular type ones.

The Subject Alternative Name pane is now available when creating new wildcard type SCEP enrollment requests in Certificate Management > SCEP > Enrollment Requests.

New tooltips indicating that you can use {{:cn}} tag as a placeholder for the value of the certificate CN from the subject field in the Email and User Principal Name (UPN) fields. The tooltips are available for both regular and wildcard SCEP enrollment requests.

When an SCEP enrollment request is configured to accept certificate renewals with Verify renewal request signature using the old private key enabled in the Renewal pane:

  • If the certificate renewal request contains a password, FortiAuthenticator verifies that (in addition to renewal time window and the certificate status settings):

    • The private key of the previous certificate signs the request.

    • The request password matches the configured challenge password for the renewed certificate.

  • If the certificate renewal request does not contain a password, FortiAuthenticator verifies that (in addition to renewal time window and the certificate status settings) the previous certificate's private key signs the request.

SAML IdP: IdP proxy for FortiProxy Cloud

FortiAuthenticator can now receive SAML authentication requests on an independent and configurable port.

A new Reverse proxy integration toggle when you configure SAML IdP portal settings in Authentication > SAML IdP > General.

New Listening port (default TCP/8144) and Reverse proxy URL fields available when you enable Reverse proxy integration.

A new SAML IdP Reverse Proxy toggle in Access Rights when you configure an interface in System > Network > Interfaces. It allows you to enable/disable the IdP reverse proxy port on the selected network interface.

Optional redundancy for TACACS+ servers

FortiAuthenticator now allows you to optionally configure a secondary TACACS+ server.

For optional redundancy, FortiAuthenticator attempts to connect to the secondary TACACS+ server only when there is a connection issue with the primary TACACS+ server.

FortiToken Mobile: Offline token activation

Air-gapped FortiAuthenticator devices can provision FortiToken Mobile tokens without connecting to the FortiCloud server.

Offline token provisioning can be done by scanning QR code or manually entering an activation code obtained within the FortiAuthenticator administrator GUI or using the self-service portal.

FortiToken Mobile license activation requires a temporary online connection to fortitokenmobile.fortinet.com.

FortToken Mobile token transfer (Enable token transfer feature) and push features are unavailable when operating in the FortiToken Mobile offline mode.

The FortiToken Mobile Transfer pane is renamed to FortiToken Mobile Provisioning in Authentication > User Account Policies > Tokens.

The following settings in System > Administration > FortiGuard have been moved to the FortiToken Mobile Provisioning pane in Authentication > User Account Policies > Tokens:

  • Activation timeout

  • Token size

  • Token algorithm

  • Time step

  • Require PIN

  • PIN Length

A new Provision mode setting is available in the FortiToken Mobile Provisioning pane in Authentication > User Account Policies > Tokens.

FortiAuthenticator rejects setting the Provision mode to Offline if :

  • An existing remote user synchronization rule is configured with FortiToken Mobile in the OTP method assignment priority, i.e., the FortiToken Mobile (assign an available token) option is enabled in Synchronization Attributes in Authentication > User Management > Remote User Sync Rules.

  • An existing user portal has Allow users to reconfigure their FortiToken Mobile option enabled (when FortiToken Revocation is enabled) in the Pre-Login Services pane in Authentication > Portals > Portals.

Previously available Seed encryption passphrase field in FortiTokens has been moved to the FortiToken Mobile Provisioning pane.

When editing a local/remote user with the Provision mode set to Offline:

  • The user account page only offers the Scan QR codeActivation delivery method for FortiToken Mobile (no Email or SMS options).

  • In the User Information pane, you are not required to add an Email.

When editing/creating a remote user synchronization rule in Authentication > User Management > Remote User Sync Rules with Provision mode set to Offline, FortiToken Mobile (assign an available token) in Synchronization Attributes cannot be enabled.

When editing/creating a portal in Authentication > Portals > Portals with Provision mode set to Offline, Allow users to reconfigure their FortiToken Mobile (when FortiToken Revocation is enabled) cannot be enabled.

When Provision mode is set to Offline, two-factor authentication self-provisioning page only offers Scan QR code activation delivery method for FortiToken Mobile.

SCIM server: Remote user synchronization rule functionality for the SCIM protocol

FortiAuthenticator now supports providing the remote sync rule functionality over SCIM protocol.

The SCIM client and provisioning settings can be configured by selecting the SCIM tab in Authentication > User Management > Remote User Sync Rules.

Note that when configuring a new remote SCIM user synchronization rule, FortiToken Mobile (assign an available token) option in OTP method assignment priority is not available.

Import/export user and user group data via CSV

FortiAuthenticator now allows you add, edit, and delete local, RADIUS, and SAML users and user groups via CSV files.

A new Advanced options settings when importing local users with options to keep, disable, or delete existing user accounts not in the CSV file.

New Import and Export options for RADIUS users.

New Export option for SAML users.

When importing SAML users, the Import SAML Users page now allows you to import SAML users from a SAML server or a CSV file.

New Import and Export options for user groups. User groups can be imported from the CSV file.

The following new options are available for auto provisioning local users and groups into the LDAP directory tree in Authentication > LDAP service > General:

  • Auto provision local groups from the following sources:

    • GUI (Imported local users)

    • API (Imported local users)

  • Provision users into the following container

CSV import of users and user groups generates a system log for every single user account or user group created, modified, or deleted.

FortiAuthenticator generates a summary log for each CSV import operation.

A new /csv/localusers/ endpoint available, see REST API Solutions Guide.

Fortinet SSO GUI reorganization

The previously available Fortinet SSO Methods > SSO menu has been reorganized as:

  • Fortinet SSO

    • Settings

      • FortiGate

      • Methods

      • User Group Membership

      • Tiered Architecture

      • Log Config

    • Methods

      • Web Services

      • SAML Authentication

      • Windows Event Log

      • RADIUS Accounting

      • Syslog

    • Filtering

      • SSO Users

      • SSO Groups

      • Fine-grained Controls

      • Domain Groupings

      • FortiGate

      • IP Rules