FortiAuthenticator 6.6.0
The following list contains new and expanded features added in FortiAuthenticator 6.6.0.
FSSO: Include LDAP user groups defined on FortiAuthenticator
FortiAuthenticator can now mark some of the remote LDAP groups to be included in FSSO.
When creating or editing a remote LDAP user group in Authentication > User Management > User Groups, a new Include for FSSO option is available. The option is available only when User retrieval is set to Set a list of imported remote LDAP users. The option is disabled by default. See User groups
Also, FortiGate filters now include FortiAuthenticator LDAP groups (remote LDAP user groups with User retrieval set to Set a list of imported remote LDAP users).
When creating or editing a FortiGate filter in Fortinet SSO > Filtering > FortiGate, selecting the Select from SSO users/groups option in the SSO Filtering Objects pane offers a new Remote LDAP Groups option to select the FortiAuthenticator LDAP groups. See FortiGate.
The feature can be enabled/disabled using the new Include locally-defined remote LDAP groups option (disabled by default) in Fortinet SSO > Settings > User Group Membership. See User group membership.
RADIUS: Option to send FortiToken push without an Access-Challenge
A new Trigger push without RADIUS challenge (warning: NOT recommended if using with FortiGate RADIUS clients) option (disabled by default) available when creating a RADIUS policy in Authentication > RADIUS Service > Policies.
When the option is enabled, FortiAuthenticator triggers the FortiToken Mobile push notification once the password is verified without requiring the end-user to respond "push" to a RADIUS challenge.
See Policies.
OAuth: Add PKCE to authorization code flow
When creating or editing a relying party in Authentication > OAuth Service > Relying Party, a new Authorization code with PKCE authorization grant type is available when the Client type is Public. See Relying Party.
-
When this grant type is selected, FortiAuthenticator applies the following modifications to the standard Authorization code grant type:
-
The
client_secret
field is ignored in requests to the/oauth/authorize/
endpoint. -
New
code_challenge_method
andcode_challenge
fields are required in requests to the/oauth/authorize/
endpoint. -
A new
code_verifier
field is required in the requests to the/oauth/token/
endpoint. -
FortiAuthenticator rejects requests to the
/oauth/token/
endpoint if the SHA256 digest forcode_verifier
does not match thecode_challenge
provided when thecode
was issued by the/oauth/authorize/
endpoint.
The following new fields have been introduced to the
oauth/authorize/
endpoint:code_challenge_method
-
code_challenge
The following new fields have been introduced to the
/oauth/token/
endpoint:code_verifier
-
code
See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.
-
Captive portal: New "No authentication" authentication type
FortiAuthenticator now offers a new No authentication authentication type when creating or editing a captive portal policy. For the new No authentication authentication type you do not require login credentials. See Captive portal policies.
RADIUS: Limit the number of concurrent MAC devices per user
When creating or editing a usage profile in Authentication > User Management > Usage Profile, a new Max. devices per user option is available in the Devices pane. See Usage profile.
The option allows you to set the maximum number of different MAC device addresses allowed concurrently for every user in the active RADIUS accounting sessions.
By default, the Max. devices per user is set to 0
. When set to 0
, MAC devices control is disabled, i.e., there is no limit on the number of concurrent MAC devices per user.
Also, RADIUS attribute for user IP and the RADIUS attribute options previously available in Authentication > RADIUS Service > Policies are now available in Authentication > RADIUS Service > Clients. See Clients.
SAML IdP: Extend login sessions
Login session timeout in Authentication > SAML IdP > General can now be configured with a value between 5 minutes to 120 days. See General.
Support custom user account attributes in SAML SP assertions
Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User attribute dropdown in the Assertion Attributes pane in Authentication > SAML IdP > Service Providers. See Custom user fields and Service providers.
Captive portal: Expiry for tracked devices
The portal configuration settings in Authentication > Portals > Portals now includes a new Remove MAC devices after option to control the MAC device expiry.
By default, the option is set to 7 days (1 - 365 days). See Portals.
LB HA: Wider and customizable configuration subsets
The HA configuration page in System > Administration > High Availability now offers new Synced settings (load-balancing) to select which subsets of the configuration to include in the LB HA sync. Synced settings (load-balancing) is available only when the Role is Standalone Primary. See High availability.
Exporting the admin user list for audit reports
FortiAuthenticator user audit reports generated from Logging > Audit Reports > Users Audit now include a new Only include administrator & sponsor accounts option. Enabling the option allows you only to include administrator and sponsor accounts in the user audit report.
The following new columns are included in the CSV file generated as part of the audit report:
-
lb synced
-
trusted subnets
-
password auth
See Audit reports.
FortiToken Cloud: Migrating FortiToken Mobile to FortiToken Cloud
FortiAuthenticator now allows you to migrate FortiToken Mobile tokens from a FortiToken Mobile license to FortiToken Cloud using the following CLI command:
execute fortitoken-cloud ftm-migrate <FTM license number>
Once the FortiToken Mobile license and its tokens are migrated to FortiToken Cloud: • The original FortiToken Mobile license is invalidated and the migration cannot be reversed. • Your perpetual license changes to an annual subscription license. |
Certificate enrollment via CMPv2
FortiAuthenticator now provides CMPv2 server functionality.
CMPv2 is a Certificate Management Protocol designed by Safenet for the secure signing of digital certificates and complete certificate life cycle management.
A new CMP menu is available in Certificate Management. CMP contains the following two tabs:
-
General
-
Enrollment Requests
See CMP.
Support for SCIM client
FortiAuthenticator now supports SCIM client service.
You can now configure a SCIM service provider in Authentication > SCIM > Service Provider. See Service providers.
OAuth: Support for IAM
A new IAM login option in the Identity sources tab to enable IAM logins when configuring an OAuth policy in Authentication > OAuth Service > Policies. See Policies.
When creating or editing an OAuth relying party, you can now include OIDC claims that return IAM account name, IAM account alias, and/or IAM username when the grant type is Authorization code (with/without PKCE). See Relying Party.
The OAuth login page (Login Page replacement message) now offers a Sign-in as IAM user link when IAM login is enabled.
The OAuth service now offers a new OAuth IAM Login Page replacement message used as the login form when the Sign-in as IAM user link is clicked on the OAuth login page.
The following new fields have been introduced to the /oauth/token
endpoint:
iam_account
-
iam_user
See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.
FSSO: New field for FortiGate expected LDAP username attribute
When editing the SSO configuration in Fortinet SSO > Settings > FortiGate, a new Username attribute field is available. When the Username attribute field is configured, the attribute value is obtained from the user LDAP lookup and is used as the username instead of the user login username.
See FortiGate.
Support custom user account attributes in OAuth relying parties
Custom fields configured in Authentication > User Account Policies > Custom User Fields are now available in the User Attribute dropdown in the Claims pane in Authentication > OAuth Service > Relying Party. See Custom user fields and Relying Party.
New fields for local, LDAP, and RADIUS users endpoints
The following new fields have been introduced to the /localusers/
, /ldapusers/
, and /radiususers/
endpoints:
-
company
-
department
See the FortiAuthenticator 6.6.0 REST API Solution Guide for updates to the FortiAuthenticator REST API.