FortiAuthenticator standalone IAM
Certificate lifecycle management, multi-factor authentication, WiFi onboarding, and advanced identity scenarios using FortiAuthenticator as a standalone IAM device.
-
Example
Description
Configure FortiAuthenticator as a root CA to sign X.509 certificates, then use a signed certificate to secure FortiGate administrator GUI access across Chrome, Internet Explorer, and Firefox clients.
Issue an intermediate CA certificate from FortiAuthenticator and apply it to a FortiGate SSL/SSH full-inspection profile, enabling deep inspection of HTTPS traffic without browser certificate warnings.
FortiAuthenticator certificate with SSL inspection using an HSM
Extend the SSL inspection workflow by backing the signing CA with a SafeNet Luna V7 Hardware Security Module (HSM), so all private-key operations are performed inside the HSM rather than on the FortiAuthenticator file system.
Enable the SCEP service on a FortiAuthenticator private CA so that FortiGate can automatically submit a CSR and receive a signed device certificate (covering use cases such as VPN tunnel rotation, EAP-TLS WiFi, and GUI certificate renewal).
Integrate Microsoft Intune (UEM/MDM) with FortiAuthenticator to provision SCEP-issued certificates to Windows endpoints, enabling certificate-based device authentication managed through Microsoft Entra ID.
-
Authentication and User management
Example
Description
Configure FortiAuthenticator as a RADIUS server that delivers FortiToken Mobile push notifications for two-factor Agentless VPN authentication, so users can accept or deny login requests from their mobile device.
Configure MAC Authentication Bypass (MAB) on a third-party switch (EX2200) with FortiAuthenticator as the RADIUS back-end to demonstrate cross-vendor interoperability and dynamic VLAN assignment for wired network devices.
Set up a self-registration portal where users can request their own accounts; an administrator approves each request by email before the account is activated, covering SMTP configuration, portal policies, and FQDN/NTP prerequisites.
Computer authentication using FortiAuthenticator with MS AD Root CA
Configure 802.1X EAP-TLS computer certificate authentication where the certificate chain roots in a Microsoft Active Directory CA, using FortiAuthenticator as the RADIUS server for a FortiGate-managed FortiAP SSID with VLAN assignment.
Logging in to FortiGate as an administrator using FIDO2 authentication
Enable phishing-resistant FIDO2 hardware-key authentication for FortiGate administrator logins, with FortiAuthenticator acting as the FIDO2 identity provider.
Set up an Agentless VPN tunnel where end users authenticate with a FortiToken 410 FIDO2 hardware key, with FortiAuthenticator configured as the SAML IdP for FortiGate.
-
Example
Description
Demonstrate automated WiFi onboarding through FortiAuthenticator Smart Connect, supporting both Google Workspace and Microsoft Azure identity sources so devices receive certificates and SSID configuration with minimal user interaction.
-
Example
Description
Accessing an AD server with a zero trust tunnel on FortiAuthenticator
Use a FortiAuthenticator zero trust tunnel to securely reach an on-premise LDAP/AD server from the public internet over TCP, with FortiAuthenticator acting as a local CA and issuing the client certificate for the tunnel.
Configure FortiAuthenticator as a SCIM client against AWS as the service provider, automating cross-domain user identity synchronisation using the open SCIM standard.
Install and configure the FortiClient SSO Mobility Agent (SSOMA) so that Windows login events against an Active Directory LDAP server are captured by FortiAuthenticator and forwarded to FortiGate for FSSO-based policy enforcement.
FortiAuthenticator SSOMA for native Microsoft Entra ID joined workstation
Extend SSOMA to cloud-native endpoints joined to Microsoft Entra ID, so FortiAuthenticator receives identity and IP updates from SSOMA (including seamless handoff when a device switches from wired to wireless) and propagates them to FortiGate.