Individual onboarding process 7.0.6
EMS 7.0.6 introduces a new registration method: onboarding users. With this new individual onboarding process, you have the option to verify user identity during the registration process. You can enforce user verification during the onboarding process to secure the connection between EMS and endpoints, and block unknown users and endpoints from registering to EMS.
The following includes two examples:
- Individual onboarding process with SAML authentication using an LDAP domain user account
- Enforcing reauthentication for an onboarding user
While the first example uses SAML authentication as the verification type for the invitation, you can also configure local or LDAP verification.
Individual onboarding process with SAML authentication using an LDAP domain user account
To configure individual onboarding with SAML authentication using an LDAP domain user account:
- Configure EMS:
  - In EMS, go to Endpoints > Manage Domains.
  - Import the desired Active Directory domain. During the onboarding process, EMS authenticates user identities based on this domain. In this example, the domain is qatest0824.local.
  - Go to User Management > SAML Configuration.
  - Add a SAML configuration with the imported domain. For Authorization Type, select LDAP. From the Domain dropdown list, select the newly imported domain. In this configuration, EMS is the service provider (SP), and FortiAuthenticator is the identity provider (IdP). Under Identity Provider Settings, enter your FortiAuthenticator details. Click Save.
  - In FortiAuthenticator, configure EMS as an SP.
  - In EMS, go to User Management > Invitations. Configure the desired recipients to receive their invitation codes over email. For Verification Type, select SAML. From the SAML Config dropdown list, select the SAML configuration that you created. Click Save.
  - Go to System Settings > EMS Settings. Enable Enforce User Verification. This forces FortiClient to register to EMS using user onboarding.
  - Go to Zero Trust Tags > Zero Trust Tagging Rules. Add a Zero Trust tagging rule to tag registered endpoints with verified users.
  - In FortiClient on an unregistered endpoint, attempt to register to EMS using the EMS fully qualified domain name. EMS rejects the connection attempt, and FortiClient displays an error stating that EMS requires an invitation code.
- Register FortiClient to EMS:
  - Do one of the following to start the process of registering FortiClient to EMS:
    - Open the invitation email, and click Register to EMS. Follow the instructions to register to EMS.
    - Open the invitation email, and copy the invitation code. Enter the invitation code on the Zero Trust Telemetry tab, and click Connect.
  - In the popup, provide your LDAP user credentials, then click Login. FortiClient proceeds with the registration process after authentication succeeds. After FortiClient successfully registers to EMS, the username in FortiClient changes to the verified user account, and a chain icon appears beside the username to indicate that FortiClient is registered with a verified user.
  - Go to the About page to confirm that the Verified User tag displays.
  - In EMS, go to Endpoint Policy & Components > Managed Policies. Create a policy to apply to the selected user. In the Users field, select the desired user. This policy takes priority over group-based policies that the endpoint may also be eligible for.
  - Go to Endpoints > All Endpoints. Select the endpoint. Confirm that EMS applied the user-specific policy that you created to the endpoint.
  - On the same endpoint, register FortiClient with a new user. The endpoint summary displays a new active user. Because the endpoint is no longer eligible for the user-specific policy, EMS applies a group-based policy to the endpoint instead. You can view all registered users for that endpoint.
Enforcing reauthentication for an onboarding user
You can require users to reauthenticate their identities at a configured timeout interval. If the user does not reauthenticate before the timeout, the endpoint unregisters from EMS. In this example, the endpoint is registered to EMS with an invitation code using LDAP authentication.
To enforce reauthentication for an onboarding user:
- In EMS, go to System Settings > EMS Settings.
- Enable Enforce User Verification.
- Enable User Verification Period, and enter the desired number of days. This example sets the period to seven days. Click Save.
To reauthenticate your identity in FortiClient:
- A notification appears on FortiClient five days before the reauthentication timeout. Click Sign-in to initiate reauthentication.
- FortiClient displays an authentication dialog. The Username field is grayed out to prevent the user from reauthenticating as a different user. In the Password field, enter your password.
- Click Sign in. If you provide the correct password, FortiClient remains connected to EMS, and the warning disappears until the next reauthentication cycle. If reauthentication fails, the Telemetry status displays as Not reachable, the verified user logs off, and FortiClient displays a dialog to initiate the onboarding process. For a new onboarding process, the Username field is available.