EMS Administration Guide

Configuring user verification with SAML authentication and an LDAP domain user account

To configure individual onboarding with SAML authentication using an LDAP domain user account:
  1. Configure EMS:
    1. In EMS, go to Endpoints > Manage Domains.
    2. Import the desired Active Directory domain. During the onboarding process, EMS authenticates user identities based on this domain. In this example, the domain is qatest0824.local.

    3. Go to User Management > SAML Configuration.
    4. Add a SAML configuration with the imported domain. For Authorization Type, select LDAP. From the Domain dropdown list, select the newly imported domain. In this configuration, EMS is the service provider (SP), and FortiAuthenticator is the identity provider (IdP). Under Identity Provider Settings, enter your FortiAuthenticator details. Click Save.

    5. In FortiAuthenticator, configure EMS as an SP.

    6. In EMS, go to User Management > Invitations. Configure the desired recipients to receive their invitation codes over email. For Verification Type, select SAML. From the SAML Config dropdown list, select the SAML configuration that you created. Click Save.

    7. Go to System Settings > EMS Settings. Enable Enforce User Verification. This forces FortiClient to register to EMS using user onboarding.

    8. Go to Zero Trust Tags > Zero Trust Tagging Rules. Add a Zero Trust tagging rule to tag registered endpoints with verified users.

  2. In FortiClient on an unregistered endpoint, attempt to register to EMS using the EMS fully qualified domain name. EMS rejects the connection attempt. FortiClient displays an error that EMS requires an invitation code.

  3. Register FortiClient to EMS:
    1. Do one of the following to start the process of registering FortiClient to EMS:
      1. Open the invitation email, and click Register to EMS. Follow the instructions to register to EMS.

      2. Open the invitation email, and copy the invitation code. Enter the invitation code on the Zero Trust Telemetry tab, and click Connect.

    2. In the popup, provide your LDAP user credentials, then click Login. FortiClient proceeds with the registration process after authentication succeeds. After FortiClient successfully registers to EMS, the username in FortiClient changes to the verified user account, and a chain icon appears beside the username to indicate that FortiClient is registered with a verified user.

  4. Go to the About page to confirm that the Verified User tag displays.

  5. In EMS, go to Endpoint Policy & Components > Managed Policies. Create a policy to apply to the selected user. In the Users field, select the desired user. This policy takes priority over group-based policies that the endpoint may also be eligible for.
  6. Go to Endpoints > All Endpoints. Select the endpoint. Confirm that EMS applied the user-specific policy that you created to the endpoint.

  7. On the same endpoint, register FortiClient with a new user. The endpoint summary displays a new active user. As the endpoint is no longer eligible for the user-specific policy, EMS applies a group-based policy to the endpoint instead. You can view all registered users for that endpoint.
