
Identity & Access Management (IAM)

25.2.0

FAQ

General questions

  1. Can anyone access the IAM portal or does it require special permissions?

    Any Account Owner (the person who created the account, also known as the master user) can access the IAM portal. IAM users have access to the portal based on the permission profile assigned. See Permission profiles.

  2. Why are you changing user management?

    FortiCloud supports many cloud services, all accessible with a unified FortiCloud account. IAM introduces granular access control for those cloud services and improved, common user management across all of them. For example, an admin can create an IAM user with access to specific services and a designated role such as admin or read only.

  3. What benefit does IAM offer me?

    IAM provides in-depth access and permission control for services. Permission profiles provide additional security and strong access control for account admins.

IAM users

  1. Do I need to be a master user to create IAM users?

    Master users can create IAM users. IAM users with Admin/Read-Write permissions to the IAM portal can also create IAM users. See Adding IAM users.

  2. Which FortiCloud portals support IAM users?

    Most FortiCloud portals include IAM user support. Refer to the product portal administration guides for more information about IAM user support and permissions.

  3. What is the alias for IAM users?

    Each account is identified by a unique Account ID. Instead of remembering the Account ID, the account admin can set an alias (a unique string) that identifies the account. IAM users can enter the account alias when they log in to a portal.

  4. Is an alias required?

    Adding an account alias is optional. IAM users can log in with the Account ID, or with the alias if one is set.

  5. Can I modify or change the alias?

    Yes, admins can update the alias from the My Account menu in the top menu bar.

    Note

    If you are using the legacy Sub User Model, only the master user can change the alias.

  6. How do I set a password for an IAM user?

    When an IAM user is created, the system generates a link for creating a password, which can be shared with the IAM user. After the IAM user has logged in, they can set a new password of their choice. See Adding IAM users.

  7. Do I have to provide new IAM users with the generated password file?

    Provide the generated password reset link to the IAM user.

  8. Can admins update or edit an IAM user's permissions to portals or assets?

    Yes. An admin (the master user or an IAM user with Admin/Read-Write permissions) can change the permissions from the IAM portal after the IAM user has been created.

  9. Can I change an IAM user's individual permissions in a user group?

    Once an IAM user is added to a user group, only the group permission profile applies. See Managing IAM users.

  10. How do IAM users log in to the FortiCloud account?

    On the Login screen, select IAM Login and enter the Account ID (or Alias), IAM username and password. See Logging in as an IAM user.

External IdP roles

  1. After external IdP is enabled, can the FortiCloud account still be accessed if the external IdP has a problem?

    The master user can always access the account, even when external IdP is enabled. Using a single user management method is recommended. That said, if a local IAM user is needed for a particular scenario, you can configure a co-exist date so that both local IAM users and external IdP roles can be used. See Setting a co-exist end date.

  2. Can I log in directly to www.forticloud.com with the users in my external IdP?

    Users are stored in the external IdP (such as Azure, Okta, and so on); FortiCloud does not store their user information or credentials. Therefore, logging in directly to www.forticloud.com using the email or IAM login tab does not work for them. Only IAM users (and legacy sub users) created under the master account can log in directly through www.forticloud.com; however, that access expires when the co-exist period ends.

  3. How do you resolve the Microsoft error "Authentication method by which the user authenticated with the service doesn't match requested authentication method 'Password, Protected Transport'. Contact the FortiCloud Application owner"?

    Contact your Fortinet Sales representative or the Customer Service team through a ticket, including screenshots of the error and the URLs involved.

  4. Why does logging into FortiCloud as an IAM User or legacy sub-user no longer work?

    Once the transition period stated in the enrollment form has passed, only the master account can log in directly. IAM users and sub users can no longer log in. The co-exist end date may be updated to allow more transition time. See Setting a co-exist end date.

  5. How do you disable the External IdP feature?

    Contact your Fortinet Sales representative or the Customer Service team through a ticket to disable the feature.

  6. Do we need to reach out to Fortinet every time we want to add new users within external IdP?

    No. User management is handled in the external IdP (such as Azure, Okta, and so on). Permissions are controlled by mapping each value of the Role attribute to the corresponding external IdP role, and its permission profile, in FortiCloud.

  7. Why does the FortiCloud account not show the option to add an external IdP role in the FortiCloud IAM portal?

    The option to add external IdP roles is displayed only for accounts enrolled for external IdP. If external IdP is enabled for the FortiCloud account, ensure that the user is logged in as the master user with the account ID matching that of the enrollment form.

  8. How do you update the certificate for External IdP when it is going to expire?

    Contact your Fortinet Sales representative or the Customer Service team through a ticket in advance, attaching the new certificate. Fortinet can apply it on their side at a specified date, time, and time zone.

  9. Can I have multiple Role values for a single user?

    Yes, multiple values of the Role attribute can be passed to FortiCloud. When multiple roles are configured, the user is prompted to select one role before proceeding. Each Role value must have a corresponding external IdP role in the master account.
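    The Role attribute handling described in questions 6 and 9 (several Role values in one assertion, each needing a matching external IdP role, a prompt when more than one matches) is illustrated below with an added example; it is not FortiCloud code, the assertion and the `IDP_ROLE_MAP` are constructed, and how FortiCloud itself treats a Role value with no matching role is not stated on this page, so the example only reports such values.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, minimal SAML 2.0 attribute statement carrying three Role values.
# A real assertion is signed and carries Subject/Conditions; those are omitted here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>FC-Admin</saml:AttributeValue>
      <saml:AttributeValue>FC-ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>HR-Payroll</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping configured in the master account:
# external IdP role (the Role attribute value) -> permission profile.
IDP_ROLE_MAP = {
    "FC-Admin": "Admin",
    "FC-ReadOnly": "Read Only",
}


def extract_roles(assertion_xml, attribute_name="Role"):
    """Return every value of the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, SAML_NS)]


def resolve_roles(role_values, role_map):
    """Split presented Role values into mapped (usable) and unmapped ones."""
    mapped = {r: role_map[r] for r in role_values if r in role_map}
    unmapped = [r for r in role_values if r not in role_map]
    return mapped, unmapped


def login_decision(assertion_xml, role_map):
    """Decide what happens after the assertion is accepted: deny, prompt, or log in."""
    mapped, unmapped = resolve_roles(extract_roles(assertion_xml), role_map)
    if not mapped:
        # No Role value corresponds to a configured external IdP role.
        return {"action": "deny", "unmapped": unmapped}
    if len(mapped) > 1:
        # More than one usable role: the user has to pick one before proceeding.
        return {"action": "prompt", "choices": sorted(mapped), "unmapped": unmapped}
    (role, profile), = mapped.items()
    return {"action": "login", "role": role, "profile": profile, "unmapped": unmapped}
```

Values that reach `unmapped` are the ones an admin would look for in the IdP's group-to-claim configuration, since the page requires every Role value to have a corresponding external IdP role.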

  10. Can I use External IdP to log into a FortiGate?

    No. SSO from the FortiCloud external IdP to devices is not currently supported. Instead, the external IdP can be configured directly on the device. See Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP.

  11. How do I link a different account number to my external IdP?

    Provide your account number and Fortinet SAML URLs to your Fortinet Sales representative or the Customer Service team through a ticket.

  12. How do I update the IdP metadata?

    Contact your Fortinet Sales representative or the Customer Service team through a ticket with the new IdP metadata file and Fortinet SAML URLs.

  13. Can I have both external IdP users and IAM users?

    Using a single method of managing users is recommended. However, the co-exist date may be updated until the customer is ready to transition fully to external IdP.

  14. Will the master user access expire after the co-exist period ends?

    No. Master user access to the FortiCloud account with email and password credentials is not affected by the co-exist period. You can always log in as the master user and update the co-exist period if needed.

  15. What do I do if the URL is not redirecting to IdP login page?

    Try logging in from an incognito (private) browser window, using the portal URL provided by the Fortinet team: https://customersso1.fortinet.com/saml-idp/proxy/{ext-idp-Id}/login/

  16. Is External IdP supported when using FortiCloud Organization?

    External IdP works with FortiCloud Organizations.

    Please ensure the following:

    • The external IdP is connected to the organization root account.

    • The permission profile is set to type Organizations. See Permission scope.

    • The external IdP role type is also set to Organizations with required scope.

Legacy sub accounts

  1. Can I still create traditional sub accounts?

    Yes; however, we strongly recommend migrating your users to the IAM portal to take advantage of its security features. The IAM portal includes a sub user migration wizard to simplify the migration.

  2. Will you stop supporting sub accounts, and if so, when?

    While both models co-exist currently, the legacy user management model is expected to be deprecated in the near future. The timeline for deprecation will be communicated later.

  3. What limitations do legacy sub accounts have?

    Legacy sub accounts have limited permission controls. The IAM permission model enhances access control with fine-grained permissions for the various cloud products and services.
