Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.6 Administration Guide
    7.6.6
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    SCIM servers

    SCIM servers

    System for Cross-domain Identity Management (SCIM) is an open-standard protocol that facilitates the exchange of identity data between platforms. See the following RFCs for more information:

    • See RFC 7642 for information about definitions, overview, concepts, and requirements.

    • See RFC 7643 for information about the core schema.

    • See RFC 7644 for information about the protocol.

    SCIM is based on a client-server model where the client is usually an identity provider (IdP) that maintains a directory of user identities, and the server is typically a service provider (SP). The client sends user and group information to the server, enabling automatic provisioning of users and groups between the SP and IdP.

    With SCIM servers, FortiGate can communicate with an Identity Provider (IdP) using the SCIM 2.0 protocol, which facilitates the automatic provisioning of users and groups on FortiGate. Once users and groups are provisioned on FortiGate, they can be used with SAML to provide user authentication.

    The config system global command includes SCIM settings:

    config system global
    set scim-http-port <integer>
    set scim-https-port <integer>
    set scim-server-cert <string>
end

    scim-http-port <integer>

    Specify the port on which the SCIM server will listen for HTTP requests (default = 44558).

    scim-https-port <integer>

    Specify the port on which the SCIM server will listen for HTTPS requests (default = 44559).

    scim-server-cert <string>

    Specify the certificate that will be used if the HTTPS protocol is being used to communicate with the SCIM client.

    The certificate used by FortiGate must be trusted by the SCIM client.
    To allow SCIM access in the GUI:

    1. Go to Network > Interfaces.

    2. Create or edit an interface.

    3. In the Administrative Access section, select SCIM.

    4. Click OK.

    To allow SCIM access in the CLI:

    For IPv4:

    config system interface 
    edit <name>
        append allowaccess scim
    next
end

    For IPv6:

    config system interface 
    edit <name>
        ...
        config ipv6
            append ip6-allowaccess scim
        end
    next
end
    To specify the SCIM server certificate and HTTP(S) port in the GUI:

    1. Go to System > Settings.

    2. In the SCIM Settings section, configure the HTTP port, HTTPS port, and Server certificate as required.

    3. Click Apply.

    To specify the SCIM server certificate and HTTP(S) port in the CLI:
    config system global
    set scim-http-port <port>
    set scim-https-port <port>
    set scim-server-cert <certificate>
end
    To configure SCIM clients in the GUI:

    1. Go to User & Authentication > SCIM Clients, and click Create New.

    2. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.

    3. Click OK.

    To configure SCIM clients in the CLI:
    config user scim
    edit <name>
        set status {enable| disable} 
        set base-url <string>
        set authe-method {token | base} 
        set token-certificate <name>
        set secret <passwd> 
        set certificate <name>
        set client-identity-check {enable| disable}
    next
end

    status {enable| disable}

    Enable/disable System for Cross-domain Identity Management (SCIM).

    base-url <string>

    Server URL to receive SCIM create, read, update, delete (CRUD) requests.

    auth-method {token | base}

    TLS client authentication methods (default = bearer token).

    token-certificate <name>

    Certificate for token verification.

    secret <passwd>

    Secret for token verification or base authentication.

    certificate <name>

    Certificate for client verification during TLS handshake.

    client-identity-check {enable| disable}

    Enable/disable client identity check.
    To add a SCIM client to SAML server configuration in the GUI:

    1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single sign-on.

    2. In the Additional SAML Attributes section, enable SCIM client and select a SCIM client.

    3. Click OK.

    To add a SCIM client to SAML server configuration in the CLI:
    config user saml
    edit <name>
        set scim-client <name>
        set scim-group-attr-type {display-name | external-id}
    next
end

    Example

    In this example, FortiGate is configured as the SCIM server (SP), and FortiAuthenticator is configured as the SCIM client (IdP). Two groups are configured on FortiAuthenticator: IT and Pochiya clan. The groups contain the following users:

    • The IT group contains three users: admin, sk, and sy.

    • The Pochiya clan group contains two users: naynay and kiki.

    Upon successful configuration, users and groups are provisioned on FortiGate. This setup can leverage SAML to provide access to authenticated users.

    To configure FortiGate as an SCIM server in the GUI:

    1. Allow SCIM access on an interface:

      1. Go to Network > Interfaces and edit the interface.

      2. In the Administrative Access section, select SCIM.

      3. Click OK.

    2. Specify the SCIM server certificate:

      1. Go to System > Settings.

      2. In the SCIM Settings section, set Server certificate.

      3. Click Apply.

    3. Configure SCIM client entries:

      1. Go to User & Authentication > SCIM Clients, and click Create New.

      2. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.

      3. Click OK.

    To configure FortiGate as an SCIM server in the CLI:

    1. Allow SCIM access on an interface:

      In IPv4:

      config system interface 
    edit port2
        append allowaccess scim
    next
end

      In IPv6:

      config system interface 
    edit port2
        ...
        config ipv6
            append ip6-allowaccess scim
        end
    next
end

    2. Specify the SCIM server certificate:

      config system global
    set scim-server-cert SCIM-Demo-CA-SSL
end

    3. Configure SCIM client entries:

      config user scim
    edit "SCIM-server-to-FAC"
        set status enable 
        set base-url https://10.88.0.254/scim/v2
        set auth-method base
        set secret **********
        set certificate REMOTE_Cert_2
        set client-identity-check enable
    next
end
    To configure FortiAuthenticator as an SCIM client:

    1. On FortiAuthenticator, use your admin account to log in.

    2. Click Authentication > SCIM > Service Provider.

    3. Click Create New, and configure the following settings:

      Name

      Test-SCIM

      SCIM endpoint

      https://10.88.0.254:44559/scim/v2

      Access token

      **********

    4. Configure the remaining settings as required, and click Save.

    5. Once the setting is saved, double-click the newly created entry to open the settings pane, and click Sync to automatically add existing users to the SCIM server.

    See Service providers for more information

    Note

    The SCIM endpoint and access token must match the base-url and secret respectively, as configured on the FortiGate.

    Furthermore, an initial synchronization is necessary to commence provisioning for the first time. However, when alterations to identities occur in the IdP, including creation, updating, and deletion, these changes are automatically synchronized with SP in accordance with the SCIM protocol.
    To verify whether users and groups are provisioned on FortiGate:
    # diagnose test scim list-clients
There are 1 clients in vdom. 
id:1 name:SCIM-server-to-FAC

    # diagnose test scim list-groups SCIM-server-to-FAC

IT
pochiya clan
total:2

    # diagnose test scim list-users SCIM-server-to-FAC

admin
kiki
naynay
sk
sy
    To add a SCIM client to SAML server configuration in the GUI:

    1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single sign-on.

    2. In the Additional SAML Attributes section, enable SCIM client and select the SCIM client.

    3. Click OK.

    To add the SCIM group to a SAML server configuration in the CLI:
    config user saml
    edit "SCIM-SAML"
        set scim-client "SCIM-server-to-FAC" 
        set scim-group-attr-type {display-name | external-id}
    next
end

    Modify the SAML user group used in the firewall policy

    The configuration in this topic incorporates all the SCIM groups configured on FortiAuthenticator and enables all users to authenticate. However, if you want to limit authentication to users who belong to specific groups, such as the IT group, the following additional configuration is necessary:

    To modify the SAML user group used in the firewall policy in the GUI:

    1. Go to User & Authentication > User Groups and click Create New. Firewall is selected as the default Type.

    2. Enter the group name, such as saml-scim.

    3. In the Remote Groups section, click Add.

    4. Set Remote Server to the SAML user, SCIM-SAML.

    5. For the Groups, select Specify, then click the text box to see the groups pulled from SCIM client as Suggestions.

    6. Select the required group then click OK.

    To modify the SAML user group used in the firewall policy in the CLI:
    config user group
    edit saml-scim
        set member "SCIM-SAML"
        config match
            edit 1
                set server-name "SCIM-SAML"
                set group-name "IT"
            next
        end
    next
end
    Note

    For brevity, only the commands relevant to this enhancement are included. See SAML for more information about configuring SP and IdP.
    Previous
    Next

    SCIM servers

    SCIM servers

    System for Cross-domain Identity Management (SCIM) is an open-standard protocol that facilitates the exchange of identity data between platforms. See the following RFCs for more information:

    • See RFC 7642 for information about definitions, overview, concepts, and requirements.

    • See RFC 7643 for information about the core schema.

    • See RFC 7644 for information about the protocol.

    SCIM is based on a client-server model where the client is usually an identity provider (IdP) that maintains a directory of user identities, and the server is typically a service provider (SP). The client sends user and group information to the server, enabling automatic provisioning of users and groups between the SP and IdP.

    With SCIM servers, FortiGate can communicate with an Identity Provider (IdP) using the SCIM 2.0 protocol, which facilitates the automatic provisioning of users and groups on FortiGate. Once users and groups are provisioned on FortiGate, they can be used with SAML to provide user authentication.

    The config system global command includes SCIM settings:

    config system global
    set scim-http-port <integer>
    set scim-https-port <integer>
    set scim-server-cert <string>
end

    scim-http-port <integer>

    Specify the port on which the SCIM server will listen for HTTP requests (default = 44558).

    scim-https-port <integer>

    Specify the port on which the SCIM server will listen for HTTPS requests (default = 44559).

    scim-server-cert <string>

    Specify the certificate that will be used if the HTTPS protocol is being used to communicate with the SCIM client.

    The certificate used by FortiGate must be trusted by the SCIM client.
    To allow SCIM access in the GUI:

    1. Go to Network > Interfaces.

    2. Create or edit an interface.

    3. In the Administrative Access section, select SCIM.

    4. Click OK.

    To allow SCIM access in the CLI:

    For IPv4:

    config system interface 
    edit <name>
        append allowaccess scim
    next
end

    For IPv6:

    config system interface 
    edit <name>
        ...
        config ipv6
            append ip6-allowaccess scim
        end
    next
end
    To specify the SCIM server certificate and HTTP(S) port in the GUI:

    1. Go to System > Settings.

    2. In the SCIM Settings section, configure the HTTP port, HTTPS port, and Server certificate as required.

    3. Click Apply.

    To specify the SCIM server certificate and HTTP(S) port in the CLI:
    config system global
    set scim-http-port <port>
    set scim-https-port <port>
    set scim-server-cert <certificate>
end
    To configure SCIM clients in the GUI:

    1. Go to User & Authentication > SCIM Clients, and click Create New.

    2. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.

    3. Click OK.

    To configure SCIM clients in the CLI:
    config user scim
    edit <name>
        set status {enable| disable} 
        set base-url <string>
        set authe-method {token | base} 
        set token-certificate <name>
        set secret <passwd> 
        set certificate <name>
        set client-identity-check {enable| disable}
    next
end

    status {enable| disable}

    Enable/disable System for Cross-domain Identity Management (SCIM).

    base-url <string>

    Server URL to receive SCIM create, read, update, delete (CRUD) requests.

    auth-method {token | base}

    TLS client authentication methods (default = bearer token).

    token-certificate <name>

    Certificate for token verification.

    secret <passwd>

    Secret for token verification or base authentication.

    certificate <name>

    Certificate for client verification during TLS handshake.

    client-identity-check {enable| disable}

    Enable/disable client identity check.
    To add a SCIM client to SAML server configuration in the GUI:

    1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single sign-on.

    2. In the Additional SAML Attributes section, enable SCIM client and select a SCIM client.

    3. Click OK.

    To add a SCIM client to SAML server configuration in the CLI:
    config user saml
    edit <name>
        set scim-client <name>
        set scim-group-attr-type {display-name | external-id}
    next
end

    Example

    In this example, FortiGate is configured as the SCIM server (SP), and FortiAuthenticator is configured as the SCIM client (IdP). Two groups are configured on FortiAuthenticator: IT and Pochiya clan. The groups contain the following users:

    • The IT group contains three users: admin, sk, and sy.

    • The Pochiya clan group contains two users: naynay and kiki.

    Upon successful configuration, users and groups are provisioned on FortiGate. This setup can leverage SAML to provide access to authenticated users.

    To configure FortiGate as an SCIM server in the GUI:

    1. Allow SCIM access on an interface:

      1. Go to Network > Interfaces and edit the interface.

      2. In the Administrative Access section, select SCIM.

      3. Click OK.

    2. Specify the SCIM server certificate:

      1. Go to System > Settings.

      2. In the SCIM Settings section, set Server certificate.

      3. Click Apply.

    3. Configure SCIM client entries:

      1. Go to User & Authentication > SCIM Clients, and click Create New.

      2. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.

      3. Click OK.

    To configure FortiGate as an SCIM server in the CLI:

    1. Allow SCIM access on an interface:

      In IPv4:

      config system interface 
    edit port2
        append allowaccess scim
    next
end

      In IPv6:

      config system interface 
    edit port2
        ...
        config ipv6
            append ip6-allowaccess scim
        end
    next
end

    2. Specify the SCIM server certificate:

      config system global
    set scim-server-cert SCIM-Demo-CA-SSL
end

    3. Configure SCIM client entries:

      config user scim
    edit "SCIM-server-to-FAC"
        set status enable 
        set base-url https://10.88.0.254/scim/v2
        set auth-method base
        set secret **********
        set certificate REMOTE_Cert_2
        set client-identity-check enable
    next
end
    To configure FortiAuthenticator as an SCIM client:

    1. On FortiAuthenticator, use your admin account to log in.

    2. Click Authentication > SCIM > Service Provider.

    3. Click Create New, and configure the following settings:

      Name

      Test-SCIM

      SCIM endpoint

      https://10.88.0.254:44559/scim/v2

      Access token

      **********

    4. Configure the remaining settings as required, and click Save.

    5. Once the setting is saved, double-click the newly created entry to open the settings pane, and click Sync to automatically add existing users to the SCIM server.

    See Service providers for more information

    Note

    The SCIM endpoint and access token must match the base-url and secret respectively, as configured on the FortiGate.

    Furthermore, an initial synchronization is necessary to commence provisioning for the first time. However, when alterations to identities occur in the IdP, including creation, updating, and deletion, these changes are automatically synchronized with SP in accordance with the SCIM protocol.
    To verify whether users and groups are provisioned on FortiGate:
    # diagnose test scim list-clients
There are 1 clients in vdom. 
id:1 name:SCIM-server-to-FAC

    # diagnose test scim list-groups SCIM-server-to-FAC

IT
pochiya clan
total:2

    # diagnose test scim list-users SCIM-server-to-FAC

admin
kiki
naynay
sk
sy
    To add a SCIM client to SAML server configuration in the GUI:

    1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single sign-on.

    2. In the Additional SAML Attributes section, enable SCIM client and select the SCIM client.

    3. Click OK.

    To add the SCIM group to a SAML server configuration in the CLI:
    config user saml
    edit "SCIM-SAML"
        set scim-client "SCIM-server-to-FAC" 
        set scim-group-attr-type {display-name | external-id}
    next
end

    Modify the SAML user group used in the firewall policy

    The configuration in this topic incorporates all the SCIM groups configured on FortiAuthenticator and enables all users to authenticate. However, if you want to limit authentication to users who belong to specific groups, such as the IT group, the following additional configuration is necessary:

    To modify the SAML user group used in the firewall policy in the GUI:

    1. Go to User & Authentication > User Groups and click Create New. Firewall is selected as the default Type.

    2. Enter the group name, such as saml-scim.

    3. In the Remote Groups section, click Add.

    4. Set Remote Server to the SAML user, SCIM-SAML.

    5. For the Groups, select Specify, then click the text box to see the groups pulled from SCIM client as Suggestions.

    6. Select the required group then click OK.

    To modify the SAML user group used in the firewall policy in the CLI:
    config user group
    edit saml-scim
        set member "SCIM-SAML"
        config match
            edit 1
                set server-name "SCIM-SAML"
                set group-name "IT"
            next
        end
    next
end
    Note

    For brevity, only the commands relevant to this enhancement are included. See SAML for more information about configuring SP and IdP.
    Previous
    Next