DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Admin Guide

Introduction
Licensing and availability
- Subscription licensing
- Free licenses
- SMS licensing
- Email notification on license balance status
Support for EU GDPR
Architecture
Acronyms and abbreviations
Quickstart guide
- Getting started—FGT-FIC users
- Getting started—FAC-FIC users
Main features
Compatibility
- Compatible Fortinet applications
- Supported browsers
Important notes
- Trial account API request limit
- The same token for the same user on multiple applications
- A single FIC user in multiple applications
- Admin accounts and realms
- Supported OTP hard tokens
- Supported FIDO security key
- No SMS MFA with FAC as LDAP server
- FAC users' name issues on FIC GUI
- How to use FortiClient
- Enabling/Disabling FIC end users in FortiGate
- Account disablement and closure
FortiToken Mobile
- Supported FortiToken Mobile apps
- Activating FTM tokens
- Activating third-party tokens
- Using FTM tokens
Use cases
- One Token shared by different applications
- Changing separate tokens to a single token
- Independent token
- Auto-Alias features—using the same email address
- Splitting user quota among different realms
- FIC account lockout (2FA)
- Managing access to FIC
- Controlling risky conditions
- Synchronizing LDAP remote users in wildcard user group from FortiGate
- Transferring devices on FIC
- ZTNA HTTPS access proxy with FIC MFA
- Adding FIC MFA to remote access IPsec VPN
- Configuring FIC as Microsoft Entra external authentication service provider
- MFA authentication context handling
- Configuring FIC as the IdP proxy for FortiSASE
- FortiIdentity Cloud as OIDC provider
Maintenance
- Adding, syncing, and deleting users
- Adding, syncing, and deleting applications (FortiProducts)
- Service debugging
Applications
- Creating FortiProduct applications
- Transferring application (FC account lockout)
- Replacing an old FortiGate with a new one
- Applications in HA mode
- Applications for third-party usage
FortiCloud
- Logging into an OU account
- Launching FortiIdentity Cloud
FortiIdentity Cloud GUI
Dashboard
- Monitoring FIC status
- Pagination for accounts with multiple sub-admin users
Managing users
- Onboarding users
- Batch-adding users
- Enabling Auto-alias by Email
- Adding user aliases
- Auto-assigning FTKs to selected users
- Getting a new FTM token
- Hiding/showing full FortiAuthenticator username
- Viewing a user's applications
- Using a temporary token
- Editing a user
- Deleting users from FIC
Managing admin groups
- Creating a sub-admin group
- Adding users to the admin group
- Adding realms to the admin group
- Editing sub-admin group configuration
- Deleting a sub-admin group
FortiProducts
- Editing a FortiProduct
- Viewing additional information about an application
- Deleting a FortiProduct
- Assigning a FortiProduct to a realm
- Managing realms
Web Applications
- Adding a web app
- Regenerating API credentials
- Editing a web app
- Deleting a web app
- Configuring secret rotation policy
- Configuring per-SP authentication settings
Management Applications
- Creating a management application
- Regenerating management application secret
- Deleting a management application
SCIM client integration
- Features and benefits
- Supported SCIM client applications
- Use case
- Integrating FIC with SCIM clients
- Demo configurations
- Known issues and special notes
Using SSO applications
- Use Cases
- Configuring per-SP authentication settings
- OIDC Parameters
Adding user source
- Using Google social login as user source
- Support for LDAP/AD user source
Managing End-User Portal
- Configuring End-User Portal
- Configuring IdP user source
- Keeping SSO applications off End-User Portal
Configuring domain mapping
Managing device ownership
- Validating device ownership
- Transferring devices
- Transferring devices on FIC
- Managing device transfer
- Performing factory reset
Managing HA clusters
- Searching for a standalone device
- Adding devices to a cluster
- Moving devices between clusters
- Removing devices from a cluster
Using mobile tokens
Using hardware tokens
Using passkeys
Session monitor
Logs
- Usage data
- Authentication logs
- Management logs
- SMS logs
- Order logs
Using templates
- Creating a custom template
- Editing a template
- Using templates
- Deleting a template
- Alarms
  - Creating a user quota alarm
  - Creating an SMS credit balance alarm
Managing custom branding
- Creating an SSO application branding theme
- Creating an End-User Portal branding theme
- Applying custom branding theme to SSO application
- Applying custom branding theme to End-User Portal
- Deleting a branding scheme configuration
Managing global settings
- Multi-Realm Mode
- Share-Quota Mode
- Account Disable/Delete Notification
- Auto-Create Application
- Username Case & Accent Sensitive
Managing realm settings
- General settings
  - Enabling Auto-alias by Email
- Authentication scheme
- FTM MFA settings
- Email MFA settings
- SMS MFA settings
- Managing password policy
- Managing user verification
Alarm routing
- Configuring receiver groups
- Configuring receivers
- Adaptive authentication
Managing certificates
FortiOS CLI commands for FortiIdentity Cloud
- Global system configuration
- Accessing FIC management commands
- Configuring admin users
- Configuring local users
- Configuring local LDAP users for FIC service
- Configuring wildcard LDAP users for FIC service
- Configuring local RADIUS users for FIC service
- Diagnosing FortiIdentity Cloud
- Showing user ldap
Licenses
- Licenses
- Purchasing licenses with FortiPoints
Product documentation
FAQs
Release history
Technical support
Change log

Home FortiIdentity Cloud 26.1.a Admin Guide

26.1.a

Example 6: ZTNA application gateway with SAML as SP

Complete the initial setup by following the instructions in Configure ZTNA HTTPS access proxy.
Create a new SAML user/server on FortiGate GUI:
1. On the FortiGate, click User & Authentication > Single Sign-On.
2. Click Create New.
3. Set Address to webserver.ztnademo.com:9443.
  Note: The Entity ID, Assertion consumer service URL, and Single logout service URL will be updated.
4. Take note of the aforementioned updates, for you will be prompted to enter them into FIC.
5. Enable Certificate, and select the certificate used for the client.
  In this example, the ztna-wildcard certificate is a local certificate that is used to sign SAML messages that are exchanged between the client and the FortiGate SP.
6. Click Next.
7. Use the settings from FIC to fill the custom Identity Provider Details. On FIC, go to Applications > SSO > Add SSO Application, and get the IdP Metadata details from the page:
  - Where the REMOTE_Cert_1 certificate is a remote certificate that is used to identify the IdP. You’ll want to use the certificate you get from after you create the FIC SSO application if you click the tool icon, select Details , and click to download the Signing Certificate.
  - In the meantime, on FIC fill out the SP Metadata section with the Entity ID, Assertion consumer service URL and Single logout service URL:
8. Set Attribute used to identify users to username. (Note: Attributes to identify users and groups are case-sensitive.)
9. Click Submit to save the settings.
Create a user group for the SAML user object:
1. Click User & Authentication > User Groups > Create New.
2. Set Name to ztna-saml-users.
3. Under Remote Groups, click Add.
4. For Remote Server, select ZTNA-FAC-SAML.
5. Click OK.
6. Click OK again to save the settings.
Apply the SAML sever to proxy authentication:
1. Go to Policy & Objects > Authentication Rules.
2. Click Create New > Authentication Scheme.
3. Set Name to ZTNA-SAML-scheme.
4. Set Method to SAML.
5. Set SAML SSO server to ZTNA-FAC-SAML.
6. Click OK.
7. Go to Policy & Objects > Authentication Rules.
8. Click Create New > Authentication Rule.
9. Set Name to ZTNA-SAML-rule.
10. Set Source Address to all.
11. Set Incoming Interface to port3.
12. Set Protocol to HTTP.
13. Enable Authentication Scheme and select ZTNA-SAML-scheme.
14. Set IP-based Authentication to Disable.
15. Click OK.
Configure the active authentication scheme and captive portal:
1. Go to User Authentication > Authentication Settings.
2. Enable Authentication scheme.
3. Select ZTNA-SAML-scheme.
4. Set Captive portal type to FQDN.
5. Enable Captive Portal.
6. Select the firewall address webserver.ztnademo.com. (Note: Choose this firewall address if you have not already done so.)
7. Click Apply to save the configuration.
Configure a ZTNA application gateway to allow SAML authentication requests to the SP:
1. Configure the ZTNA server:
  1. Go to Policy & Objects > ZTNA > ZTNA Servers > Create New.
  2. Configure the following:
    Parameter
    Description
    Name ZTNA-access
    Interface Any
    IP 10.0.3.10
    Port 9443
    SAML Enabled
    SAML SSO Server ZTNA-FAC-SAML
    Default certificate
    ztna-wildcard
  3. Click OK.
2. Define the full ZTNA policy to allow access tto the ZTNA server:
  1. Go to Policy & Objects > Proxy policy > Create New.
  2. Configure the following:
    Parameter Description
    Name ZTNA-Rule
    Type ZTNA
    Incoming Interface port3
    Source (Address) all
    Source (User) ztna-saml-users
    Destination all
    ZTNA Server
    ZTNA-access
    Action
    Accept
    Log Allowed Traffic
    All Sessions
  3. Click OK.
  Once all of the aforementioned configurations are completed on your FGT and the SAML application and User Source(s) are set up on FIC, end-users should be able to start going through the FIC SAML login process when trying to access web servers through ZTNA.

Parameter	Description
Name	ZTNA-access
Interface	Any
IP	10.0.3.10
Port	9443
SAML	Enabled
SAML SSO Server	ZTNA-FAC-SAML
Default certificate	ztna-wildcard

Parameter	Description
Name	ZTNA-Rule
Type	ZTNA
Incoming Interface	port3
Source (Address)	all
Source (User)	ztna-saml-users
Destination	all
ZTNA Server	ZTNA-access
Action	Accept
Log Allowed Traffic	All Sessions

Example 6: ZTNA application gateway with SAML as SP

Complete the initial setup by following the instructions in Configure ZTNA HTTPS access proxy.
Create a new SAML user/server on FortiGate GUI:
1. On the FortiGate, click User & Authentication > Single Sign-On.
2. Click Create New.
3. Set Address to webserver.ztnademo.com:9443.
  Note: The Entity ID, Assertion consumer service URL, and Single logout service URL will be updated.
4. Take note of the aforementioned updates, for you will be prompted to enter them into FIC.
5. Enable Certificate, and select the certificate used for the client.
  In this example, the ztna-wildcard certificate is a local certificate that is used to sign SAML messages that are exchanged between the client and the FortiGate SP.
6. Click Next.
7. Use the settings from FIC to fill the custom Identity Provider Details. On FIC, go to Applications > SSO > Add SSO Application, and get the IdP Metadata details from the page:
  - Where the REMOTE_Cert_1 certificate is a remote certificate that is used to identify the IdP. You’ll want to use the certificate you get from after you create the FIC SSO application if you click the tool icon, select Details , and click to download the Signing Certificate.
  - In the meantime, on FIC fill out the SP Metadata section with the Entity ID, Assertion consumer service URL and Single logout service URL:
8. Set Attribute used to identify users to username. (Note: Attributes to identify users and groups are case-sensitive.)
9. Click Submit to save the settings.
Create a user group for the SAML user object:
1. Click User & Authentication > User Groups > Create New.
2. Set Name to ztna-saml-users.
3. Under Remote Groups, click Add.
4. For Remote Server, select ZTNA-FAC-SAML.
5. Click OK.
6. Click OK again to save the settings.
Apply the SAML sever to proxy authentication:
1. Go to Policy & Objects > Authentication Rules.
2. Click Create New > Authentication Scheme.
3. Set Name to ZTNA-SAML-scheme.
4. Set Method to SAML.
5. Set SAML SSO server to ZTNA-FAC-SAML.
6. Click OK.
7. Go to Policy & Objects > Authentication Rules.
8. Click Create New > Authentication Rule.
9. Set Name to ZTNA-SAML-rule.
10. Set Source Address to all.
11. Set Incoming Interface to port3.
12. Set Protocol to HTTP.
13. Enable Authentication Scheme and select ZTNA-SAML-scheme.
14. Set IP-based Authentication to Disable.
15. Click OK.
Configure the active authentication scheme and captive portal:
1. Go to User Authentication > Authentication Settings.
2. Enable Authentication scheme.
3. Select ZTNA-SAML-scheme.
4. Set Captive portal type to FQDN.
5. Enable Captive Portal.
6. Select the firewall address webserver.ztnademo.com. (Note: Choose this firewall address if you have not already done so.)
7. Click Apply to save the configuration.
Configure a ZTNA application gateway to allow SAML authentication requests to the SP:
1. Configure the ZTNA server:
  1. Go to Policy & Objects > ZTNA > ZTNA Servers > Create New.
  2. Configure the following:
    Parameter
    Description
    Name ZTNA-access
    Interface Any
    IP 10.0.3.10
    Port 9443
    SAML Enabled
    SAML SSO Server ZTNA-FAC-SAML
    Default certificate
    ztna-wildcard
  3. Click OK.
2. Define the full ZTNA policy to allow access tto the ZTNA server:
  1. Go to Policy & Objects > Proxy policy > Create New.
  2. Configure the following:
    Parameter Description
    Name ZTNA-Rule
    Type ZTNA
    Incoming Interface port3
    Source (Address) all
    Source (User) ztna-saml-users
    Destination all
    ZTNA Server
    ZTNA-access
    Action
    Accept
    Log Allowed Traffic
    All Sessions
  3. Click OK.
  Once all of the aforementioned configurations are completed on your FGT and the SAML application and User Source(s) are set up on FIC, end-users should be able to start going through the FIC SAML login process when trying to access web servers through ZTNA.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Admin Guide

Example 6: ZTNA application gateway with SAML as SP

Example 6: ZTNA application gateway with SAML as SP

Example 6: ZTNA application gateway with SAML as SP

Example 6: ZTNA application gateway with SAML as SP