
Admin Guide

Onboarding users

This topic explains how to onboard end-users in FortiIdentity Cloud (FIC). FIC offers two ways for onboarding users: (1) after an end-user is added, the admin sets a password for the user and communicates it to the user by email or phone, and (2) once users are added, FIC automatically sends out email invitations to the users who then set their own passwords in the self-service End-User Portal.

Onboarding users by sending passwords to end users

To add users individually:
  1. Log into the FortiIdentity Cloud portal.
  2. Navigate to User Management > Users, and click Batch Add.
  3. Select a realm.
  4. Ensure the Activate by invitation toggle switch is turned off.
  5. Enter the user's Username, Email, and Mobile Phone.
  6. For Type, select Local User.
  7. Click the + sign.
  8. Click Save.

All users you have entered are added to the Users page at once.

Alternatively, you can add multiple users all at once by downloading the Users_template.csv file, filling it out with the required user information, and then uploading it to FIC.

To batch-add users using the Users_template:
  1. Click User Management > Users > Batch Add.
  2. Click Download CSV Template.
  3. Open the Users_template.csv file, and populate it with the username, email address, mobile phone number of the user(s) to be added, and set the type as Local.
  4. Save the file.
  5. Click Upload CSV file.
  6. Ensure the Activate by invitation toggle switch is turned off.
  7. Click Save.

Once the users are added to FIC, you must assign a password to each added user and then communicate the password to the user by email or phone. This works for quickly adding a couple of users, but it is very inconvenient for adding a larger number of users. Onboarding users by email invitation, discussed in the following section, addresses that case.

Onboarding users by email invitation

Onboarding users by email invitation allows administrators to introduce a large number of users to FIC with minimal effort while maintaining security standards. The system handles the complexity of identity provider management and secure invitation delivery.

Onboarding users by email invitation offers the following benefits:
  • Scalability — Easily onboards large numbers of users without manual intervention

  • Security — Eliminates the need to communicate passwords through potentially insecure channels

  • Efficiency — Reduces administrative overhead by automating user creation and invitation processes

  • Improved user experience — Provides a seamless onboarding experience for end users through self-service password creation in FIC's highly customizable End-User Portal.

To onboard users by email invitation:
  1. Log into the FortiIdentity Cloud portal.
  2. Navigate to User Management > Users, and click Batch Add.
  3. Select a realm.
  4. Activate by invitation — When this option is enabled, the newly created user(s) will be disabled by default until they accept the invitation and complete the onboarding process successfully.
  5. If the Activate by invitation option in the previous step is enabled, the Send invitation automatically toggle switch will appear. Enabling this option will send the invitation email to the user right after the user is added.

    Note: This option can only be enabled when an end-user portal is configured for the realm.

  6. If Send invitation automatically in the previous step is enabled, the Enable Mobile Number Self-Enrollment toggle switch will appear along with an Invitation Link expiration drop-down for choosing an expiration duration for the invitation link.
  7. The Enable Mobile Number Self-Enrollment option takes effect only when the Default Auth Method is set to SMS for the associated realm and the user does not have a phone number set.

    Note: When adding a user, the settings you choose for Enable Mobile Number Self-enrollment and Invitation Link expiration will override the same settings set at the realm level.

  8. Enter the username, email, mobile phone, and the type for the user (Remote or Local).

    Note: If no Local IdP user source exists in the specified realm, FortiIdentity Cloud will automatically create one when a Local user is first created in the realm. If a Local IdP user source already exists in the realm, the Local user will be automatically added to the existing Local IdP.

  9. Click Save and ensure all the users are successfully added.
  10. A CSV file with the user details can also be uploaded using the Upload CSV file button to bulk import users.
  11. If the Send invitation automatically option was not enabled in Step 6, invitations can be sent by clicking the three vertical dots against the user and choosing Send Invite.
  12. To send bulk invites, the admin can choose the checkbox for the applicable users and click the Send Invite button.
  13. Once an invitation is sent to the user, it can be revoked by clicking the three vertical dots against the user and choosing Revoke invitation. Note that if multiple invitations are sent to the same user, only the latest sent invite will be active and the rest will be automatically revoked by the system.
  14. Bulk revocation can be done using the Revoke Invitation button at the top of the page.
  15. The options to send or revoke invites will not be visible after a user onboards successfully.
  16. If the admin wishes to send an invitation again to a user who has already onboarded successfully, the admin can disable the user. Once the user is disabled, the Send invite option will be visible again for the user.

End user experience

  1. Click Accept Invitation in the invitation email. The End-User Portal configured for the realm opens up and prompts the user to input the token code sent to their email. The email is the one configured by the admin during the user creation.
  2. Enter the token code sent to their email.
  3. After successfully verifying, if the user is a Local User, they can set a password that satisfies the requirement set by the admin. For Remote users, the step to set a password will not appear.
  4. If the MFA for the user is set as FTM by the admin, a QR code will be displayed on screen for the end user to scan and activate the FTM token.
  5. If the admin enabled the Enable Mobile Number Self-Enrollment option, the end-user will be prompted to add their phone number only when the Default Auth Method is set to SMS for the user and the user does not have a phone number set by the admin. An SMS verification code will be sent to the number to verify and complete the number enrollment.

Best Practices

  • Plan your realm structure — Organize realms logically to align with your business structure and/or locations.
  • Validate user contact information — Ensure that email addresses and mobile numbers are accurate before sending invitations.
  • Configure appropriate MFA policies — Require user MFA enrollment to enhance security.
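
As an added example (not Fortinet's code and not part of the original guide), the following Python script checks a filled-in user CSV before it is uploaded, in line with the "Validate user contact information" practice above. The column names, the E.164 phone pattern, and the sample rows are assumptions; match the column names to the header row of your downloaded Users_template.csv.

```python
import csv
import io
import re

# Assumed column names; align with the header row of your Users_template.csv.
COLUMNS = ("username", "email", "mobile_phone", "type")
ALLOWED_TYPES = {"Local", "Remote"}            # user types named in this guide
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")  # syntax check only
PHONE_RE = re.compile(r"^\+[1-9]\d{7,14}$")    # assumed E.164 format

def validate_users_csv(text):
    """Return a list of (row_number, message) problems found in the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen_users, seen_emails = [], {}, {}
    for row_no, row in enumerate(reader, start=2):   # row 1 is the header
        user = (row["username"] or "").strip()
        email = (row["email"] or "").strip().lower()
        phone = (row["mobile_phone"] or "").strip()
        utype = (row["type"] or "").strip()
        if not user:
            problems.append((row_no, "empty username"))
        elif user.lower() in seen_users:
            problems.append((row_no, f"duplicate username (first on row {seen_users[user.lower()]})"))
        else:
            seen_users[user.lower()] = row_no
        if not EMAIL_RE.match(email):
            problems.append((row_no, "malformed email"))
        elif email in seen_emails:
            # Shared mailbox: invitation and token code reach the same person.
            problems.append((row_no, f"email already used on row {seen_emails[email]}"))
        else:
            seen_emails[email] = row_no
        if phone and not PHONE_RE.match(phone):   # empty phone is allowed
            problems.append((row_no, "mobile phone not in +<country><number> form"))
        if utype not in ALLOWED_TYPES:
            problems.append((row_no, f"unknown type {utype!r}"))
    return problems

# Constructed sample input, not real user data.
SAMPLE = """username,email,mobile_phone,type
alice,alice@example.com,+14155550100,Local
bob,bob@example,,Local
carol,alice@example.com,4155550101,Remote
alice,al2@example.com,+14155550102,Guest
"""
```

Pass the file's text to `validate_users_csv` and resolve every reported row before using Upload CSV file, since the invitation and its token code are both delivered to the address in the file.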
