FortiGate / FortiOS

FortiManager

FortiAnalyzer

Admin Guide

Introduction
Licensing and availability
- Subscription licensing
- Free licenses
- SMS licensing
- Email notification on license balance status
Support for EU GDPR
Architecture
Acronyms and abbreviations
Quickstart guide
- Getting started—FGT-FIC users
- Getting started—FAC-FIC users
Main features
Compatibility
- Compatible Fortinet applications
- Supported browsers
Important notes
- Trial account API request limit
- The same token for the same user on multiple applications
- A single FIC user in multiple applications
- Admin accounts and realms
- Supported OTP hard tokens
- Supported FIDO security key
- No SMS MFA with FAC as LDAP server
- FAC users' name issues on FIC GUI
- How to use FortiClient
- Enabling/Disabling FIC end-users on FortiGate
- Account disablement and closure
FortiToken Mobile
- Supported FortiToken Mobile apps
- Activating FTM tokens
- Activating third-party tokens
- Using FTM tokens
Use cases
- One Token shared by different applications
- Changing separate tokens to a single token
- Independent token
- Auto-Alias features—using the same email address
- Splitting user quota among different realms
- FIC account lockout (2FA)
- Managing access to FIC
- Controlling risky conditions
- Synchronizing LDAP remote users in wildcard user group from FortiGate
- Transferring devices on FIC
- ZTNA HTTPS access proxy with FIC MFA
- Adding FIC MFA to remote access IPsec VPN
- Configuring FIC as Microsoft Entra external authentication service provider
- MFA authentication context handling
- Configuring FIC as the IdP proxy for FortiSASE
- FortiIdentity Cloud as OIDC provider
Maintenance
- Adding, syncing, and deleting users
- Adding, syncing, and deleting applications (FortiProducts)
- Service debugging
Applications
- Creating FortiProduct applications
- Transferring application (FC account lockout)
- Replacing an old FortiGate with a new one
- Applications in HA mode
- Applications for third-party usage
FortiCloud
- Logging into an OU account
- Launching FortiIdentity Cloud
FortiIdentity Cloud GUI
Dashboard
- Monitoring FIC status
- Pagination for accounts with multiple sub-admin users
Managing users
- Onboarding users
- Batch-adding users
- Enabling Auto-alias by Email
- Adding user aliases
- Auto-assigning FTKs to selected users
- Getting a new FTM token
- Hiding/showing full FortiAuthenticator username
- Viewing a user's applications
- Using a temporary token
- Editing a user
- Deleting users from FIC
Managing admin groups
- Creating a sub-admin group
- Adding users to the admin group
- Adding realms to the admin group
- Editing sub-admin group configuration
- Deleting a sub-admin group
FortiProducts
- Editing a FortiProduct
- Viewing additional information about an application
- Deleting a FortiProduct
- Assigning a FortiProduct to a realm
- Managing realms
Web Applications
- Adding a web app
- Regenerating API credentials
- Editing a web app
- Deleting a web app
- Configuring secret rotation policy
- Configuring per-SP authentication settings
Management Applications
- Creating a management application
- Regenerating management application secret
- Deleting a management application
SCIM client integration
- Features and benefits
- Supported SCIM client applications
- Use case
- Integrating FIC with SCIM clients
- Demo configurations
- Known issues and special notes
Using SSO applications
- Use Cases
- Configuring per-SP authentication settings
- OIDC Parameters
Adding user source
- Using Google social login as user source
- Support for LDAP/AD user source
Managing End-User Portal
- Configuring End-User Portal
- Configuring IdP user source
- Keeping SSO applications off End-User Portal
Configuring domain mapping
Managing device ownership
- Validating device ownership
- Transferring devices
- Transferring devices on FIC
- Managing device transfer
- Performing factory reset
Managing HA clusters
- Searching for a standalone device
- Adding devices to a cluster
- Moving devices between clusters
- Removing devices from a cluster
Using mobile tokens
Using hardware tokens
Using passkeys
Session monitor
Logs
- Usage data
- Authentication logs
- Management logs
- SMS logs
- Order logs
Using templates
- Creating a custom template
- Editing a template
- Using templates
- Deleting a template
- Alarms
  - Creating a user quota alarm
  - Creating an SMS credit balance alarm
Managing custom branding
- Creating an SSO application branding theme
- Creating an End-User Portal branding theme
- Applying custom branding theme to SSO application
- Applying custom branding theme to End-User Portal
- Deleting a branding scheme configuration
Managing global settings
- Multi-Realm Mode
- Share-Quota Mode
- Account Disable/Delete Notification
- Auto-Create Application
- Username Case & Accent Sensitive
Managing realm settings
- General settings
  - Enabling Auto-alias by Email
- Authentication scheme
- FTM MFA settings
- Email MFA settings
- SMS MFA settings
- Managing password policy
- Managing user verification
Alarm routing
- Configuring receiver groups
- Configuring receivers
Adaptive authentication
- Viewing adaptive authentication policies
- Creating an adaptive authentication policy
  - Creating a Bypass MFA policy
  - Creating an impossible-to-travel policy
- Editing an adaptive auth policy
- Deleting an adaptive auth policy
- Viewing adaptive auth profiles
- Creating an adaptive authentication profile
- Applying adaptive authentication profiles
- Editing an adaptive auth profile
- Deleting an adaptive authentication profile
Managing certificates
FortiOS CLI commands for FortiIdentity Cloud
- Global system configuration
- Accessing FIC management commands
- Configuring admin users
- Configuring local users
- Configuring local LDAP users for FIC service
- Configuring wildcard LDAP users for FIC service
- Configuring local RADIUS users for FIC service
- Diagnosing FortiIdentity Cloud
- Showing user ldap
Licenses
- Licenses
- Purchasing licenses with FortiPoints
Product documentation
FAQs
Release history
Technical support
Change log

Home FortiIdentity Cloud Admin Guide

Example 7: Secure authentication for LDAP user source via ZTNA server

When a customer LDAP or Active Directory (AD) resides on premises, FIC requires a secure connection to access it for user authentication. This connection is established through a FortiGate (FGT) acting as a ZTNA Tunnel Server which provides a TLS-encrypted path between FIC and the customer’s internal LDAP/AD server.

This section covers the following topics

Secure communication path
FortiGate configuration
FortiIdentity Cloud configuration
FortiGate as ZTNA server for LDAP user source
Configuring ZTNA server in FortiGate

Secure communication path

FIC App > LDAP Client > ZTNA Proxy > FortiGate > LDAP Server

This setup provides a secure communication path that enables:

Secure LDAP authentication via LDAPS (port 636), LDAP + StartTLS (port 389) or mTLS
Certificate-based authentication for tunnel establishment
Full encryption and policy control over the communication channel

FortiGate configuration

Step 1: Configuring the FortiGate as a ZTNA server.

Configure on an external interface, making sure that it can reach FortiIdentity Cloud.
Map the service on the public interface to forward TCP traffic on a required port (i.e., 389 or 636) to the internal LDAP server configured on the FortiGate.

Step 2: Configuring an authentication rule.

Apply the rule to the external interface.
Use certificate-based authentication for security.
Restrict access to FIC’s source WAN IPs only.

Step 3: Configuring a firewall policy.

Allow traffic from the FIC source IP to the ZTNA tunnel address.
Ensure that the policy includes the required security profiles, if applicable.

For more information, see Basic ZTNA configuration.

FortiIdentity Cloud configuration

Navigate to Authentication > Tunnel.
Create a ZTNA tunnel object.
Click Save.

Parameter	Description
Name	ZTNA tunnel name, e.g., ZTNA-LDAP-Tunnel
Server IP/FQDN	External/public-facing interface address of the FortiGate
Server Port	Port number configured on the ZTNA server.
Client Certificate	Public/private key pair used by FIC as tunnel client which the certificate uploads to the FIC portal under Settings.
Server CA Cert	Used to validate the FortiGate server certificate, e.g., Default.

Once configured, enable the ZTNA tunnel using the toggle button whenever LDAP traffic should be routed through the FortiGate.

FortiGate as ZTNA server for LDAP user source

When you logging into the FortiGate that is configured as the ZTNA server for LDAP authentication, it provides a TLS-encrypted connection between FIC and your internal LDAP/AD server.

For initial configuration of the FortiGate, ensure that it is able to reach the FIC’s WAN IP addresses for your region:

Region	IP addresses
North America	154.52.17.20 184.94.113.100
Europe	209.40.97.128 154.52.13.228

Once you've validated the connection, you can move on to configure the FortiGate as the ZTNA server.

Configuring ZTNA server in FortiGate

Log into the FortiGate.
Validate the FIC’s WAN IP access via the FortiGate Web CLI.

Upon successful validation, configure the LDAP server IP address in the FortiGate.

FGVMULTM00000000 (root) # config firewall address 

FGVMULTM00000000 (address) # edit ldap-access

set uuid 6bb8c362-eb2d-51f0-8655-xxxxxxxxxxx
        set associated-interface "port1"
        set subnet 10.160.x.x 255.255.255.255
    next 
end

Once the LDAP server is configured, configure the authentication scheme.

FGVMULTM00000000 (root) # config authentication scheme 

FGVMULTM00000000 (scheme) # show
config authentication scheme
    edit "ztna-101"
        set method cert
        set user-cert enable
    next
end

Configure the authentication rule.

FGVMULTM00000000 (root) # config authentication rule 

FGVMULTM00000000 (rule) # show
config authentication rule
   edit "ztna-101"
     	set srcintf "port1"
       set srcaddr "all"
   set ip-based disable
   set active-auth-method "ztna-101"
    	next
end

Configure the authentication setting.

FGVMULTM00000000 (setting) # show
config authentication setting
   set update-time 2025-10-01 14:33:09
   set user-cert-ca "Fortinet_Sub_CA"
end

Configure the user certificate.

FGVMULTM00000000 (root) # config user certificate 

FGVMULTM00000000 (certificate) # show
config user certificate
    edit "ztna-101-ldapuser"
        set type single-certificate
        set common-name "fic.fortinet.com"
    next
end

Configure the firewall VIP.

FGVMULTM00000000 (root) # config firewall vip 

FGVMULTM00000000 (vip) # show
config firewall vip
    edit "ztna-test"
        set uuid c8d7756c-9ee7-51f0-997b-xxxxxxxxxxxx
        set type access-proxy
        set server-type https
        set extip 10.160.xx.xxx
        set extintf "port1"
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

Configure the firewall access-proxy.

FGVMULTM00000000 (root) # config firewall access-proxy 

FGVMULTM00000000 (access-proxy) # show
config firewall access-proxy
    edit "ztna-test"
        set vip "ztna-test"
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "ldap-access"
                        set mappedport 389 
                    next
                end
            next
        end
    next
end

Configure the firewall proxy-policy.

FGVMULTM00000000 (root) # config firewall proxy-policy 

FGVMULTM00000000 (proxy-policy) # show
config firewall proxy-policy
    edit 1
        set uuid d33d9df4-9f07-51f0-5a9d-xxxxxxxxxxxx
        set proxy access-proxy
        set access-proxy "ztna-test"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set users "ztna-101-ldapuser"
    next
end

After the ZTNA server configuration in FortiGate is completed, log into the FIC portal and navigate to Authentication > Tunnel. Configure the ZTNA tunnel on the portal with the FortiGate ZTNA Server's IP/FQDN, Server Port, Client Certificate, and Server CA Cert.
Once the ZTNA tunnel is configured, validate the LDAP server access via the ZTNA server by providing the LDAP server IP & port (i.e., 389 or 636).
Now add the LDAP users to the FIC portal by navigating to User Management > Users >Batch Add.
Manually enter the user information that is configured in the LDAP user source, or use the Import tool to import all the users to the FIC portal.

For more information, see Onboarding users.

Once the users are added/imported into FIC, they can log into any SSO applications (such as End-user portal and FortiProducts) that the FIC admin has configured in the system.

Example 7: Secure authentication for LDAP user source via ZTNA server

This section covers the following topics

Secure communication path
FortiGate configuration
FortiIdentity Cloud configuration
FortiGate as ZTNA server for LDAP user source
Configuring ZTNA server in FortiGate

Secure communication path

FIC App > LDAP Client > ZTNA Proxy > FortiGate > LDAP Server

This setup provides a secure communication path that enables:

Secure LDAP authentication via LDAPS (port 636), LDAP + StartTLS (port 389) or mTLS
Certificate-based authentication for tunnel establishment
Full encryption and policy control over the communication channel

FortiGate configuration

Step 1: Configuring the FortiGate as a ZTNA server.

Configure on an external interface, making sure that it can reach FortiIdentity Cloud.
Map the service on the public interface to forward TCP traffic on a required port (i.e., 389 or 636) to the internal LDAP server configured on the FortiGate.

Step 2: Configuring an authentication rule.

Apply the rule to the external interface.
Use certificate-based authentication for security.
Restrict access to FIC’s source WAN IPs only.

Step 3: Configuring a firewall policy.

Allow traffic from the FIC source IP to the ZTNA tunnel address.
Ensure that the policy includes the required security profiles, if applicable.

For more information, see Basic ZTNA configuration.

FortiIdentity Cloud configuration

Navigate to Authentication > Tunnel.
Create a ZTNA tunnel object.
Click Save.

Parameter	Description
Name	ZTNA tunnel name, e.g., ZTNA-LDAP-Tunnel
Server IP/FQDN	External/public-facing interface address of the FortiGate
Server Port	Port number configured on the ZTNA server.
Client Certificate	Public/private key pair used by FIC as tunnel client which the certificate uploads to the FIC portal under Settings.
Server CA Cert	Used to validate the FortiGate server certificate, e.g., Default.

Once configured, enable the ZTNA tunnel using the toggle button whenever LDAP traffic should be routed through the FortiGate.

FortiGate as ZTNA server for LDAP user source

When you logging into the FortiGate that is configured as the ZTNA server for LDAP authentication, it provides a TLS-encrypted connection between FIC and your internal LDAP/AD server.

For initial configuration of the FortiGate, ensure that it is able to reach the FIC’s WAN IP addresses for your region:

Region	IP addresses
North America	154.52.17.20 184.94.113.100
Europe	209.40.97.128 154.52.13.228

Once you've validated the connection, you can move on to configure the FortiGate as the ZTNA server.

Configuring ZTNA server in FortiGate

Log into the FortiGate.
Validate the FIC’s WAN IP access via the FortiGate Web CLI.

Upon successful validation, configure the LDAP server IP address in the FortiGate.

FGVMULTM00000000 (root) # config firewall address 

FGVMULTM00000000 (address) # edit ldap-access

set uuid 6bb8c362-eb2d-51f0-8655-xxxxxxxxxxx
        set associated-interface "port1"
        set subnet 10.160.x.x 255.255.255.255
    next 
end

Once the LDAP server is configured, configure the authentication scheme.

FGVMULTM00000000 (root) # config authentication scheme 

FGVMULTM00000000 (scheme) # show
config authentication scheme
    edit "ztna-101"
        set method cert
        set user-cert enable
    next
end

Configure the authentication rule.

FGVMULTM00000000 (root) # config authentication rule 

FGVMULTM00000000 (rule) # show
config authentication rule
   edit "ztna-101"
     	set srcintf "port1"
       set srcaddr "all"
   set ip-based disable
   set active-auth-method "ztna-101"
    	next
end

Configure the authentication setting.

FGVMULTM00000000 (setting) # show
config authentication setting
   set update-time 2025-10-01 14:33:09
   set user-cert-ca "Fortinet_Sub_CA"
end

Configure the user certificate.

FGVMULTM00000000 (root) # config user certificate 

FGVMULTM00000000 (certificate) # show
config user certificate
    edit "ztna-101-ldapuser"
        set type single-certificate
        set common-name "fic.fortinet.com"
    next
end

Configure the firewall VIP.

FGVMULTM00000000 (root) # config firewall vip 

FGVMULTM00000000 (vip) # show
config firewall vip
    edit "ztna-test"
        set uuid c8d7756c-9ee7-51f0-997b-xxxxxxxxxxxx
        set type access-proxy
        set server-type https
        set extip 10.160.xx.xxx
        set extintf "port1"
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

Configure the firewall access-proxy.

FGVMULTM00000000 (root) # config firewall access-proxy 

FGVMULTM00000000 (access-proxy) # show
config firewall access-proxy
    edit "ztna-test"
        set vip "ztna-test"
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "ldap-access"
                        set mappedport 389 
                    next
                end
            next
        end
    next
end

Configure the firewall proxy-policy.

FGVMULTM00000000 (root) # config firewall proxy-policy 

FGVMULTM00000000 (proxy-policy) # show
config firewall proxy-policy
    edit 1
        set uuid d33d9df4-9f07-51f0-5a9d-xxxxxxxxxxxx
        set proxy access-proxy
        set access-proxy "ztna-test"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set users "ztna-101-ldapuser"
    next
end

After the ZTNA server configuration in FortiGate is completed, log into the FIC portal and navigate to Authentication > Tunnel. Configure the ZTNA tunnel on the portal with the FortiGate ZTNA Server's IP/FQDN, Server Port, Client Certificate, and Server CA Cert.
Once the ZTNA tunnel is configured, validate the LDAP server access via the ZTNA server by providing the LDAP server IP & port (i.e., 389 or 636).
Now add the LDAP users to the FIC portal by navigating to User Management > Users >Batch Add.
Manually enter the user information that is configured in the LDAP user source, or use the Import tool to import all the users to the FIC portal.

For more information, see Onboarding users.

Once the users are added/imported into FIC, they can log into any SSO applications (such as End-user portal and FortiProducts) that the FIC admin has configured in the system.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Admin Guide

Example 7: Secure authentication for LDAP user source via ZTNA server

Example 7: Secure authentication for LDAP user source via ZTNA server

Secure communication path

FortiGate configuration

FortiIdentity Cloud configuration

FortiGate as ZTNA server for LDAP user source

Configuring ZTNA server in FortiGate

Example 7: Secure authentication for LDAP user source via ZTNA server

Example 7: Secure authentication for LDAP user source via ZTNA server

Secure communication path

FortiGate configuration