
User Guide

Settings (Account Management)

Use the settings tab to upload and upgrade PCAP encryption keys, enable and update SAML SSO settings, and enable multi-factor authentication.

SAML SSO

FortiNDR Cloud translates SAML authentication from the identity provider into the native authentication scheme. User login is the same regardless of whether the user has logged in using SAML or a password. The session state in FortiNDR Cloud is independent of the SAML session. Logging out of SAML does not log the user out of FortiNDR Cloud.

When enabling SAML SSO keep the following considerations in mind:

  • First time FortiNDR Cloud users will have a user record created automatically when they first authenticate using SAML. Users are required to have a first name, but the last name is optional. These users will initially have no permissions. An Admin will need to grant roles to these users using the normal Account Management UI.

  • When existing users authenticate using SAML, any changes to their first and last name will be updated in FortiNDR Cloud as well.

  • FortiNDR Cloud identifies users from SAML by their email address. If the user's email address has changed in the SAML SSO Provider, FortiNDR Cloud will create a new user record for that user the next

  • Disabling a user in FortiNDR Cloud also disables SAML authentication for that user. However, disabling a user in the SAML SSO Provider does not disable the user in FortiNDR Cloud. The user will still have access if they have a password or API token. Users need to be manually disabled in FortiNDR Cloud as well.

  • Users authenticating with SAML are also allowed to authenticate using passwords as well. Typically, at least one Admin in the account should have a password as a backup in case SAML authentication fails.

Failure Scenarios

There are a variety of reasons why SAML authentication may fail.

  • SAML has not been configured for the account.

  • SAML has been configured, but disabled.

  • The user is attempting to authenticate with the wrong account. For example, the user belongs to the Acme account but is trying to authenticate with the Acme Subsidiary account.

  • The user has been disabled in FortiNDR Cloud.

  • The user does not have a first name.

For security reasons, FortiNDR Cloud may not provide the exact reason for the failure. Please make sure that SAML is configured correctly for the account and the user.
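The considerations and failure scenarios above, applied in code as an added example (this is not FortiNDR Cloud code). It models the rules the guide states: users are identified by email, a first name is required, first-time SAML users get a record with no roles, name changes at the IdP are mirrored, a locally disabled user is refused, and the user-facing message stays generic while the real reason goes to an admin log. The assertion is constructed and unsigned; the example assumes the IdP signature has already been verified against the uploaded X.509 certificate. `Account.sp_entity_id`, `SamlLoginError` and the reason codes are hypothetical names, not product identifiers.

```python
"""Added example (not FortiNDR Cloud code): the SAML-to-native user rules
from the guide, applied to a constructed, unsigned assertion.

Assumption: the assertion was already signature-checked against the IdP
X.509 certificate. Account.sp_entity_id, SamlLoginError and the reason
codes are hypothetical names for this example only."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class User:
    email: str
    first_name: str
    last_name: str = ""                          # optional per the guide
    roles: list = field(default_factory=list)    # new SAML users start with none
    disabled: bool = False


@dataclass
class Account:
    name: str
    sp_entity_id: str = ""                       # "Entity ID" / "Audience URI" from the setup dialog
    saml_enabled: bool = True
    users: dict = field(default_factory=dict)    # keyed by email


class SamlLoginError(Exception):
    """The message shown to the user is generic; `reason` is for the admin log only."""

    def __init__(self, reason):
        super().__init__("SAML authentication failed")
        self.reason = reason


def make_assertion(email, first_name, last_name, audience):
    """Build a minimal, unsigned, constructed assertion (None omits an attribute)."""
    ns = SAML_NS["saml"]
    attrs = ""
    for name, value in (("first_name", first_name), ("last_name", last_name)):
        if value is not None:
            attrs += (f'<saml:Attribute Name="{name}">'
                      f'<saml:AttributeValue>{escape(value)}</saml:AttributeValue>'
                      f'</saml:Attribute>')
    return (f'<saml:Assertion xmlns:saml="{ns}">'
            f'<saml:Subject><saml:NameID>{escape(email)}</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{escape(audience)}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            f'</saml:Assertion>')


def parse_assertion(xml_text):
    """Extract the subject email, the audience and the first_name/last_name attributes."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, SAML_NS)
        return (node.text or "").strip() if node is not None else ""

    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return {
        "email": text(".//saml:Subject/saml:NameID"),
        "audience": text(".//saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "first_name": attrs.get("first_name", ""),
        "last_name": attrs.get("last_name", ""),
    }


def saml_login(account, xml_text):
    """Apply the guide's rules and return the native User record on success."""
    if not account.sp_entity_id:
        raise SamlLoginError("saml_not_configured")
    if not account.saml_enabled:
        raise SamlLoginError("saml_disabled")
    claims = parse_assertion(xml_text)
    if claims["audience"] != account.sp_entity_id:
        raise SamlLoginError("wrong_account")        # e.g. Acme user sent to Acme Subsidiary
    if not claims["first_name"]:
        raise SamlLoginError("missing_first_name")
    # Users are identified by email: a changed email at the IdP yields a new record.
    user = account.users.get(claims["email"])
    if user is None:
        user = User(claims["email"], claims["first_name"], claims["last_name"])
        account.users[user.email] = user           # created with no roles; an Admin grants them
    elif user.disabled:
        raise SamlLoginError("user_disabled")      # disabled locally blocks SAML too
    else:
        user.first_name, user.last_name = claims["first_name"], claims["last_name"]
    return user


def login_failure_reason(account, xml_text):
    """Return the internal reason code an admin log would record, or None on success."""
    try:
        saml_login(account, xml_text)
    except SamlLoginError as err:
        return err.reason
    return None
```

A user returned with an empty `roles` list corresponds to the "you do not have permission to use this application" message a first-time SAML user sees until an Admin assigns roles.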

To enable SAML login:
  1. Click the gear icon in the top navigation and select Account Management.

    • If you have access to one account, the account page will appear.

    • If you have access to multiple accounts, select an account.

  2. Click the Settings tab.

  3. Click Set up SAML SSO. The "SAML Single Sign-on (SSO) Initial Setup" dialog opens.


  4. Copy the values from the Single Sign-On URL and Entity ID fields and paste them into the general settings of your SAML Provider configuration.
    Note

    "Entity ID" may also be called "Audience URI" or "SP Entity ID."

  5. Set the application's subject or username to Email. For example, in the Okta setup, select Email from the Application username field.

  6. Add an attribute statement, first_name, with the value for a user's first name. For example in Okta's Attribute Statements settings, enter first_name in the Name field and then select user.firstName from the Value field.

  7. Add an attribute statement, last_name, with the value for a user's last name.

  8. Supply the following information from your SAML SSO Provider into the SAML Single Sign-on (SSO) Initial Setup dialog:

    • IdP Entity ID

    • X.509 Certificate (IdP Public Key)

  9. Click Save.

To login with SAML SSO:
  1. Navigate to your SAML SSO Provider's dashboard.

  2. Click the ThreatINSIGHT or FortiNDR Cloud button on the SAML SSO Provider's dashboard.

Note
  • FortiNDR Cloud only supports IdP (identity-provider) initiated logins, so the user must start the login from their SAML SSO Provider's dashboard.
  • If you are a new user logging into FortiNDR Cloud for the first time, you will see a message indicating that you do not have permission to use this application. This means that your roles have not yet been granted. Contact your administrator to assign your roles.

To disable SAML SSO:
  1. Click the gear icon in the top navigation and select Account Management.

    • If you have access to one account, the account page will appear.

    • If you have access to multiple accounts, select an account.

  2. Click the Settings tab and click Disable SAML Settings.

  3. In the Confirmation Dialog, click Confirm.

Mandatory SSO

You can require all users to log into FortiNDR Cloud using SSO. Before enabling mandatory SSO, keep the following considerations in mind:

  • Multi-Factor Authentication (MFA) is disabled.
  • You can only edit API users.
  • Change my password and Enable MFA are disabled in Profile Settings > My Profile > Authentication.
  • Edit User and Email Password Reset are disabled in Account Management > Users > Actions.

Requirements:
  • SAML SSO must be enabled.
  • User must have account.sso_required.update permissions.

To enable mandatory SSO:
  1. Click the gear icon in the top navigation and select Account Management.

    • If you have access to one account, the account page will appear.

    • If you have access to multiple accounts, select an account.

  2. Click the Settings tab.
  3. Under SAML SSO enable Require SSO Login (disable login with username/password). The Confirm enabling mandatory SSO login dialog opens.

  4. Click Confirm.

PCAP encryption keys

PCAP Encryption Keys are used in conjunction with Packet Capture. If an encryption key is uploaded, all PCAP files will be encrypted with the provided key. This prevents FortiNDR Cloud from having any visibility into the raw PCAP data that was captured. For more information, see Packet Capture.

Note

The corresponding private key will be required to decrypt any downloaded PCAP files. If the private key is lost, the encrypted PCAP files cannot be recovered.

To upload an encryption key:
  1. Click the gear icon in the top navigation and select Account Management.

    • If you have access to one account, the account page will appear.

    • If you have access to multiple accounts, select an account.

  2. Click the Settings tab.
  3. Under PCAP ENCRYPTION KEYS, click Set PCAP Encryption Key. The Set PCAP Encryption Key dialog opens.
  4. Paste the public key and click Set Key.

The key will take effect for any new PCAP files generated. Existing PCAP files are not retroactively encrypted.

Multi-factor authentication

Enabling Multi-factor authentication (MFA) requires all users to enter an MFA token the next time they log in to FortiNDR Cloud. Users will not be able to navigate to any FortiNDR Cloud page until they confirm their MFA token.

To enable Multi-factor authentication:
  1. Click the gear icon at the top-right of the page and select Profile Settings.

  2. Under Authentication, click Enable MFA.

  3. Scan the QR code with a token application to validate and enable MFA.

Disable an Account

Technical Success Managers can disable accounts that are either no longer in use or should no longer be in use. This option has the following effects:

  • Disables login for all users in the account.

  • Disables all notifications to those users.

  • Stops ingest of all data.

  • Removes the account from default account lists.

This can be completed by clicking the option icon in Account Management for a given account and then clicking on Disable.

Sensor email alerts

Administrators can create email notifications to alert you when a sensor is offline or its event rate is low.

To create a sensor email alert:
  1. Click the gear icon in the top navigation and select Account Management.

    • If you have access to one account, the account page will appear.

    • If you have access to multiple accounts, select an account.

  2. Click the Settings tab and scroll down to Notification Emails.
  3. In the Email field, enter a recipient's email address.
  4. Select Sensor Offline Alert and/or Event Rate Low Alert.
  5. Click Update.
  6. Click Add Record to add another email address.
  7. Click X to delete an email address.
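The two alert conditions that the Notification Emails settings let a recipient opt into, evaluated over constructed sensor heartbeat records as an added example (not FortiNDR Cloud code). The guide does not state the product's thresholds, so `OFFLINE_AFTER` and `LOW_EVENT_RATE` are assumptions for this example; the recipient records mirror the Email / Sensor Offline Alert / Event Rate Low Alert fields of the procedure above.

```python
"""Added example (not FortiNDR Cloud code): evaluate "sensor offline" and
"event rate low" over constructed heartbeat records and route the alerts
to the recipients who selected each alert type.

Thresholds are assumptions; the guide gives no product values."""
from datetime import datetime, timedelta

OFFLINE_AFTER = timedelta(minutes=15)   # assumption: no heartbeat for 15 min => offline
LOW_EVENT_RATE = 100                    # assumption: fewer than 100 events/min => low

# Constructed heartbeat records: (sensor id, last heartbeat, events in the last minute)
HEARTBEATS = [
    ("sensor-a", "2024-05-01T10:00:00", 2400),
    ("sensor-b", "2024-05-01T09:30:00", 1800),   # stale heartbeat
    ("sensor-c", "2024-05-01T09:59:30", 12),     # alive but nearly silent
]

# Constructed notification records, one per email address as in Settings > Notification Emails
RECIPIENTS = [
    {"email": "noc@example.com", "sensor_offline": True, "event_rate_low": True},
    {"email": "oncall@example.com", "sensor_offline": True, "event_rate_low": False},
]


def evaluate_sensors(heartbeats, now, offline_after=OFFLINE_AFTER, low_rate=LOW_EVENT_RATE):
    """Return (sensor, alert_type) pairs for sensors that are offline or quiet."""
    alerts = []
    for sensor, last_seen, rate in heartbeats:
        age = now - datetime.fromisoformat(last_seen)
        if age > offline_after:
            # An offline sensor's last reported rate is stale; do not also flag it as low.
            alerts.append((sensor, "sensor_offline"))
        elif rate < low_rate:
            alerts.append((sensor, "event_rate_low"))
    return alerts


def route_alerts(alerts, recipients):
    """Map each alert to the recipients who opted into that alert type."""
    deliveries = {}
    for sensor, kind in alerts:
        for recipient in recipients:
            if recipient.get(kind):
                deliveries.setdefault(recipient["email"], []).append((sensor, kind))
    return deliveries


if __name__ == "__main__":
    found = evaluate_sensors(HEARTBEATS, datetime(2024, 5, 1, 10, 0, 0))
    for email, items in route_alerts(found, RECIPIENTS).items():
        print(email, items)
```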
