Settings (Account Management)
Use the Settings tab to upload and update PCAP encryption keys, enable and update SAML SSO settings, and enable multi-factor authentication.
SAML SSO
FortiNDR Cloud translates a successful SAML authentication from the identity provider into its own native session. Once logged in, the user experience is the same whether the user authenticated with SAML or with a password. The FortiNDR Cloud session is independent of the SAML session: logging out of the identity provider does not log the user out of FortiNDR Cloud, and the FortiNDR Cloud session persists until the user logs out or the User Activity Timeout expires.
When enabling SAML SSO keep the following considerations in mind:
- First-time FortiNDR Cloud users have a user record created automatically when they first authenticate using SAML. Users must have a first name; the last name is optional. These users initially have no permissions, so an Admin must grant them roles through the normal Account Management UI.
- When existing users authenticate using SAML, any changes to their first and last name are updated in FortiNDR Cloud as well.
- FortiNDR Cloud identifies SAML users by their email address. If the user's email address has changed in the SAML SSO Provider, FortiNDR Cloud will create a new user record for that user the next
- Disabling a user in FortiNDR Cloud also disables SAML authentication for that user. However, disabling a user in the SAML SSO Provider does not disable the user in FortiNDR Cloud: the user can still log in with a password or an API token. Such users must be manually disabled in FortiNDR Cloud as well.
- Users who authenticate with SAML can still authenticate with a password unless mandatory SSO is enabled (see Mandatory SSO below). Keep at least one Admin in the account with a password as a backup in case SAML authentication fails.
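Because disabling a user at the identity provider does not disable them in FortiNDR Cloud, and a SAML user keeps any password or API token, the practical control is a periodic comparison of the two user lists. The script below is an added example, not FortiNDR Cloud code: it takes an IdP user export and a FortiNDR Cloud user list (both constructed inline here; the record fields are an assumed export shape, not the product's API), reports enabled FortiNDR Cloud users who are inactive at the IdP together with how they could still log in, and flags the old/new record pairs left behind when an email address changes at the IdP.

```python
"""Added example (not FortiNDR Cloud code): reconcile IdP user state with
FortiNDR Cloud user records. Sample data is constructed; the record fields
are an assumed export shape, not the product's API."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpUser:
    email: str
    active: bool


@dataclass(frozen=True)
class FncUser:
    email: str
    first_name: str
    last_name: str
    enabled: bool
    has_password: bool
    api_tokens: int
    roles: tuple = ()


def normalize(email: str) -> str:
    """FortiNDR Cloud matches SAML users by email; compare case-insensitively."""
    return email.strip().lower()


def find_orphaned_users(idp_users, fnc_users):
    """Enabled FortiNDR Cloud users who are inactive or absent at the IdP.
    They keep any password/API-token access until disabled manually."""
    active = {normalize(u.email) for u in idp_users if u.active}
    return [u for u in fnc_users if u.enabled and normalize(u.email) not in active]


def residual_access(user: FncUser):
    """Ways an orphaned user could still authenticate without SAML."""
    ways = []
    if user.has_password:
        ways.append("password")
    if user.api_tokens:
        ways.append(f"{user.api_tokens} api token(s)")
    return ways


def find_probable_email_changes(idp_users, fnc_users):
    """Heuristic: an email change at the IdP creates a new FortiNDR Cloud
    record (no roles) while the old record (with roles) lingers. Pair an
    orphaned record with an active record that carries the same name."""
    orphan_emails = {normalize(u.email) for u in find_orphaned_users(idp_users, fnc_users)}
    by_name = defaultdict(list)
    for u in fnc_users:
        if u.enabled:
            by_name[(u.first_name.strip().lower(), u.last_name.strip().lower())].append(u)
    pairs = []
    for group in by_name.values():
        old = [u for u in group if normalize(u.email) in orphan_emails]
        new = [u for u in group if normalize(u.email) not in orphan_emails]
        for o in old:
            for n in new:
                pairs.append((o.email, n.email))
    return pairs


# Constructed sample data (hypothetical accounts).
IDP_USERS = [
    IdpUser("alice@example.com", True),
    IdpUser("bob@example.com", False),         # left the company; disabled at IdP only
    IdpUser("carol.smith@example.com", True),  # renamed from carol.jones
    IdpUser("dave@example.com", True),
]
FNC_USERS = [
    FncUser("alice@example.com", "Alice", "Admin", True, True, 0, ("admin",)),
    FncUser("bob@example.com", "Bob", "Analyst", True, True, 2, ("analyst",)),
    FncUser("carol.jones@example.com", "Carol", "Smith", True, False, 1, ("analyst",)),
    FncUser("Carol.Smith@example.com", "Carol", "Smith", True, False, 0, ()),  # auto-created by SAML
    FncUser("dave@example.com", "Dave", "Former", False, True, 0, ("analyst",)),  # already disabled
]


def report(idp_users=IDP_USERS, fnc_users=FNC_USERS):
    """Human-readable action list; one line per finding."""
    lines = []
    for u in find_orphaned_users(idp_users, fnc_users):
        access = ", ".join(residual_access(u)) or "SAML only"
        lines.append(f"DISABLE {u.email}: inactive at IdP, still has {access}")
    for old, new in find_probable_email_changes(idp_users, fnc_users):
        lines.append(f"REVIEW {old} -> {new}: probable email change; move roles, disable old record")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against real exports on a schedule; every DISABLE line is a user who must be disabled in FortiNDR Cloud by hand, since the IdP change alone does nothing.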
Failure Scenarios
There are a variety of reasons why SAML authentication may fail.
- SAML has not been configured for the account.
- SAML has been configured but is disabled.
- The user is authenticating against the wrong account. For example, the user belongs to the Acme account but is trying to authenticate with the Acme Subsidiary account.
- The user has been disabled in FortiNDR Cloud.
- The user does not have a first name (for example, the IdP sends no first_name attribute value).
For security reasons, FortiNDR Cloud may not provide the exact reason for the failure. Please make sure that SAML is configured correctly for the account and the user.
To enable SAML login:
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab.
- Click Set up SAML SSO. The SAML Single Sign-on (SSO) Initial Setup dialog opens.
- Copy the values from the Single Sign-On URL and Entity ID fields and paste them into the general settings of your SAML Provider configuration. Entity ID may also be called Audience URI or SP Entity ID.
- Set the application's subject or username to Email.
- Add an attribute statement, first_name, with the value for a user's first name.
- Add an attribute statement, last_name, with the value for a user's last name.
- Enter the following information from your SAML SSO Provider into the SAML Single Sign-on (SSO) Initial Setup dialog:
  - IdP Entity ID
  - X.509 Certificate (IdP Public Key). This is the certificate used to verify the IdP's assertion signatures; when the IdP rotates its signing certificate, update it here as well or SAML logins will fail.
- Click Save.
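To confirm the IdP configuration matches the steps above before users hit an unexplained login failure, capture an assertion (for example with a browser SAML tracer) and check that the Subject NameID is the email address, that a first_name attribute is present (last_name is optional), and that the Audience equals the Entity ID copied from the setup dialog. The checker below is an added example, not FortiNDR Cloud code; the assertions are constructed and the SP Entity ID value is a placeholder. It does not verify the XML signature, which the service provider does with the uploaded X.509 certificate.

```python
"""Added example (not FortiNDR Cloud code): check a SAML assertion for the
subject and attribute statements the setup steps require. Sample responses
are constructed; SP_ENTITY_ID is an assumed placeholder."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed value: the Entity ID / Audience URI shown in the setup dialog.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"


def attribute_values(assertion):
    """Map each Attribute Name to its list of string values."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [(v.text or "").strip()
                                 for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_assertion(xml_text, sp_entity_id=SP_ENTITY_ID):
    """Return (user_record, problems): the record FortiNDR Cloud would auto-create
    for a first-time SAML user, and a list of configuration problems found."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion element"]
    problems = []
    # Subject must be the email address, since users are identified by email.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"subject NameID is not an email address: {name_id!r}")
    # Audience must equal the SP Entity ID copied from the setup dialog.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include the SP Entity ID")
    # first_name is required; last_name is optional.
    attrs = attribute_values(assertion)
    first = (attrs.get("first_name") or [""])[0]
    last = (attrs.get("last_name") or [""])[0]
    if not first:
        problems.append("first_name attribute missing or empty (required)")
    user = {"email": name_id.lower(), "first_name": first, "last_name": last}
    return user, problems


# Constructed responses (no signature; trimmed to the elements checked here).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>Alice.Admin@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Username instead of email, wrong audience, no first_name: three problems.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://other.example.invalid/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        user, problems = check_assertion(xml)
        print(label, user, problems or "OK")
```

A clean result from the good case is the user record that would be auto-created with no roles; the bad case reproduces the "user does not have a first name" and wrong-account style failures that FortiNDR Cloud does not explain at login.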
To login with SAML SSO:
- Navigate to your SAML SSO Provider's dashboard.
- Click the ThreatINSIGHT or FortiNDR Cloud button on the SAML SSO Provider's dashboard.
To disable SAML SSO:
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab and click Disable SAML Settings.
- In the Confirmation Dialog, click Confirm.
Mandatory SSO
You can require all users to log into FortiNDR Cloud using SSO. Before enabling mandatory SSO, keep the following considerations in mind:
- FortiNDR Cloud's own Multi-Factor Authentication (MFA) is disabled; enforce MFA at the identity provider instead.
- Only API users can be edited.
- Change my password and Enable MFA are disabled in Profile Settings > My Profile > Authentication.
- Edit User and Email Password Reset are disabled in Account Management > Users > Actions.
Requirements:
- SAML SSO must be enabled.
- The user must have the account.sso_required.update permission.
To enable mandatory SSO:
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab.
- Under SAML SSO enable Require SSO Login (disable login with username/password). The Confirm enabling mandatory SSO login dialog opens.
- Click Confirm.
PCAP encryption keys
PCAP Encryption Keys are used in conjunction with Packet Capture. If an encryption key is uploaded, all PCAP files will be encrypted with the provided key. This prevents FortiNDR Cloud from having any visibility into the raw PCAP data that was captured. For more information, see Packet Capture.
The corresponding private key is required to decrypt any downloaded PCAP files. If the private key is lost, the encrypted PCAP files cannot be recovered, so store it securely and keep a tested backup.
To upload an encryption key:
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab.
- Under PCAP ENCRYPTION KEYS, click Set PCAP Encryption Key. The Set PCAP Encryption Key dialog opens.
- Paste the public key and click Set Key.
The key will take effect for any new PCAP files generated. Existing PCAP files are not retroactively encrypted.
Multi-factor authentication
Enable Multi-factor authentication (MFA) to require all users to enter an MFA token the next time they log in to FortiNDR Cloud. Users will not be able to navigate to any FortiNDR Cloud page until they confirm their MFA token.
To enable Multi-factor authentication:
- Click the gear icon at the top-right of the page and select Profile Settings.
- Under Authentication, click Enable MFA.
- Scan the QR code with an authenticator app and enter the generated token to validate and enable MFA.
User Activity Timeout
Automatically logs out users who belong to this account after the configured period of inactivity. Users who belong to another account and merely have access to this account are not affected by this setting.
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab and scroll down to User Activity Timeout.
- Enter a value between 15 and 480 minutes.
- Click Update.
Disable an Account
Technical Success Managers can disable accounts that are either no longer in use or should no longer be in use. This option has the following effects:
- Disables login for all users in the account.
- Disables all notifications to those users.
- Stops ingest of all data.
- Removes the account from default account lists.
This can be completed by clicking the option icon in Account Management for a given account and then clicking on Disable.
Sensor email alerts
Administrators can create email notifications that alert you when a sensor is offline or its event rate is low.
To create a sensor email alert:
- Click the gear icon at the top-right of the page and select Account Management.
- Select an account.
- Click the Settings tab and scroll down to Notification Emails.
- In the Email field, enter a recipient's email address.
- Select Sensor Offline Alert and/or Event Rate Low Alert.
- Click Update.
- Click Add Record to add another email address.
- Click X to delete an email address.