Authentication
In the Authentication tab, you can configure the user authentication (and related) settings.
To configure authentication settings:
-
Go to System > Settings > Authentication.
The Authentication tab opens.
-
In the Authentication tab, enter the following information:
Field
Required
Description
Authentication Access
N
Set to Local or Remote. After changing this setting, you must log in again.
By default, Authentication Access is set as Local.
If FortiPortal is operating as a scalable cluster, the system will restart when you change the authentication configuration from local to remote or from remote to local.
N
Enable or disable two-factor authentication (2FA) for local or remote users.
FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.
For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.
Email information is mandatory for 2FA users.
If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.
Remote Server
Y
Select FortiAuthenticator, Radius, or SSO as the remote server type.
Note: This option is available only when Authentication Access is set as Remote.
Remote Server Port
Y
Enter the port for the authentication server (default is 443)
Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or Radius.
Remote Server IP Address
Y
Enter the IP address of the authentication server.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or Radius.
Remote Server Key
Y
Enter the secret key for REST API requests.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or Radius.
Self Service Portal
N
Enter the URL of the SSO provider's user self service portal where users can manage their SSO settings, if applicable.
Note: This option is available only when Authentication Access is set as Remote.
Support Idp-Initiated SSO
Enable or disable IDP-Initiated SSO. This should be enabled when IDP-initiated SSO is enabled on your SAML server.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is set as SSO.
Domains
N
Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.
Remove domains by clicking the X next to the domain.
Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.
The site administrator may allow administrative users to be defined in more than one authentication domain.
Note: This option is available only when Authentication Access is set as Remote.
Remote Server User
Y
Administrator user name for the authentication server. This user must have sufficient permission to initiate REST API requests.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator.
Authentication Protocol
Y
Required. Select PAP, CHAP, or MSCHAPv2 authentication protocol.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is Radius.
View/Change Radius Roles
Y
Click to map the RADIUS roles with local roles. See Radius Roles.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is Radius.
SSO IDP Entity URL
Y
Enter the IDP Entity URL (ID) or URN for SAML provided by IDP server.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
IDP Sign On Service Endpoint URL
Y
ENter the endpoint URL for IDP (Post) provided by IDP server.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
IDP Sign On Service Redirect Endpoint URL
Y
Enter the endpoint URL for IDP (Redirect) provided by IDP server.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
SSO Application ID
Y
Enter the SSO application ID provided by the IDP.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
SSO Audience URL
Y
Enter the URL used for audience within the assertion (format:
https://<FPC_PORTAL> /fpc/saml/SSO
).Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
Role Attribute
Y
Enter the attribute parameter name that maps to the corresponding profile in FortiPortal.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
Tenant Identification Attribute
N
Enter or select a value that FortiPortal uses under SSO or RADIUS to map a user to a specific organization.
See Tenant identification and domains for more information about how this works with SSO.
This feature works similarly to the Tenant Identification Attribute in RADIUS, except that in SSO, FortiPortal allows you to enter the name of the attribute in this form.
If you configure “My Customer Id” as the attribute value, FortiPortal expects the following in the authentication response from the SSO server:
For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send “Fortinet” in the authentication response.
FortiPortal treats the attribute values from either RADIUS or SSO server equally.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO or Radius.
SSO Error URL
N
If your SSO IDP provides an error URL where users can find additional help if an SSO error occurs, enter the URL. Not all IDPs provide an error URL. FortiPortal does not send any additional information to this URL.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
IDP Logout Service Endpoint
Y
Enter the IDP logout URL provided by IDP.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
SSO Certificate
Y
Enter the certificate provided by the IDP used to decrypt the signed response.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
Site Attribute
N
Enter the attribute parameter name that specifies which sites the customer user can access.
When the Remote Server is SSO, enter the site attribute.
For example, an attribute name of "site" might have the values "site1" and "site2". A customer user assigned to "site" would be able to access "site1" and "site2".
<saml:Attribute
Name="site"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">site1</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">site2</saml:AttributeValue>
</saml:Attribute>
When the Remote Server is FortiAuthenticator or Radius, select a site attribute from the dropdown. By default,
Fortinet-Fpc-Tenant-user-sites
is available.You can select a different value if you define an attribute for a site on the FortiAuthenticator or the RADIUS server.
Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.
Note: This option is available only when Authentication Access is set as Remote.
Email Attribute
N
Enter the user-defined email attribute name.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
View/Change SSO Roles
N
Click to map the SSO roles with the local roles. See SSO Roles.
Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.
- Click Save.
Authentication Access
If the authentication access is local, the administrator and customer user log-in credentials are checked in the local user databases. With the local option, you must add an SP user entry for each administrative user, and a user for each organization user.
If the authentication access is remote, the administrator and customer user log-in credentials are checked in the remote RADIUS server, FortiAuthenticator user database, or SSO IDP database. Local customer users cannot be used when remote authentication is selected.
See Remote authentication: FortiAuthenticator, Remote authentication: RADIUS, and Remote authentication: SSO.
Radius Roles
Click View Radius Roles in the Authentication tab to configure the mapping between FortiPortal profiles and RADIUS roles. For each RADIUS role mapping, the window displays the Role Name, Role Type (Service Provider or Customer) and a list of FPC (FortiPortal) roles that map to the RADIUS role.
In previous versions, profiles were referred to as "roles". In the GUI, "roles" is still occasionally used, and is synonymous with "profiles". |
The Radius Roles window contains the following options:
- Create: Create a RADIUS role mapping.
- Edit: Edit the selected RADIUS role mapping.
- Delete: Delete one or more selected RADIUS role mappings.
- Search: Search for RADIUS role mappings by name.
- Show x entries: Limit the number of entries that are displayed at once (20 or 50).
- Sort: Sort columns in ascending or descending order.
To create a RADIUS role mapping:
- Go to System > Settings > Authentication.
- Set Authentication Access to Remote.
- In the Remote Server dropdown, select Radius.
- Click View/Change Radius Roles.
The Radius Roles window opens.
- In the Radius Roles window, click Create.
- In the Create Role window, enter the following information:
Field
Required
Description
Role Name
Y
The RADIUS role name. The name must match a role name on the RADIUS server.
Role Type
Y
Service Provider or Customer.
FPC Roles
Y
Select the FortiPortal profile to associate with this RADIUS role.
- Click Save.
SSO Roles
Click View SSO Roles in the Authentication tab to configure the mapping between FortiPortal profiles and SSO roles. For each SSO role mapping, the window displays Role Name, Role Type (Service Provider or Customer) and a list of (FortiPortal) profiles that map to the SSO role.
The SSO Roles window contains the following actions:
- Create:Create an SSO role mapping.
- Edit: Edit the selected SSO role mapping.
- Delete: Delete one or more selected SSO role mappings.
- Search: Search for SSO role mappings by name.
- Show x entries: Limit the number of entries that are displayed at once (20 or 50).
- Sort: Sort columns in ascending or descending order.
To create an SSO role mapping:
- Go to System > Settings > Authentication.
- Set Authentication Accessto Remote.
- In the Remote Server dropdown, select SSO.
- click View SSO Roles.
The SSO Roles window opens.
- In the SSO Roles window, click Create.
- In the Create Role window, enter the following information:
-
Field
Required
Description
Role Name
Y
The SSO role name. The name must match a role name on the SSO server.
Role Type
Y
Service Provider or Customer.
FPC Roles
Y
Select the FortiPortal profile to associate with this SSO role.
- Click Save.