Fortinet white logo
Fortinet white logo

Administration Guide

Remote authentication: FortiAuthenticator

Remote authentication: FortiAuthenticator

You need to set up both FortiAuthenticator and FortiPortal before you can use FortiAuthenticator for remote authentication.

Configuring FortiAuthenticator

Before using FortiAuthenticator for remote authentication, go to System > Messaging > SMTP Servers in FortiAuthenticator and make certain that the SMTP server is working. If the SMTP server is not working, configure a new SMTP server and then select it in System > Messaging > Email Services.

To configure FortiAuthenticator:
  1. Configure an administrator user or use the default admin user with a valid email address.
  2. Enable Web service access.

    Tooltip

    When Force password change on next logon is enabled, FortiPortal will require the user to change their password after their first login.


  3. Save the REST API key that you will receive by email.
Configuring FortiPortal

When you configure Authentication Access as Remote in System > Settings > Authentication, the remote server is set to FortiAuthenticator by default, and the system displays additional settings to configure.

To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    Field

    Required

    Description

    Authentication Access

    N

    Set to Remote.

    Enable Two-factor Authentication

    N

    Enable or disable two-factor authentication (2FA).

    FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

    For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

    Email information is mandatory for 2FA users.

    If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

    See Two-factor authentication in FortiPortal example.

    Remote Server

    Y

    Select FortiAuthenticator as the remote server type.

    Remote Server Port

    Y

    Enter the port for the authentication server (default is 443)

    Remote Server IP Address

    Y

    Enter the IP address of the authentication server.

    Remote Server Key

    Y

    Enter the secret key for REST API requests.

    Self Service Portal

    N

    Enter the URL of the FortiAuthenticator user self service portal where users can manage their remote account settings, if applicable.

    Domains

    N

    Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

    For example, if the user is abc@test.com, add test.com in Domains.

    Remove domains by clicking the X next to the domain.

    Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

    The site administrator may allow administrative users to be defined in more than one authentication domain.

    Remote Server User

    Y

    Administrator user name for the authentication server. This user must have sufficient permission to initiate REST API requests.

    Site Attribute

    N

    Enter the attribute parameter name that specifies which sites the customer user can access.

    Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

    You can select a different value if you define an attribute for a site on the FortiAuthenticator.

    Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

  3. Click Save.

Remote authentication: FortiAuthenticator

Remote authentication: FortiAuthenticator

You need to set up both FortiAuthenticator and FortiPortal before you can use FortiAuthenticator for remote authentication.

Configuring FortiAuthenticator

Before using FortiAuthenticator for remote authentication, go to System > Messaging > SMTP Servers in FortiAuthenticator and make certain that the SMTP server is working. If the SMTP server is not working, configure a new SMTP server and then select it in System > Messaging > Email Services.

To configure FortiAuthenticator:
  1. Configure an administrator user or use the default admin user with a valid email address.
  2. Enable Web service access.

    Tooltip

    When Force password change on next logon is enabled, FortiPortal will require the user to change their password after their first login.


  3. Save the REST API key that you will receive by email.
Configuring FortiPortal

When you configure Authentication Access as Remote in System > Settings > Authentication, the remote server is set to FortiAuthenticator by default, and the system displays additional settings to configure.

To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    Field

    Required

    Description

    Authentication Access

    N

    Set to Remote.

    Enable Two-factor Authentication

    N

    Enable or disable two-factor authentication (2FA).

    FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported.

    For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

    Email information is mandatory for 2FA users.

    If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

    See Two-factor authentication in FortiPortal example.

    Remote Server

    Y

    Select FortiAuthenticator as the remote server type.

    Remote Server Port

    Y

    Enter the port for the authentication server (default is 443)

    Remote Server IP Address

    Y

    Enter the IP address of the authentication server.

    Remote Server Key

    Y

    Enter the secret key for REST API requests.

    Self Service Portal

    N

    Enter the URL of the FortiAuthenticator user self service portal where users can manage their remote account settings, if applicable.

    Domains

    N

    Enter a domain and then press Enter or click on the Create <name> link displayed as you type. The new domain appears in the field.

    For example, if the user is abc@test.com, add test.com in Domains.

    Remove domains by clicking the X next to the domain.

    Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

    The site administrator may allow administrative users to be defined in more than one authentication domain.

    Remote Server User

    Y

    Administrator user name for the authentication server. This user must have sufficient permission to initiate REST API requests.

    Site Attribute

    N

    Enter the attribute parameter name that specifies which sites the customer user can access.

    Select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

    You can select a different value if you define an attribute for a site on the FortiAuthenticator.

    Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

  3. Click Save.