Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled in the user ldap object definition in FortiProxy. By default, FortiProxy retrieves all Active Directory users in the LDAP server with a valid email or mobile number (mail and mobile attributes), and synchronizes the users to FortiToken Cloud. Users are then created on FortiToken Cloud and activation is sent out using email or SMS.

Two-factor filters can be used to reduce the number of the Active Directory users returned, and only synchronize the users who meet the filter criteria.

config user ldap
    edit <name>
        set dn <string> 
        set two-factor {disable | fortitoken-cloud}
        set two-factor-filter <string> 
    next
end

dn <string>	Set the distinguished name used to look up entries on the LDAP server. The search for users and groups starts here based on what is defined.
two-factor {disable | fortitoken-cloud}	Enable/disable two-factor authentication: disable: disable two-factor authentication fortitoken-cloud: use the FortiToken Cloud service
two-factor-filter <string>	Set the filter used to synchronize users to FortiToken Cloud.

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials. To secure this connection, use LDAPS on both the Active Directory server and FortiProxy. See Create or edit an LDAP server and Setting up an authentication captive portal using client certificate. Apply the principle of least privilege. For the LDAP regular bind operation, do not use credentials that provide full administrative access to the Windows server when using credentials. See Creating an administrator that can be authenticated by an LDAP server.

Two-factor filter examples

In the following examples, a user ldap object is defined to connect to an Active Directory on a Windows server. The search will begin in the root of the fortinet-fsso.com directory.

To configure a default LDAP server configuration without a two-factor filter:

config user ldap
    edit "ad-ldap-auth"
        set server <ip_address>
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com" 
        set type regular
        set two-factor fortitoken-cloud
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********
    next
end

When a two-factor filter is not used, all users in the Active Directory with a valid email or mobile number will be retrieved.

Example 1: specific users and email address with wildcard

With this two-factor-filter, users under fortinet-fsso.com that have oliver* in their username and *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set two-factor-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
    next
end

Example 2: all users with matching email

With this two-factor-filter, all users under fortinet-fsso.com with *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set two-factor-filter "(&(SAMAccountName=*)(mail=*fortinet*))"
    next
end

Example 3: all users in a group

With this two-factor-filter, all users within the group fortinet-fsso.com > Testing > ftc-users will be matched.

config user ldap
    edit "ad-ldap-auth"
        set two-factor-filter "(&(objectCategory=Person)(sAMAccountName=*)( memberOf=cn=ftc-users,ou=Testing,dc=fortinet-fsso,DC=com))"
    next
end

Example configuration

In this example, Active Directory users are configured to be synchronized to FortiToken Cloud. The same two-factor filter is used from example 1 and searches the Active Directory for users named oliver* with email *fortinet*.

Before configuring the FortiProxy:

1. Gather the information to connect to the Active Directory server through LDAP. Include all necessary fields, such as the server IP, port, CN name identifier, DN for the start of the search, bind type, and username associated with a regular bind.

2. Consider the users or groups that require two-factor authentication and should be synchronized. If necessary, group the users under the same group in the Active Directory.

3. If using a two-factor filter, formulate the two-factor-filter string to limit the match. For this example, (&(SAMAccountName=oliver*)(mail=*fortinet*)).

4. Test the filter by using the FortiProxy CLI to perform a quick LDAP search:

   # diagnose test authserver ldap-search <server_ip> 389 "ou=Testing,dc=fortinet-fsso,DC=com" cn Administrator@fortinet-fsso.com PASSWORD 0 '(&(SAMAccountName=oliver*)(mail=*fortinet*))' 2
   
   searching 'ou=Testing,dc=fortinet-fsso,DC=com, cn=cn' on 10.1.100.131:389 for (Administrator@fortinet-fsso.com, PASSWORD), secure(0), filter((&(SAMAccountName=oliver*)(mail=*fortinet*))), flag(0x2), page_no(0)...
   CN=oliver2022,OU=Testing,DC=Fortinet-FSSO,DC=COM (oliver2022, 0 entries)

   The user, oliver2022, was found.

5. Estimate how many users will be retrieved, and ensure that the FortiToken Cloud account has enough user licenses to support the number of users.

To configure Active Directory users to be synchronized to FortiToken Cloud:

1. Configure the user LDAP settings:

   config user ldap
       edit "ad-ldap-auth"
           set server "10.1.100.131"
           set cnid "cn"
           set dn "dc=fortinet-fsso,dc=com" 
           set type regular
           set two-factor fortitoken-cloud
           set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
           set password **********
           set two-factor-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
       next
   end

2. In the background, the FortiProxy FAS daemon scans the LDAP server for users to be synchronized based on the two-factor filter pattern, but will not send them to the FortiToken Cloud server yet. Optionally, verify the users that are retrieved from the Active Directory based on the filter:

   # diagnose fortitoken-cloud debug enable
   # diagnose debug enable
   # diagnose fortitoken-cloud sync
   ...  
   fas_sync_ftc[2788]: Sending packet to FTC server: "IP-of-FTC-server" Port: 8686(length:444)
   fas_sync_ftc[2792]: FTC User Sync Packet(length:444):
   POST /api/v1/user_sync HTTP/1.1
   Host: ftc.fortinet.com
   Connection: keep-alive
   User-Agent: FortiProxy-400G v7.4.4,build****
   Content-Type: application/json
   Content-Length: 246
   {"users":[{"username":"oliver2022","vdom":"vdom1","email":"o****@fortinet.com","mobile_number":"XXXXXXXXXXX","user_data":1,"action":"create"}],"sn":"FG4H1E5819900000","cluster_members":[ "FG4H1E5819900000" ],"group_name":"FGT400D","group_id":"0"}
   Reminder: User sync packet not actually sent out because of diagnose purpose!

   As expected, only the user that matches the current filter is returned.

3. Manually trigger the synchronization process with FortiToken Cloud:

   # execute fortitoken-cloud sync

   The user is added to FortiToken Cloud, and an activation email or SMS message is sent to the user.

4. In FortiToken Cloud, go to Users to verify that the user was added.

   

   If the activation email was sent, but user has not downloaded and activated the mobile token yet, a pending symbol appears in the Status column (such as for the admin, test6, and test3 users).

5. In FortiProxy, add the ad-ldap-auth object in a user group. The user group can be used for VPN, firewall authentication, and so on.

   The ldap user object should not be used in remote LDAP user groups that require group matching because it is not supported.