Fortinet white logo
Fortinet white logo

Administration Guide

Create or edit an authentication scheme

Create or edit an authentication scheme

To create an authentication scheme:
  1. In the authentication scheme list, select Create New > Authentication Schemes from the toolbar.

  2. Configure the following:

    Name

    Enter the name of the authentication scheme.

    Method

    Select the authentication methods:

    • Basic

    • Certificate

    • Digest

    • Form-based

    • Fortinet Single Sign-On (FSSO)

    • Negotiate

    • NTLM

    • RADIUS Single-Sign-On (RSSO)

    • SAML

    • SSH Public Key

    Multi-methods supports Basic, NTLM, and Negotiate.

    For agentless NTML authentication, see Agentless NTLM support.

    Negotiate NTLM

    Enable/disable authentication negotiation for NTLM. When disabled, access is limited for non-domain users while using proxy authentication.

    This option is only available when the method includes Negotiate.

    Kerberos keytab

    Select the file containing the shared secret for Kerberos authentication.

    Domain Controller

    If you selected NTLM, select the domain controller.

    User database

    Select which user database to use.

    Two-factor authentication

    Move the slider to control whether two-factor authentication is required.

    FSSO Agent

    Move the slider to select the FSSO agent to use.

    FSSO guest

    Move the slider to control whether FSSO-guest authentication is required.

    SSH local CA

    Select which CA certificate to use.

    API Preview

    The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

  3. Click OK to create the new authentication scheme.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
To edit an authentication scheme:
  1. Select the authentication scheme you want to edit and then click Edit from the toolbar or double-click on the scheme in the scheme table.
  2. Edit the scheme information as required and click OK to apply your changes.
To create an authentication scheme in the CLI:

config authentication scheme

edit <name>

set method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey | cert | saml | saml-sp}

set domain-controller <string>

set fsso-agent-for-ntlm <string>

set fsso-guest {enable | disable}

set kerberos-keytab <string>

set negotiate {enable | disable}

set negotiate-ntlm {enable | disable}

set require-tfa {enable | disable}

set saml-ipd-portal <string>

set ssh-ca <string>

set user-database <auth_server>

next

end

The following methods are available:

  • basic—Basic HTTP authentication. This is the default method.

  • digest—Digest HTTP authentication.

  • ntlm—NTLM authentication. For agentless NTML authentication, see Agentless NTLM support. To configure the domain source when doing NTML authentication, see Domain name source when doing NTLM authentication.

  • form—Form-based HTTP authentication.

  • negotiate—Negotiate authentication.

  • fsso—FSSO authentication.

  • rsso—RADIUS Single Sign-On authentication.

  • saml—SAML-IDP authentication (requires external FortiAuthenticator).

  • saml-sp—SAML-IDP authentication with FortiProxy as the service provider.

  • publickey—Public-key-based SSH authentication.

  • x-auth-user—User from HTTP x-authenticated-user header.

Create or edit an authentication scheme

Create or edit an authentication scheme

To create an authentication scheme:
  1. In the authentication scheme list, select Create New > Authentication Schemes from the toolbar.

  2. Configure the following:

    Name

    Enter the name of the authentication scheme.

    Method

    Select the authentication methods:

    • Basic

    • Certificate

    • Digest

    • Form-based

    • Fortinet Single Sign-On (FSSO)

    • Negotiate

    • NTLM

    • RADIUS Single-Sign-On (RSSO)

    • SAML

    • SSH Public Key

    Multi-methods supports Basic, NTLM, and Negotiate.

    For agentless NTML authentication, see Agentless NTLM support.

    Negotiate NTLM

    Enable/disable authentication negotiation for NTLM. When disabled, access is limited for non-domain users while using proxy authentication.

    This option is only available when the method includes Negotiate.

    Kerberos keytab

    Select the file containing the shared secret for Kerberos authentication.

    Domain Controller

    If you selected NTLM, select the domain controller.

    User database

    Select which user database to use.

    Two-factor authentication

    Move the slider to control whether two-factor authentication is required.

    FSSO Agent

    Move the slider to select the FSSO agent to use.

    FSSO guest

    Move the slider to control whether FSSO-guest authentication is required.

    SSH local CA

    Select which CA certificate to use.

    API Preview

    The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

  3. Click OK to create the new authentication scheme.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
To edit an authentication scheme:
  1. Select the authentication scheme you want to edit and then click Edit from the toolbar or double-click on the scheme in the scheme table.
  2. Edit the scheme information as required and click OK to apply your changes.
To create an authentication scheme in the CLI:

config authentication scheme

edit <name>

set method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey | cert | saml | saml-sp}

set domain-controller <string>

set fsso-agent-for-ntlm <string>

set fsso-guest {enable | disable}

set kerberos-keytab <string>

set negotiate {enable | disable}

set negotiate-ntlm {enable | disable}

set require-tfa {enable | disable}

set saml-ipd-portal <string>

set ssh-ca <string>

set user-database <auth_server>

next

end

The following methods are available:

  • basic—Basic HTTP authentication. This is the default method.

  • digest—Digest HTTP authentication.

  • ntlm—NTLM authentication. For agentless NTML authentication, see Agentless NTLM support. To configure the domain source when doing NTML authentication, see Domain name source when doing NTLM authentication.

  • form—Form-based HTTP authentication.

  • negotiate—Negotiate authentication.

  • fsso—FSSO authentication.

  • rsso—RADIUS Single Sign-On authentication.

  • saml—SAML-IDP authentication (requires external FortiAuthenticator).

  • saml-sp—SAML-IDP authentication with FortiProxy as the service provider.

  • publickey—Public-key-based SSH authentication.

  • x-auth-user—User from HTTP x-authenticated-user header.