Main features
FortiCloud SSO
Integration with FortiCloud provides unified single sign-on (SSO) access to all your Fortinet cloud service offerings.
Free trial licenses
FIC offers a 30-day free trial license which can support up to five FIC end users and five realms for FortiCloud accounts. (SMS messages are not included.)
Time-based annual subscriptions
FIC offers time-based subscriptions that are stackable and co-termed, giving you the flexibility to scale up your FIC MFA service with ease.
Authentication and Management logs
FIC provides comprehensive authentication and management logs to keep you informed of all authentication and management events that have happened in your account.
Global administrator and sub-admin support
FIC now enables the global admin to create sub-admin accounts to better allocate and manage resources across all the accounts under management.
Access to all accounts by admin users
Global admins are able to access all FIC accounts belonging to their organization, choose which of their accounts to open upon login, and switch to any of their other accounts during the session.
Realm support
FIC enables admin users to create realms to effectively allocate resources and better manage end users.
Multi-factor authentication (MFA) for FGT and FAC devices
FIC provides a cloud-based MFA solution for all your Fortinet products, such as FortiGate (FGT) and FortiAuthenticator (FAC), and third-party web apps as applications.
Integration with FOS
FIC works seamlessly with FortiOS (FOS). For more information, refer to Compatible Fortinet applications.
Support for MFA bypass and new token request
FIC admin users can allow end users to bypass MFA, and can request new tokens on behalf of end users, easily from the GUI.
Automatic lockout of users for excessive MFA failures
FIC automatically locks out end users when they have breached their specified MFA failure threshold, ensuring security and integrity of your account.
Temporary token
You can enable your end users to use temporary tokens for MFA when they do not have their authentication devices with them, while leaving their existing authentication methods intact. If an end user does not have their FTM device with them and needs to log into the firewall or SSL VPN using MFA, you can enable the temporary token for the user and set the expiration time. The user can log into the firewall or SSL VPN using the temporary token until it expires. The user can get temporary tokens by email or SMS.
Disabling MFA after account disabled
FortiIdentity Cloud can enable existing users in disabled accounts to bypass MFA. There have been many customer cases where users were locked out due to expired licenses or exceeded quotas. With this feature, you are able to delete users by performing a user sync or delete a particular user. In the portal, you are able to change user settings, including bypass MFA. After MFA is bypassed, auth requests should succeed.
Secure, cross-platform token transfer
You can securely transfer your FIC and third-party tokens between iOS and Android devices using the FortiToken Mobile (FTM) app.
Support for remote FortiGate users
You can configure FortiGate wildcard LDAP users to use FIC for MFA.
Auto log-out
FIC automatically logs out a user if the GUI has been idle for more than ten minutes, safeguarding the security and integrity of your asset on FIC.
Real-time usage statistics
You can view daily, monthly, and current usage data easily from the GUI.
Support for HA clusters
FIC supports FGT and FAC HA cluster configuration. You can add or remove auth devices to or from the FIC portal. You can view your FGT and FAC devices in any cluster from the applications page.
Support for custom logo
You can upload custom logo images to replace the default Fortinet banner at the bottom of the FTM app on your end users' mobile devices.
Support for multiple MFA options
FIC offers four MFA methods: FTM (FortiToken Mobile), email, SMS, and FTK (FortiToken, which is a hardware token).
Auto-alias by email
Many FIC end-users have different usernames in different applications and different domains. For the same token, a single FIC user may have different usernames in different FIC applications. FIC now allows for different usernames to be attributed to the same user (i.e., same person) so that only one token (FTM or FTK) needs to be assigned to that same user. It does this by providing an Auto-alias by Email option, which, once turned on, enables FIC to automatically put usernames into an alias if they use the same email address.
Realm-based user quota
Global admins can allocate user quota by realm to effectively manage their assets and end users.
If you are a Managed Security Service Provider (MSSP), you can split out your user quota to sub-accounts. Sub-account holders can create their own passwords and have their private login portal. They can use MFA, bypass, block, and realm configurations to manage their own end users. An MSSP can manage all their sub-accounts from the FortiIdentity Cloud portal.
Export of logs in .CSV
You can export FIC authentication and management logs in .CSV format for record-keeping and sharing.
SMS usage
The SMS Log page enables you to view your SMS usage.
Device ownership transfer
You can transfer device ownership with or without device data.
Replay protection
You have three (high, medium, and low) levels of MFA replay protection to choose from when configuring realm settings.
Effective end-user management
You can effectively monitor and manage your end users from the FIC portal.
Support for pagination
Pagination enables you to limit the number of records returned in each API request. This ensures that the system can respond to API requests faster, and present information in a more organized and user-friendly manner. For more information, refer to the FortiIdentity Cloud API.
SMS usage restriction
This mechanism prevents users from using FIC's SMS function if the destination country is restricted by law. Once implemented, FIC will automatically pop up a message on its GUI, informing users of the restriction when it detects SMS messages being sent to a restricted country.
IdP Proxy
Identity Provider (IdP) Proxy combines the capability of IdP and Service Provider (SP) in one. With FortiIdentity Cloud providing the SAML and OIDC interface, applications can be part of the FIC SaaS service and take full advantage of the existing SSO protocol to integrate with not only the Forti-ecosystem, but third-party applications and IdPs as well.
Passkeys
FIC supports passkeys using WebAuthn, which is a core component of FIDO Alliance’s FIDO2 set of specifications. The web-based API allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. This enables end users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
SCIM
SCIM provides a standardized, secure methodology for exchanging information between IT systems. It ensures interoperability across domains without expensive custom integrations. SCIM auto-provisioning can free up valuable IT resources for critical tasks while boosting productivity across the entire organization.
Migrate FTM tokens from FortiGate and FortiAuthenticator
FortiGate and FortiAuthenticator (FAC) administrators can migrate their FTM tokens to FIC. Upon completion of migration, FIC automatically generates a one-year free transfer license for the migrated account to cover the number of end users corresponding to the total number of FTM tokens that have been transferred. For more information, visit Migrate FTM tokens to FortiIdentity Cloud.
Batch-add User
This feature enables admin users to batch-add end users from different realms manually or by importing end-user information in .csv files.
User group
This feature enables admin users to set up authorization groups of users and grant different access rights to users by user group.
Integration with Microsoft Entra ID
FIC can now be configured as an Entra MFA external authentication method (EAM) provider. See Configuring FIC as Microsoft Entra external authentication service provider.
End-user Portals
This feature enables end users to update their profiles, phone numbers, and MFA methods and register FIDO tokens on their own based on the permissions granted by the administrator. See Managing End-User Portal.
FortiSASE VPN user SSO through FortiIdentity Cloud
Working in tandem with FortiClient, this feature enables customers to use FIC MFA to manage SSO for their FortiSASE VPN users. See Configuring FIC as the IdP proxy for FortiSASE.
Allow end users to use additional MFA methods
This feature enables end users to use MFA methods other than the default set in their realm to authenticate, especially when they are unable to access or use the default MFA method, for example, mobile phones. If email is chosen as an additional MFA method, FIC will automatically switch from SMS to email when SMS service becomes unavailable (for instance, due to no or inadequate SMS quota or geographical limitation or restrictions). See .
Support for Local IdP
FortiIdentity Cloud's local IdP feature enables end users to log into their End-user Portal and applications using their username and password local to FortiIdentity Cloud rather than any external identity provider, such as Google, Azure, etc.
Support for OIDC Provider
FortiIdentity Cloud can be configured as an OpenID Provider (OP) for authenticating users and issuing tokens to a Relying Party (RP). When configured in tandem with its local IdP, FIC can be the authentication source and provide end-to-end OP functionality. For more information, see FortiIdentity Cloud as OIDC provider.
Allow rooted device
This feature enables administrators to effectively manage rooted devices in their environment. For more information, see General settings.
Support for subdomain for End-user Portal
This feature enables you to create the End-user Portal using your custom URL rather than the URL generated by FortiIdentity Cloud. For more information, see Configuring End-User Portal.