Admin Settings


Domain setup (Standard level service / Free 25 user service)

You may configure up to one learner domain. The default was set when you initialized your tenant. You can view it by selecting the log in screen tab.


In this example, the default domain name is ftntworld.us.ftnt.info. ftntworld is the custom domain input during the initialization. us refers to the location you chose to store your user data when you initialized your tenant.

You may edit this custom domain after initialization. This domain will be the URL sent to and used by your learners when they are sent training invitations. It is the URL they will use when logging in to the system in order to complete training campaigns.

Sub domain names must meet the following requirements:

  • Lowercase only

  • At least one letter

  • At least three characters

  • No more than 64 characters

  • Only characters supported in domain names (such as hyphen)

To edit the default learner domain after initialization:
  1. Select Settings from the navigation menu.

  2. Click Edit domain in the Domain setup section.

  3. For standard subscription licenses, you may edit the domain you provided when initializing your tenant by typing a new sub domain in the Edit domain field and selecting Confirm.

    You should see a green check mark next to the domain entry.

Domain setup (Premium level service)

Note

This option is not available with the standard level service or the free 25 user service. Users of the standard level or free service will only be able to create a custom sub domain to our ftnt.info domain, such as ourdomain.ftnt.info.

If you wish to create a custom domain subordinate to one of your verified domains, you should contact your distributor and request an upgrade to the premium level service.

For premium license subscriptions, you can create a custom sub domain of your choice. This domain will be the URL sent to and used by your learners when they are sent training invitations. It is the URL they will use when logging in to the system to complete training campaigns.

Sub domain names must meet the following requirements:

  • Lowercase only

  • At least one letter

  • At least three characters

  • No more than 64 characters

  • Only characters supported in domain names (such as hyphen)

To configure the domain of your choice as the primary domain:
  1. Select Settings from the navigation menu, then select Edit domain in the Domain setup section.

  2. Select the Use my own domain as primary option.

  3. Create the ‘A’ records for the desired name using each of the IP addresses listed on the screen (these will vary based on your learner data storage country).

    Note

    For example, if we wanted a custom domain of ‘infosec.ftnt.world’, we would create three ‘A’ records each containing infosec.ftnt.world and the listed IP addresses:

    • infosec.ftnt.world using IP: 54.69.103.145

    • infosec.ftnt.world using IP: 35.95.166.55

    • infosec.ftnt.world using IP: 52.38.136.80

    Note

    Always use the IP addresses presented in the service and not the ones listed in this document as they may differ depending on where your learner data is stored.

  4. After the A records have been created and propagated, you can enter the new domain (such as infosec.ftnt.world) into the Custom domain field and select the Confirm button.

    Note

    Propagation of the DNS TXT record may take up to 24 hours depending on your DNS System / Service Provider.

  5. If the ‘A’ records have been created correctly and the information has propagated, you should see a green check mark beside the name of your custom domain.

If your A record does not verify after 24 hours, use the following instructions to verify that your A record is available using Google Dig. See How to verify your DNS TXT and 'A' records have been added correctly and have been successfully propagated.

You can delete this mapping and create a new one should you decide to change your custom domain in the future.
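The A record check described above can also be scripted. The following is an added example, not part of the Fortinet documentation: it compares what a resolver returns for the custom domain with the addresses listed in the service and reports both missing records and stray ones that would send learners to a host the service does not operate. The function names are hypothetical, and the addresses are the sample values from this page plus one constructed documentation-range address.

```python
import ipaddress
import socket


def resolve_a_records(hostname):
    """Return the IPv4 addresses the local resolver currently reports.

    This is the view of whichever resolver this machine uses, so a cached
    answer can lag behind the authoritative zone during propagation.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # name does not resolve (yet)
    return {info[4][0] for info in infos}


def check_a_records(hostname, expected_ips, resolver=resolve_a_records):
    """Compare resolved A records with the addresses shown in the service.

    expected_ips must be copied from the Domain setup screen of your tenant.
    resolver is injectable so the comparison can be exercised offline.
    """
    expected = {ipaddress.IPv4Address(ip.strip()) for ip in expected_ips}
    actual = {ipaddress.IPv4Address(ip) for ip in resolver(hostname)}
    missing = sorted(expected - actual)      # records not created or not visible
    unexpected = sorted(actual - expected)   # stale or stray records to remove
    return {
        "hostname": hostname,
        "missing": [str(ip) for ip in missing],
        "unexpected": [str(ip) for ip in unexpected],
        "ok": not missing and not unexpected,
    }


if __name__ == "__main__":
    # Sample addresses from this page; use the ones shown in your tenant.
    expected = ["54.69.103.145", "35.95.166.55", "52.38.136.80"]

    # Constructed resolver answer: one correct record, two not yet visible,
    # and one leftover record (192.0.2.10 is a documentation-range address).
    def partial_answer(_hostname):
        return {"54.69.103.145", "192.0.2.10"}

    print(check_a_records("infosec.ftnt.world", expected,
                          resolver=partial_answer))
    # For a live check, omit the resolver argument:
    # print(check_a_records("infosec.ftnt.world", expected))
```
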

Single sign-on (SSO)

Note

You should complete the Domain verification and Domain setup steps before completing this configuration. The links generated for the SSO configuration are built based on the Domain setup configuration. This will also allow you to manually add one of your users to test the SSO (SAML2) configuration after completing the configuration steps.

These features are only available for premium service level licenses: Free 25 user Premium (for Partners only) and Premium (purchased by customer). They are not available for free and standard service level licenses.

The Security Awareness and Training Service allows customers and partners to share metadata to establish a baseline of trust and interoperability using the XML-based Security Assertion Markup Language (SAML) standard.

Using one of your existing SAML2 single sign-on solutions to authenticate users when they log in to the system allows users to use an existing credential set, such as email, password, and MFA (optional), when logging in to the system. Users will not have to use a Fortinet assigned credential set when logging in to the service.

Note

Configuring a single sign-on solution allows users to authenticate to the Fortinet Security Awareness and Training Service. Before users can log in, they must first be imported into the service. See Creating and importing users.

Currently, the service does not support account creation during the single sign-on log in process.

Different solution providers have different configuration steps for configuring a SAML2 app for authentication with third-party services. Customers will need to work with their internal IT department or service provider to configure the SAML2 application for the Fortinet Security Awareness and Training Service.

If you require assistance configuring the authentication component, send an email to infosec_awareness@fortinet.com. A Deployment Specialist will reach out to request times that work and will schedule a meeting with our team, and, if necessary, the support team from your SSO vendor.

To configure SSO by adding Fortinet as a SAML service provider:
  1. Select Add Fortinet as a SAML service provider (SP).

  2. In your SSO/SAML2 application configuration, enter the Assertion Consumer Service (ACS) URL and the Service Provider metadata (SP Entity ID) in the appropriate fields.

  3. Select Continue. The Configure your SAML attributes screen is presented.

  4. Enter the SAML attributes you will configure in the third-party application. You can choose whatever names you want; however, you must map the same attributes in your SAML application.

  5. Select Continue. The Upload your Identity Provider Metadata page is displayed.

    You can cut and paste the Input metadata URL (such as Microsoft), Upload your Identity Provider Metadata (such as Google Workspace), or Configure manually using the matching values provided by your third-party application configuration.

    Note

    For Microsoft Entra/Azure/O365 implementations you must replace the IDP Logout URL under the Configure Manually tab with: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

  6. Select Complete.

You should now test that your custom URL redirects to the configured provider login screen.

Manually create a test user (you cannot use the Tenant Administrator account since it must use the FortiCloud SSO login) and verify that the user can log in through the third-party identity provider.

If you require assistance configuring the Authentication component, send an email to infosec_awareness@fortinet.com. A Deployment Specialist will reach out to request times that work and will schedule a meeting with our team, and, if necessary, the support team from your SSO vendor.

See the following articles for configuration of SSO/SAML2 for Microsoft Azure/Entra and Google Workspace:

| Name of User Profile Field | Mapped SAML Attributes | Examples |
|---|---|---|
| Name ID Format | N/A | Google: Email |
| Unique User Identifier (Microsoft only) | N/A | Microsoft: user.mail |
| Email | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary email attribute). | Google: Email or Primary Email; Microsoft: user.mail |
| First_name | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the primary First Name attribute). | Google: First Name; Microsoft: user.givenName |
| Last_name | The name of the attribute varies depending on SSO/SAML2 solution (should be mapped to the Last Name attribute). | Google: Last Name; Microsoft: user.surname (or sn) |

Note

For Google configurations, see How do I Configure SAML2 Single Sign-on (Authentication) to use Google Workspace SSO?

For Microsoft configurations, you will need to first delete the existing entries and create new entries using the table above. You can also refer to your Microsoft documentation (Federated Services / Azure (Entra)).

If you wish to configure access to the service through the user apps (Microsoft and Google), sometimes called the Start URL, see How do I configure Google Workspace so that learners can access the Security Awareness and Training Service from the Google Apps Icon?

You will need to open a ticket in order to get your tenant name. Email infosec_awareness@fortinet.com asking for your tenant name. The URL will be: https://app.training.fortinet.com/local/bridge/launch.php?name=<tenant_name>

Ensure that you add the users you wish to access the app through your SSO/SAML2 configuration interface.

If you are getting errors when accessing the link, then your SAML2 configuration on the SSO solution is incorrect.

If you are able to access the login page for your configured SAML2 SSO solution, but get errors when attempting to log in, then your attributes are likely not configured properly. To troubleshoot this issue, you can use Chrome and the SAML-tracer plug-in to verify that the correct attributes and attribute values are being passed. See Authentication: SAML2 (SSO) Troubleshooting Guide.
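The attribute check described above can be done offline on a SAMLResponse value copied from SAML-tracer. The following is an added example, not part of the Fortinet documentation: it decodes the response, lists the NameID and attributes, and reports which mapped names are absent or empty. It assumes the attribute names Email, First_name and Last_name were entered on the Configure your SAML attributes screen; the sample response is constructed and trimmed, and no signature is verified, so the output is diagnostic only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed names: use whatever you entered on the SAML attributes screen.
REQUIRED = ("Email", "First_name", "Last_name")


def extract_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return its NameID and attributes.

    Encrypted assertions expose no attributes here; they must be decrypted
    first. Signatures are not checked: this is a troubleshooting aid only.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "attributes": attributes,
    }


def check_mapping(parsed, required=REQUIRED):
    """Return (problems, unrecognised attribute names) for a parsed response."""
    attrs = parsed["attributes"]
    problems = []
    for name in required:
        if name not in attrs:
            problems.append(f"{name}: not sent by the IdP")
        elif not any(attrs[name]):
            problems.append(f"{name}: sent but empty")
    # Names the IdP sent that the service was not told about, for example
    # default claim URIs that were never replaced with the mapped names.
    extras = sorted(set(attrs) - set(required))
    return problems, extras


# Constructed, trimmed sample: the given name still uses a default claim URI
# and the last name is empty.
SAMPLE_XML = b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Subject><saml:NameID>learner@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="Email">
    <saml:AttributeValue>learner@example.com</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute
     Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Lee</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="Last_name"><saml:AttributeValue/></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_B64)
    print(parsed["name_id"], check_mapping(parsed))
```
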

SMTP settings

The SMTP settings allow you to use an email account from your organization to send all emails from the service.

If you do not configure SMTP settings, all emails will be sent from noreply@ftnt.info. To ensure these emails are not blocked as spam or sent to the learners' spam or junk folder, allowlist the noreply@ftnt.info email address.

To configure SMTP settings:
  1. Select Settings from the navigation menu.

    The Settings page is displayed.

  2. Click Configure in the SMTP settings section.

    The SMTP settings page is displayed.

  3. Complete the form and click Connect.

    If the settings are correct, you should see a green Connected status.

  4. To verify the settings, click Send a testing email. You should see a Test email has been sent confirmation. Then verify that the email is received.

Assets Access

This setting grants all users access to the available assets in the learner experience.

To grant access to assets:
  1. Select Settings from the navigation menu.

    The Settings page is displayed.

  2. Enable the Assets Access toggle, then click Save.

    An assets access permission updated message is displayed.

Refer to My Assets to learn more about My assets content.
