Administration Guide

Remote user sync rules

Synchronization rules can be created to control how and when remote LDAP and SAML users are synchronized. To view a list of the remote user synchronization rules, go to Authentication > User Management > Remote User Sync Rules.

To create a new remote LDAP user synchronization rule:
  1. From the Remote User Sync Rules page, select LDAP users, and select Create New.
  2. Configure the following settings:
    Name: Enter a name for the synchronization rule.
    Remote LDAP: Select a remote LDAP server from the dropdown menu. To configure a remote LDAP server, see LDAP.
    Base distinguished name: The base DN of the remote LDAP server. This field is populated automatically when a remote LDAP server is selected above.
    LDAP filter: Optionally, enter an LDAP filter. Select Test Filter to check that the filter works as expected.
    Token-based authentication sync priorities: Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.
    Sync every: Select the amount of time between synchronizations.
    Sync as: Select whether to synchronize as a remote user or as a local user. Selecting either option opens a dialog box that displays the user fields synchronized for that selection.
    User Role: Select the user role to assign to remote users. Users assigned the Administrator role are granted full permissions.
    Group to associate users with: Optionally, select a group from the dropdown menu to associate the users with, or select Create New to create a new user group. See User groups.
    Organization: Optionally, select an organization from the dropdown menu to associate the users with, or select Create New to create a new organization. See Organizations.
    Certificate binding CA: The certificate binding CA for users who use remote user sync rules. When the Certificate binding common name field (under LDAP User Mapping Attributes) is populated, this field must also be specified.
    Do not delete synced users when they are no longer found on the remote server: Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.
    Proceed with rule even when response empty: Select to enforce the synchronization rule even when the LDAP response is empty. Use this option to delete all users from a FortiAuthenticator group when the synchronization rule returns an empty response. This option is only available when Do not delete synced users when they are no longer found on the remote server is disabled.
    Warning: This option should be used with caution. An administrator error (for example, a typo when changing the LDAP query) could cause the deletion of all existing synchronized users, requiring the administrator to reprovision any assigned FortiTokens.
    LDAP User Mapping Attributes: Optionally, edit the remote LDAP user mapping attributes.
    Debugging Settings: Optionally, log synchronization details, including LDAP query results. These log files can be downloaded under Debug Report > LDAP Sync. In addition, select whether to delete synchronized users when they are no longer found on the remote server.
    Preview Mapping: Select to preview the LDAP user sync mappings in a new window.
    Show Sync Fields: Select to view the user fields that will be synchronized.
  3. Select OK to create the new LDAP synchronization rule.
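
The interaction between the two deletion options is easiest to see by working through a sync run. The following Python is an added example, not FortiAuthenticator code: the reconciliation semantics it models (an empty response skips the rule unless Proceed with rule even when response empty is set; users missing from the remote result are deleted unless Do not delete synced users is set), the directory entries, the token serials and all function and class names are this example's own assumptions. It shows what a mistyped filter does under each setting and which FortiTokens would need reprovisioning afterwards.

```python
from dataclasses import dataclass

# Constructed directory entries standing in for the remote LDAP server's contents.
DIRECTORY = [
    {"uid": "alice", "objectClass": "person", "ou": "eng"},
    {"uid": "bob", "objectClass": "person", "ou": "eng"},
    {"uid": "dave", "objectClass": "person", "ou": "ops"},
    {"uid": "svc-backup", "objectClass": "serviceAccount", "ou": "ops"},
]

# Constructed FortiToken assignments (user -> token serial). The guide's warning
# is about having to reprovision these after an accidental mass deletion.
TOKENS = {"alice": "FTK-0001", "bob": "FTK-0002", "carol": "FTK-0003"}


def ldap_search(entries, attr, value):
    """Stand-in for the remote LDAP query: an equality match on one attribute.

    A mistyped attribute name or value does not raise an error; it simply
    returns no entries, which is the situation the guide's warning describes.
    """
    return frozenset(e["uid"] for e in entries if e.get(attr) == value)


@dataclass(frozen=True)
class SyncRule:
    """The two deletion-related options of a sync rule (field names are this
    example's own; the GUI labels are given in the comments)."""

    name: str
    keep_missing_users: bool = False  # "Do not delete synced users when they are no longer found on the remote server"
    proceed_when_empty: bool = False  # "Proceed with rule even when response empty"

    def __post_init__(self):
        # The guide states that each option is only available when the other is disabled.
        if self.keep_missing_users and self.proceed_when_empty:
            raise ValueError("keep_missing_users and proceed_when_empty are mutually exclusive")


@dataclass(frozen=True)
class SyncResult:
    added: frozenset
    deleted: frozenset
    skipped: bool = False                     # rule did not run because the response was empty
    tokens_orphaned: frozenset = frozenset()  # token serials whose users were deleted


def reconcile(rule, local_synced, remote_users, tokens=None):
    """Compute what one sync run would do to the locally synced user set.

    Modelled behaviour (an assumption about the product, not a quote from it):
    - empty remote response with proceed_when_empty off: the rule does nothing;
    - otherwise users present remotely but not locally are added, and users
      present locally but no longer remotely are deleted unless
      keep_missing_users is on.
    """
    tokens = tokens or {}
    local = frozenset(local_synced)
    remote = frozenset(remote_users)
    if not remote and not rule.proceed_when_empty:
        return SyncResult(added=frozenset(), deleted=frozenset(), skipped=True)
    added = remote - local
    deleted = frozenset() if rule.keep_missing_users else local - remote
    orphaned = frozenset(tokens[u] for u in deleted if u in tokens)
    return SyncResult(added=added, deleted=deleted, tokens_orphaned=orphaned)


def demo():
    """Walk a correct filter and a mistyped one through each rule setting."""
    local = {"alice", "bob", "carol"}  # carol has since been removed from the directory
    good = ldap_search(DIRECTORY, "ou", "eng")  # {'alice', 'bob'}
    typo = ldap_search(DIRECTORY, "ou", "egn")  # empty: 'egn' matches nothing
    return {
        "default_good": reconcile(SyncRule("eng"), local, good, TOKENS),
        "default_typo": reconcile(SyncRule("eng"), local, typo, TOKENS),
        "proceed_typo": reconcile(SyncRule("eng", proceed_when_empty=True), local, typo, TOKENS),
        "keep_good": reconcile(SyncRule("eng", keep_missing_users=True), local, good, TOKENS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:13s} skipped={result.skipped} added={sorted(result.added)} "
              f"deleted={sorted(result.deleted)} tokens_orphaned={sorted(result.tokens_orphaned)}")
```

With the default settings the mistyped filter is harmless (the run is skipped and nothing changes), which is why Test Filter and the Debugging Settings log of LDAP query results are worth using before saving a changed filter; with Proceed with rule even when response empty enabled, the same typo removes every synchronized user and orphans all three tokens in one run.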
To create a new remote SAML user synchronization rule:
  1. From the Remote User Sync Rules page, select SAML users, and select Create New.
  2. Configure the following settings:
    Name: Enter a name for the synchronization rule.
    Remote SAML server: Select a remote SAML server from the dropdown menu. To configure a remote SAML server, see SAML.
    SAML group: Select a group from the SAML server. SAML groups are retrieved dynamically from the server.
    Token-based authentication sync priorities: Select the required authentication synchronization priorities. Drag the priorities up and down in the list to change the priority order.
    Sync every: Select the amount of time between synchronizations.
    Group to associate users with: Optionally, select a group from the dropdown menu to associate the users with. See User groups.
    Organization: Optionally, select an organization from the dropdown menu to associate the users with, or select Create New to create a new organization. See Organizations.
    Do not delete synced users when they are no longer found on the remote server: Select to ensure that synchronized users are not deleted when they are no longer found on the remote server. This option is only available when Proceed with rule even when response empty is disabled.
    SAML User Mapping Attributes: Optionally, edit the remote SAML user mapping attributes.
  3. Select OK to create the new SAML synchronization rule.
