Creating an authentication scheme
To create an authentication scheme:
- Go to Authentication > Scheme & Rules.
- From the +Create New dropdown, select Authentication Scheme.
The New Authentication Scheme window opens.
- Enter the following information:
Name
Name of the scheme.
Method
Select +, then in Select Entries, select one or more of the following options, and click Close:
Basic
Basic HTTP authentication.
Certificate
Client certificate authentication.
Digest
Digest HTTP authentication.
Form-based
Form-based HTTP authentication.
Fortinet Single Sign-On (FSSO)
Fortinet Single Sign-On (FSSO) authentication.
Negotiate
Negotiate authentication.
NTLM
NTLM authentication.
RADIUS Single Sign-On (RSSO)
RADIUS Single Sign-On (RSSO) authentication.
SAML
SAML authentication.
SSH Public Key
Public key based SSH authentication.
Token Code
Token code-based authentication.
x-auth-user
User from HTTP x-authenticated-user header.
Use the search bar to look for a method.
User database
Select +, and in Select Entries, select remote servers (LDAP, RADIUS, TACACS+) and user groups, then click Close.
You can also create new remote servers and user groups by selecting +Create. See LDAP servers, RADIUS servers, and User groups.
Use the pen icon next to a server or user group to edit it.
User database is only available when the selected methods are one or a combination of the following:
Basic
Digest
Form-based
SAML
SSH Public Key
x-auth-user
FSSO guest
Enable/disable FSSO-Guest user authentication.
Note: The option is disabled by default.
FSSO guest is only available when the selected methods are either one or a combination of the following:
Basic
Digest
Negotiate
NTLM
Two-factor authentication
Enable/disable two-factor authentication.
Note: The option is disabled by default.
Two-factor authentication is only available when the selected method is Form-based.
Negotiate NTLM
Enable/disable negotiate authentication for NTLM.
Note: The option is enabled by default.
Negotiate NTLM is only available when the selected method is Negotiate.
Kerberos keytab
From the dropdown, select a Kerberos Keytab or create a Kerberos Keytab. See Creating a new kerberos keytab.
Use the search bar to look for a Kerberos Keytab.
Kerberos keytab is only available when the selected method is Negotiate.
Domain Controller
Enable/disable adding domain controllers, and from the dropdown, select a domain controller or create a domain controller. See Creating a new domain controller.
Note: The option is disabled by default when the Method is Negotiate.
Use the search bar to look for a domain controller.
Domain Controller is only available when the selected method is Negotiate, NTLM, or both.
FSSO Agent
Enable/disable using an FSSO agent when the Method is Negotiate. From the dropdown, select an FSSO agent or create an FSSO agent. See Creating an FSSO agent.
Note: The option is disabled by default.
Use the search bar to look for an FSSO agent.
FSSO Agent is only available when the selected method is Negotiate.
SAML SSO server
From the dropdown, select a SAML SSO server.
Note: The option is only available when the Method is SAML.
Use the search bar to look for a SAML SSO server.
User database
From the dropdown, select a user database server or create a user database server.
SAML Timeout
Enter the SAML authentication timeout, in seconds (default = 120).
Note: The option is only available when the Method is SAML.
SSH local CA
From the dropdown, select an SSH local CA.
Note: The option is only available when the method is SSH Public Key.
Use the search bar to look for an SSH local CA.
- Click OK.
Creating a new kerberos keytab
To create a new kerberos keytab:
- In step 3 of Creating an authentication scheme, when the selected method is Negotiate, select +Create from the Kerberos keytab dropdown.
The New Kerberos Keytab window opens:
- Enter the following information:
Name
Name of the kerberos keytab.
Principal
Enter the principal name, that is, the identity to which Kerberos issues tickets.
Note: Use / to separate components of the principal.
LDAP server
From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.
Use the search bar to look for an LDAP server.
Use the pen icon next to an LDAP server to edit it.
Keytab
Enter the pre-shared key, and select Upload to locate the Base64-encoded keytab file on your local computer.
- Click OK.
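The Principal field and the uploaded keytab must name the same principal: if the keytab was exported for a different service or host, or for a different realm, Negotiate authentication fails even though both fields accept the input. The following Python script is an added example, not part of this page or of Fortinet's software. It constructs a sample keytab in the MIT keytab layout (version 0x0502, all integers big-endian), Base64-encodes it the way the Keytab field expects it, and parses it back to check that the principal inside matches what was typed into the Principal field. The principal, realm and key bytes are constructed for illustration; `build_keytab`, `parse_keytab` and `keytab_problems` are names chosen here.

```python
"""Build, Base64-encode and parse an MIT-format Kerberos keytab (version 0x0502)."""
import base64
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab, format version 2: integers are big-endian
NT_PRINCIPAL = 1                    # KRB5_NT_PRINCIPAL name type
ENCTYPE_AES256_CTS_HMAC_SHA1 = 18   # aes256-cts-hmac-sha1-96


def build_keytab(principal, key, enctype=ENCTYPE_AES256_CTS_HMAC_SHA1, kvno=2, timestamp=None):
    """Return a single-entry keytab for 'comp1/comp2@REALM', the '/'-separated form
    the Principal field expects. Used here only to construct sample input (not a real key)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    stamp = int(time.time()) if timestamp is None else timestamp
    body = struct.pack(">H", len(components))                 # component count (realm not counted in v2)
    body += struct.pack(">H", len(realm)) + realm.encode()    # counted octet string: realm
    for comp in components:                                   # counted octet strings: components
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", NT_PRINCIPAL, stamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                           # optional 32-bit kvno extension
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


class _Reader:
    """Cursor over the keytab bytes."""
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):                # uint16 length followed by that many bytes
        (n,) = self.take(">H")
        raw = self.data[self.pos:self.pos + n]
        self.pos += n
        return raw.decode()


def parse_keytab(data):
    """Parse every live entry of a version-0x0502 keytab into a list of dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab (got %r)" % data[:2])
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        (size,) = r.take(">i")
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            r.pos += -size
            continue
        end = r.pos + size
        (ncomp,) = r.take(">H")
        realm = r.counted()
        comps = [r.counted() for _ in range(ncomp)]
        name_type, stamp, vno8 = r.take(">IIB")
        enctype, klen = r.take(">HH")
        key = data[r.pos:r.pos + klen]
        r.pos += klen
        kvno = vno8
        if end - r.pos >= 4:          # 32-bit kvno present after the keyblock
            (kvno,) = r.take(">I")
        r.pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm, "components": comps, "realm": realm,
            "name_type": name_type, "timestamp": stamp, "kvno": kvno,
            "enctype": enctype, "key_len": len(key),
        })
    return entries


def keytab_problems(keytab_b64, expected_principal):
    """Decode the keytab as it would be uploaded and return a list of problems;
    an empty list means some entry carries exactly expected_principal."""
    try:
        entries = parse_keytab(base64.b64decode(keytab_b64, validate=True))
    except ValueError as exc:         # binascii.Error (bad Base64) is a ValueError subclass
        return ["keytab is not valid Base64 or not a v0x0502 keytab: %s" % exc]
    problems = []
    if "@" not in expected_principal:
        problems.append("principal %r has no @REALM suffix" % expected_principal)
    if not entries:
        problems.append("keytab contains no entries")
    found = [e["principal"] for e in entries]
    if entries and expected_principal not in found:
        problems.append("principal %r not in keytab; keytab holds %s" % (expected_principal, found))
    return problems


if __name__ == "__main__":
    # Constructed sample: placeholder key bytes, example host and realm.
    sample = build_keytab("HTTP/fortipam.example.com@EXAMPLE.COM", b"\x11" * 32, timestamp=1700000000)
    uploaded = base64.b64encode(sample).decode()
    for entry in parse_keytab(base64.b64decode(uploaded)):
        print(entry["principal"], "kvno", entry["kvno"], "enctype", entry["enctype"])
    print(keytab_problems(uploaded, "HTTP/fortipam.example.com@EXAMPLE.COM"))   # []
    print(keytab_problems(uploaded, "HTTP/other.example.com@EXAMPLE.COM"))      # mismatch reported
```

Run `keytab_problems` against the Base64 text of the real keytab before uploading it; it reports a Base64 or format error, a principal typed without its @REALM suffix, and a principal that is not present in the file. A keytab exported from Active Directory normally carries several entries for the same principal with different enctypes, which the parser returns as separate dicts.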
Creating a new domain controller
To create a domain controller:
- In step 3 of Creating an authentication scheme, when the selected method is Negotiate or NTLM, select +Create from the Domain Controller dropdown.
If the Method is Negotiate, enable Domain Controller first so that the dropdown is available.
- Enter the following information:
Name
Name of the domain controller.
IP Address
The IP address of the domain controller.
Port
The port used to communicate with the domain controller (default = 445).
LDAP server
From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.
Use the search bar to look for an LDAP server.
Use the pen icon next to an LDAP server to edit it.
Domain Name
DNS name of the domain.
- Click OK.
Creating an FSSO agent
To create an FSSO agent:
- In step 3 of Creating an authentication scheme, when the selected method is Negotiate, enable FSSO Agent.
- From the FSSO Agent dropdown, select +Create.
The New External Connector window opens.
- Select FSSO Agent on Windows AD.
- In the Connector Settings pane, enter the following information:
Name
Name of the FSSO agent.
Primary FSSO agent
The IP address or host name of the FSSO agent server, and its Password.
Select + to add additional FSSO agents.
Trusted SSL certificate
Enable/disable using a trusted SSL certificate.
From the dropdown, select a certificate or import a certificate.
Note: The option is disabled by default.
To import a certificate:
- From the dropdown, select Import.
- In Upload, select +Upload, and locate the certificate on your local computer.
- Click OK.
User group source
Select either Collector Agent or Local:
Collector Agent: User groups are pushed to FortiPAM from the collector agent.
Local: User groups are specified locally, using the LDAP server selected below.
LDAP server
From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.
Note: The option is only available when the User group source is Local.
Use the search bar to look for an LDAP server.
Use the pen icon next to an LDAP server to edit it.
Proactively retrieve from LDAP server
Enable to configure the search filter and Interval (in minutes).
Note: The option is only available when the User group source is Local, and is disabled by default.
Users/Groups
Click Apply and Refresh to fetch group filters from the collector agent.
Note: The option is only available when the User group source is Collector Agent.
- Click OK.