Administration Guide

Creating an authentication scheme

To create an authentication scheme:
  1. Go to Authentication > Scheme & Rules.
  2. From the +Create New dropdown, select Authentication Scheme.

    The New Authentication Scheme window opens.

  3. Enter the following information:

    Name

    Name of the scheme.

    Method

    Select +, from Select Entries, select one or more of the following options and then click Close:

    Basic

    Basic HTTP authentication. The client sends the username and password Base64-encoded in every request, so only use this method on connections protected by TLS.

    Certificate

    Client certificate authentication.

    Digest

    Digest HTTP authentication.

    Form-based

    Form-based HTTP authentication.

    Fortinet Single Sign-On (FSSO)

    Fortinet Single Sign-On (FSSO) authentication.

    Negotiate

    Negotiate authentication.

    NTLM

    NTLM authentication.

    RADIUS Single Sign-On (RSSO)

    RADIUS Single Sign-On (RSSO) authentication.

    SAML

    SAML authentication.

    SSH Public Key

    Public key based SSH authentication.

    Token Code

    Token code-based authentication.

    x-auth-user

    User taken from the HTTP x-authenticated-user header. This trusts whatever sets the header, so only use it behind an upstream proxy that authenticates the user itself and strips any x-authenticated-user header supplied by the client.

    Use the search bar to look for a method.

    User database

    Select +, and in Select Entries, select remote servers (LDAP, RADIUS, TACACS+) and user groups then click Close.

    You can also create new remote servers and user groups by selecting +Create. See LDAP servers, RADIUS servers, and User groups.

    Use the pen icon next to a server or user group to edit it.

    User database is only available when the selected methods are one or a combination of the following:

    • Basic

    • Digest

    • Form-based

    • SAML

    • SSH Public Key

    • x-auth-user

    FSSO guest

    Enable/disable FSSO-Guest user authentication.

    Note: The option is disabled by default.

    FSSO guest is only available when the selected methods are either one or a combination of the following:

    • Basic

    • Digest

    • Negotiate

    • NTLM

    Two-factor authentication

    Enable/disable two-factor authentication.

    Note: The option is disabled by default.

    Two-factor authentication is only available when the selected method is Form-based.

    Negotiate NTLM

    Enable/disable negotiate authentication for NTLM.

    Note: The option is enabled by default.

    Negotiate NTLM is only available when the selected method is Negotiate.

    Kerberos keytab

    From the dropdown, select a Kerberos Keytab or create a Kerberos Keytab. See Creating a new kerberos keytab.

    Use the search bar to look for a Kerberos Keytab.

    Kerberos keytab is only available when the selected method is Negotiate.

    Domain Controller

    Enable/disable adding domain controllers, and from the dropdown, select a domain controller or create a domain controller. See Creating a new domain controller.

    Note: The option is disabled by default when the Method is Negotiate.

    Use the search bar to look for a domain controller.

    Domain Controller is only available when the selected method is Negotiate and/or NTLM.

    FSSO Agent

    Enable/disable using FSSO agent when the Method is Negotiate. From the dropdown, select an FSSO agent or create an FSSO agent. See Creating an FSSO agent.

    Note: The option is disabled by default.

    Use the search bar to look for an FSSO agent.

    FSSO Agent is only available when the selected method is Negotiate.

    SAML SSO server

    From the dropdown, select a SAML SSO server.

    Note: The option is only available when the Method is SAML.

    Use the search bar to look for a SAML SSO server.

    User database

    From the dropdown, select a user database server or create a user database server.

    SAML Timeout

    Enter the SAML authentication timeout, in seconds (default = 120).

    Note: The option is only available when the Method is SAML.

    SSH local CA

    From the dropdown, select an SSH local CA.

    Note: The option is only available when the method is SSH Public Key.

    Use the search bar to look for an SSH local CA.

  4. Click OK.

Creating a new kerberos keytab

To create a new kerberos keytab:
  1. In step 3 of Creating an authentication scheme, with Negotiate as the selected method, select +Create from the Kerberos keytab dropdown.

    The New Kerberos Keytab window opens.

  2. Enter the following information:

    Name

    Name of the kerberos keytab.

    Principal

    Enter the Kerberos principal that the keytab's key belongs to, that is, the service identity for which the KDC issues tickets. A service principal has the form primary/instance@REALM, for example HTTP/pam.example.com@EXAMPLE.COM (an illustrative name, substitute your own host and realm).

    Note: Use / to separate components of the principal. The principal entered here must match the principal stored in the uploaded keytab, otherwise Negotiate authentication fails.

    LDAP server

    From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.

    Use the search bar to look for an LDAP server.

    Use the pen icon next to an LDAP server to edit it.

    Keytab

    Enter the key, or select Upload to locate the Base64-encoded keytab file on your local computer. The keytab holds the service's long-term key, so treat the file and its Base64 text as a secret and delete local copies after upload.

  3. Click OK.
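The Principal and Keytab fields above have to agree: the keytab must contain an entry for exactly the principal typed into the Principal field, and the Keytab field expects the file as Base64 text. The following is an added example, not code from the Fortinet guide, that checks both before you upload. It assumes an illustrative principal HTTP/pam.example.com@EXAMPLE.COM and a constructed all-zero key (a real keytab would come from ktpass on a domain controller or kadmin ktadd on an MIT KDC). It builds and parses the MIT keytab file format (version 0x0502), so the same parser works on a real keytab file read from disk.

```python
import base64
import struct

# MIT keytab file format: 2-byte version 0x0502, then a sequence of
# [int32 size][entry]. Each entry holds the principal (realm + components),
# a name type, a timestamp, an 8-bit kvno, the key (enctype + key bytes) and,
# in newer files, a trailing 32-bit kvno.
KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1            # name type normally used for service principals
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def parse_principal(principal):
    """Split 'HTTP/host@REALM' into (['HTTP', 'host'], 'REALM').

    Components are separated by '/', the realm follows the last '@'.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like primary/instance@REALM")
    components = name.split("/")
    if any(c == "" for c in components):
        raise ValueError("empty component in principal")
    return components, realm


def _counted(data):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(principal, kvno, key, enctype=ENCTYPE_AES256_CTS_HMAC_SHA1_96, timestamp=0):
    """Serialise a one-entry keytab for `principal` with raw key bytes `key`."""
    components, realm = parse_principal(principal)
    entry = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        entry += _counted(c.encode())
    entry += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    entry += struct.pack(">H", enctype) + _counted(key)
    entry += struct.pack(">I", kvno)     # 32-bit kvno extension
    return KEYTAB_VERSION + struct.pack(">i", len(entry)) + entry


def parse_keytab(blob):
    """Return a list of dicts describing each live entry in a keytab."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:               # trailing 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype,
                        "kvno": kvno, "key_len": len(key)})
    return entries


def keytab_to_base64(blob):
    """The Keytab field expects the file Base64-encoded; this produces that text."""
    return base64.b64encode(blob).decode("ascii")


def check_keytab_for_upload(b64_text, expected_principal):
    """True if the Base64 keytab holds an entry for the principal typed into the Principal field."""
    entries = parse_keytab(base64.b64decode(b64_text, validate=True))
    return any(e["principal"] == expected_principal for e in entries)


if __name__ == "__main__":
    # Constructed sample: a dummy all-zero 32-byte key, not a real key exported from a KDC.
    principal = "HTTP/pam.example.com@EXAMPLE.COM"
    keytab = build_keytab(principal, kvno=3, key=bytes(32))
    b64 = keytab_to_base64(keytab)
    for e in parse_keytab(keytab):
        print(e)
    print("matches Principal field:", check_keytab_for_upload(b64, principal))
```

To check a real file, read it with open(path, "rb").read() and pass the result to parse_keytab; compare the printed principal and kvno with the Principal field and with the account's current key version on the domain controller, since a stale kvno or a principal that differs only in case or realm is a common reason Negotiate authentication fails after the scheme is saved.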

Creating a new domain controller

To create a domain controller:
  1. In step 3 of Creating an authentication scheme, with Negotiate or NTLM as the selected method, select +Create from the Domain Controller dropdown.

    If the Method is set as Negotiate, enable Domain Controller.

  2. Enter the following information:

    Name

    Name of the domain controller.

    IP Address

    The IP address of the domain controller.

    Port

    The port used to communicate with the domain controller (default = 445, the SMB port). Make sure any firewall between FortiPAM and the domain controller allows this port.

    LDAP server

    From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.

    Use the search bar to look for an LDAP server.

    Use the pen icon next to an LDAP server to edit it.

    Domain Name

    DNS name of the domain.

  3. Click OK.

Creating an FSSO agent

To create an FSSO agent:
  1. In step 3 of Creating an authentication scheme, with Negotiate as the selected method, enable FSSO Agent.
  2. From the FSSO Agent dropdown, select +Create.

    The New External Connector window opens.

  3. Select FSSO Agent on Windows AD.
  4. In the Connector Settings pane, enter the following information:

    Name

    Name of the FSSO agent.

    Primary FSSO agent

    The IP address or host name of the primary FSSO collector agent, and the password configured on that agent.

    Select + to add additional FSSO agents.

    Trusted SSL certificate

    Enable/disable using a trusted SSL certificate.

    From the dropdown, select a certificate or import a certificate.

    Note: The option is disabled by default.

    To import a certificate:
    1. From the dropdown, select Import.
    2. In Upload, select +Upload, and locate the certificate on your local computer.
    3. Click OK.

    User group source

    Select either Collector Agent or Local:

    • Collector Agent: User groups are pushed to FortiPAM from the collector agent.

    • Local: User groups are specified locally in the FortiPAM configuration, using the LDAP server selected below.

    LDAP server

    From the dropdown, select an LDAP server or create an LDAP server. See LDAP servers.

    Note: The option is only available when the User group source is Local.

    Use the search bar to look for an LDAP server.

    Use the pen icon next to an LDAP server to edit it.

    Proactively retrieve from LDAP server

    Enable to configure the search filter and Interval (in minutes).

    Note: The option is only available when the User group source is Local, and is disabled by default.

    Users/Groups

    Click Apply and Refresh to fetch group filters from the collector agent.

    Note: The option is only available when the User group source is Collector Agent.

  5. Click OK.
