
Authentication

In the Authentication tab, you can configure the user authentication related settings for FortiPortal.

To configure authentication settings:
  1. Go to System > Settings > Authentication.

    The Authentication tab opens.

  2. In the Authentication tab, enter the following information:

    Settings

    Guidelines

    Authentication Access

    Select Local or Remote.

    By default, Authentication Access is set as Local.

    When you change the authentication configuration from local to remote or from remote to local, you must restart FortiPortal.

    See Authentication Access.

    Enable Two-factor Authentication

    Enable two-factor authentication for local or remote users.

    For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered.

    Email information is mandatory for 2FA users.

    It is recommended that 2FA users use email as the user name.

    If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.

    See 2FA in FortiPortal example.

    Allow Service Provider Usernames without Domain

    Enable allowing SP usernames without a domain.

    If you enable this field, the user can enter their user ID without a domain qualifier, and the system will try to authenticate the user credentials in each of the domains until a match is found.

    Note: This option is available only when Authentication Access is set as Remote.

    Remote Server

    Required. Select FortiAuthenticator, RADIUS, or SSO as the remote server.

    Note: This option is available only when Authentication Access is set as Remote.

    Remote Server Port

    Required. Port for the authentication server (default is 443).

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or RADIUS.

    Remote Server IP Address

    Required. Enter the IP address of the authentication server.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or RADIUS.

    Remote Server Key

    Required. Secret key for REST API requests.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator or RADIUS.

    Domains

    Enter a domain, URL, or URN attribute and then press Enter. The new domain appears in the list below the entry box. If you do not want to provide a domain for the site administrator, enable Allow Service Provider Usernames without Domain.

    Use this field to specify the domain, URL, or URN for the site administrator. To specify the domain for an organization, see General.

    The site administrator may allow administrative users to be defined in more than one authentication domain.

    Note: This option is available only when Authentication Access is set as Remote.

    Remote Server User

    Required. Administrator user name for the authentication server. This user must have sufficient permission to initiate REST API requests.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is FortiAuthenticator.

    Authentication Protocol

    Required. Select CHAP or PAP authentication protocols.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is RADIUS.

    View/Change Radius Roles

    Select to map the RADIUS roles with local roles. See Radius Roles.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is RADIUS.

    SSO IDP Entity URL

    Required. IDP Entity URL (ID) or URN for SAML provided by IDP server.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    IDP Sign On Service Endpoint URL

    Required. Endpoint URL for IDP (Post) provided by IDP server.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    IDP Sign On Service Redirect Endpoint URL

    Required. Endpoint URL for IDP (Redirect) provided by IDP server.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    SSO Application ID

    Required. SSO application provided by IDP.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    SSO Audience URL

    Required. URL used for audience within assertion (format: https://<FPC_PORTAL>/fpc/saml/SSO).

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    Role Attribute

    Required. Attribute parameter name that maps to the corresponding role in FortiPortal.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    Tenant Identification Attribute

    Introduced with FortiPortal Version 3.2.1, this attribute specifies a 'string' value that FortiPortal uses under SSO to map a user to a specific customer.

    This feature works similarly to the Tenant Identification Attribute in RADIUS, except that in SSO, FortiPortal allows you to configure the name of the attribute on the Administration Settings page.

    If you configure “My Customer Id” as the attribute value, FortiPortal expects the following in the authentication response from the SSO server:

    <My Customer Id>Fortinet</My Customer Id>

    where Fortinet is the value returned by the SSO server.

    This value must already have been entered in Domains under General.

    For a RADIUS server, the Tenant Identification Attribute value is a Fortinet Vendor Attribute value. The server will send “Fortinet” in the authentication response.

    FortiPortal treats the attribute values from either RADIUS or SSO server equally.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    SSO Error URL

    (Optional) Error URL provided by IDP.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    IDP Logout Service Endpoint

    Required. IDP logout URL provided by IDP.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    SSO Certificate

    Required. Certificate provided by the IDP, used by the SP to verify the signed response.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    Site Attribute

    Attribute parameter name that specifies which sites the customer user can access.

    When the Remote Server is SSO, enter the site attribute.

    For example, an attribute name of "site" might have the values "site1" and "site2". A customer user assigned to "site" would be able to access "site1" and "site2".

    <saml:Attribute Name="site" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">site1</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">site2</saml:AttributeValue>
    </saml:Attribute>

    When the Remote Server is FortiAuthenticator or RADIUS, select a site attribute from the dropdown. By default, Fortinet-Fpc-Tenant-user-sites is available.

    You can select a different value if you define an attribute for a site on the FortiAuthenticator or RADIUS server side.

    Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization.

    Note: This option is available only when Authentication Access is set as Remote.

    Email Attribute

    The user-defined email attribute name.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

    View/Change SSO Roles

    Select to map the SSO roles with the local roles. See SSO Roles.

    Note: This option is available only when Authentication Access is set as Remote and Remote Server is SSO.

  3. Click Save.
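As an added illustration (not FortiPortal's own code), the following Python resolves the Role Attribute, Tenant Identification Attribute, Site Attribute and Email Attribute described in the table above from a constructed SAML AttributeStatement, including the two fallbacks the table states: the tenant is taken from the domain part of the email when no Tenant Identification Attribute is present, and an empty Site Attribute grants all sites owned by the organization. The attribute names, the SSO role mapping, the organizations with their domains and sites are assumptions, and restricting asserted sites to those the organization owns is an added check rather than documented behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Values as entered on the Authentication tab (assumed attribute names).
SETTINGS = {"role_attribute": "role", "tenant_attribute": "My Customer Id",
            "site_attribute": "site", "email_attribute": "email"}
# SSO Roles window: SSO role name -> (Role Type, FPC roles). Assumed mapping.
SSO_ROLES = {"portal-admin": ("Service Provider", ["Full Admin"]),
             "cust-readonly": ("Customer", ["Read Only"])}
# Per organization: Domains entered under General, and the sites it owns (assumed).
ORG_DOMAINS = {"Fortinet": ["fortinet.example"], "Acme": ["acme.example"]}
ORG_SITES = {"Fortinet": ["site1", "site2", "site3"], "Acme": ["hq"]}

# Constructed assertion fragment: no tenant attribute, so the email domain decides.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">cust-readonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">alice@fortinet.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="site" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">site1</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">site2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def resolve_tenant(assertion_xml, settings=SETTINGS, org_domains=ORG_DOMAINS):
    """Tenant Identification Attribute first; else the domain part of the email username."""
    candidates = attribute_values(assertion_xml, settings["tenant_attribute"])
    if not candidates:
        emails = attribute_values(assertion_xml, settings["email_attribute"])
        candidates = [e.rsplit("@", 1)[1].lower() for e in emails if "@" in e]
    for org, domains in org_domains.items():
        if org in candidates or any(d in candidates for d in domains):
            return org
    return None  # no match: reject the login rather than defaulting to a tenant


def resolve_roles(assertion_xml, settings=SETTINGS, sso_roles=SSO_ROLES):
    """Map each SSO role name in the Role Attribute to the configured FPC roles."""
    fpc = []
    for name in attribute_values(assertion_xml, settings["role_attribute"]):
        fpc += sso_roles.get(name, ("", []))[1]  # unmapped SSO roles grant nothing
    return fpc


def resolve_sites(assertion_xml, org, settings=SETTINGS, org_sites=ORG_SITES):
    """Empty Site Attribute -> all sites the organization owns; otherwise only the
    listed sites, restricted to those the organization owns (assumed restriction)."""
    owned = org_sites.get(org, [])
    name = settings["site_attribute"]
    wanted = attribute_values(assertion_xml, name) if name else []
    return list(owned) if not wanted else [s for s in wanted if s in owned]
```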

Authentication Access

If the authentication access is local, the administrator and customer user login credentials are checked in the local user databases. With the local option, you must add an SP user entry for each administrative user, and a user for each organization user.

If the authentication access is remote, the administrator and customer user login credentials are checked in the remote RADIUS server or FortiAuthenticator user database. Local customer users cannot be used when remote authentication is selected.

See Remote authentication: FortiAuthenticator, Remote authentication: RADIUS, and Remote authentication - SSO.

Radius Roles

Selecting View/Change Radius Roles on the Authentication tab displays the Radius Roles window. Here, you can configure the mapping between FortiPortal roles and RADIUS roles. For each RADIUS role, the window displays the Role Name, Role Type (Service Provider or Customer) and a list of FPC (FortiPortal) roles that map to the RADIUS role.

The Radius Roles window contains the following options:

  • Create—open a dialog to create a RADIUS role.
  • Edit—edit a selected RADIUS role.
  • Delete—delete a selected RADIUS role.
  • Search—enter text to search for RADIUS role names containing that text.
  • Show x entries—sets the number of entries that are displayed at once (20 or 50).
  • Sort—allows you to sort columns in ascending or descending order.

To create a Radius Role:
  1. Go to System > Settings > Authentication.
  2. In Authentication Access, select Remote.
  3. In the Remote Server dropdown, select RADIUS.
  4. Select View/Change Radius Roles.

    The Radius Roles window opens.

  5. In the Radius Roles window, select Create.
  6. In the Create Role window, enter the following information:

    Settings

    Guidelines

    Role Name

    The RADIUS role name. The name must match a role name in the RADIUS server.

    Role Type

    Service Provider or Customer.

    FPC Roles

    Select the FortiPortal roles to associate with this RADIUS role.

  7. Click Save.

SSO Roles

Selecting the View/Change SSO Roles button on the Authentication tab displays the SSO Roles window. Here, you can configure the mapping between FortiPortal roles and SSO roles. For each SSO role, the window displays Role Name, Role Type (Service Provider or Customer) and a list of FPC (FortiPortal) roles that map to the SSO role.

The SSO Roles window contains the following actions:

  • Create—open a dialog to add an SSO role.
  • Edit—edit a selected SSO role.
  • Delete—delete a selected SSO role.
  • Search—enter text to search for SSO role names containing that text.
  • Show x entries—sets the number of entries that are displayed at once (20 or 50).
  • Sort—allows you to sort columns in ascending or descending order.

To create an SSO Role:
  1. Go to System > Settings > Authentication.
  2. In Authentication Access, select Remote.
  3. In the Remote Server dropdown, select SSO.
  4. Select View/Change SSO Roles.

    The SSO Roles window opens.

  5. In the SSO Roles window, select Create.
  6. In the Create Role window, enter the following information:

    Settings

    Guidelines

    Role Name

    The SSO role name. The name must match a role name in the SSO server.

    Role Type

    Service Provider or Customer.

    FPC Roles

    Select the FortiPortal roles to associate with this SSO role.

  7. Click Save.