Identity and Access Management

Securely connect every identity to your resources and simplify management


Identity and Access Management (IAM) Overview

Today’s enterprise identity environments are made up of many systems of record, ranging from networking devices and servers to directory services and cloud applications. Managing an identity that lives in all of these systems can quickly become an administrative burden large enough to affect users, administrators, and application developers alike.

Additionally, many of today’s most damaging security breaches have been due to compromised user accounts and passwords exacerbated by users being provided with inappropriate levels of access. Securely and effectively managing identity authentication and authorization for all systems and applications is crucial to minimize security breaches.


Identity and Access Management Product Details

Fortinet IAM provides the services necessary to securely confirm the identities of users and devices as they enter the network. With our robust solution, you can control and manage identity to securely connect the right users to only the appropriate resources.

The Fortinet IAM solution includes the following products:

  • FortiAuthenticator protects against unauthorized access to corporate resources by providing centralized authentication services for the Fortinet Security Fabric, including single sign-on services, certificate management, and guest access management.
  • FortiToken further confirms the identity of users by adding a second factor to the authentication process through physical or mobile-application tokens.
  • FortiToken Cloud offers multi-factor authentication (MFA) as a service. Organizations can use its intuitive dashboard to manage MFA.

The combination of FortiAuthenticator and FortiToken or FortiToken Cloud effectively addresses the identity and access management challenges organizations face in this era of rapidly increasing user and device connectivity.

Features and Benefits

Intuitive, centralized authentication and authorization services

Ensure the right people get appropriate access to your data, resources, and applications

Multi-factor authentication and management

Increase certainty of user identity by verifying an additional factor

Single sign-on (SSO) for web/cloud applications and network resources

Fortinet Single Sign-On (FSSO), plus modern federation protocols for SSO (SAML, OAuth, OIDC) and API support

Guest, BYOD, and certificate management

Customizable portals including self-service capabilities

Simple deployment and licensing

Flexible deployment modes (appliances, VMs, cloud) with non-recurring or renewal licensing options

Integration with secure directories

Leverage existing identity systems of record on premises or in the cloud

Identity and Access Management Models and Specifications

Fortinet Identity and Access Management products offer a robust response to the challenges today's businesses face in the verification of user and device identity.

FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including single sign on services, certificate management, and guest management.

Hardware Appliances

  Total users   Description
  500           4x GE RJ45 ports, 1x 1 TB HDD
  2,000         4x GE RJ45 ports, 2x 1 TB HDD
  10,000        4x GE RJ45 ports, 2x GE SFP, 2x 2 TB HDD
  20,000        4x GE RJ45 ports, 2x GE SFP, 2x 2 TB SAS drive
  40,000        4x GE RJ45 ports, 2x GE SFP, 2x 2 TB SAS drive
  8,000         4x GE RJ45 ports, 2x GE SFP, 2x 2 TB HDD

Please see the product page for more information on these and many more product features.


Virtual Machines

  Users      Description
  100        Base FortiAuthenticator-VM with 100-user license
  +100       License to add 100 users to the base VM
  +1,000     License to add 1,000 users to the base VM
  +10,000    License to add 10,000 users to the base VM

FortiToken further confirms the identity of users by adding a second factor to the authentication process through physical and mobile-application-based tokens.

  • Two-factor authentication application for mobile devices
  • Standard multi-form-factor OATH-compliant hardware token
  • Hardware USB token for X.509 PKI certificates


FortiToken Cloud offers secure cloud management of two-factor authentication for FortiGate environments from provisioning to revocation. 


FortiAuthenticator also offers a public cloud BYOL (bring your own license) option through AWS Marketplace and Azure Marketplace.


Identity and Access Management Use Cases

Enhance security and productivity while minimizing the burden on IT

The growth of cloud-based applications and connected devices has changed the way we work. It has also expanded the attack surface, giving cybercriminals more opportunities for targeted attacks. To avoid breaches, organizations need to ensure that only the right users access the right network resources.

Fortinet User Authentication provides you with the tools and capabilities to effectively manage identity and authentication of users, devices, and guests or partners. You can federate identity to provide a great experience for your users.

Flexible deployment options let you decide the best way to deploy the solution for your needs: on-premises ready-to-use hardware, a virtual machine, managed cloud, or identity-as-a-service (IDaaS). Quickly integrate Fortinet IAM with existing authentication infrastructure such as Active Directory (AD) or LDAP, or with new services through cloud service providers.


Get Better Security Access with Multi-Factor Authentication (MFA)

Providing secure access to applications, services, or software development hosted on-premises or in the cloud, while offering ease of use for end users, is a constant challenge.

You can make it much harder for attackers to reach protected information by requiring an additional credential such as a one-time passcode (OTP). OTP is one component of MFA. MFA is a crucial security feature of any IAM solution because it requires verification of multiple, independent factors:

  • Something the user knows: a username and password.
  • Something the user has: an OTP generated by a hardware token or by an authenticator application on the user’s smartphone, or delivered by email or SMS.
  • Something the user is: biometric information such as a fingerprint.

Therefore, even if an attacker has a valid username and password, they cannot access the system without the additional factor.

Fortinet MFA provides easy-to-use secure access to corporate VPNs, Wi-Fi, on-premises, or cloud-based apps. Users can quickly log on by responding to a push notification on their smart device during the authentication process.


Increase Security While Providing Easier Access for Users with Single Sign-on (SSO)

Centrally managing user identities and their access to organizational resources is the most effective identity and access management (IAM) security practice. With the IAM centralized solution, IT admins can enforce password complexity requirements and multi-factor authentication. Plus, Fortinet IAM delivers a better user experience when accessing services and applications in the cloud or on premises.

Single sign-on (SSO) is a key component of IAM that enables users to securely authenticate with multiple applications and websites by logging in only once. However, not all SSO solutions are built equally. Some providers offer an SSO solution for web-based applications, while others leverage public cloud infrastructure. Still, other SSO solutions are designed for on-premises services including applications, file storage, servers, and networks. Solely adopting a web-based-application SSO solution is inefficient for effective identity security because cloud infrastructure and on-premises services will have different SSO requirements. As a result, managing (and federating) identities will largely remain decentralized and would require integration efforts across different SSO solutions to provide true SSO capability.

Fortinet FortiAuthenticator provides a comprehensive approach to SSO with centralized identity management. It authenticates users with traditional on-premises as well as modern web and cloud authentication protocols. Organizations gain full control. You can securely connect your users to appropriate resources in the cloud or on premises while improving their experience.



Product Demo

This full working demo lets you explore the many capabilities of FortiAuthenticator - for user identification, single sign-on, and/or two-factor authentication. You can see the range of identity sources (integration with directory services), authentication methods (hardware, software, SMS tokens), end user self-service portal, and more. And you'll quickly learn how easy it is to scalably add these capabilities to a FortiGate deployment.

Identity and Access Management FAQs

What is FortiAuthenticator (FAC)?
FortiAuthenticator centralizes all authentication services, including two-factor authentication (2FA), Fortinet Single Sign On, SAML 2.0 single sign-on, and portals to support guest, onboarding, and life-cycle certificate management.

Does FAC work with virtual machines?
Yes. FAC licensing for virtual machines covers 100 to 1M+ users. The license is perpetual and stackable, with no limit on CPU or RAM. FAC is also offered as hardware appliances; refer to the FAC datasheet for detailed specifications.

Does FAC Support high-availability and load balancing?
Yes.

Fortinet FortiGate already supports authentication (including SAML) with 2FA. Why do I need FAC?
FAC is necessary when the security architecture requires a central authentication management platform beyond the authentication functionality found in a single FortiGate. Generally, FAC is necessary where authentication integration is needed and more than one FortiGate is deployed in the environment.

What authentication protocols or methods does FAC support?
A wide range of networking-, web-, and portal-authentication protocols.

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.

For additional information, download the FAC Datasheet

What is Two-Factor Authentication?
Two-factor authentication (2FA) is a method of establishing access to an online app, account, or network device that requires the user to provide two different types of information. The first factor is simply a way to convince an online service or network device that you are who you say you are; typically this is something you know, such as a username and password pair. The second factor requires you to prove your identity with something that you have, e.g., a token.

Are all Two-Factor Authentication solutions equally effective?
There is a wide range of approaches and form factors for two-factor authentication. Some are much more secure than others.

  • Hardware tokens are the traditional 2FA method. They often come in a key-fob form factor with a display showing time-based one-time passwords (OTPs). The hardware itself protects its internal seed.
  • Mobile tokens work like hardware tokens but are delivered as a mobile app. For security effectiveness, distinguish the app from the token: the app is the OTP generator, and the seed binds to a specific token installed in the app. During token activation, an effective solution delivers the token seed encrypted, not in the clear. Fortinet FortiToken Mobile (FTM) delivers the token seed encrypted during activation and prevents the token from activating on multiple devices simultaneously. Additionally, FTM with FortiAuthenticator or FortiToken Cloud offers a patented cross-token transfer service for FTM and third-party tokens. This allows secure transfer of tokens across devices running iOS or Android, a benefit offered by no other app at this time.
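
The OTPs discussed under MFA above and in this answer are, for OATH-compliant tokens, RFC 6238 TOTP built on RFC 4226 HOTP. The following Python is an added example written for this page, not Fortinet's or FortiToken's code. It uses the RFCs' published test seed (a real token's seed is a random per-token secret, which is exactly the value the text says must be delivered encrypted); the drift window, replay rule and constant-time comparison on the verifying side are common server-side choices and are not a description of FortiAuthenticator's implementation.

```python
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 reference seed (ASCII "12345678901234567890"). A real
# token's seed is a random per-token secret; as the text above notes, it must
# be delivered to the app encrypted and must not be active on several devices.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation, then reduce to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step (30 s).
    Token and server never exchange the code's inputs; they only share the seed."""
    return hotp(seed, unix_time // step, digits, algo)


def verify_totp(seed: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, last_counter: int = -1):
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps (clock drift), compares in constant time, and refuses any counter at
    or below the last accepted one, so a captured code cannot be replayed inside
    the window. Returns (accepted, new_last_counter) for the caller to persist."""
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        expected = hotp(seed, counter, digits).encode()
        if hmac.compare_digest(expected, candidate.encode()):
            return True, counter
    return False, last_counter
```

With the RFC seed, totp(RFC_SEED, 59) yields 287082 and the 8-digit form 94287082, matching the RFC 6238 test vectors. The last_counter rule is what makes a one-time password one-time: without it, a code phished or shoulder-surfed within the drift window still works.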

What token options does Fortinet offer?
A comprehensive range of token types:

  • Hardware tokens in several form factors: mini credit-card and key fob with large display, plus a USB form factor for the PKI smart-card token
  • Software Token on multiple mobile platforms (iOS, Android, Windows)
  • MFA-as-a-Service on Fortinet FortiToken Cloud

What is SAML 2.0 authentication?
Security Assertion Markup Language (SAML) is a standard format used to authenticate users for access to online apps using single sign-on. It is an XML-based framework for authentication and authorization between two entities: a Service Provider (SP) and an Identity Provider (IdP). An SP is an online app or service to which a user wishes to gain access, whereas the IdP performs the user authentication.

There are two user flows in SAML 2.0 authentication:

  • The IdP-initiated flow typically starts from a page within the IdP that lists the apps or services the user may log in to, based on their access rights. The SP trusts the IdP and grants access once the IdP has authenticated the user.
  • The SP-initiated flow starts when the user or browser requests an app or service offered by the SP. The SP creates a SAML AuthnRequest and forwards the user, with the request, to the IdP for authentication. The SP grants access once the IdP returns a Response asserting that the user has been verified and authenticated.
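
The SP-initiated flow above, as an added example that is not FortiAuthenticator's code: the SP builds the AuthnRequest, a constructed stand-in for the IdP's Response is produced, and the SP validates that Response before granting access. The entity IDs and URLs are made up for the example. XML signature verification (XML-DSig over the Assertion) is deliberately left out and is mandatory in practice; the checks shown (InResponseTo, issuer, destination, audience, validity window, one-time use) stop replay and cross-SP misuse but not a forged assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers for this example only; not Fortinet defaults.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/idp"


def ts(unix: int) -> str:
    return datetime.fromtimestamp(unix, tz=timezone.utc).strftime(TS_FMT)


def parse_ts(s: str) -> int:
    return int(datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc).timestamp())


def build_authn_request(request_id: str, now: int) -> str:
    """Step 1: the SP creates the AuthnRequest it sends (via the browser) to the
    IdP and remembers request_id so it can match the reply."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": ts(now),
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def build_idp_response(in_response_to: str, name_id: str, now: int,
                       audience: str = SP_ENTITY_ID, issuer: str = IDP_ENTITY_ID) -> str:
    """Step 2, constructed stand-in for the IdP's Response (unsigned; example only)."""
    tag = in_response_to.strip("_")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-" + tag, "Version": "2.0", "IssueInstant": ts(now),
        "InResponseTo": in_response_to, "Destination": SP_ACS_URL})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_assert-" + tag, "Version": "2.0", "IssueInstant": ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": ts(now - 60), "NotOnOrAfter": ts(now + 300)})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    return ET.tostring(resp, encoding="unicode")


def validate_response(xml_text: str, outstanding_ids: set, now: int):
    """Step 3: what the SP checks before granting access. XML-DSig verification
    is out of scope here; without it these checks alone are NOT sufficient."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not this SP's ACS URL"
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        return False, "InResponseTo matches no outstanding request (unsolicited or replayed)"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    for issuer in (root.findtext("saml:Issuer", namespaces=NS),
                   assertion.findtext("saml:Issuer", namespaces=NS)):
        if issuer != IDP_ENTITY_ID:
            return False, f"unexpected issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion is addressed to a different SP"
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no NameID"
    outstanding_ids.discard(in_response_to)  # consume: one Response per request
    return True, name_id
```

The audience check is the one most often skipped in home-grown SPs: an assertion the same IdP issued for a different application is otherwise accepted as a login here. Consuming the request ID on success is what distinguishes the SP-initiated flow from an unsolicited (IdP-initiated) Response, which an SP may choose to refuse altogether.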

Does FAC support both SAML 2.0 flows?
Yes, FortiAuthenticator supports both SAML 2.0 flows, IdP-initiated and SP-initiated, with strong authentication (2FA). For more complex deployments, FAC also provides an IdP proxy capability to simplify enterprise cloud app adoption.

What is Single Sign-on (SSO)?
SSO is a part of an Identity and Access Management (IAM) capability. It enables users to securely authenticate only once with their credentials and be able to use multiple applications to which the user has access rights.

What is Fortinet Single Sign-on (FSSO)?
Fortinet Single Sign-On, formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache platforms. The FAC identifies users based on their authentication from a different system. Users can then be authenticated via several methods, including the following:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FAC RestAPI. (This is useful for integration with third-party systems.)
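
The RADIUS Accounting trigger in the list above, as an added example that is not Fortinet's implementation: a constructed Accounting-Request such as a switch or VPN gateway would send, parsed into the user/IP logon or logoff event an FSSO collector needs. The packet layout and Request Authenticator come from RFC 2865/2866; the shared secret, addresses and attribute values are made up. The authenticator check is the security-relevant part: an accounting source that is not authenticated lets anyone who can reach the accounting port map a privileged user onto an IP of their choosing.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                   # RADIUS code: Accounting-Request
USER_NAME, NAS_IP, FRAMED_IP = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
STATUS = {1: "logon", 2: "logoff", 3: "update"}    # Start, Stop, Interim-Update


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident: int, secret: bytes, attrs) -> bytes:
    """NAS side. Request Authenticator = MD5(Code | ID | Length | 16 zero octets |
    Attributes | Secret), per RFC 2866 section 3."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + authenticator + body


def sample_packet(secret: bytes, status: int = 1, user: bytes = b"alice",
                  ip: str = "10.1.2.3") -> bytes:
    """Constructed sample Accounting-Request (all values made up for the example)."""
    return build_accounting_request(7, secret, [
        (USER_NAME, user),
        (NAS_IP, ipaddress.IPv4Address("10.0.0.1").packed),
        (FRAMED_IP, ipaddress.IPv4Address(ip).packed),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, b"0000A1B2"),
    ])


def parse_attributes(body: bytes):
    """Walk the TLV list; return None on any length that does not fit."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            return None
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            return None
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def accounting_to_fsso_event(packet: bytes, secret: bytes):
    """Collector side: authenticate the packet, then map it to an FSSO event.
    Returns (event, None) on success or (None, reason). The event's "action" is
    logon/logoff/update; only logon and logoff change the user-to-IP table."""
    if len(packet) < 20:
        return None, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None, "not a well-formed Accounting-Request"
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None, "authenticator mismatch (wrong shared secret or forged/tampered packet)"
    attrs = parse_attributes(body)
    if attrs is None:
        return None, "malformed attribute list"
    event = {}
    for t, v in attrs:
        if t == USER_NAME:
            event["user"] = v.decode("utf-8", "replace")
        elif t == FRAMED_IP and len(v) == 4:
            event["ip"] = str(ipaddress.IPv4Address(v))
        elif t == ACCT_STATUS_TYPE and len(v) == 4:
            event["action"] = STATUS.get(struct.unpack("!I", v)[0], "unknown")
        elif t == ACCT_SESSION_ID:
            event["session"] = v.decode("utf-8", "replace")
        elif t == CALLING_STATION_ID:
            event["mac"] = v.decode("utf-8", "replace")
    for key in ("user", "ip", "action"):
        if key not in event:
            return None, f"missing {key}"
    return event, None
```

The MD5-based authenticator only proves knowledge of the shared secret, so in a deployment it should be paired with a per-NAS secret and a source-address restriction on the accounting listener; a collector that accepts accounting from any source with a shared site-wide secret is one leaked secret away from attacker-controlled identity-to-IP mappings.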

What is Fortinet Mobile Single Sign-on Agent?
It is a feature of FortiClient Endpoint Security. The agent automatically provides user name and IP address information to FAC for transparent authentication. IP address changes, such as those due to WiFi roaming, are automatically sent to the FAC. When the user logs off or otherwise disconnects from the network, FAC is aware of this and de-authenticates the user.

What cloud IdPs does FAC support?
Any SAML 2.0-compliant IdP can be supported. Most SAML 2.0 IdPs have an option to create a custom attribute, and FAC can match against almost any custom user or group attribute. IdPs that have been tested include Azure, G Suite, and Okta.

Is 2FA supported for O365 as a cloud application?
Yes. O365 is supported as a SAML SP when FAC is the IdP, with an on-premises Active Directory (AD) as the LDAP authentication source.

What are the prerequisites for O365 as an SP when FAC is set up as the IdP?
On FAC, set up O365 as a SAML SP and create an LDAP (or LDAPS) authentication connection to your on-premises AD.

Can FAC map the domain name for a SAML IdP that only provides a “UserID”?
Yes. Each SAML IdP can be mapped to a Realm.

What FortiOS versions support FortiToken Cloud?
The earliest is FortiOS 6.2.x

For new token requests for Cloud 2FA, does that request route to Fortinet sales or Fortinet partners or is it allowing for a direct purchase through Fortinet?
All FTC licenses are available as SKUs on the price list. Only the lowest-point SKU (120 points) can be purchased in-app.

Does FortiToken Cloud also require the purchase of the FortiToken Mobile or physical token licenses?
FortiToken Mobile is included in the FortiToken Cloud subscription. FortiToken physical tokens are a separate purchase.

How is SMS enabled on FortiToken Cloud?
SMS can be used in place of email to send an activation code for FortiToken Mobile via the mobile app. SMS can also be used in place of FortiToken Mobile to deliver OTP as an ongoing two-factor authentication. This method, however, is less secure and should only be used as a temporary solution for non-critical access.

In my FortiToken Cloud subscription, do I calculate 1 point for 1 user for a month’s usage?
Once a licensed user is registered, the FortiToken Cloud points are yours to use. One point = one user x one month. FortiToken Mobile tokens are included in the subscription to FortiToken Cloud, and there is no additional usage charge for FortiToken Mobile tokens. One point is also consumed for every 250 SMS messages used.

Does Fortinet have any documentation to show how to setup FTM Push?
Yes; Fortinet publishes setup documentation for FTM push.

Does Fortinet have any documentation to share with customers on how to setup FTM push from FAC without opening ports up?
Yes; Fortinet publishes documentation for setting up FTM push from FAC without opening inbound ports.

Does FAC or FTC offer cross-token transfer across different devices running iOS or Android?
Yes. Users need to enable token transfer option in FAC and have at least one FTM token installed in the FTM app.