Today’s enterprise identity environments are made up of various systems of record ranging from networking devices, servers, directory services, and cloud applications. Managing an identity that resides in these various systems can quickly grow into such a large administrative challenge that it negatively affects users, administrators, and application developers.

Additionally, many of today’s most damaging security breaches have been due to compromised user accounts and passwords exacerbated by users being provided with inappropriate levels of access. Securely and effectively managing identity authentication and authorization for all systems and applications is crucial to minimize security breaches.

Fortinet IAM provides the services necessary to securely confirm the identities of users and devices as they enter the network. With our robust solution, you can control and manage identity to securely connect the right users to only the appropriate resources.

The Fortinet IAM solution includes the following products:

• FortiAuthenticator protects against unauthorized access to corporate resources by providing centralized authentication services for the Fortinet Security Fabric, including single sign-on services, certificate management, and guest access management.
• FortiToken further confirms the identity of users by adding a second factor to the authentication process through physical or mobile-application tokens.
• FortiToken Cloud offers multi-factor authentication (MFA) as a service. Organizations can use its intuitive dashboard to manage MFA.

The combination of FortiAuthenticator and FortiToken or FortiToken Cloud effectively addresses the identity and access management challenges organizations face in this era of rapidly increasing user and device connectivity.

The increase in cloud-based applications and connected devices have changed the way we work. This has also expanded the attack surface, giving cybercriminals more opportunities for targeted attacks. To avoid breaches, organizations need to ensure the right users are accessing the right network resources.

Fortinet User Authentication provides you with the tools and capabilities to effectively manage identity and authentication of users, devices, and guests or partners. You can federate identity to provide a great experience for your users.

Flexible deployment options let you decide the best way to deploy the solution, depending on your needs. Choose on-premises ready-to-use hardware, a virtual machine, managed cloud, or identity-as-a-service (IDaaS). Quickly integrate Fortinet IAM with existing authentication infrastructure such as active directory (AD) or LDAP, or with new services through cloud service providers. 

FortiAuthenticator provides integration with many leading IT vendors as part of the Fortinet Security Fabric. Below is a list of current FortiAutheticator Alliance Partners:

What is FortiAuthenticator?
FortiAuthenticator centralizes all authentication services, including multi-factor authentication, Fortinet single sign-on, web single sign-on using SAML or OAuth protocols, passwordless login, and portals to support guest, onboarding, self-service, and life-cycle certificate management.

Does FortiAuthenticator work with virtual machines?
Yes. FortiAuthenticator coverage for virtual machines is offered for 100-1M+ users. The license is perpetual and stackable. It does not have a limit on CPU or RAM. FortiAuthenticator also offers four appliance models. Refer to the FortiAuthenticator datasheet for detailed specifications.

Does FortiAuthenticator support high availability and load balancing?
Yes.

What authentication protocols or methods does FortiAuthenticator support?
It supports a wide range of networking-, web-, and portal-authentication protocols. Users can authenticate using:

• A web portal and a set of embeddable widgets.
• RADIUS/RADSec, TACACS+, SAML, OAUTH2, FIDO2 WebAuthn
• FortiClient single sign-on mobility agent for automatic authentication (if users have FortiClient endpoint security installed).
• Authentication against Active Directory (automatic authentication).
• RADIUS Accounting packets that trigger a Fortinet single sign-on authentication.

For additional information, download the FortiAuthenticator datasheet.

Fortinet FortiGate already supports authentication that includes Security Assertion Markup Language (SAML) with MFA. Why do I need FortiAuthenticator?
FortiAuthenticator is necessary when the security architecture requires a central authentication management platform beyond the authentication functionality found in a single FortiGate. Generally, FortiAuthenticator is necessary where authentication integration is needed and more than one FortiGate is deployed in the environment.

What is SAML 2.0 authentication?
Security Assertion Markup Language (SAML) is a standard format that is used to authenticate users for access to online apps using a single sign-on. It is an XML-based framework for authentication and authorization between a service provider (SP) and an identity provider (IdP). An SP entity is an online app or service a user wants to access, whereas an IdP entity performs the user authentication function.

SAML 2.0 authentication has two user flows:

• The IdP flow is typically initiated by a page within the IdP that displays a list of available apps or services that a user can log in based on his access rights. The SP agrees to trust the IdP and provides access once the IdP authenticates the user.
• The SP flow is initiated when the user or browser requests access to the app or service offered by the SP. As the user attempts to access the online app, the SP creates a SAML request, which forwards the user and the request information to the IdP for authentication. The SP grants the user access once the user is verified and authenticated by the IdP.

Does FortiAuthenticator support IdP-initiated and SP-initiated SAML 2.0 flows?
Yes, FortiAuthenticator offers both IdP-initiated and SP-initiated SAML 2.0 flows with strong multi-factor authentication. With more complex deployments, FortiAuthenticator also provides an IdP proxy capability to simplify enterprise cloud app adoption.

What cloud IdPs does FortiAuthenticator support?
Any SAML 2.0-compliant IdP can be supported. Most SAML 2.0 IdPs have an option to create a custom attribute. FortiAuthenticator can match against almost any custom user or group attribute. IdPs that have been tested include Azure, GSuite, and Okta.

Is MFA with the Microsoft Office 365 (O365) cloud application supported?
We support O365 as a SAML SP when using FortiAuthenticator as the IdP with an on-premise Active Directory and hybrid Azure Active Directory with LDAP authentication.

What is the pre-requisite in O365 as an SP when FortiAuthenticator is set up as an IdP?
We support O365 as a SAML SP when using FortiAuthenticator as the IdP with an on-premise Active Directory with LDAP authentication. On FortiAuthenticator, you only need to set up O365 as a SAML SP and create an LDAP(s) authentication connection to your on-premise Active Directory.

Can FortiAuthenticator map the domain name on a SAML IdP that only has “UserID”?
Yes. Each SAML IdP can be mapped to a realm.

What is open authorization or OAuth 2.0?
OAuth is an authorization (not authentication) framework that allows third-party services to exchange your information without necessarily revealing your credentials or password.

What is Fast Identity Online or FIDO?
FIDO is another type of authentication. In the industry, it is also known as passwordless authentication. FIDO is an open standard that was developed by the FIDO Alliances and the World Wide Web Consortium. FIDO is a lightweight approach to asymmetric public-key cryptography that provides organizations a way to extend the security benefits of public-key cryptography to a wider array of applications, domains, and devices. FIDO is designed to reduce password usage, avoid the sharing of secrets, and create a path toward using a single credential for authenticating to multiple service providers such as web sites and mobile services.

Does Fortinet implement FIDO via SAML IdP-initiated flow?
Yes.

What is adaptive authentication?
Adaptive authentication uses contextual information of any given login attempt to evaluate risk. Two-factor authentication is only necessary if that risk is higher than a predetermined threshold. The login can be blocked if the potential risk is deemed high enough.

What is single sign-on?
Single sign-on (SSO) is a part of an identity and access management (IAM) capability. With SSO, users need to securely authenticate only once with their credentials to be able to use multiple applications to which the user has access rights.

What is Fortinet Single Sign-On?
Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache platforms. FortiAuthenticator identifies users based on their authentication from a different system. The users can then be authenticated using several methods, including:

• Users can authenticate through a web portal and a set of embeddable widgets.
• Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
• Users authenticating against Active Directory can be automatically authenticated.
• RADIUS accounting packets can be used to trigger an FSSO authentication.
• Users can be identified through the FortiAuthenticator RestAPI. (This option is useful for integration with third-party systems.)

What is multi-factor authentication?
Multi-factor authentication (MFA) is a method of establishing access to an online app, account, or network device that requires the user to provide more than a single type of credential. The first-factor is a way to convince an online service or network device that you are who you say you are. Typically, it is something you know such as your username and password. The second-factor requires you to prove your identity with something that you have such as a token.

Are all multi-factor authentication solutions equally effective?
Multi-factor authentication uses a wide range of approach and form factors, and some are more secure than others.

• Hardware tokens are the traditional MFA method. Tokens often come in a key fob form-factor with a display that shows time-based one-time passwords. The hardware itself protects its internal key.
• Mobile tokens work like hardware tokens, but are delivered using a mobile app. A distinction between the mobile app and token must be considered for security effectiveness. The app is the one-time password generator, and the seed specifically binds to a token that is installed on the app. During token activation, an effective solution delivers the token seed in encrypted format, not in a clear form. Fortinet FortiToken Mobile delivers an encrypted token seed securely during activation and prevents the token from activating on multiple devices simultaneously. Additionally, FortiToken Mobile with FortiAuthenticator or FortiToken Cloud offers a patented cross-token transfer service for FortiToken Mobile and third-party tokens. This service securely transfers tokens across different platforms running iOS or Android, which is a benefit no other app has at this time.
• One-time passwords that are delivered by email and SMS are less secure. This approach is not considered a best practice.

What token options does Fortinet offer?
Fortinet offers a comprehensive range of token types:

• Hardware with various form-factors, including a mini credit card, a key fob with a large display, a public key infrastructure (PKI) smart-card token, and driverless USB form factors
• Software tokens on multiple mobile platforms, including iOS, Android, and Windows
• MFA-as-a-Service on the Fortinet FortiToken Cloud

Where can I find documentation that show how to set up FortiToken Mobile push?
Please refer to the documentation here.

Does Fortinet have any documentation to share with customers on how to set up FortiToken Mobile push from FortiAuthenticator without opening ports?
Please refer to the documentation here.

When licensing for high-availability, do I need to duplicate licenses for FortiAuthenticator units? What about FortiToken Mobile licenses for FortiToken?
For FortiAuthenticator, you need to duplicate licenses for high-availability units whether they are hardware or virtual machines. For FortiToken Mobile licenses, there is no need to duplicate licenses. FortiToken Mobile licenses only need to be activated on the primary unit and will be replicated automatically across all other high-availability cluster members.

What is FortiToken Cloud?
FortiToken Cloud is a subscription-based MFA-as-a-Service by Fortinet. It enables FortiGate and FortiAuthenticator customers to add multi-factor authentication for their respective users, with no additional hardware or software required. It protects local and remote FortiGate and FortiAuthenticator administrators as well as firewall and VPN users.

What FortiOS versions support FortiToken Cloud?
FortiOS 6.2.x and later support FortiToken Cloud.

Does FortiToken Cloud also require the purchase of FortiToken Mobile or physical token licenses?
FortiToken Mobile is included in the FortiToken Cloud subscription. FortiToken physical tokens are a separate purchase.

How is SMS enabled on FortiToken Cloud?
SMS can be used in place of email to send an activation code for FortiToken Mobile using the mobile app. SMS can also be used in place of FortiToken Mobile to deliver a one-time password as an ongoing two-factor authentication. However, this method is less secure and should only be used as a temporary solution for non-critical access.

Does FortiAuthenticator or FortiToken Cloud offer cross-platform token transfer across different devices running iOS or Android?
Yes. Users need to enable the token transfer option in FortiAuthenticator and have at least one FortiToken Mobile token installed in the FortiToken Mobile app.

For new token requests for cloud two-factor authentication, does that request route to Fortinet sales or Fortinet partners, or is it allowing for a direct purchase through Fortinet?
All FortiToken Cloud licenses are available as SKUs on the price list. Only the lowest point SKU (120 credits) is available for purchase using the app.

What is the Fortinet mobile single sign-on agent?
It is a feature of FortiClient endpoint security. The agent automatically provides user name and IP address information to FortiAuthenticator for transparent authentication. IP address changes, such as those resulting from Wi-Fi roaming, are automatically sent to the FortiAuthenticator. When the user logs off or otherwise disconnects from the network, FortiAuthenticator is aware of this action and de-authenticates the user.

Where can I find relevant resources for FortiAuthenticator, FortiToken, and FortiToken Cloud?
Click on the product name for relevant resources: FortiAuthenticator, FortiToken, and FortiToken Cloud.

How do I purchase and renew FortiToken Cloud licenses?
Refer to the documentation here for detailed information.

Does FortiToken Cloud support the RestAPI for integration? If so, where can I get more information?
Yes, it supports the RestAPI. You can find more information here.

How can I contact Fortinet if I have additional questions?
Please reach out to your sales representative or join the Fortinet Community for additional questions and answers.