Overview:
Centralized Identity and Access Management Solution
Network and Internet access is key for almost every role within the enterprise; however, this requirement must be balanced with the risk that it brings. The key objective of every enterprise is to provide secure but controlled network access enabling the right person the right access at the right time, without compromising on security.
FortiAuthenticator is a scalable Identity and Access Management (IAM) solution that enhances security and simplifies authentication for enterprises. Available as a physical or virtual appliance for private and public cloud deployments, it provides robust services such as RADIUS/TACACS+ service, Multi-Factor Authentication (MFA), Passwordless Authentication, Adaptive Authentication (AA), Single Sign-On (SSO), Identity Provider (IdP) and IdP Proxy, System for Cross-domain Identity Management (SCIM), Fortinet Single Sign-On (FSSO), and Certificate Authority.
FortiAuthenticator integrates seamlessly with remote on-prem and cloud directories, applications, and Fortinet's Security Fabric. This integration ensures secure and streamlined access to business resources and internal and external SaaS applications (e.g., Microsoft 365). Supporting legacy and modern authentication protocols, including FIDO passkeys, FortiAuthenticator employs context-aware, adaptive authentication to grant, challenge, or deny access based on login criteria. Acting as a gatekeeper, it identifies users, queries third-party access permissions, and communicates identity-based policies to FortiGate devices, securing enterprise networks with precision and ease.
Highlights
- Centralized user authentication and authorization
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- FIDO passwordless registration and authentication
- Certificate management
- RADIUS, TACACS+, LDAP, SAML IdP and SP support
- Fortinet Single Sign-On (FSSO)
- Trusted Endpoint SSO
Features:
Centralized Authentication
FortiAuthenticator streamlines and secures user authentication by acting as a standalone IdP or integrating with both on-premises and cloud identity providers, offering seamless access to systems and applications for users, regardless of location. It supports a wide range of multi-factor authentication (MFA) methods, including FortiToken, SMS and email OTP, and FIDO2 for passwordless authentication, delivering a consistent, secure, and unified authentication experience. By centralizing authentication, FortiAuthenticator enhances security across the organization, improves operational efficiency, and reduces the complexity associated with managing multiple disparate authentication systems.
FortiAuthenticator integrates seamlessly with multiple Fortinet products and services, providing identity management and strong authentication across Fortinet's Security Fabric. Additionally, it functions as a fully standalone authentication solution for third-party environments, supporting RADIUS and LDAP authentication and SAML and OAuth/OIDC SSO. This flexibility allows organizations to implement FortiAuthenticator in both Fortinet-centric and heterogeneous IT infrastructures with ease.
Strong User Identity with Multi-Factor Authentication (MFA)
FortiAuthenticator enhances user security by enforcing robust multi-factor authentication (MFA) to secure access to critical resources. It supports a diverse range of MFA methods, including FortiToken Mobile and hardware tokens, SMS and email OTP, client certificate-based authentication, and FIDO2 for passwordless authentication, ensuring flexible and secure user verification across all scenarios.
By combining user identity information with authentication data from FortiToken or FIDO2 services, FortiAuthenticator ensures only authorized individuals gain access, reducing the risk of unauthorized access and data breaches. This added layer of security also helps organizations comply with government and business privacy regulations.
With the industry's widest range of MFA options, FortiAuthenticator accommodates diverse user needs, offering time-based physical tokens, mobile apps (iOS, Android, Windows), and modern passwordless methods like FIDO2. Its capabilities extend to controlling access for FortiGate management, SSL/IPsec VPNs, wireless captive portals, third-party RADIUS-compliant networking equipment, and SAML service providers.
FortiAuthenticator also features a REST API for adding MFA to custom web-based applications, enabling seamless integration into existing workflows. To simplify local user management, it includes self-registration and password recovery capabilities, ensuring a streamlined and user-friendly experience.
Multi-Factor Authentication (MFA)
FortiAuthenticator delivers strong, centralized multi-factor authentication (MFA) using FortiToken to verify user identities across VPN, network, and cloud applications. By combining a user's primary credentials with a FortiToken—whether mobile app, hardware OTP, or FIDO2 security key—it adds a secure second factor that protects against password compromise and unauthorized access. Supporting methods like one-time passwords, push approvals, and passwordless login, FortiAuthenticator seamlessly integrates with Fortinet's Security Fabric and external identity providers to provide adaptive, user-friendly MFA for zero-trust, identity-driven access.
Certificate Management
FortiAuthenticator serves as a robust Certificate Authority (CA), enabling administrators to create, import, and manage X.509 certificates, including server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPNs. It supports the full certificate lifecycle, including generation, signing, and revocation, and offers streamlined management of Certificate Revocation Lists (CRLs).
To ensure secure and automated certificate operations, FortiAuthenticator supports SCEP and CMP protocols, simplifying certificate deployment and renewal processes. It integrates seamlessly with remote LDAP servers, verifying identities using trusted CA certificates, and supports EAP authentication by validating client certificates against authorized CA certificates and user records.
In environments with site-to-site VPNs, where pre-shared keys can pose a security risk, FortiAuthenticator enhances security by enabling certificate-based VPNs. Its integration with FortiManager automates bulk certificate deployment and simplifies certificate management, removing the complexity traditionally associated with these solutions. Certificates are securely delivered via the SCEP protocol, making it easier to implement and manage certificate-secured VPNs within FortiGate environments.
For client-based VPNs, FortiAuthenticator supports the FortiToken 300 USB Certificate Store, a secure, PIN-protected hardware solution that enhances client VPN security. This USB-based certificate store is fully compatible with FortiClient, ensuring an additional layer of protection for client VPN connections.
Adaptive Authentication
FortiAuthenticator provides advanced adaptive authentication capabilities by analyzing contextual factors during login, such as user location, device type, time of day, behavior patterns, and IP address. Based on this context and predefined policies, it dynamically adjusts authentication requirements, such as enforcing MFA, bypassing MFA, or blocking access entirely. This approach ensures secure, context-aware access control, allowing organizations to apply stricter security measures or deny access based on risk. These adaptive features enable organizations to strengthen security while maintaining a seamless user experience.
Protocol Support for Flexible Integration
FortiAuthenticator is designed for interoperability, supporting a wide range of protocols including RADIUS, SAML, OIDC, LDAP, and TACACS+. This extensive protocol compatibility ensures seamless integration with diverse systems, allowing organizations to leverage existing infrastructure while enhancing security and scalability.
802.1X Authentication
FortiAuthenticator supports 802.1X authentication, a foundational protocol for enterprise network access control. Acting as a RADIUS server, it provides authentication, authorization, and accounting (AAA) services for devices connecting to wired, wireless, or VPN networks. By validating user credentials, device certificates, or both, FortiAuthenticator ensures that only authorized users and devices gain access, effectively preventing unauthorized network access.
FortiAuthenticator integrates seamlessly with existing identity stores such as Active Directory, LDAP, and PKI systems, and supports advanced protocols like EAP-TLS for certificate-based authentication. These capabilities enable enterprises to enforce Zero Trust principles, ensure compliance with security policies, and safeguard sensitive resources against unauthorized access.
With FortiAuthenticator, organizations can achieve secure port-level access control for LAN and WLAN environments, offering robust protection for enterprise networks while supporting scalable and flexible deployment options.
TACACS+ and RADIUS Authentication
Serving as a centralized Authentication, Authorization, and Accounting (AAA) server, FortiAuthenticator supports both TACACS+ and RADIUS protocols. This approach enables secure network access control by authenticating users and devices, enforcing access policies, and providing granular control over network commands and configurations.
Single Sign-On (SSO)
FortiAuthenticator can function as a SAML Identity Provider (IdP) or as an IdP proxy, allowing it to federate user and group information from remote IdPs to service providers (SPs) (including FortiGate). It supports both SP-initiated and IdP-initiated login flows, ensuring compatibility with a wide range of systems. Additionally, FortiAuthenticator can serve as an OIDC Provider, making it ideal for scenarios involving mobile and native applications.
Trusted Endpoint SSO
FortiAuthenticator's Trusted Endpoint SSO feature enhances seamless and secure user authentication by leveraging FortiClient EMS and ZTNA. Once users log in to their endpoint devices, their credentials are securely cached by FortiAuthenticator, allowing for transparent authentication to service providers without requiring repeated logins.
This feature integrates device security posture checks from FortiClient EMS, ensuring only trusted and compliant endpoints are granted access. It enhances user experience, reduces friction during authentication, and enforces Zero Trust principles by validating both user identity and device trustworthiness. This feature makes Trusted Endpoint SSO a valuable differentiator for organizations prioritizing secure, user-friendly access.
Fortinet Single Sign-On (FSSO)
Fortinet Single Sign-On (FSSO) is a proprietary feature that enables seamless and transparent user authentication for FortiGate firewalls. By collecting user, IP, and group information from external identity sources such as Active Directory or LDAP, FSSO allows FortiGate devices to enforce identity-based policies for network access control. FortiAuthenticator serves as a central collector for user authentication events, channeling login and logout status from various sources and ensuring accurate identity tracking across Fortinet deployments.
FortiAuthenticator's FSSO capability ensures consistent and centralized user identity management for FortiGate deployments. By supporting multiple authentication methods and integrating with diverse directory systems, it provides flexibility for complex network environments. This approach not only enhances security by enabling identity-based policies but also improves the user experience with transparent authentication processes.
Key Features of FortiAuthenticator FSSO Integration:
- Active Directory Polling: FortiAuthenticator detects user logins by regularly polling Active Directory domain controllers. Once a login is identified, it collects the username, IP address, and group details, storing them in the FortiAuthenticator User Identity Management Database. These details can then be shared with multiple FortiGate devices to enforce identity-based policies.
- FortiAuthenticator SSO Mobility Agent: For distributed or complex domain environments where polling domain controllers is impractical, the FortiAuthenticator SSO Mobility Agent provides an alternative. Distributed via FortiClient or as a standalone application, it communicates login events, IP changes (e.g., between wired and wireless networks), and logout events to FortiAuthenticator, ensuring real-time user tracking without relying on polling.
- Explicit Authentication Portal and Widgets: For systems that do not support AD polling or where an SSO client is not feasible, FortiAuthenticator offers a user authentication portal. Users can manually log in to gain network access, and to streamline repeated logins, organizations can deploy widgets on their intranet. These widgets leverage browser cookies to automatically log in users when they access the intranet homepage.
- RADIUS Accounting Integration: In networks utilizing RADIUS authentication (e.g., for wireless or VPN access), RADIUS Accounting can serve as a user identification method. FortiAuthenticator uses this information to detect logins, associate IP and group details with users, and eliminate the need for redundant authentication tiers.
System for Cross-domain Identity Management (SCIM)
FortiAuthenticator supports SCIM, an open standard for automating the exchange of user identity information between identity providers and service providers. This method facilitates seamless synchronization of user data, streamlining provisioning and deprovisioning processes, and reducing administrative overhead.
Offline Token Provisioning for Air-Gapped Environments
FortiAuthenticator ensures secure authentication even in air-gapped environments by supporting offline token provisioning. Administrators can activate FortiToken Mobile tokens without internet connectivity through QR codes or manual activation codes. This feature is particularly valuable for operational technology (OT) networks and other isolated environments where internet access is restricted, providing robust authentication while maintaining strict network isolation and security.