
External Authentication Settings

This screen allows you to define servers for external user authentication. Once one or more authentication server profiles have been defined, users of the system can be configured to be authenticated locally or by one or more of these external authentication servers. To configure a user for external authentication, select that user from the CMDB > Users screen and select 'External' as the authentication mode. If more than one authentication profile is associated with a user, the servers are contacted one by one until a connection to one of them succeeds. Once a server has been reached, a failed authentication ends the process (there is no fallback to the next server) and the user is notified that authentication failed.

The following section describes the procedure to configure External Authentication Settings:

Adding External Authentication settings

Prerequisites

The following sections describe the prerequisite steps to complete before setting up external authentication in FortiSIEM.

Note: RADIUS and Okta follow the same authentication set-up process.

Adding Users from Active Directory via LDAP

If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then need to set up an authentication profile, which will become an option you can associate with users as described in Adding a Single User.

Creating Login Credentials and Associating with an IP Address

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select Microsoft Windows.
  6. Select your Access Protocol.
    FortiSIEM supports these LDAP protocols. Plain LDAP sends the bind password in clear text, so prefer LDAPS or LDAP Start TLS wherever the directory supports it.
  7. Protocol Settings
    LDAP [Required] IP Host - Access IP for LDAP; Port - non-secure, default 389
    LDAPS [Required] IP Host - Access IP for LDAPS; Port - TLS from the first byte, default 636
    LDAP Start TLS [Required] IP Host - Access IP for LDAP Start TLS; Port - connects in the clear on default port 389, then upgrades to TLS with STARTTLS

  8. For Used For, select Microsoft Active Directory.
  9. For Base DN, be sure to enter the root of the LDAP user tree. 
  10. Enter the NetBIOS/Domain for your LDAP directory.
  11. Enter the User Name for your LDAP directory.
    For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.
  12. Enter and confirm the Password for your User Name
  13. Click Save.
    Your LDAP credentials will be added to the list of Credentials.
  14. Under Enter IP Range to Credential Associations, click Add
  15. Select your LDAP credentials from the list of Credentials. Click + to add more.
  16. Enter the IP/IP Range or host name for your Active Directory server.
  17. Click Save.
    Your LDAP credentials will appear in the list of credential/IP address associations.
  18. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.

Discovering the Active Directory Server and Users

  1. Go to ADMIN > Discovery.
  2. Click Add.
  3. For Name, enter Active Directory.
  4. For Include Range, enter the IP address or host name for your Active Directory server. 
  5. Leave all the default settings, but clear the Discover Routes option. 
  6. Click OK.
    Active Directory will be added to the list of discoverable devices.
  7. Select the Active Directory device and click Discover
  8. After discovery completes, go to CMDB > Users to view the discovered users. 
    You may need to click Refresh for the user tree hierarchy to load.

Adding Users from Okta

Follow the procedures below to add users from Okta.

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.

  1. Log into Okta.
  2. In the Applications tab, create a new application using Template SAML 2.0 App
  3. Under General Settings, configure settings similar to the following (setting - value):
    Application label - FortiSIEM Demo
    Force Authentication - Enable
    Post Back URL - https://<FortiSIEMIP>/phoenix/okta
    Name ID Format - EmailAddress
    Recipient - FortiSIEM
    Audience Restriction - Super
    authnContextClassRef - PasswordProtectedTransport
    Response - Signed
    Assertion - Signed
    Request - Uncompressed
    Destination - https://<FortiSIEMIP>/phoenix/okta
  4. Click Save.
  5. In the Sign On tab, click View Setup Instructions.
  6. Click Download Certificate
  7. Follow the instructions below and enter the downloaded certificate for Okta authentication. 

Creating an Okta API Token

  1. Log in to Okta using your Okta credentials. 
  2. Go to Administration > Security > API Tokens.
  3. Click Create Token.
    You will use this token when you set up the Okta login credentials in the next section. Note that the token carries the same permissions as the account that generated it, so create it from an account with no more privilege than reading users requires, and treat it as a secret.

Creating Login Credentials and Associating Them with an IP Address

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select OKTA.com OKTA.
  6. For Access Protocol, select OKTA API.
  7. Enter the Pull Interval in minutes.
  8. Enter the Domain associated with your Okta account.
    For example, FortiSIEM.okta.com
  9. Enter and reconfirm the Security Token you created.
  10. Enter any related information in Description.
  11. Click Save.
    Your Okta credentials will be added to the list of Credentials.
  12. Under Enter IP Range to Credential Associations, click New
  13. Enter the IP/IP range or host name for your Okta account.
  14. Select your Okta credentials from the list of Credentials. Click + to add more.
  15. Click Save.
    Your Okta credentials will appear in the list of credential/IP address associations.
  16. Click Test > Test Connectivity to make sure you can connect to the Okta server.

Discovering Okta Users

If there are fewer than 200 users, Test Connectivity discovers all of them. Because of Okta API restrictions, FortiSIEM cannot pull more than 200 users this way. For larger directories, follow these steps:

  1. Login to Okta.
  2. Download user list CSV file (OktaPasswordHealth.csv) by visiting Admin > Reports > Okta Password Health.
  3. Rename the CSV file to "all_user_list_%s.csv". (%s is the placeholder of token obtained in Create an Okta API Token - Step 3, e.g. 'all_user_list_00UbCrgrU9b1Uab0cHCuup-5h-6Hi9ItokVDH8nRRT.csv')
  4. Login to FortiSIEM Supervisor node:
    1. Upload CSV file all_user_list_%s.csv to this directory /opt/phoenix/config/okta/
    2. Make sure the directory and file are owned by the admin user and group (run "chown -R admin:admin /opt/phoenix/config/okta/").
    3. Go to Admin > Setup > Credentials > Enter IP Range to Credential Associations.
    4. Select the Okta entry and run Test > Test connectivity to import all users.

Adding 2-factor Authentication via Duo Security

Obtain keys for FortiSIEM to communicate with Duo Security

  1. Sign up for a Duo Security account.
    This will be the admin account for Duo Security.
  2. Log in to Duo Security Admin Panel and navigate to Applications.
  3. Click Protect an Application. Locate Web SDK in the applications.
  4. Note the API Hostname, Integration key, and Secret key from the page.
    You will need them when you configure FortiSIEM.
  5. Generate an Application key as a long string.
    This is a secret that Duo Security never sees. You can choose any random string of at least 40 characters, or generate one as follows using Python 3:

    import os, hashlib

    # 32 random bytes hashed with SHA-1 give a 40-character hex string
    print(hashlib.sha1(os.urandom(32)).hexdigest())
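To see why the Application key must stay unknown to Duo, here is an added Python re-implementation of the request/response signing used by Duo's Web SDK v2 (the "Protect an Application > Web SDK" integration referenced above). It is illustration only, not FortiSIEM's or Duo's code: the integration key, secret key and application key are constructed placeholders, and duo_service_response() stands in for Duo's hosted service.

```python
import base64
import hashlib
import hmac
import time

# Prefixes, lifetimes and key lengths as used by Duo's Web SDK v2.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600
IKEY_LEN, SKEY_LEN, AKEY_LEN = 20, 40, 40

# Constructed placeholder keys. Real ikey/skey come from the Duo admin panel,
# akey from the step above. Never reuse these values.
IKEY = "DIAAAAAAAAAAAAAAAAAA"
SKEY = "SKEYCONSTRUCTEDEXAMPLE0123456789ABCDEFGH"
AKEY = hashlib.sha1(b"constructed example akey, do not reuse").hexdigest()


def _sign_vals(key, vals, prefix, expire, now=None):
    """prefix|base64(user|ikey|expiry)|HMAC-SHA1(key, prefix|base64)."""
    now = int(time.time()) if now is None else now
    payload = "|".join(list(vals) + [str(now + expire)])
    cookie = prefix + "|" + base64.b64encode(payload.encode()).decode()
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return cookie + "|" + sig


def _parse_vals(key, val, prefix, ikey, now=None):
    """Verify HMAC, prefix, ikey and expiry; return the user name or None."""
    now = int(time.time()) if now is None else now
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), (u_prefix + "|" + u_b64).encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    try:
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        expires_at = int(exp)
    except ValueError:
        return None
    if u_ikey != ikey or now >= expires_at:
        return None
    return user


def sign_request(ikey, skey, akey, username, now=None):
    """Server side, before showing the Duo frame: TX part signed with skey, APP part with akey."""
    if not username or "|" in username:
        raise ValueError("bad username")
    if len(ikey) != IKEY_LEN or len(skey) != SKEY_LEN or len(akey) < AKEY_LEN:
        raise ValueError("bad key length")
    duo_sig = _sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now)
    return duo_sig + ":" + app_sig


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Server side, after the Duo frame posts back: both halves must verify and name the same user."""
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def duo_service_response(ikey, skey, sig_request, now=None):
    """Constructed stand-in for Duo's hosted service. Duo holds ikey/skey, so it can check the
    TX part and mint the AUTH part after the second factor succeeds, but it only echoes the
    APP part: without akey it cannot forge or alter it."""
    tx_sig, app_sig = sig_request.split(":")
    user = _parse_vals(skey, tx_sig, DUO_PREFIX, ikey, now)
    if user is None:
        return None
    return _sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now) + ":" + app_sig


if __name__ == "__main__":
    req = sign_request(IKEY, SKEY, AKEY, "jdoe")
    resp = duo_service_response(IKEY, SKEY, req)
    print("verified user:", verify_response(IKEY, SKEY, AKEY, resp))
    # Someone holding skey but not akey cannot produce a response that verifies.
    forged = (_sign_vals(SKEY, ["admin", IKEY], AUTH_PREFIX, DUO_EXPIRE) + ":"
              + _sign_vals(SKEY, ["admin", IKEY], APP_PREFIX, APP_EXPIRE))
    print("forged without akey:", verify_response(IKEY, SKEY, AKEY, forged))
```

The APP half is what ties the Duo result back to the session the application itself started: compromise of the Duo side (or of skey alone) is not enough to mint a valid login, which is why the key is generated locally and never shared.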

Create and Manage FortiSIEM users in Duo Security

This determines how the 2-factor authentication response page will look in FortiSIEM and how the user will respond to the second-factor challenge:

  1. Log in to Duo Security as admin user.
  2. Choose the Logo which will be shown to users as they log on.
  3. Choose the super set of 2-factor Authentication Methods.
  4. Optional - you can create the specific users that will logon via FortiSIEM. If the users are not pre-created here, then user accounts will be created automatically when they attempt 2-factor authentication for the first time.

Setup External Authentication Profiles

Add LDAP, LDAPS, and LDAPTLS authentication profiles as follows:

  1. Go to ADMIN > General Settings > Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as LDAP or LDAPS or LDAPTLS.
  6. Set IP/Host of LDAP server.
  7. Change the port if it is different than default port.
  8. Check Set DN Pattern if needed by filling in the DN Pattern field.
    Setting the DN pattern manually is not necessary if the user is discovered via LDAP. However, this feature allows you to manually override the discovered pattern, or to enter it for a user that is being created manually. Enter %s to represent the user's name (CN/uid), for example:
    CN=%s,CN=Users,DC=accelops,DC=com
  9. Click Save

Add RADIUS authentication profile as follows:

  1. Go to ADMIN > General Settings > Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as RADIUS.
  6. Set IP/Host of RADIUS server.
  7. Change the Authen Port if it is different from the default.
  8. Enter the Shared Secret.
  9. Select CHAP if the RADIUS server uses the Challenge Handshake Authentication Protocol.
  10. Click Save.
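The Shared Secret and CHAP option above correspond to two RFC 2865 mechanisms. As an added example (Python, not FortiSIEM code; the secret, authenticator and challenge bytes are constructed), the block below implements User-Password hiding for PAP (RFC 2865 section 5.2) and the CHAP-Password response (section 5.3), so you can see what the shared secret protects and what it does not:

```python
import hashlib
import hmac
import secrets


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                               # chaining uses the ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")              # strips the padding (passwords contain no NUL bytes)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is one byte")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the cleartext password it must hold, compare in constant time."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(chap_password[1:], expected)


if __name__ == "__main__":
    # Constructed values: a shared secret, a fresh Request Authenticator and a CHAP challenge.
    secret = b"constructed-shared-secret-use-something-long-and-random"
    authenticator = secrets.token_bytes(16)
    hidden = hide_user_password(b"correct horse battery", secret, authenticator)
    print("hidden User-Password:", hidden.hex())
    print("server recovers     :", reveal_user_password(hidden, secret, authenticator))
    challenge = secrets.token_bytes(16)
    attr = chap_response(7, b"correct horse battery", challenge)
    print("CHAP verifies:", chap_verify(attr, b"correct horse battery", challenge))
```

Both mechanisms are MD5-based designs keyed by a 16-byte per-request value: PAP hiding is a keystream derived from the shared secret, so a short or guessable secret exposes every password that crosses the wire, while CHAP never sends the password but requires the RADIUS server to hold it in cleartext. Use a long random shared secret and carry RADIUS only over a trusted network or a protected tunnel.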

Add Okta authentication profile as follows:

  1. Go to ADMIN > General Settings > Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as 'Okta'.
  6. Copy and paste the certificate you downloaded in Configuring Okta Authentication - step 6 to Certificate.
  7. Click Save.

Add 2-factor authentication option for FortiSIEM users

  1. Create a 2-factor authentication profile:
    1. Go to ADMIN > General Settings > Authentication.
    2. Click New.
      1. Enter Name.
      2. Select the organization from the Organization drop-down.
      3. Set Protocol as 'Duo'.
      4. Set IP/Host from the API hostname obtained in Step 4 above.
      5. Set Integration key and Secret key from Step 4 above.
      6. Set Application key from Step 5 above.
      7. Click Save.
  2. Add the 2-factor authentication profile to a user:
    1. Go to CMDB > User.
    2. Select a specific user.
    3. Check Second Factor check-box.
    4. Select the 2-factor authentication profile created in Step 1.
    5. Click Save.

Login to FortiSIEM using 2-factor authentication

Before logging in to FortiSIEM with 2-factor authentication, make sure that these three steps are completed:

  1. Obtain keys for FortiSIEM to communicate with Duo Security.
  2. Create and Manage FortiSIEM users in Duo Security.
  3. Add 2-factor authentication option for FortiSIEM users.

Follow these steps:

  1. Log on to FortiSIEM normally (first factor) using the credential defined in FortiSIEM, either local or external (for example, LDAP).
  2. If 2-factor authentication is enabled for the user, they are redirected to the second-factor step:
    1. If the user does not yet exist in Duo (that is, the Duo admin did not pre-create them), a setup wizard collects basic information such as a phone number and asks them to download the Duo app.
    2. If the user already exists in Duo, complete the chosen authentication method and click Log in.
    The user is then logged in to FortiSIEM.

Modifying External Authentication settings

Follow the procedure below to modify External Authentication settings:

  1. Go to ADMIN > General Settings > Authentication tab.
  2. Use the following buttons to modify External Authentication settings:
    • Edit - To edit an External Authentication setting.
    • Delete - To delete an External Authentication setting.
  3. Click Save.