External Authentication Settings

This screen allows you to define servers for external user authentication. Once one or more authentication server profiles have been defined, users of the system can be configured to be authenticated locally, or by one or more of these external authentication servers. To configure a user for external authentication, select that user from the CMDB > Users screen, and select External as the authentication mode. If more than one authentication profile is associated with a user, then the servers will be contacted one by one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
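The retry-versus-reject rule described above, as an added Python illustration (not FortiSIEM's code; the server callables are constructed stand-ins for real LDAP, RADIUS or Okta clients): only a connection failure moves on to the next profile, while a reachable server that rejects the credentials ends the attempt.

```python
class ConnectionFailed(Exception):
    """Raised by a stand-in server when it cannot be contacted (network error, timeout)."""


def authenticate_external(username, password, servers):
    """Try the user's authentication profiles in the configured order.

    servers: list of callables auth(username, password) -> bool that raise
             ConnectionFailed when the server cannot be reached.
    Returns (ok, reason). A connection failure falls through to the next
    server; a reachable server that rejects the credentials stops the
    process, so a failed password never causes a fallback to another server.
    """
    for server in servers:
        try:
            accepted = server(username, password)
        except ConnectionFailed:
            continue  # could not contact this server: try the next profile
        if accepted:
            return True, "accepted"
        return False, "authentication failed"  # no further servers are tried
    return False, "no authentication server reachable"


# Constructed stand-in servers for a local run (hypothetical, not real clients)
def unreachable(_username, _password):
    raise ConnectionFailed()


def primary(username, password):
    return (username, password) == ("alice", "correct-horse")


def backup(_username, _password):
    return True  # accepts anything; must never be reached after a rejection


if __name__ == "__main__":
    print(authenticate_external("alice", "correct-horse", [unreachable, primary, backup]))
    print(authenticate_external("alice", "wrong", [unreachable, primary, backup]))
```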

The following section describes the procedure to configure External Authentication Settings:

Adding External Authentication Settings

Prerequisites

The following sections describe the prerequisite steps to complete before setting up external authentication in FortiSIEM.

Note: RADIUS and Okta follow the same authentication setup process.

Adding Users from Active Directory via LDAP

If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then must set up an authentication profile, which will become an option you can associate with users as described in Adding Users.

Creating Login Credentials and Associating with an IP Address

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select Microsoft Windows.
  6. Select your Access Protocol.

    FortiSIEM supports these LDAP protocols:

    LDAP - [Required] IP Host: access IP for LDAP. Port: non-secure version on port 389.
    LDAPS - [Required] IP Host: access IP for LDAPS. Port: secure version on port 636.
    LDAP Start TLS - [Required] IP Host: access IP for LDAP Start TLS. Port: secure version on port 389.

  7. Enter the Protocol Settings (IP Host and Port) for the selected protocol.

  8. For Used For, select Microsoft Active Directory.
  9. For Base DN, enter the root of the LDAP user tree.
  10. Enter the NetBIOS/Domain for your LDAP directory.
  11. Enter the User Name for your LDAP directory.

    For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.
  12. Enter and confirm the Password for your User Name.
  13. Click Save.

    Your LDAP credentials will be added to the list of Credentials.
  14. Under Enter IP Range to Credential Associations, click Add.
  15. Select your LDAP credentials from the list of Credentials. Click + to add more.
  16. Enter the IP/IP Range or host name for your Active Directory server.
  17. Click Save.

    Your LDAP credentials will appear in the list of credential/IP address associations.
  18. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.

Discovering the Active Directory Server and Users

  1. Go to ADMIN > Setup > Discovery.
  2. Click New.
  3. For Name, enter Active Directory.
  4. For Include Range, enter the IP address or host name for your Active Directory server.
  5. Leave all the default settings, but clear Discover Routes under Options.
  6. Click OK.

    Active Directory will be added to the list of discoverable devices.
  7. Select the Active Directory device and click Discover.
  8. After discovery completes, go to CMDB > Users to view the discovered users.

    You may need to click Refresh for the user tree hierarchy to load.

Adding Users from Okta

Follow the procedures below to add users from Okta.

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.

  1. Log into Okta.
  2. In the Applications tab, create a new application using Template SAML 2.0 App.
  3. Under Settings, configure the settings similar to the table below:

    Application label - FortiSIEM Demo
    Force Authentication - Enable
    Post Back URL - https://<FortiSIEMIP>/phoenix/okta
    Name ID Format - EmailAddress
    Recipient - FortiSIEM
    Audience Restriction - Super
    authnContextClassRef - PasswordProtectedTransport
    Response - Signed
    Assertion - Signed
    Request - Uncompressed
    Destination - https://<FortiSIEMIP>/phoenix/okta
  4. Click Save.
  5. In the Sign On tab, click View Setup Instructions.
  6. Click Download Certificate.
  7. Follow the instructions above and enter the downloaded certificate for Okta authentication.

Creating an Okta API Token

  1. Log in to Okta using your Okta credentials.
  2. Go to Administration > Security > API Tokens.
  3. Click Create Token.

    You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it.

Creating Login Credentials and Associating Them with an IP Address

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select OKTA.com OKTA.
  6. For Access Protocol, select OKTA API.
  7. Enter the Pull Interval in minutes.
  8. Enter the Domain associated with your Okta account.

    For example, FortiSIEM.okta.com
  9. Enter and reconfirm the Security Token you created.
  10. Enter any related information in Description.
  11. Click Save.

    Your Okta credentials will be added to the list of Credentials.
  12. Under Enter IP Range to Credential Associations, click New.
  13. Enter the IP/IP range or host name for your Okta account.
  14. Select your Okta credentials from the list of Credentials. Click + to add more.
  15. Click Save.

    Your Okta credentials will appear in the list of credential/IP address associations.
  16. Click Test > Test Connectivity to make sure you can connect to the Okta server.

Discovering Okta Users

If the number of users is less than 200, then Test Connectivity will discover all the users. The Okta API has restrictions that do not allow FortiSIEM to pull more than 200 users. In this case, follow these steps:

  1. Log in to Okta.
  2. Download user list CSV file (OktaPasswordHealth.csv) by visiting Admin > Reports > Okta Password Health.
  3. Rename the CSV file to all_user_list_%s.csv. (%s is the placeholder of token obtained in Create an Okta API Token - Step 3, e.g. all_user_list_00UbCrgrU9b1Uab0cHCuup-5h-6Hi9ItokVDH8nRRT.csv).
  4. Log in to FortiSIEM Supervisor node:
    1. Upload the CSV file all_user_list_%s.csv to the directory /opt/phoenix/config/okta/.
    2. Make sure the files are owned by user admin and group admin (run chown -R admin:admin /opt/phoenix/config/okta/).
    3. Go to ADMIN > Setup > Credentials > Enter IP Range to Credential Associations.
    4. Select the Okta entry and run Test > Test Connectivity to import all users.

Configuring FortiSIEM for SAML Overview

In SAML authentication, there are 3 entities:

  • Identity Provider (IDP) - this is where user authentication happens. Examples include OKTA and Entrust.

  • IDP Portal - this is where you define users and credentials for your IDP and Service Providers.

  • Service Provider (SP) - this is where the user logs on after authentication succeeds, e.g. FortiSIEM in this case.

After configuration, the flow is as follows:

  1. The user authenticates to the IDP Portal.

  2. The user clicks a FortiSIEM icon on the IDP Portal.

  3. IDP sends a SAML response to FortiSIEM containing the User, Org, and Role. User and Org are required, while Role is optional.

  4. FortiSIEM trusts the IDP and logs in the User with the right Org and Role (if applicable).

To ensure SAML works correctly, the following must be done.

  1. Define URLs and credentials in IDP Portal and FortiSIEM so that they can securely communicate with each other.

  2. Map the User, Org, and Role in the IDP Portal to the User, Org, and Role in FortiSIEM. The User must be an exact match, including case. For Org and Role, you can define mappings in FortiSIEM from IDP Org to FortiSIEM Org and from IDP Role to FortiSIEM Role.

The following is a detailed example showing the steps required for configuration. This example assumes a FortiSIEM user has already been created in an IDP Portal.

Step 1 - Preparation

  1. Configure your IDP for the specific User, Organization, and Role. Collect IDP Portal endpoint and certificate.

  2. Study the SAML Response from your IDP and determine where to find the User, Org, and Role. Typically, the User is in the NameIdentifier element of the Subject statement. Org is in the Audience element of AudienceRestriction.

This step is different for every IDP vendor. See the representative examples below for Okta.com and the samltest.id website. In OKTA.com, there is no Role information. However, the samltest.id website allows you to define a role.

Step 2 - Create External Authentication Profile in FortiSIEM

  1. Log on to FortiSIEM as Admin.

  2. Go to ADMIN > Settings > General > External Authentication.

  3. Click New to create an External Authentication profile.

    1. (Service Provider Case) Set Organization to System if any User from any Org can use this profile. Otherwise, set it to the specific Org.

    2. In the Protocol drop-down list, select SAML.

    3. Fill in the Issuer and Certificate (credentials) fields using the information collected in Step 1A.

    4. Set User to the specific field in the SAML Response containing the User information. (note - match is exact and case-sensitive). This information was gathered in Step 1B. If the User is not in the NameIdentifier element of the Subject Statement, then select Custom Attribute and enter the field containing the User information.

    5. Set Org to the specific field in the SAML Response containing the Org information. This information was gathered in Step 1B. If Org is not in the Audience element of AudienceRestriction, then select Custom Attribute and enter the field containing the Org information. Matching is determined by the Role mapping rules in Step 3.

    6. If Role is present in the SAML Response from the IDP, then select Custom Attribute and enter the field containing the Role information. Otherwise, select None. In the latter case, you must create the User in CMDB for the specific Org, and assign the right Role. Step 3 is not needed.

Step 3 - Create SAML Role Mappings in FortiSIEM

This step is only needed if Role is present in the SAML Response as in Step 2Cvi. For example, OKTA does not have Role, so this step is not needed.

  1. Log on to FortiSIEM as Admin.

  2. Go to ADMIN > Settings > Role > SAML Role.

  3. Click New.

  4. In the Add SAML Role, enter the following information.

    1. From the SAML Auth profile, select the user.

    2. In the SAML Role field, enter the SAML Role.

    3. In the SAML Organization field, enter the SAML Organization.

    4. From the Mapped Role drop-down list, select an existing role.

    5. From the Mapped Organization drop-down list, select an organization.

    6. (Optional) In the Comments field, enter any information you may wish to reference at a future date.

    7. Click Save.

Step 4 - Create the User in CMDB

This step is only needed if Role is not present in the SAML Response, as in Step 2Cvi. For example, OKTA does not have Role, so this step is needed.

  1. Log on to FortiSIEM as Admin.

  2. Go to CMDB > Users.

  3. If the SAML user is not present, then click New to create a new user.
    Note: You may need to navigate to CMDB > Users > Ungrouped.

  4. In the User Name field, enter the name exactly as that used in Step 2Civ. The name must match exactly, including case-sensitivity.

  5. Click System Admin and set the Role.

  6. When done, click Save.

This procedure is described in more detail in https://help.fortinet.com/fsiem/6-3-0/Online-Help/HTML5_Help/Adding_users.htm.
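The field extraction in Step 1B and the matching in Steps 2 to 4, as an added Python illustration that is not FortiSIEM's own code: it pulls User from Subject/NameID, Org from AudienceRestriction/Audience and Role from a named Attribute of a constructed SAML Response, then applies either a SAML Role table (Step 3) or an exact, case-sensitive CMDB lookup (Step 4). The issuer, user, profile and role names are placeholders, and the sample omits the XML signatures that a real Service Provider must verify before trusting any of these fields.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response (not an IDP capture). Issuer and values are
# placeholders; signatures are omitted, so this is for parsing practice only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://idp.example.test/issuer-placeholder</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example.test/issuer-placeholder</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice.Smith@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>Super</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role">
        <saml:AttributeValue>analyst</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_identity(xml_text, role_attribute=None):
    """Return {"user", "org", "role"} from a SAML Response.

    user: Subject/NameID (the default location named in Step 1B)
    org:  Conditions/AudienceRestriction/Audience (the default location)
    role: value of the Attribute called role_attribute, or None when the
          profile is configured with Role = None (the Okta case)
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if name_id is None or audience is None or not name_id.text or not audience.text:
        raise ValueError("NameID or Audience missing: configure a Custom Attribute instead")
    role = None
    if role_attribute is not None:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == role_attribute:
                value = attr.find("saml:AttributeValue", NS)
                if value is not None and value.text:
                    role = value.text.strip()
                break
    return {"user": name_id.text.strip(), "org": audience.text.strip(), "role": role}


def resolve_login(identity, profile, role_mappings, cmdb_users):
    """Decide the FortiSIEM org and role for a login, or None to reject it.

    role_mappings: {(profile, saml_role, saml_org): (mapped_role, mapped_org)},
                   the shape of the SAML Role table in Step 3 (placeholder names).
    cmdb_users:    {(user_name, org): role}, users created manually in Step 4.
    The user comparison is a plain string equality: exact and case-sensitive.
    """
    user, org, role = identity["user"], identity["org"], identity["role"]
    if role is not None:  # Role present in the Response: use the mapping table
        mapped = role_mappings.get((profile, role, org))
        if mapped is None:
            return None
        return {"user": user, "org": mapped[1], "role": mapped[0]}
    cmdb_role = cmdb_users.get((user, org))  # no Role: the CMDB user must exist
    if cmdb_role is None:
        return None
    return {"user": user, "org": org, "role": cmdb_role}
```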

SAML Login Error Codes

Error Code 1000-2000: Invalid SAML Configuration

Error Code 2000-3000: Invalid SAML Response

Error Code 3000-4000: Invalid username or password or organization

Example 1 - OKTA

  1. Using an admin account, log into Okta (https://okta.com/).

  2. Click on the Admin button.

  3. Enter the Okta Verify code.

  4. At the Use single sign on option, click the Add App button.

  5. Click on Create New App.

  6. Select SAML 2.0 and click Create.

    In General Settings, provide the following:

  • App name - FortiSIEM

  • App logo (optional)

  7. Click Next.

  8. In Configure SAML, provide the following:

  • In Single sign on URL, enter https://super_ip/phoenix/sso/saml/ExternalAuthenticationProfileName
    super_ip represents the FortiSIEM IP address you want to log into, and ExternalAuthenticationProfileName will need to be configured in FortiSIEM by a full Admin creating a SAML External Authentication Profile via ADMIN > Settings > General > External Authentication.

  • In the Audience URI (SP Entity ID), enter your organization name, for example "Super".

  9. Click Next, then Finish. The FortiSIEM app is now created.

  10. On the Okta Application page, under Sign On Settings, SAML 2.0, click View Setup Instructions.

  11. Copy the Identity Provider Issuer and Certificate information. When you create your External Authentication Profile in FortiSIEM, the Identity Provider Issuer will go into the Issuer field, and the Certificate information will go into the Certificate field.

  12. Assign the OKTA user(s) for FortiSIEM.

  13. Log on to FortiSIEM as a full Admin.

  14. Go to ADMIN > Settings > General > External Authentication.

  15. Click New to create an External Authentication Profile.

  16. From External Authentication Profile, take the following steps:

    1. In the Name field, enter your ExternalAuthenticationProfileName.

    2. From the Organization drop-down list, select the org.

    3. From the Protocol drop-down list, select SAML.

    4. In the Issuer field, enter the Identity Provider Issuer from Okta.

    5. In the Certificate field, enter/paste the certificate information from Okta.

    6. Configure User and Org according to your IDP.

    7. Click Save.

  17. Go to CMDB > Users > Ungrouped.

  18. Click New to add the Okta user.

  19. In the User Name field, enter the user's Okta assigned username.
    Note: You can enter the name by using an email address depending on how the user was configured in Okta.

  20. Click the System Admin field to open the New User window.

  21. From the Mode drop-down list, select External.

  22. From the Authentication Profiles drop-down list, select the Okta authentication profile that you created under External Authentication.

  23. From the Default Role drop-down list, select the appropriate user role and check the checkboxes of the organizations the user is enabled for.

  24. Click Back.

  25. Click Save.

  26. Log on to Okta as an assigned user for FortiSIEM. The assigned Okta user is now able to log on to FortiSIEM by clicking the FortiSIEM icon/application.


Example 2 - https://samltest.id/

  1. Prepare a SAML.XML file.

  2. Go to https://samltest.id/.

  3. Click UPLOAD METADATA.

  4. Click Choose File, select your SAML.XML file, and click UPLOAD. When SAMLTEST.ID reports success, proceed to the next step; otherwise check your XML file and re-upload.

  5. Click on Testing Resources, and select Download Metadata.

  6. Scroll down until you see SAMLtest's IdP "Connection information".

    1. Copy the entityID information. This will go into the Issuer field in the External Authentication Profile for the SAML IDP configuration.

    2. Copy the Signing Certificate information. This will go into the Certificate field in the External Authentication Profile for the SAML IDP configuration.

  7. Log on to FortiSIEM with an Admin account, and navigate to ADMIN > Settings > General > External Authentication.

  8. Click New.

  9. Following Step 2 - Create External Authentication Profile in FortiSIEM, in the External Authentication Profile window, fill out the required information and click Save. Mandatory settings include:

    • In the Protocol drop-down list, select SAML.

    • In the Issuer field, provide the entityID from step 6a.

    • In the Certificate field, paste/enter the signing certificate content from step 6b.

    • Configure the User, Org, and Role appropriately, based on your elements.

  10. Go to ADMIN > Settings > Role > SAML Role, click New, fill out the information and click Save. The SAML user will be added automatically in CMDB > Users once the user logs on to FortiSIEM.

  11. Go to https://samltest.id/ and navigate to Testing Resources > Test Your SP.

  12. On the Test Your SP page, in the entityID field, enter your entityID, and click GO!.

  13. In the Username and Password fields, enter your user name and password respectively, and click LOGIN.

  14. SAMLTEST.ID will prompt with choices for logging in. Select your choice, and click Accept to log in to FortiSIEM.

Adding 2-factor Authentication via Duo Security

Obtain keys for FortiSIEM to communicate with Duo Security

  1. Sign up for a Duo Security account.

    This will be the admin account for Duo Security.
  2. Log in to the Duo Security Admin Panel and navigate to Applications.
  3. Click Protect an Application. Locate Web SDK in the applications.
  4. Get the API Host Name, Integration key, and Secret key from the page.

    You will need them when you configure FortiSIEM.
  5. Generate the Application key as a long string.

    This is a password that Duo Security will not know. You can choose any 40 character long string or generate it as follows using Python:

    import os, hashlib

    # 32 bytes from the OS random source, hashed to a 40-character hex string
    print(hashlib.sha1(os.urandom(32)).hexdigest())

Create and Manage FortiSIEM users in Duo Security

This determines how the 2-factor authentication response page will look in FortiSIEM and how the user will respond to the second-factor authentication challenge:

  1. Log in to Duo Security as admin user.
  2. Choose the Logo which will be shown to users as they log on.
  3. Choose the super set of 2-factor Authentication Methods.
  4. Optional - you can create the specific users that will logon via FortiSIEM. If the users are not pre-created here, then user accounts will be created automatically when they attempt 2-factor authentication for the first time.

Setup External Authentication Profiles

Add LDAP, LDAPS, and LDAPTLS authentication profiles as follows:

  1. Go to ADMIN > Settings > General > External Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as LDAP or LDAPS or LDAPTLS.
  6. Set IP/Host of LDAP server.
  7. Change the port if it is different from the default port.
  8. Check Set DN Pattern if needed by filling in the DN Pattern field.
    Setting the DN pattern manually is not necessary if the user is discovered via LDAP. However, this feature allows you to manually override the discovered pattern, or enter it for a user that is being manually created. Enter %s to represent the user's name (CN/uid), for example:
    CN=%s,CN=Users,DC=accelops,DC=com
  9. Click Save.

Add RADIUS authentication profile as follows:

  1. Go to ADMIN > Settings > General > External Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as RADIUS.
  6. Set IP/Host of RADIUS server.
  7. Change and set Authen Port if the port is different from the default.
  8. Enter the Shared Secret.
  9. Select CHAP if the RADIUS server uses the Challenge Handshake Authentication Protocol.
  10. Click Save.

Add Okta authentication profile as follows:

  1. Go to ADMIN > Settings > General > External Authentication.
  2. Click New.
  3. Enter Name.
  4. Select Organization.
  5. Set Protocol as "Okta".
  6. Copy and paste the certificate you downloaded in Configuring Okta Authentication - step 6 to Certificate.
  7. Click Save.

Add 2-Factor Authentication Option for FortiSIEM Users

  1. Create a 2-factor authentication profile:
    1. Go to ADMIN > Settings > General > External Authentication.
    2. Click New.
      1. Enter Name.
      2. Select the organization from the Organization drop-down.
      3. Set the Protocol as 'Duo'.
      4. Set the IP/Host from the API hostname in Step 4 above.
      5. Set the Integration key and Secret key from Step 4 above.
      6. Set the Application key from Step 5 above.
      7. Click Save.
  2. Add the 2-factor authentication profile to a user:
    1. Go to CMDB > Users > Ungrouped.
    2. Click New to create a new user or Edit to modify a selected user.
    3. Select the System Admin checkbox and click the edit icon.
    4. In the Edit User dialog box, enter and confirm a password for a new user.
    5. Select the Second Factor checkbox.
    6. Select the 2-factor authentication profile created in Step 1 above.
    7. Select a Default Role from the drop-down list.
    8. Click Save.

Log in to FortiSIEM Using 2-Factor Authentication

Before logging in to FortiSIEM with 2-factor authentication, make sure that these steps are completed.

  1. Obtain keys for FortiSIEM to communicate with Duo Security.
  2. Create and Manage FortiSIEM users in Duo Security.
  3. Add 2-factor authentication option for FortiSIEM users.

Follow these steps:

  1. Log on to FortiSIEM normally (first factor) using the credential defined in FortiSIEM - local or external in LDAP.
  2. If the 2-factor authentication is enabled, the user will now be redirected to the 2-factor step.
    1. If the user is not created in the Duo system (by the Duo admin), a setup wizard will let you set some basic information like phone number and ask you to download the Duo app.
    2. If the user already exists in FortiSIEM, then follow the authentication method and click Log in.
    The user will be able to log in to FortiSIEM.

Authenticating Users Against FortiAuthenticator (FAC)

FortiSIEM authenticates users against FortiAuthenticator (FAC) via RADIUS. User credentials are either stored in the FAC local database, or in an external credential store such as Active Directory (AD), accessed via LDAP. FAC optionally applies 2-factor authentication to users with the FortiToken.

The following sections provide information about the configurations and steps to log in and troubleshoot:

  1. Configure AD users
  2. Configure FortiAuthenticator
  3. Configure FortiSIEM

Configure AD Users

  1. Install AD Domain Services following the steps here.
  2. Configure the test domain users:
    1. Server Manager > Tools > Active Directory Users and Computers.
    2. Expand the Domain, right-click Users, select New > User.

Configure FortiAuthenticator

  1. Perform the basic FAC setup following the steps in the FortiAuthenticator Administration Guide: Section: FortiAuthenticator-VM image installation and initial setup here.
    1. Use the default credentials:
      • user name: admin
      • password: <blank>
    2. At the CLI prompt enter the following commands:
      • set port1-ip 192.168.1.99/24
      • set default-gw 192.168.1.2
      Note that the CLI syntax has changed in FAC 5.x. Refer to FAC 6.x documentation for details.
    3. Log in to the FAC GUI (default credentials user name / password: admin / <blank>).
    4. Set the time zone under System > Dashboard > Status > System Information > System Time.
    5. Change the GUI idle timeout for ease of use during configuration, if desired: System Administration > GUI Access > Idle Timeout.
  2. Configure the DC as a remote LDAP server under Authentication > Remote Authentication Servers > LDAP.
    Follow the Fortinet Single Sign-On instructions in the FortiAuthenticator Administration Guide. Note that the user must have appropriate privileges. The Domain Admin account can be used for testing in a lab environment. The 'Remote LDAP Users' section will be blank at this stage; users are imported later.
  3. Configure an external Realm to reference the LDAP store:
    1. Select Authentication > User Management > Realms > Create New.
    2. Choose the LDAP source from the drop-down and click OK.
  4. Configure the FortiSIEM as a RADIUS Client:
    1. Select Authentication > RADIUS Service > Clients > Create New.
    2. Enter the IP address of FortiSIEM and a shared secret.
    3. Choose the realms as required.
    4. Click 'add a realm' to include multiple realms.

      Note the FAC evaluation license only supports 2 realms.
    5. Click Save.

  5. Import users from LDAP to FortiSIEM to allow FortiToken to be used:
    1. Select Authentication > User Management > Remote Users.
    2. Select the Import button.
    3. Choose and import the test users configured in AD. Note that the FAC Evaluation license is limited to 5 users.
  6. (Optional) Configure local users in the FAC database for local authentication under Authentication > User Management > Local Users.
  7. Provision the FortiToken:
    1. Select and edit the user in Authentication > User Management > Remote Users (or Local Users as appropriate).
    2. Select the Token Based Authentication check box, and assign an available FortiToken Mobile.

      FAC evaluation includes 2 demo FortiTokens.
    3. Choose Email delivery method and enter an email address in user information.
      The email address doesn't have to be valid for basic testing; the provisioning code is visible in the FAC logs.
    4. Click OK.

  8. Configure the FortiToken iPhone app:
    1. Install the FortiToken app from the app store.
    2. Open the app and select the + icon in the top right corner.
    3. Choose enter manually from the bottom of the screen.

Configure FortiSIEM

Step 1: Configure an External Authentication Source

  1. Go to ADMIN > Settings > General > External Authentication.
  2. Click New.
  3. Enter the following settings:
    • Organization - System
    • Protocol - RADIUS
    • IP/Host - IP of FortiAuthenticator
    • Shared Secret - the secret configured when setting up the RADIUS Client in FAC
  4. Click Save.
  5. Click Test to test the authentication settings.

Step 2: Configure Users in FortiSIEM Database

  1. Go to CMDB > Users and click New.
  2. Enter the user name to match the user configured in FSM/AD (use the format user@domain.com).
  3. Select the System Admin checkbox.
  4. Select the Mode as External.
  5. Select the RADIUS profile previously configured from Authentication Profiles.
  6. Select the Default Role from the list.
  7. Click Save.

Logging In

The User Name must be entered in the format user@domain.xyz. For 2-factor authentication, the password and FortiToken value must be concatenated and entered directly into the Password field.

For example:

  • Username: user123@testdomain.local
  • Password: testpass123456, where 123456 is the current FortiToken value

Troubleshooting

FortiAuthenticator logs are accessible by opening the Logging tab. Select a log entry to see more details.

Modifying External Authentication Settings

Complete these steps to modify External Authentication settings:

  1. Use the following buttons to modify External Authentication settings:
    • Edit - to modify an External Authentication setting.
    • Delete - to delete an External Authentication setting.
  2. Click Save.