FAC-3000E -- IDENTITY MANAGEMENT

MFG Part: FAC-3000E
Inventory: 0
MSRP: $41,195.00
Condition: New
Availability: See Below
Call For Price

Highlights

  • Enables identity and role-based security policies in the Fortinet secured enterprise network without the need for additional authentication through integration with Active Directory
  • Strengthens enterprise security by simplifying and centralizing the management of user identity information
  • Secure Two-factor/OTP Authentication with full support for FortiToken
  • RADIUS and LDAP Authentication
  • Certificate management for enterprise VPN deployment
  • IEEE 802.1X support for wired and wireless network security
  • SAML SP/IdP Web SSO

Marketing description

FortiAuthenticator user identity management appliances strengthen enterprise security by simplifying and centralizing the management and storage of user identity information.
Fortinet Single Sign-On is the method of providing secure identity and role-based access to the Fortinet connected network. Through integration with existing Active Directory or LDAP authentication systems, it enables enterprise user identity-based security without impeding the user or generating work for network administrators. FortiAuthenticator builds on the foundations of Fortinet Single Sign-On, adding a greater range of user identification methods and greater scalability. FortiAuthenticator is the gatekeeper of authorization into the Fortinet secured enterprise network: it identifies users, queries access permissions from third-party systems and communicates this information to FortiGate devices for use in Identity-Based Policies.

Product Features

  • FortiAuthenticator Single Sign-On user identification methods
    FortiAuthenticator can identify users through a varied range of methods and integrate with third-party LDAP or Active Directory systems to apply group or role data to the user and communicate with FortiGate for use in Identity-based policies. FortiAuthenticator is completely flexible and can utilize these methods in combination.
  • Active Directory polling
    User authentication into Active Directory is detected by regularly polling domain controllers. When a user login is detected, the username, IP and group details are entered into the FortiAuthenticator User Identity Management Database and, according to the local policy, can be shared with multiple FortiGate devices.
  • FortiAuthenticator SSO Mobility Agent
    For complicated distributed domain architectures where polling of domain controllers is not feasible or desired, an alternative is the FortiAuthenticator SSO Client. Distributed as part of FortiClient or as a standalone installation for Windows PCs, the client communicates login, IP stack changes and logout events to the FortiAuthenticator, removing the need for polling methods.
  • FortiAuthenticator portal and widgets
    For systems which do not support AD polling or where a client is not feasible, FortiAuthenticator provides an explicit authentication portal. This allows the users to manually authenticate to the FortiAuthenticator and subsequently into the network. To minimize the impact of repeated logins required for manual authentication, a set of widgets is provided for embedding into an organization's intranet which automatically logs the users in through the use of browser cookies whenever they access the intranet homepage.
  • RADIUS Accounting login
    In a network which utilizes RADIUS authentication, RADIUS Accounting can be used as a user identification method. This information is used to trigger user login and to provide IP and group information, removing the need for a second tier of authentication.
  • Strong user identity with two-factor authentication
    FortiAuthenticator extends two-factor authentication capability to multiple FortiGate appliances and to third-party solutions that support RADIUS or LDAP authentication. User identity information from FortiAuthenticator combined with authentication information from FortiToken ensures that only authorized individuals are granted access to your organization's sensitive information. This additional layer of security greatly reduces the possibility of data leaks while helping companies meet audit requirements associated with government and business privacy regulations. FortiAuthenticator supports a wide range of tokens to suit your user requirements. Two-factor authentication can be used to control access to applications such as FortiGate management, SSL and IPsec VPN, Wireless Captive Portal login and third-party, RADIUS-compliant networking equipment. To streamline local user management, FortiAuthenticator includes user self-registration and password recovery features.
  • Enterprise certificate-based VPNs
    Site-to-site VPNs often provide direct access to the heart of the enterprise network from many remote locations. Often these VPNs are secured simply by a preshared key, which, if compromised, could give access to the whole network. FortiOS supports certificate-based VPNs; however, use of certificate-secured VPNs has been limited, primarily due to the overhead and complexity introduced by certificate management. FortiAuthenticator removes this overhead by streamlining the bulk deployment of certificates for VPN use in a FortiGate environment, cooperating with FortiManager for the configuration and automating the secure certificate delivery via the SCEP protocol.