DOCSLIB.ORG

Fortiauthenticator Administration Guide Contains the Following Sections

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

FortiAuthenticator - Administration Guide Version 6.0.3 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://fortiguard.com/ END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: [email protected] April 09, 2020 FortiAuthenticator 6.0.3 Administration Guide 23-603-583129-20200409 TABLE OF CONTENTS Change Log 8 What's new in FortiAuthenticator 9 FortiAuthenticator 6.0.3 9 SAML SP single logout enhancements for FSSO 9 SAML remote authentication enhancements 9 Low HA sync activity SNMP trap 9 Reject usernames containing uppercase letters 10 FortiAuthenticator 6.0.2 10 FortiAuthenticator 6.0.1 10 Support for FortiToken Cloud 10 Guest portals: Automatic login after registration 10 Client certificate for TLS authentication with remote LDAP servers 10 SAML IdP enhancements 10 Node-specific default gateway 11 More granular control for purging disabled user accounts 11 REST API enhancement: OAuth verify token returns username 11 FortiAuthenticator on Azure Marketplace 11 FortiAuthenticator 6.0.0 11 GUI update 11 SAML IdP proxy for cloud identity services 11 Improvements to remote LDAP user synchronization rules 12 OAuth server capability 12 Use FortiNAC as sources of SSO sessions 12 FSSO domain monitor improvements 12 HTTPS/HTTP access controls 13 Enhanced cryptography for local user password storage 13 Configurable error pages 13 FortiOS Security Fabric integration 13 G Suite and Azure group lookup for SAML SP 14 Support for additional DC event log types 14 Export intermediate CA certificate and private key 14 Support for Microsoft Azure and Oracle Cloud deployments 14 Upgrade FortiAuthenticator firmware through CLI 14 Introduction 15 Before you begin 16 How this guide is organized 17 Registering your Fortinet product 17 Setup 18 Initial setup 18 FortiAuthenticator-VM setup on VMware 18 Administrative access 19 Adding FortiAuthenticator to your network 21 Maintenance 22 Backing up the configuration 22 FortiAuthenticator 6.0.3 Administration Guide 3 Fortinet Technologies Inc. Upgrading the firmware 22 Licensing 23 Swapping hard disks 23 CLI commands 24 Troubleshooting 27 FortiAuthenticator settings 27 FortiGate settings 27 System 28 Dashboard 28 Customizing the dashboard 29 System information widget 30 System resources widget 33 Authentication activity widget 33 User inventory widget 34 License information widget 34 Disk monitor widget 34 Top user lockouts widget 34 User lookup 35 Network 36 Interfaces 36 DNS 38 Static routing 39 Packet capture 39 Administration 40 System access 41 High availability 42 Firmware upgrade 47 Configuring auto-backup 47 SNMP 48 Licensing 51 FortiGuard 51 FortiNACs 53 FTP servers 53 Admin profiles 54 Messaging 54 SMTP servers 55 Email services 56 SMS gateways 57 Authentication 61 What to configure 61 Password-based authentication 62 Two-factor authentication 62 Authentication servers 63 Machine authentication 63 User account policies 64 General 64 PCI DSS 3.2 two-factor authentication 65 Lockouts 66 FortiAuthenticator 6.0.3 Administration Guide 4 Fortinet Technologies Inc. Passwords 66 Custom user fields 68 Tokens 69 User management 71 Administrators 71 Local users 72 Remote users 80 Remote user sync rules 85 Guest users 87 User groups 88 Usage profile 89 Organizations 90 Realms 91 FortiTokens 92 MAC devices 93 RADIUS attributes 94 FortiToken physical device and FortiToken Mobile 94 FortiAuthenticator and FortiTokens 95 Monitoring FortiTokens 96 FortiToken device maintenance 96 FortiToken drift adjustment 96 Self-service portal 97 General 97 Access control 97 Self-registration 98 Token self-provisioning 100 Replacement messages 102 Device self-enrollment 103 Guest portals 105 Portals 105 Rules 110 Replacement messages 111 Smart Connect profiles 112 Remote authentication servers 114 General 114 LDAP 115 RADIUS 120 OAUTH 120 SAML 121 RADIUS service 124 Clients 124 Client profile attributes 127 Extensible Authentication Protocol 127 Services 127 Custom dictionaries 128 LDAP service 129 General 129 Directory tree overview 129 FortiAuthenticator 6.0.3 Administration Guide 5 Fortinet Technologies Inc. Creating the directory tree 130 Configuring a FortiGate unit for FortiAuthenticator LDAP 133 OAuth Service 134 Settings 134 Applications 134 SAML IdP 135 General 136 Replacement messages 136 Service providers 137 FortiAuthenticator agents 139 FortiAuthenticator Agent for Microsoft Windows 139 FortiAuthenticator Agent for Outlook Web Access 142 Port-based network access control 143 Extensible Authentication Protocol 143 FortiAuthenticator and EAP 144 FortiAuthenticator unit configuration 144 Configuring certificates for EAP 144 Configuring switches and wireless controllers to use 802.1X authentication 144 Non-compliant devices 145 Fortinet Single Sign-On 147 Domain controller polling 147 Windows management instrumentation polling 147 General settings 148 Configuring FortiGate units for FSSO 153 Portal services 153 Kerberos 155 SAML authentication 156 Windows event log sources 157 RADIUS accounting sources 159 Syslog sources 160 Syslog sources 161 Matching rules 161 Predefined rules 161 Fine-grained controls 163 SSO users and groups 164 Domain groupings 166 FortiGate filtering 167 IP filtering rules 168 Tiered architecture 169 FortiClient SSO Mobility Agent 170 Fake client protection 171 RADIUS Single Sign-On 172 RADIUS accounting proxy 172 General 172 Rule sets 173 Sources 176 FortiAuthenticator 6.0.3 Administration Guide 6 Fortinet Technologies Inc. Destinations 177 Monitoring 178 SSO 178 Domains 178 SSO sessions 178 Windows event log sources 179 FortiGates 179 DC/TS agents 179 NTLM statistics 180 Authentication 180 Locked-out users 180 RADIUS sessions 180 Windows AD 181 Windows device logins 181 Learned RADIUS users 181 Certificate management 182 Policies 182 Certificate expiry 182 End entities 183 Certificate authorities 191 Local CAs 191 Certificate revocations lists 196 Trusted CAs 198 SCEP 198 General 199 Enrollment requests 199 Logging 205 Log access 205 Log configuration 207 Log settings 207 Syslog servers 209 Audit reports 210 Users audit 210 Troubleshooting 212 Troubleshooting 212 Debug logs 213 RADIUS debugging 214 TCP stack hardening 215 LDAP filter syntax 216 Examples 216 Caveats 217 FortiAuthenticator 6.0.3 Administration Guide 7 Fortinet Technologies Inc. Change Log Date Change Description 2019-10-09 Initial release. 2019-10-15 Added additional information about HA priority to Administration on page 40. 2019-11-01 Added information about supported VM environments to Initial setup on page 18. 2019-11-18 Added information about installation switches to FortiClient SSO Mobility Agent on page 170 2020-02-05 Added additional information about SCEP key usages and interfaces to SCEP on page 198. 2020-03-05 Added additional information about the CAs used with SCEP to SCEP on page 198. 2020-03-09 Added additional information about importing groups in FortiGate filtering on page 167. 2020-04-09 Updated information about the number of load-balancers supported in High availability. FortiAuthenticator 6.0.3 Administration Guide 8 Fortinet Technologies Inc. What's new in FortiAuthenticator What's new in FortiAuthenticator This section provides a summary of the new features and enhancements in FortiAuthenticator: l FortiAuthenticator 6.0.3 on page 9 l FortiAuthenticator 6.0.2 on page 10 l FortiAuthenticator 6.0.1 on page 10 l FortiAuthenticator 6.0.0 on page 11 Always review the FortiAuthenticator Release Notes prior to upgrading your device. FortiAuthenticator 6.0.3 The following list contains new and expanded features added in FortiAuthenticator 6.0.3. SAML SP single logout enhancements for FSSO New enhancements have been introduced for SAML SP single logout for FSSO: l Support for the handling of IdP-initiated logout. l The logout button on the SAML SP Logout Page replacement message also triggers a logout from the IdP. l A new button has been added to the SAML SP Logout Success Page replacement message to return to the login page. SAML remote authentication enhancements FortiAuthenticator SPs include the "RequestedAuthnContext" assertion in their authentication request to any IdP. FortiAuthenticator 6.0.3 now includes a setting to define the authentication context value. The Default value is "PasswordProtectedTransport," which requires that users are authenticated using a password- based method. When alternative authentication methods are used, None can be selected to omit this requirement (e.g. when a X.509 certificate is used in Azure). Low HA sync activity SNMP trap A new "HA sync activity is low" trap is available that can be used by administrators to monitor the health of the HA cluster. The SNMP trap is sent by the cluster's standby member. To use this trap, create or edit an SNMPv1/v2c/v3 at System > Administration > SNMP and enable the toggle for "HA sync activity is low." FortiAuthenticator 6.0.3 Administration Guide 9 Fortinet Technologies Inc. What's new in FortiAuthenticator Reject usernames containing uppercase letters FortiAuthenticator includes the option to reject usernames that contain uppercase letters when using RADIUS authentication. When the option is enabled, RADIUS authentication automatically fails when the username contains an uppercase
Recommended publications
  • Raw Slides (Pdf)

    Raw Slides (Pdf)

    2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 −
  • The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis

    The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis

    THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS WHITE PAPER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 03 MOTIVATING USE CASE: TRIPIT 05 TERMINOLOGY 06 INTRODUCTION 07 THE OAUTH 2.0 MODEL 07 OAUTH 2.0 OVERVIEW USING A TOKEN TOKEN TYPE 09 RELATIONSHIP TO OTHER STANDARDS 11 USE CASES TRIPIT REVISITED TOKEN EXCHANGE MOBILE WORKFORCE 13 RECENT DEVELOPMENT 14 SUMMARY 2 WHITE PAPER ESSENTIAL OAUTH PRIMER EXECUTIVE OVERVIEW A key technical underpinning of the cloud and the Internet of Things are Application Programming Interfaces (APIs). APIs provide consistent methods for outside entities such as web services, clients and desktop applications to interface with services in the cloud. More and more, cloud data will move through APIs, but the security and scalability of APIs are currently threatened by a problem call the password anti-pattern. This is the need for API clients to collect and replay the password for a user at an API in order to access information on behalf of that user via that API. OAuth 2.0 defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients attempting to communicate with cloud APIs. MOTIVATING USE CASE: TRIPIT Like many applications today, TripIt (http://tripit.com) is a cloud-based service. It’s a travel planning application that allows its users to track things like flights, car rentals, and hotel stays. Users email their travel itineraries to TripIt, which then builds a coordinated view of the users’ upcoming trips (as well as those of their TripIt friends—the inevitable social aspect).
  • LDAP Authentication for IBM DS8000 Systems Updated for DS8000 Release 9.1

    LDAP Authentication for IBM DS8000 Systems Updated for DS8000 Release 9.1

    Front cover LDAP Authentication for IBM DS8000 Systems Updated for DS8000 Release 9.1 Bjoern Wesselbaum Claudio Di Celio Bert Dufrasne Connie Riggins Robert Tondini Alex Warmuth Redpaper IBM Redbooks LDAP Authentication for IBM DS8000 Systems March 2021 REDP-5460-01 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. Second Edition (March 2021) This edition applies to IBM DS8900F storage systems that are available with IBM DS8000 Licensed Machine Code (LMC) 7.9.10 (bundle version 89.10.xx.x), referred to as Release 9.1 or later. © Copyright International Business Machines Corporation 2018, 2021. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix Authors. ix Now you can become a published author, too! . .x Comments welcome. .x Stay connected to IBM Redbooks . xi Chapter 1. IBM DS8000 user authentication. 1 1.1 Introduction to the DS8000 user authentication . 2 1.2 Storage Authentication Service by using CSM as an LDAP proxy . 2 1.3 Remote authentication by using the native implementation . 4 1.4 Benefits of using remote authentication for a DS8000 system . 5 1.5 Determining the remote authentication solution . 5 Chapter 2. Lightweight Directory Access Protocol for IBM DS8000 administrators . 7 2.1 Directory services and LDAP . 8 2.2 Basic LDAP and directory services terms explained. 9 2.2.1 Directory entry. 9 2.2.2 Groups . 10 Nested groups . 12 2.2.3 The directory structure .
  • OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol

    OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol

    OK: OAuth 2.0 interface for the Kerberos V5 Authentication Protocol James Max Kanter Bennett Cyphers Bruno Faviero John Peebles [email protected] [email protected] [email protected] [email protected] 1. Problem Kerberos is a powerful, convenient framework for user authentication and authorization. Within MIT, Kerberos is used with many online institute services to verify users as part of Project Athena. However, it can be difficult for developers unfamiliar with Kerberos development to take advantage of its resources for use in third-party apps. OAuth 2.0 is an open source protocol used across the web for secure delegated access to resources on a server. Designed to be developer-friendly, OAuth is the de facto standard for authenticating users across sites, and is used by services including Google, Facebook, and Twitter. Our goal with OK Server is to provide an easy way for developers to access third-party services using Kerberos via OAuth. The benefits of this are twofold: developers can rely on an external service for user identification and verification, and users only have to trust a single centralized server with their credentials. Additionally, developers can request access to a subset of Kerberos services on behalf of a user. 2. Implementation overview Our system is composed of two main components: a server (the Kerberos client) to retrieve and process tickets from the MIT KDC, and an OAuth interface (the OAuth server) to interact with a client app (the app) wishing to make use of Kerberos authentication. When using our system, a client application uses the OAuth protocol to get Kerberos service tickets for a particular user.
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access

    Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access

    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns

    Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns

    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
  • Cloudvision As-A-Service (Cvaas) Quick Start Guide

    Cloudvision As-A-Service (Cvaas) Quick Start Guide

    CloudVision as-a-Service (CVaaS) Quick Start Guide Arista Networks www.arista.com September 2021 Headquarters Support Sales 5453 Great America Parkway +1 408 547-5502 +1 408 547-5501 Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000 USA [email protected] [email protected] +1 408 547-5500 www.arista.com © Copyright 2021 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network’s Term of Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other parties is for informational purposes only. ii Contents Contents 1 CloudVision as-a-Service....................................................................1 1.1 Onboarding at a Glance.........................................................................................................1 1.2 User Onboarding Prerequisites.............................................................................................. 3 1.2.1 Invitation URL........................................................................................................... 3 1.2.2 Authentication Details............................................................................................... 3 1.3 User Onboarding Workflow.................................................................................................... 4 1.3.1
  • Single Sign-On the Way It Should Be

    Single Sign-On the Way It Should Be

    Single sign-on the way it should be 6 ways Citrix Workspace delivers seamless access to all apps while improving security and the user experience Contents Single sign-on (SSO) solutions .......................................................................3 Secure access to everything ...........................................................................5 Granular controls for SaaS apps and the web ...........................................6 Control over your user identity ......................................................................7 Security beyond user names and passwords ............................................8 Seamless integration with your existing environment ..........................9 Resolving issues faster with end-to-end visibility ............................... 10 ↑ Back← Pg. to 2 contents | Pg. 4 → Citrix.com 2 Single sign-on (SSO) solutions were designed to make life easier for employees and IT. They’re meant to reduce the cost of management and provide better security, all while delivering an improved user experience. However, many solutions fall short, covering only one type or a subset of application types. This forces you to implement several access solutions from different vendors to cover your entire application landscape — negating the productivity and user experience benefits you hoped for. The complexity this type of implementation creates also runs counter to the Zero Trust initiatives that many organizations are undertaking Citrix Workspace helps you unify all apps and data across your distributed IT architecture to provide single sign-on to all the applications and data people need to be productive. Working with your existing infrastructure, Citrix Access Control consolidates multiple remote access solutions, like traditional VPNs or SSO solutions, simplifying management for IT and providing unified access for employees. ↑ Back to contents ← Pg. 2 | Pg. 4 → 3 Citrix.com | e-book | Choosing a Single Sign-On Solution ↓ 6 benefits of the Citrix Workspace SSO solution ↑ ← Pg.
  • Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect

    Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect

    Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, OAuth and OpenID Connect Nitin Naik and Paul Jenkins Defence School of Communications and Information Systems Ministry of Defence, United Kingdom Email: [email protected] and [email protected] Abstract—Access to computer systems and the information this sensitive data over insecure channels poses a significant held on them, be it commercially or personally sensitive, is security and privacy risk. This risk can be mitigated by using naturally, strictly controlled by both legal and technical security the Federated Identity Management (FIdM) standard adopted measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT in the cloud environment. Federated identity links and employs infrastructure to perform official, financial or sensitive operations users’ digital identities across several identity management within organisations. However, transmitting and sharing this systems [1], [2]. FIdM defines a unified set of policies and sensitive information with other organisations over insecure procedures allowing identity management information to be channels always poses a significant security and privacy risk. An transportable from one security domain to another [3], [4]. example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud Thus, a user accessing data/resources on one secure system environment. The FIdM standard is used to authenticate and could then access data/resources from another secure system authorize users across multiple organisations to obtain access without both systems needing individual identities for the to their networks and resources without transmitting sensitive single user.
  • Introduc^On to Oauth

    Introduc^On to Oauth

    Introduc)on to OAuth 2.0 Jus)n Richer ©2016 Bespoke Engineering LLC Bespoke Engineering 1 APIs are meant to be used • Much of my data and the func)onality of my life is available through APIs today • I want to have applicaons access my APIs • I don’t want the applicaons to have to impersonate me ©2016 Bespoke Engineering LLC • I don’t want to share my keys with everyone 2 A valet key for APIs • A valet key gives someone else limited access to a car • What if we could do that for web APIs? ©2016 Bespoke Engineering LLC 3 OAUTH 2.0 ©2016 Bespoke Engineering LLC 4 From the spec (RFC6749) The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its ©2016 Bespoke Engineering LLC own behalf. 5 The good bits The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its ©2016 Bespoke Engineering LLC own behalf. 6 In other words OAuth 2.0 is a delegation protocol that lets people allow applications to access things (like APIs) on their behalf. ©2016 Bespoke Engineering LLC 7 Who is involved? Resource Authorization Owner Server ©2016 Bespoke Engineering LLC
  • Recent Evolutions in the Oauth 2.0 and Openid Connect Landscape

    Recent Evolutions in the Oauth 2.0 and Openid Connect Landscape

    RECENT EVOLUTIONS IN THE OAUTH 2.0 AND OPENID CONNECT LANDSCAPE DR. PHILIPPE DE RYCK https://Pragmatic Web Security.com DR. PHILIPPE DE RYCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) - Course curator of the SecAppDev course (https://secappdev.org) Pragmatic Web Security High-quality security training for developers and managers Custom courses covering web security, API security, Angular security, … Consulting services on security, Oauth 2.0, OpenID Connect, … @PHILIPPEDERYCK @PhilippeDeRyck HTTPS://PRAGMATICWEBSECURITY.COM2 User authentication Read & write data @PhilippeDeRyck 3 User authentication Read & write data @PhilippeDeRyck 4 User authentication Read & write data @PhilippeDeRyck 5 OpenID Connect User authentication Read & write data OAuth 2.0 @PhilippeDeRyck 6 OpenID Connect User authentication Read & write data Read data OAuth 2.0 OAuth 2.0 @PhilippeDeRyck 7 Results in an identity token and access token User authentication Read & write data Read data Uses an access Uses an access token token @PhilippeDeRyck 8 OAUTH 2.0 AND OPENID CONNECT OpenID Connect provides user authentication OAuth 2.0 allows a client to access resources on behalf of the user Modern applications use a combination of both protocols @PhilippeDeRyck 9 THE OIDC HYBRID FLOW 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Authorization code 10 11 Access token / refresh token Redirect for with client credentials authentication 2 Redirect with 7 authorization
  • Fortiauthenticator - Administration Guide VERSION 5.3.1 FORTINET DOCUMENT LIBRARY

    Fortiauthenticator - Administration Guide VERSION 5.3.1 FORTINET DOCUMENT LIBRARY

    FortiAuthenticator - Administration Guide VERSION 5.3.1 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET KNOWLEDGE BASE http://kb.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ FORTINET COOKBOOK http://cookbook.fortinet.com FORTINET TRAINING AND CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com/ FORTIGUARD CENTER https://fortiguard.com FORTICAST http://forticast.fortinet.com END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf June 5, 2018 FortiAuthenticator - Administration Guide 23-531-493255-20180605 TABLE OF CONTENTS Change log 8 What's new in FortiAuthenticator 5.3.1 9 What's new in FortiAuthenticator 5.3 9 Introduction 17 Before you begin 18 How this guide is organized 19 Registering your Fortinet product 19 Setup 20 Initial setup 20 FortiAuthenticator VM setup 20 Administrative access 21 Adding FortiAuthenticator to your network 22 Maintenance 23 Backing up the configuration 23 Upgrading the firmware 24 Licensing 24 CLI commands 24 Standardized CLI 27 Troubleshooting 27 FortiAuthenticator settings 28 FortiGate settings 28 System 29 Dashboard 29 Customizing the dashboard 30 System information widget 31 System resources widget 35 Authentication activity widget 35 User inventory widget 35 License information widget 35 Top user lockouts widget 35 Network 36