Enabling NTLM authentication in this FortiAuthenticator SSO configuration ensures that user authentication requests are validated against the specified domain, preventing users from authenticating to an unauthorized Active Directory server.

Revoked certificates are automatically added to the CRL by FortiAuthenticator.

CRLs list the serial numbers of certificates that have been revoked, allowing clients to identify and reject them.

The log message indicates that FortiAuthenticator cannot find the user during RADIUS authentication, even though the user exists in the system. This typically happens when RADIUS authentication is not enabled for that user account, preventing FortiAuthenticator from using it for RADIUS login requests.

Realms in FortiAuthenticator allow mapping of authentication requests to different back-end databases within a single RADIUS policy, enabling user authentication across multiple directories or identity sources.

The recommended method to migrate a large local user database to a new FortiAuthenticator is to export the users from the current device into a CSV file and then import that CSV file into the new FortiAuthenticator.

Enabling Adaptive Authentication in the portal policy allows FortiAuthenticator to apply contextual rules, such as bypassing two-factor authentication when users connect from specific secured networks.

FortiAuthenticator functions as an identity management device, handling user authentication and authorization.

It provides portal services for user self-registration, guest management, and authentication portals.

It acts as a certificate authority, issuing and managing digital certificates for secure authentication.

In SP-initiated SSO, the principal (user) first attempts to access the service provider. The service provider redirects the principal to the identity provider for authentication, and upon successful authentication, the identity provider redirects the principal back to the service provider with the SAML assertion.

The FortiClient SSO Mobility Agent runs on the endpoint and communicates login and logoff events directly to FortiAuthenticator, allowing transparent detection of logged-off users without relying on external mechanisms like WMI polling.