Tuesday, May 9, 2017

Securing FortiMail User Mailbox Access with MFA + SSO by using AuthAnvil

In this blog I will demo how simple the process is for securing FortiMail access. This was done for an appliance running in "server mode", where the user mailboxes are hosted locally on the mail appliance.

AuthAnvil handles the MFA and SSO functions.
The AuthAnvil SSO plugin has been installed as a Chrome extension.
The Authy extension has also been installed, if you decide to use an OTP with manual input.
The AuthAnvil Mobile Android app can be used as an alternative for push notification or OTP.

This blog assumes you are familiar with the typical MFA user enrollment process; I will not detail that process here, since it mimics most other MFA platforms.

The 1st step is to authenticate to the AuthAnvil portal as an administrator and create a user group that will be bound to the app we are securing with MFA + SSO.

In my case I have two groups of users, OWA and FML. My users are members of either group and will be authenticated via MFA and SSO for the FortiMail mailbox.

Next we create a custom app. My app is named "FML", but you can name yours however suits your needs.

The identity needs to be set and configured in the application. Take note of the arrows.

Now an attribute needs to be set. In this case we are using User.EmailAddress for the SSO credentials, i.e. the user's email address is what gets passed as the FortiMail login name.


And don't forget to bind your groups to the app. This binding is what places the application on the launchpad for that user.

The final application looks like this, with my default policy.

Now whenever a mail user who is part of the group logs in to the AuthAnvil portal, he or she authenticates with the 1st and 2nd factor and is then carried via SSO directly to the FortiMail user mailbox.

After MFA, the user only needs to launch the FortiMail app to log in to FortiMail.

AuthAnvil will carry the credentials for SSO into FortiMail if everything succeeds.

If SSO fails, the user must go through the normal login process for the FortiMail email account. Note what this fallback implies: the FortiMail login page itself still accepts the mailbox password directly, so the MFA gate lives in the AuthAnvil portal in front of FortiMail, not in FortiMail.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \

