pro79
New Member
February 25, 2026
Question

Complex login forms/chained auth - FortiADC vs. BIG-IP APM


Hi there,

Due to crazy pricing in subscription models and such we're considering FortiADC as a possible replacement for our F5 BIG-IP 2-node cluster.

I have FortiADC v7.4.4 running in an eve-ng lab and some questions arose.

We have BIG-IP LTM & APM but we do nothing with App Portals, we just use 1:1 mappings (almost) with a portal front with complex logic.

So something I would need, and I do not know if FortiADC can do that, or if things would have to be designed differently: On BIG-IP I have an Access Profile, an equivalent I assume to HTML Forms, where I have a form with CAPTCHA, user name and password, which then goes to AD/LDAP, then a second dialog for internal MFA authenticating over RADIUS, and then it saves the successful auth state as a user session variable, which is then used in a script for Remote Desktop Gateway clearance in the background. The BIG-IP then internally transitions to a forwardable Kerberos ticket for the user to access all the published servers as SSO associated with a session cookie in the user's browser.

So I wonder if FortiADC can do something remotely similar to this - chain or combine authentications like an internal MFA (not FortiToken) and traditional AD. There are custom forms in FortiADC but, if I understand correctly, only for branding.

If that's not possible I guess the only alternative would be using our on-premise AD FS in a SAML way where at least those two auths could be combined. Regrettably there is no CAPTCHA protection for on-premise AD FS I know of. Would using the "AD FS Proxy" on FortiADC also fall under the WAF/DoS Protection regime?

Thanks!

Regards, Markus

Jean-Philippe_P
Staff & Editor
March 2, 2026

Hello pro79,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team

Jean-Philippe_P
Staff & Editor
March 3, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team

pro79 (Author)
New Member
March 3, 2026

Thank you very much for your efforts :) (y) Take your time.

Jean-Philippe_P
Staff & Editor
March 4, 2026

Hello again Markus :)

I found this answer; can you tell us if it helps, please?

FortiADC Capabilities for Complex Authentication Scenarios

FortiADC offers several features that can be leveraged for complex authentication scenarios, although it may not directly replicate the exact functionality of F5 BIG-IP APM. Here's a breakdown of what FortiADC can offer:

Authentication Methods

  1. SAML-Based Authentication:

    • FortiADC can act as a SAML 2.0 Service Provider (SP), which allows it to integrate with external Identity Providers (IdPs) like Microsoft Entra ID (formerly Azure AD) or FortiAuthenticator. This setup supports federated authentication and Single Sign-On (SSO).
    • For more details, see Configure an SAML service provider.

  2. AD FS Proxy:

    • FortiADC can function as an AD FS Proxy, acting as a gateway between clients and the internal AD FS infrastructure. This setup is useful for federated authentication scenarios.
    • The AD FS Proxy module ensures compatibility with applications relying on AD FS, including those using WS-Federation and SAML protocols.
    • Note: AD FS Proxy is not currently supported for AAG portal access.

  3. OAuth Proxy: FortiADC supports integration with OAuth 2.0 Authorization Servers, allowing for token-based access control. This can be used for secure client-side authentication and token introspection.

Multi-Factor Authentication (MFA): FortiADC supports MFA for AAG App Portal login when using Local or RADIUS user authentication. However, it does not natively support chaining multiple authentication methods like CAPTCHA, LDAP, and RADIUS in a single flow as described in your scenario.

Custom Forms and Branding: FortiADC allows for custom branding of forms, but it does not support complex logic or chaining of authentication methods within these forms.

Security Features

  • Web Application Firewall (WAF): FortiADC includes a WAF that provides protection against various web threats, including DDoS and other attacks. This can be leveraged to protect the AD FS Proxy setup.

  • DoS Protection: FortiADC offers DoS protection, which can be applied to the AD FS Proxy to enhance security.

Recommendations

Given the complexity of your current setup with F5 BIG-IP APM, you may need to consider redesigning the authentication flow if you switch to FortiADC. Here are some options:

  1. SAML Integration: Use FortiADC's SAML capabilities to integrate with your existing AD FS setup for federated authentication. This can help combine multiple authentication methods at the IdP level.

  2. AD FS Proxy: Utilize FortiADC as an AD FS Proxy to facilitate secure access to internal applications while leveraging its WAF and DoS protection features.

  3. External MFA Solutions: Consider using an external MFA solution that can integrate with FortiADC's supported authentication methods.

Follow-ups and Clarification Questions

  • Current Authentication Flow: Can you provide more details on the specific authentication flow and logic used in your current F5 BIG-IP APM setup?
  • MFA Requirements: What are your specific requirements for MFA, and are there any existing solutions you are using that could be integrated with FortiADC?
  • Security Concerns: Are there specific security concerns or requirements that need to be addressed in the new setup with FortiADC?
Jean-Philippe - Fortinet Community Team

pro79 (Author)
New Member
March 9, 2026

Hi Jean-Philippe,

Thanks for all the info!

To answer your questions:

Current Authentication Flow

The most complex flow for a portal/SSO login mapping several intranet servers using BIG-IP's APM module (Access Policy Manager) goes like this (simplified):

Geolocation Check/Block -> Check for RDP/NTLM

Not RDP/NTLM -> Logon Page w/ user/password/CAPTCHA -> AD Auth -> Check AD groups

If by AD group not exempt from MFA -> Logon Page w/ text field for OTP -> OTP Auth via RADIUS -> BIG-IP-specific finishing steps (credential mapping/resource assign)

Also, a session variable gets set when authentication was successful. This is then checked in another virtual server/rule to allow or deny Remote Desktop Gateway connections (as they are not MFA-friendly due to the NTLM nature of their credentials and yes, our RD deployment is also all on-premise, not cloud).

MFA Requirements

We have an existing on-premise solution we had paid for in the past but are now using its open-source variant. The standardized interface to authenticate against is RADIUS.

There is also a simple HTTP API but this is custom and no industry standard of any kind. Should you wonder, the product is LinOTP. We've issued several hundred TOTP tokens (RFC-conformant phone app like MS Authenticator) so introducing a new token system is not an option.

Security Concerns

Only as far as the current authentication requirements/methods go:

* Prevent "script kiddies"/bots from login attempts with arbitrary credentials to not produce false alarms in SIEM (CAPTCHA aspect)

* Continue combined authentication via AD and on-premise TOTP

* Have a way to set timed session variables on successful auth for lookup/use in another virtual server (Remote Desktop Gateway scenario)

Thanks :)

Regards, Markus

Jean-Philippe_P
Staff & Editor
March 10, 2026

Hello Markus :)

Glad it could help! Here are the answers I found; I hope they will help you further:

Based on your detailed description of the current authentication flow and requirements, here is how FortiADC might be able to address your needs:

Current Authentication Flow

  1. Geolocation Check/Block: FortiADC can perform geolocation-based access control, allowing you to block or allow access based on the geographic location of the request.

  2. Logon Page with User/Password/Captcha: FortiADC supports custom login pages, but its capabilities for integrating CAPTCHA directly into the authentication flow may be limited compared to F5 BIG-IP APM. You might need to implement CAPTCHA at the application level or use an external service.

  3. AD Authentication and Group Check: FortiADC can integrate with Active Directory for authentication and can perform group checks to enforce access policies.

  4. MFA with OTP via RADIUS: FortiADC supports RADIUS for MFA, which should work with your existing LinOTP solution. This allows you to continue using your TOTP tokens without introducing a new token system.

  5. Session Variables for Remote Desktop Gateway: FortiADC does not natively support setting session variables in the same way as F5 BIG-IP APM. You may need to explore alternative methods, such as using cookies or integrating with an external session management system, to achieve similar functionality.

MFA Requirements

  • RADIUS Integration: FortiADC's support for RADIUS should allow seamless integration with your existing LinOTP solution for MFA.

  • TOTP Tokens: Since FortiADC can work with RADIUS, your existing TOTP tokens should remain functional without requiring changes.

Security Concerns

  • Preventing Unauthorized Login Attempts: While FortiADC may not have built-in CAPTCHA support, you can implement rate limiting and IP blocking to mitigate unauthorized login attempts. Additionally, integrating with a third-party CAPTCHA service at the application level could help.

  • Combined Authentication: FortiADC's ability to integrate with both AD and RADIUS should allow you to maintain your current combined authentication approach.

  • Session Management: As mentioned, FortiADC may require alternative methods for session management, such as using cookies or external systems, to replicate the session variable functionality you currently have.

Follow-ups and Clarification Questions

  1. CAPTCHA Integration: Would you be open to using a third-party CAPTCHA service at the application level if FortiADC cannot natively support it?

  2. Session Management: Are you open to exploring external session management solutions or using cookies to replicate the session variable functionality?

  3. Additional Security Features: Are there any other specific security features or requirements you have that were not covered in the current flow?

These considerations should help you evaluate whether FortiADC can meet your needs or if additional solutions are required to fully replicate your current setup.

Jean-Philippe - Fortinet Community Team
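The chained flow Markus lays out above and the cookie-based substitute for the session variable suggested in the last reply, as an added example that is not part of the thread and not FortiADC or BIG-IP code: a Python model of the policy steps that ends by issuing an HMAC-signed, time-limited token, and the check a second virtual server (the RD Gateway rule) would run on it. The secret, blocked country, exempt group and request outcomes are constructed assumptions.

```python
"""Model of the chained login flow from the thread, ending in an HMAC-signed,
time-limited token that stands in for the APM session variable, plus the check
a second virtual server (RD Gateway) would run. Constructed example, not
FortiADC or BIG-IP code; every name and value below is an assumption."""
import base64, hashlib, hmac, json

SECRET = b"constructed-shared-secret"            # assumed shared by both virtual servers
BLOCKED_COUNTRIES = {"XX"}                       # constructed geolocation block list
MFA_EXEMPT_GROUPS = {"svc-no-mfa"}               # constructed AD group name
SESSION_TTL = 300                                # seconds the auth state stays valid
NOW = 1_700_000_000.0                            # fixed clock for reproducible results
SAMPLE_REQ = {"user": "markus", "country": "DE", "captcha_ok": True,   # constructed
              "ad_ok": True, "groups": ["staff"], "otp_ok": True}      # step outcomes

def issue_token(user, now):
    """Sign {user, expiry} so another virtual server can verify it with no shared state."""
    body = base64.urlsafe_b64encode(
        json.dumps({"u": user, "exp": int(now) + SESSION_TTL}).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_token(token, now):
    """Return the user name if the MAC matches and the token is unexpired, else None."""
    body, sep, mac = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        return None                              # missing or tampered MAC
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["u"] if claims["exp"] > now else None

def login_flow(req, now):
    """Walk the form-login path; req carries the outcome of each policy step."""
    if req["country"] in BLOCKED_COUNTRIES:
        return "deny:geo", None
    if not req["captcha_ok"]:
        return "deny:captcha", None              # bots never reach AD, so no SIEM noise
    if not req["ad_ok"]:
        return "deny:ad", None
    if not (set(req["groups"]) & MFA_EXEMPT_GROUPS) and not req["otp_ok"]:
        return "deny:otp", None                  # RADIUS/LinOTP step failed
    return "allow", issue_token(req["user"], now)

def rdg_allowed(token, now):
    """Second virtual server: admit an RD Gateway connection only while the
    web login's auth state is still valid (no session database needed)."""
    return verify_token(token, now) is not None
```

Because the token carries its own expiry and MAC, the RD Gateway rule needs only the shared secret, not access to the login virtual server's state.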