FortiGate
JNDias
Staff
Article Id 335560
Description

This article describes the use of email tokens, which are commonly adopted as a first step toward stronger security for remote VPN or administrative access on FortiGate devices, as detailed in Technical Tip: Importing LDAP user and applying two factor email Token and Technical Tip: Email Two-Factor Authentication on FortiGate.

A common challenge in large deployments is how to automatically import and manage LDAP users on FortiGate.

Scope

FortiGate, remote user access.

Solution

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) should be a requirement in any deployment, and stronger, more secure methods should be preferred whenever possible.

Preferable methods:

  • FortiToken: Provides robust security.
  • Certificate authentication: Ensures secure user verification.
  • SAML (Security Assertion Markup Language): Uses an external provider for authentication, offloading 2FA/MFA management to the IDP.

Less preferable methods:

  • SMS: Normally requires a license or paid credits, and is commonly considered insecure for critical deployments.
  • Email: Functional, but less secure than the other methods.

On FortiGate devices, each user must be manually mapped to an email address to retrieve the email token, as group-based automation for this process is currently unsupported. This manual mapping requirement can significantly increase administrative overhead in large deployments, where automating configurations is crucial for efficiency and scalability.

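To make the per-user mapping concrete, the following is an added example (not Fortinet's code) that turns an already exported LDAP user list into the per-user FortiGate CLI stanzas an administrator would otherwise type by hand, rejecting records with no mailbox, duplicate accounts and unsafe usernames so nobody ends up without a second factor unnoticed. It relies on the FortiOS `config user local` keys `set type ldap`, `set ldap-server`, `set two-factor email` and `set email-to`; the sample records, the `LDAP-SERVER-NAME` placeholder and the 35-character username limit are assumptions, not values from the page.

```python
import re

# Constructed sample standing in for an LDAP export of sAMAccountName/mail.
SAMPLE_LDAP_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com"},
    {"sAMAccountName": "bob", "mail": ""},                     # no mailbox
    {"sAMAccountName": "carol", "mail": "carol@example.com"},
    {"sAMAccountName": "alice", "mail": "alice@example.com"},  # duplicate
    {"sAMAccountName": "dave; set", "mail": "dave@example.com"},  # unsafe name
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Assumed conservative username charset and length, not a documented FortiOS limit.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,35}$")


def select_users(records):
    """Return (accepted, rejected): accepted is [(user, mail)] deduped
    case-insensitively; rejected is [(user, reason)] for admin review."""
    seen, accepted, rejected = set(), [], []
    for rec in records:
        name = (rec.get("sAMAccountName") or "").strip()
        mail = (rec.get("mail") or "").strip()
        if not NAME_RE.match(name):
            rejected.append((name, "invalid username"))
        elif not EMAIL_RE.match(mail):
            rejected.append((name, "missing or invalid mail"))
        elif name.lower() in seen:
            rejected.append((name, "duplicate"))
        else:
            seen.add(name.lower())
            accepted.append((name, mail))
    return accepted, rejected


def render_cli(accepted, ldap_server):
    """Emit one 'config user local' stanza per user with email 2FA enabled."""
    lines = ["config user local"]
    for name, mail in accepted:
        lines += [
            f'    edit "{name}"',
            "        set type ldap",
            f'        set ldap-server "{ldap_server}"',
            "        set two-factor email",
            f'        set email-to "{mail}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)
```

Run `select_users` on the export, review the rejected list, then paste the output of `render_cli(accepted, "<your LDAP server object name>")` into the FortiGate CLI; re-running it after each directory change is the repeatable substitute for the group-based automation the device lacks.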
Options to Escalate and Automate Deployment:

  1. FortiAuthenticator: As an Identity and Access Management (IAM) solution, it can use Synchronization Attributes to map 2FA to users. It also integrates with both Fortinet and non-Fortinet products, supporting Single Sign-On (SSO) across multiple devices.

  2. External Identity Provider (IDP) via SAML:

  • Incorporating SAML with an external IDP not only centralizes the management of 2FA/MFA but also significantly enhances security and operational efficiency. By delegating authentication to a trusted IDP, organizations reduce their exposure to security risks associated with in-house data storage and management. Additionally, SAML streamlines the login processes, reducing password fatigue and minimizing the chances of phishing attacks, as fewer passwords are required. This single sign-on (SSO) capability ensures a smoother user experience across multiple services and platforms, substantially easing administrative burdens.
  • FortiAuthenticator can also serve as the IDP; refer to the FAC SAML IdP documentation.
  • Examples of external identity providers include Azure, Google, Okta, JumpCloud, etc.
  • Refer to the article FortiGate SAML authentication resource list.