Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Use MFA with a shared SSLVPN account

Hello there,


We are an MSP with around 120 different managed FortiGates. If we want to quickly troubleshoot something on a client's network remotely, we would make a VPN connection using a custom local user that is joined in a userVPN group.


We are starting to implement SAML SSO via Azure for our managed devices so our users' VPN connections are secured by their MFA as well. Now we want to extend this security feature to our own technicians. So our goal is to either have an authenticator for that one local VPN user which all of the technicians can share (not sure if this is even possible), or find a way for our technicians to log in with their own M365 accounts (protected by MFA) on every firewall, without the need for extra MFA accounts in our authenticator app.


Will this work by inviting ourselves as guest users in the customer's tenant and adding those accounts to the SAML group? 


Other suggestions or techniques to add a protected SSLVPN user account that can be accessed by multiple people are more than welcome. Could this be done by for example a FortiToken or FortiAuthenticator solution?


Thanks in advance for your reply.


With SAML, the 2FA is completely under control of the IdP. The FortiGate takes no part in it, to such a degree that the FortiGate doesn't even know if 2FA was performed during login or not. So from the FortiGate's point of view the answer to "can multiple users use a single token?" is: "depends on the IdP".


Generic TOTP/HOTP 2FA with mobile apps is typically activated by scanning/entering the seed (plus some additional info), often in the form of a QR code. There's typically nothing stopping you from "activating" this token on multiple mobile devices, so sharing a token should not be a problem. (Again, to highlight: speaking in generic terms; vendor-specific ways of activation can and will have vendor-specific limitations.)


With regards to FortiTokens, sharing a single token is mostly unrealistic.

Mobile FortiTokens allow only a single activation, after which the activation code becomes nonfunctional (one of its advertised security features) and further attempts to activate will fail.

Hardware tokens can be shared physically (d'uh), but this is only feasible if all relevant users are together in one location.

[ corrections always welcome ]

There might be another solution, IF the technicians in question share an email alias, or one could be set up:

- The FortiGate(s) can be configured to send a token code via email

- The existing local user on each FGT could be set up with the email alias

- Whenever anyone tries to log in with that local user, a token code would be sent to the email alias

- The user in question could then provide the code and log in


This would be completely outside of SAML authentication; if the goal is to enforce SAML authentication everywhere, then this is not really a solution.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
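The email-token setup described in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration from the original post or from Fortinet; the SMTP host, the sender mailbox, the local user name "msp-support", the alias "msp-techs@example.com" and the group name are placeholders, and the passwords are left as dummy values to be replaced.

```text
# Outbound mail: the FortiGate needs an SMTP relay it can reach.
# Hostname and credentials are assumptions for this example.
config system email-server
    set type custom
    set server "smtp.example.com"
    set port 587
    set security starttls
    set authenticate enable
    set username "fgt-alerts@example.com"
    set password "REPLACE-ME"
end

# Optional: how long a mailed code stays valid (seconds, default 60).
config system global
    set two-factor-email-expiry 120
end

# The shared local technician account, with email as the second factor.
# "email-to" is the alias that every technician can read.
config user local
    edit "msp-support"
        set type password
        set passwd "REPLACE-ME"
        set two-factor email
        set email-to "msp-techs@example.com"
    next
end

# The account stays in the SSL VPN group already used in the portal mapping.
config user group
    edit "userVPN"
        set member "msp-support"
    next
end
```

After applying this, a login with "msp-support" from the SSL VPN client prompts for the code mailed to the alias; the second factor is therefore only as strong as access to that mailbox, so the alias should itself sit behind the MFA-protected M365 accounts the post mentions. Because the FortiGate must deliver the mail itself, each managed unit needs a route and a working SMTP relay; a login that never receives a code usually means the mail step failed, not the user configuration.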