We are an MSP with around 120 different managed FortiGates. If we want to quickly troubleshoot something on a client's network remotely, we make a VPN connection using a custom local user that is a member of a userVPN group.
We are starting to implement SAML SSO via Azure for our managed devices so that our users' VPN connections are secured by their MFA as well. Now we want to extend this security feature to our own technicians. So our goal is either to have one authenticator for that single local VPN user which all of the technicians can share (not sure if this is even possible), or to find a way for our technicians to log in with their own M365 accounts (protected by MFA) on every firewall, without the need for extra MFA accounts in our authenticator app.
Will this work by inviting ourselves as guest users in the customer's tenant and adding those accounts to the SAML group?
Other suggestions or techniques for adding a protected SSL VPN user account that can be accessed by multiple people are more than welcome. Could this be done with, for example, a FortiToken or FortiAuthenticator solution?
With SAML, the 2FA is completely under control of the IdP. The FortiGate takes no part in it, to such a degree that the FortiGate doesn't even know if 2FA was performed during login or not. So from the FortiGate's point of view the answer to "can multiple users use a single token?" is: "depends on the IdP".
Generic TOTP/HOTP 2FA with mobile apps is typically activated by scanning/entering the seed (+some additional info), often in the form of a QR code. There's typically nothing stopping you from "activating" this token on multiple mobile devices, so sharing a token should not be a problem. (again to highlight: speaking in generic terms; vendor specific ways of activation can and will have vendor-specific limitations)
With regards to FortiTokens, sharing a single token is mostly unrealistic.
Mobile FortiTokens allow only a single activation, after which the activation code becomes nonfunctional (one of its advertised security features) and further attempts to activate will fail.
Hardware tokens can be shared physically (d'uh), but this is only feasible if all relevant users are together in one location.
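As an added illustration of the generic TOTP point in the answer above (example code written for this page, not from the thread or from Fortinet): every device that scans the same enrolment QR code ends up with the same seed, so they all compute the same code for the same 30-second step, and the verifier cannot tell the devices (or technicians) apart. The otpauth URI is constructed and its secret is the RFC 6238 Appendix B test seed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

# Constructed enrolment URI, as an authenticator app would receive it from a QR code.
# The secret is the RFC 6238 Appendix B test seed ("12345678901234567890" in base32).
ENROL_URI = "otpauth://totp/Example:vpn-shared?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"


def seed_from_uri(otpauth_uri: str) -> bytes:
    """Pull the base32 'secret' parameter out of an otpauth:// URI and decode it."""
    secret = parse_qs(otpauth_uri.split("?", 1)[1])["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that QR payloads usually omit
    return base64.b32decode(secret)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier-side check: accept the current step and +/- `window` neighbours for clock skew."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def shared_devices_agree(otpauth_uri: str, unix_time: int) -> bool:
    """Two phones that scanned the same QR code hold the same seed, so they show the same code."""
    phone_a = seed_from_uri(otpauth_uri)
    phone_b = seed_from_uri(otpauth_uri)
    return totp(phone_a, unix_time) == totp(phone_b, unix_time)


if __name__ == "__main__":
    seed = seed_from_uri(ENROL_URI)
    print("code at t=59:", totp(seed, 59))  # 287082 (RFC 6238 gives 94287082 for 8 digits)
    print("two enrolments agree:", shared_devices_agree(ENROL_URI, 59))
```

Because the verifier only sees the code, a FortiGate authenticating a shared local user logs one identity no matter which technician's phone produced it; per-person SAML accounts are what restore an audit trail.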