2FA in FortiPortal example
To enable 2FA for a user:
- Go to System > Settings > Authentication, and enable two-factor authentication.
Two-factor authentication can be enabled for a local or a remote user.
Email information is mandatory for 2FA users.
It is recommended that 2FA users use email as the username.
If the username is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification.
- Ensure that two-factor authentication is enabled when creating or editing an admin in System > Admins.
For organizational users, you can enable two-factor authentication when creating a new user or editing an existing user for the organization.
- Log in to FortiPortal as the admin or user with two-factor authentication enabled.
The Activation Code window appears and an activation email is sent to the user.
- Click Confirm.
- In the Enter your Token Code window, enter the token code from the email and click Submit to log in to FortiPortal.
Alternatively, scan the QR code image in the activation email with the FortiToken mobile application to activate it. Click Submit to log in to FortiPortal.
SSO 2FA users
If the email cannot be used as the username:
- In the SAML server, a user-defined SAML email attribute can be used to set the user email.
- In FortiPortal, the name of the user-defined email attribute needs to be configured in Email Attribute. See Authentication.
RADIUS 2FA users
The Fortinet-Access-Profile attribute can be used to set the email if the email cannot be used as the username in the RADIUS server.
FortiAuthenticator users
In FortiAuthenticator, if the email cannot be used as the username, you can set the email in the User Information pane when creating or editing a user in Authentication > User Management > Local Users or Authentication > User Management > Remote Users.