Two-factor authentication in FortiPortal example
2FA authentication depends on proper configuration of an SMTP server. See Email. |
To enable 2FA for a user:
-
Go to System > Settings > Authentication and enable two-factor authentication.
Two-factor authentication can be enabled for a local or a remote user.
Email information is mandatory for 2FA users.
If the username is the email and no Tenant Identification Attribute is set, the domain part of the email will be used for tenant identification.
-
Ensure that two-factor authentication is enabled when creating or editing an admin in System > Admins.
For organizational users, you can enable two-factor authentication when creating a new user or editing an existing user for the organization.
-
Log in to FortiPortal as the user with two-factor authentication enabled.
The Activation Code window appears and an activation email is sent to the user.
- Click Confirm.
- In the Enter your Token Code window, enter token code from the email and click Submit to log in to FortiPortal.
Alternatively, scan the QR code image in the activation email with the FortiToken mobile application to activate it. Click Submit to log in to FortiPortal.
SSO users
If the email cannot be used as the username:
-
On the SAML server, a SAML user-defined email attribute can be used to set the user's email.
-
In FortiPortal, a user-defined email attribute name needs to be configured in Email Attribute. See Authentication.
RADIUS users
Fortinet-Access-Profile
attribute can be used to set the email if the email cannot be used as the username on the RADIUS server.
FortiAuthenticator users
In FortiAuthenticator, if email cannot be used as the username, you can set the email in the User Information pane when creating or editing a user in Authentication > User Management > Local Users or Authentication > User Management > Remote Users.
OAuth users
If the email cannot be used as the username, specify the field in the OAuth2 response that contains the email in User ID Attribute.