Admin Guide

One Token shared by different auth clients

You can share the same token used by one end-user across different auth clients. A single end-user is identified either by the same user name on different auth clients within the same realm, or by the same email address on different auth clients. If multi-realm mode is enabled, a newly registered auth client is assigned to a new realm; if multi-realm mode is disabled, a newly registered auth client is assigned only to the “default” realm.

For example, if you have a user named “user1” with FTC MFA on a FortiGate (FGT) and you create a user with the same name “user1” with FTC MFA on a FortiAuthenticator (FAC), “user1” can share the first token without a new token being allocated for “user1” on the FAC, provided the auth clients for the FGT and the FAC are under the same realm on FTC. Having the same user name is the default condition for sharing a token between different auth clients on FTC. The same email address can also be configured on FTC as the condition for token sharing.

This use case also applies when you keep the same auth device but its serial number changes. If multiple users have FTC MFA on one auth client and the auth client serial number changes for any reason, the users can be synced to FTC under the new serial number in the same realm as the auth client with the previous serial number. All users then keep their existing token without going through the re-activation process.

Note

If you are adding a new FortiGate and the new FortiGate’s auth client(s) do not show up on FTC, running the exec fortitoken-cloud update command in the CLI on the new FortiGate may help.

  1. Create a user “user1” in the auth client “client1”, which is assigned under the realm “realm1”. For more information on creating a user under an auth client for FTC, refer to https://docs.fortinet.com/document/fortitoken-cloud/latest/admin-guide/367002/add-a-local-user-for-ftc-service.

  2. Activate the token in FortiToken Mobile.

  3. Create a user with the same username “user1” in another auth client “client2”, which is also assigned under the same realm “realm1”. Note that if you assign the token on the FortiGate, a warning message may state that you do not have enough resources to add the new user. This warning does not apply in this case; you should still click “OK” after editing the user.

  4. The activated token is also assigned to the newly created user in “client2”, and that user can then log in with MFA.

Once you have completed the steps above, the auth client count shown for the user should be greater than 1.

If you click the number, you can see the details of the auth clients the user belongs to.
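The following Python model is an added example that is not part of this guide or of FortiToken Cloud's own code. It encodes the token-sharing rule described above (same user name in the same realm, or same email address, across different auth clients; new auth clients placed in a new realm or in “default” depending on multi-realm mode) and the serial-number-change case, so an administrator can reason about which users will end up sharing a token before syncing. All user, realm, client and token identifiers are constructed sample values.

```python
"""Model of the FTC token-sharing rule from this page (illustrative, not FTC code)."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class FtcUser:
    realm: str
    auth_client: str          # e.g. "client1", or a device serial number
    username: str
    email: Optional[str]
    token_id: Optional[str]   # None until a token has been assigned


def realm_for_new_client(multi_realm_enabled: bool, new_realm_name: str) -> str:
    """A newly registered auth client lands in its own realm when multi-realm
    mode is enabled, otherwise only in the "default" realm."""
    return new_realm_name if multi_realm_enabled else "default"


def shareable_token(existing: List[FtcUser], new_user: FtcUser) -> Optional[str]:
    """Return the token_id the new user may reuse, or None if FTC would have to
    allocate a new token. Same username within the same realm is the default
    condition; a matching email address on another auth client also qualifies."""
    for u in existing:
        if u.token_id is None or u.auth_client == new_user.auth_client:
            continue  # nothing to share, or same auth client (not a sharing case)
        same_name_same_realm = (u.username == new_user.username
                                and u.realm == new_user.realm)
        same_email = bool(new_user.email) and u.email == new_user.email
        if same_name_same_realm or same_email:
            return u.token_id
    return None


def resync_after_serial_change(existing: List[FtcUser],
                               old_client: str, new_client: str) -> List[FtcUser]:
    """Auth client serial number changed: users synced under the new serial in
    the same realm keep their existing token, so no re-activation is needed."""
    return [replace(u, auth_client=new_client) if u.auth_client == old_client else u
            for u in existing]


# Constructed sample state: two users activated on "client1" in "realm1".
EXISTING = [
    FtcUser("realm1", "client1", "user1", "user1@example.com", "FTK-0001"),
    FtcUser("realm1", "client1", "user2", "user2@example.com", "FTK-0002"),
]
```

Calling `shareable_token(EXISTING, FtcUser("realm1", "client2", "user1", None, None))` reproduces the four-step walkthrough above and returns the first user's token, while the same name on an auth client in a different realm returns None.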
