Admin Guide

One Token shared by different applications

You can share the same token used by one end-user across different applications. FortiToken Cloud (FTC) treats accounts on different applications as the same end-user when they have the same user name and the applications are in the same realm, or when they have the same email address on the different applications. Realm placement therefore matters: if multi-realm mode is enabled, a newly registered application is assigned to a new realm of its own; if multi-realm mode is disabled, a newly registered application is assigned only to the “default” realm. For user-name based sharing, both applications must end up in the same realm.

For example, if a user named “user1” already has FTC MFA on a FortiGate (FGT) and you create a user also named “user1” with FTC MFA on a FortiAuthenticator (FAC), “user1” on the FAC can use the first token without a new token being allocated, provided the FGT and FAC applications are under the same realm on FTC. A matching user name is the default condition for sharing a token between applications on FTC; a matching email address can also be configured on FTC as the sharing condition.

This use case also applies when the authentication device stays the same but its serial number changes. If an application has multiple users with FTC MFA and the application’s serial number changes for any reason, the users can be synced to FTC under the new serial number in the same realm as the application with the previous serial number. All users then keep their existing tokens without going through re-activation.

Note

If you are adding a new FortiGate and its application(s) do not show up on FTC, running the exec fortitoken-cloud update command in the CLI on the new FortiGate may help.

  1. Create a user “user1” in the application “client1”, which is assigned under the realm “realm1”. For more information on creating a user under an application for FTC, refer to https://docs.fortinet.com/document/fortitoken-cloud/latest/admin-guide/367002/add-a-local-user-for-ftc-service.

  2. Activate the token in the FortiToken Mobile.

  3. Create a user with the same user name “user1” in another application “client2”, which is also assigned under the same realm “realm1”. Note that if you assign the token on the FortiGate, a warning may appear saying that you do not have enough resources to add the new user. The warning is spurious in this case, because no new token is consumed for a shared user; click “OK” after editing the user.

  4. The activated token is also assigned to the newly created user in “client2”, who can now log in with MFA.

Once you have completed the steps above, the application count shown for the user on FTC should be greater than 1.

Clicking that number opens the details for the user, listing each application the user belongs to.
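The following FortiOS CLI fragment is an added illustration of steps 1 and 3 for the case where both applications are FortiGates; it is not taken from the original guide. It assumes two FortiGates registered to FTC in the same realm (“client1” and “client2” in the steps above), a placeholder password, and an example email address; the command syntax is from FortiOS 7.x and should be checked against your own version.

```fortios
# --- On the first FortiGate (FTC application "client1", realm "realm1") ---
# Create the local user and request FTC MFA for it. On save, FTC allocates
# a token for "user1"; the end-user then activates it in FortiToken Mobile.
config user local
    edit "user1"
        set type password
        set passwd "ChangeMe-Placeholder"       # placeholder, replace before use
        set two-factor fortitoken-cloud
        set email-to "user1@example.com"         # example address; needed if you share by email instead of user name
    next
end

# --- On the second FortiGate (FTC application "client2", same realm "realm1") ---
# Identical user name, same MFA setting. Because both applications are in
# realm1, FTC maps this account to the existing "user1" and re-uses the
# already-activated token instead of allocating a new one. If the GUI warns
# about insufficient resources here, the warning is spurious for a shared user.
config user local
    edit "user1"
        set type password
        set passwd "ChangeMe-Placeholder"       # placeholder, replace before use
        set two-factor fortitoken-cloud
        set email-to "user1@example.com"
    next
end

# If the second FortiGate's application does not appear on FTC after
# registration, push an update from that FortiGate (this is the command
# named in the note above):
execute fortitoken-cloud update
```

After both configurations are saved, check the user on the FTC portal: the application count for “user1” should be 2, and the end-user should be able to authenticate to either FortiGate with the single token already installed in FortiToken Mobile. If the second FortiGate had landed in a different realm (as happens by default with multi-realm mode enabled), FTC would treat the second “user1” as a different end-user and allocate a separate token.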
