If you’re looking to enable multi-factor authentication on Google’s G Suite without going through a third party, there is a way to do it. However, before walking down this path I must be transparent – this is NOT a supported setup by either vendor.
That said, there are elements that you can make work. This is best suited for smaller organizations that use G Suite and only need MFA for user VPN. It’s an alternative solution to implementing a third party, which can be very expensive.
Utilizing the Security Assertion Markup Language (SAML) with a third-party authenticator, such as Azure AD MFA, for FortiGate SSL VPN authentication is popular and recommended for an easy remote access MFA solution. However, the price of many of these major players hinders smaller organizations from having the same high security posture.
Google’s G Suite has met the needs of many SMBs for their files, email, and collaboration. With Google Authenticator and G Suite’s user management, MFA can be forced to your users for all your basic functions. With G Suite’s Custom SAML Application, you can utilize Google as the authenticating agent for a FortiGate SSL VPN. *
This will allow the FortiGate to forward authentication to Google, which will go through the entire logon process to include MFA. Google will then forward the user back to your FortiGate and grant the user access once authenticated.
As said before this is not a supported configuration by either vendor. However, with an understanding of SAML operations and some tinkering, this could be a quick fix to your basic MFA needs.
* This works with tunneling through the client only. Web Portal VPN redirection does not work. Only a single Realm will be available, so utilizing separate groups for access management will not work. (Groups are used only to determine if they are allowed to connect, but not what resource they are allowed to connect to.)
If you’re trying to accomplish this, or would like the step-by-step process, you can download it below.
[gravityform id=”79″ title=”true” description=”true”]