Commit 68a10a7a authored by Gabriel Mazetto

Merge branch 'doc-forti_authenticator' into 'master'

Add FortiAuthenticator documentation

See merge request gitlab-org/gitlab!45544
parents a6e75cfe 5799459f
...@@ -27,16 +27,16 @@ be prompted to activate your U2F device (usually by pressing a button on it), ...@@ -27,16 +27,16 @@ be prompted to activate your U2F device (usually by pressing a button on it),
and it will perform secure authentication on your behalf. and it will perform secure authentication on your behalf.
It is highly recommended that you set up 2FA with both a It is highly recommended that you set up 2FA with both a
[one-time password authenticator](#enable-2fa-via-one-time-password-authenticator) [one-time password authenticator](#one-time-password) or use [FortiAuthenticator](#one-time-password-via-fortiauthenticator)
and a [U2F device](#enable-2fa-via-u2f-device), so you can still access your account and a [U2F device](#u2f-device), so you can still access your account if you
if you lose your U2F device. lose your U2F device.
## Enabling 2FA ## Enabling 2FA
There are two ways to enable two-factor authentication: via a one time password authenticator There are two ways to enable two-factor authentication: via a one time password authenticator
or a U2F device. or a U2F device.
### Enable 2FA via one time password authenticator ### One-time password
To enable 2FA: To enable 2FA:
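Review bot: The rewritten recommendation sentence on the new side mixes "both ... and" with "or use" ("with both a [one-time password authenticator](#one-time-password) or use [FortiAuthenticator](#one-time-password-via-fortiauthenticator) and a [U2F device](#u2f-device)"), so a reader cannot tell whether FortiAuthenticator is an alternative OTP provider or a third factor to set up. Suggest wording along the lines of "with both a one-time password authenticator (or FortiAuthenticator) and a U2F device". The unchanged paragraph under "## Enabling 2FA" still says there are two ways to enable 2FA, which should be updated now that a FortiAuthenticator section is added. The heading renames also change the anchors (`#enable-2fa-via-one-time-password-authenticator` becomes `#one-time-password`, `#enable-2fa-via-u2f-device` becomes `#u2f-device`), so any links to the old anchors from other pages need to be checked.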
...@@ -66,7 +66,81 @@ two-factor authentication has been enabled, and you'll be presented with a list ...@@ -66,7 +66,81 @@ two-factor authentication has been enabled, and you'll be presented with a list
of [recovery codes](#recovery-codes). Make sure you download them and keep them of [recovery codes](#recovery-codes). Make sure you download them and keep them
in a safe place. in a safe place.
### Enable 2FA via U2F device ### One-time password via FortiAuthenticator
> - Introduced in [GitLab 13.5](https://gitlab.com/gitlab-org/gitlab/-/issues/212312)
> - It's deployed behind a feature flag, disabled by default.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-fortiauthenticator-integration).
You can use FortiAuthenticator as an OTP provider in GitLab. Users must exist in
both FortiAuthenticator and GitLab with the exact same username, and users must
have FortiToken configured in FortiAuthenticator.
You'll also need a username and access token for FortiAuthenticator. The
`access_token` in the code samples shown below is the FortAuthenticator access
key. To get the token, see the `REST API Solution Guide` at
[`Fortinet Document Library`](https://docs.fortinet.com/document/fortiauthenticator/6.2.0/rest-api-solution-guide/158294/the-fortiauthenticator-api).
GitLab 13.5 has been tested with FortAuthenticator version 6.2.0.
First configure FortiAuthenticator in GitLab. On your GitLab server:
1. Open the configuration file.
For Omnibus GitLab:
```shell
sudo editor /etc/gitlab/gitlab.rb
```
For installations from source:
```shell
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
```
1. Add the provider configuration:
For Omnibus package:
```ruby
gitlab_rails['forti_authenticator_enabled'] = true
gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'
gitlab_rails['forti_authenticator_port'] = 443
gitlab_rails['forti_authenticator_username'] = '<some_username>'
gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'
```
For installations from source:
```yaml
forti_authenticator:
enabled: true
host: forti_authenticator.example.com
port: 443
username: <some_username>
access_token: s3cr3t
```
1. Save the configuration file.
1. [Reconfigure](../../../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
or [restart GitLab](../../../administration/restart_gitlab.md#installations-from-source)
for the changes to take effect if you installed GitLab via Omnibus or from
source respectively.
#### Enable FortiAuthenticator integration
This feature comes with the `:forti_authenticator` feature flag disabled by
default.
To enable this feature, ask a GitLab administrator with [Rails console access](../../../administration/feature_flags.md#how-to-enable-and-disable-features-behind-flags)
to run the following command:
```ruby
Feature.enable(:forti_authenticator, User.find(<user ID>))
```
### U2F device
> Introduced in [GitLab 8.9](https://about.gitlab.com/blog/2016/06/22/gitlab-adds-support-for-u2f/). > Introduced in [GitLab 8.9](https://about.gitlab.com/blog/2016/06/22/gitlab-adds-support-for-u2f/).
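Review bot: Both configuration samples show the access token as the literal `s3cr3t`, while the username on the line above uses the `<some_username>` placeholder. A placeholder such as `<some_access_token>` would be consistent and would avoid the sample value being pasted into a real configuration. Since this value is the FortiAuthenticator access key and sits in plain text in `gitlab.rb` or `gitlab.yml`, a sentence telling administrators to treat it as a secret would help. The product name is misspelled twice in the introduction ("the FortAuthenticator access key", "tested with FortAuthenticator version 6.2.0"). In the feature flag section, `Feature.enable(:forti_authenticator, User.find(<user ID>))` enables the flag for a single user only, and the text does not say so or show how to disable it again. "First configure FortiAuthenticator in GitLab" also has no matching next step, so either drop "First" or state what follows.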
......