MFA on the VPN.
SAML or RADIUS.
Add Monosign MFA to Fortigate, Palo Alto, Pulse Secure, Ivanti, OpenVPN, and more — through SAML or RADIUS. Risk-aware policies fire only when something looks off, so users barely notice.
- SAML 2 or RADIUS
- FIDO2, push, OTP
- ~5 minutes to read
Pick a protocol, point it at Monosign.
The shape works for any RADIUS- or SAML-speaking VPN. Specific vendor pages live in the help center.
- 01
Pick the protocol your VPN speaks
Most modern VPN gateways federate over SAML 2; legacy or appliance-style VPNs prefer RADIUS. Monosign supports both — Fortigate SSL VPN, Palo Alto, Pulse Secure, Ivanti Connect Secure, and OpenVPN are all covered.
Tip — If your VPN supports both, choose SAML — it gives you adaptive MFA and risk policy at the IdP layer.
- 02
Add Monosign as the authentication target
In the VPN admin console, register Monosign as a SAML IdP or RADIUS server. Drop in the metadata or shared secret, and point the user-pool attribute at the user identifier Monosign provides.
- 03
Set the MFA policy in Monosign
In Monosign, create or extend a flow that requires a second factor (FIDO2, push, OTP) for the VPN application. Step-up policies can fire on impossible-travel, untrusted devices, or specific groups.
Tip — For RADIUS clients, enable push-with-OTP-fallback — many RADIUS clients still need a numeric prompt as a safety net.
- 04
Pilot, then roll out
Test with a single user group. Confirm the VPN client opens the Monosign challenge correctly, MFA fires, and the session lands. Then expand to the rest of the workforce.
The complete walkthrough — with every screenshot, every flag, and version-specific notes — lives in our help center.
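To make the step-up triggers from step 03 concrete, the following added example (not Monosign code or configuration) models a policy check that asks for a second factor on impossible travel, an untrusted device, or membership in a specific group. The names `Login`, `step_up_reasons`, `STEP_UP_GROUPS`, the 900 km/h speed ceiling and the 50 km jitter floor are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_KMH = 900.0                  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0                    # assumed floor so GeoIP jitter is ignored
STEP_UP_GROUPS = {"vpn-admins"}  # hypothetical group that always gets step-up

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    device_trusted: bool
    groups: frozenset = frozenset()

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def step_up_reasons(prev, cur):
    """Return why a second factor is required; an empty list means no step-up."""
    reasons = []
    if not cur.device_trusted:
        reasons.append("untrusted-device")
    if cur.groups & STEP_UP_GROUPS:
        reasons.append("group-policy")
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600
        dist = km_between(prev, cur)
        # Simultaneous or out-of-order logins far apart are treated as suspect too.
        if dist > MIN_KM and (hours <= 0 or dist / hours > MAX_KMH):
            reasons.append("impossible-travel")
    return reasons

if __name__ == "__main__":
    # Constructed sample events: Istanbul, then New York two hours later.
    t0 = datetime(2024, 1, 1, 9, 0)
    first = Login("alice", t0, 41.01, 28.98, True)
    second = Login("alice", t0 + timedelta(hours=2), 40.71, -74.01, True)
    print(step_up_reasons(None, first), step_up_reasons(first, second))
```

During the pilot in step 04, the same three conditions make a useful test matrix: one login per trigger, plus a clean login that should pass without a challenge.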