iyotov
Staff
January 10, 2022

Technical Tip: SAML SSO – Configuration with Okta


Description

This article describes how to configure SAML SSO for administrator login with Okta acting as SAML IdP.

 

Scope

FortiManager / FortiAnalyzer 6.2, 6.4, 7.0

 

Solution

  1. In the Okta admin console go to Applications -> Applications -> Create App Integration.

  2. Select SAML 2.0 as the Sign-in method.

  3. Configure the App name and upload an App logo.

  4. In the Configure SAML tab, click "Download Okta Certificate".

  5. Import the Okta certificate in FortiManager/FortiAnalyzer -> System Settings -> Certificates -> Remote Certificates.

  6. Go to FortiManager/FortiAnalyzer -> System Settings -> SAML SSO -> Service Provider,
     switch to Custom IdP and select the Okta certificate imported in step 5 as the IdP Certificate.

  7. Copy the SP URLs from FortiManager/FortiAnalyzer (see the previous step) to Okta as follows:
     1) SP ACS (Login) URL -> Single sign-on URL
     2) SP Entity ID -> Audience URI (SP Entity ID)
     3) Set the Name ID format to EmailAddress and the Application username to Email
     4) Under Attribute Statements create the attribute "username" with the value "user.email"
     Note: "username" is a mandatory attribute for the Fortinet SAML implementation.

  8. Click Next and then Finish; the application's Sign On tab opens automatically.

  9. In the Sign On tab click the "View Setup Instructions" button.

  10. Copy the IdP URLs to the FortiManager/FortiAnalyzer SAML configuration as follows:
     Identity Provider Single Sign-On URL -> IdP Login URL
     Identity Provider Issuer -> IdP Entity ID
     https://<subdomain>.okta.com/login/signout -> IdP Logout URL

  11. In the FortiManager/FortiAnalyzer SAML SSO page enable "Auto Create Admin" (option available as of 7.0) and select a "Default Admin Profile", usually a low-permission profile.
     This automatically creates local admin entries for Okta users after their first login.
     After that a super admin can assign them different admin profiles.

  12. In Okta -> Applications -> Applications, edit the application and assign users/groups,
     or under Directory -> People (Groups), edit the user and assign the application to them.

  13. Log in to FortiManager/FortiAnalyzer using the option "Login with Single Sign-On".

  14. The auto-created SSO user can then be edited in FortiManager/FortiAnalyzer by another administrator with sufficient permissions and assigned a different profile if required.
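As an added troubleshooting example (not from the original article), the following Python script checks a captured SAML response against the values mapped in steps 7 and 10: Destination against the SP ACS (Login) URL, Audience against the SP Entity ID, Issuer against the IdP Entity ID, the emailAddress NameID format, and the mandatory "username" attribute. The sample response, hostnames and entity IDs are constructed placeholders; the script checks field mapping only and does not verify the XML signature, which the SP validates against the Okta certificate imported in step 5.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of what Okta POSTs to the SP ACS URL (XML signature omitted).
# Hostnames and entity IDs are placeholders, not values from a real deployment.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://fmg.example.com/saml/?acs">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://fmg.example.com/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, sp_acs_url, sp_entity_id, idp_entity_id):
    """Compare the response with the SP/IdP values mapped in steps 7 and 10.
    Returns a list of mismatches; an empty list means the mapping is consistent.
    Field mapping only: the SP must still verify the XML signature against the
    Okta certificate imported in step 5."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sp_acs_url:
        problems.append("Destination != SP ACS (Login) URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer != IdP Entity ID")
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        problems.append("Audience != SP Entity ID")
    name_id = root.find(".//saml:NameID", namespaces=NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    if not attrs.get("username"):
        problems.append("mandatory 'username' attribute missing")
    elif name_id is not None and attrs["username"] != name_id.text:
        problems.append("'username' attribute does not match NameID")
    return problems
```

Paste a decoded SAMLResponse captured from the browser in place of the sample to see which mapping the login is failing on.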