Technical Tip: Configuring SAML SSO login for SSL VPN web mode with OKTA acting as SAML IdP
Description
This article describes how to set up both OKTA and FortiGate for SAML SSO for web mode SSL VPN with FortiGate acting as SP.
Scope
FortiGate.
Solution
Configuring the OKTA developer account IDP application:
- Set up an OKTA developer account.
- Open a browser, log in to the OKTA developer account, and select 'Admin' under the user settings.

- Go to the 'Applications' tab and select 'Add Application'.

- Select 'Create New App' and create a new application with the SAML 2.0 sign on method.


- Enter an App name. The App name is the name of the portal the user logs into.

- Set the sign on URL and Audience URI as per the SSL VPN settings on the FortiGate.
Example: In this case, the FortiGate SSL VPN is listening on https://x.x.x.x:8443/
- Select 'Download OKTA Certificate'. This will be imported to the FortiGate later.
- Set the user attribute statements. These are the values that will be passed on to the FortiGate by the OKTA IdP.
Note:
- Additionally, a group attribute value can also be passed to the FortiGate. This is optional and is needed only if group matching based on the group membership of OKTA users is intended on the FortiGate.
- In the 'Sign On' tab, select 'setup instructions' to get the IdP single sign on URL and the identity provider issuer:
- In the Assignments tab, select Assign -> Assign to People. Assign the users to add to the application.
- In OKTA 2.0, there is an option to upload an SP certificate as well. In that case, the FortiGate certificate can be uploaded in Okta from the SP settings using the browse button, as per the screenshot:

Configuring the FortiGate for SSL VPN and as the SP:
- Upload the OKTA certificate as a 'remote certificate' on FortiGate.

- SAML CLI configuration of the FortiGate:
config user saml
edit "oka-saml-vpn"
set cert "Fortinet_Factory"
set entity-id https://x.x.x.x:8443/remote/saml/metadata <----- Same as set up on OKTA.
set single-sign-on-url https://x.x.x.x:8443/remote/saml/login <----- Same as setup on OKTA.
set single-logout-url https://x.x.x.x:8443/remote/saml/logout <----- Same as setup on OKTA.
set idp-entity-id http://www.okta.com/exkqd4u2jRYahxjUr4x6 <----- Available under 'setup instructions' (step 10 on OKTA).
set idp-single-sign-on-url https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/sso/saml <----- Available under 'setup instructions' (step 10 on OKTA).
set idp-single-logout-url "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/slo/saml"
set idp-cert "REMOTE_Cert_1"
set user-name "FirstName" <----- The parameter to map as username. In this case, it is FirstName.
next
end
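The CLI above tells the FortiGate, as SP, which IdP issuer to trust, which audience (entity-id) to expect, and which attribute statement to map to the username; the optional group attribute feeds group matching. The following is an added example, not FortiGate or Okta code, that walks through those same checks on a constructed, unsigned SAML Response: issuer against idp-entity-id, Audience against entity-id, the assertion validity window, and extraction of the 'FirstName' and group attributes. The attribute name 'group', the NameID and the timestamps are assumptions for illustration; signature verification (done on the FortiGate with idp-cert) is not reproduced here.

```python
"""Minimal SP-side checks on a SAML 2.0 Response, mirroring the values
configured under 'config user saml' in the article. Signature verification
is deliberately omitted; the FortiGate does it with the idp-cert certificate."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the article's FortiGate configuration.
IDP_ENTITY_ID = "http://www.okta.com/exkqd4u2jRYahxjUr4x6"   # set idp-entity-id
SP_ENTITY_ID = "https://x.x.x.x:8443/remote/saml/metadata"  # set entity-id
USER_NAME_ATTR = "FirstName"                                # set user-name "FirstName"
GROUP_ATTR = "group"   # assumed name of the optional group attribute statement

# Constructed sample response (not a real Okta assertion; unsigned and minimal).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://x.x.x.x:8443/remote/saml/login">
  <saml:Issuer>http://www.okta.com/exkqd4u2jRYahxjUr4x6</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>http://www.okta.com/exkqd4u2jRYahxjUr4x6</saml:Issuer>
    <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://x.x.x.x:8443/remote/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName">
        <saml:AttributeValue>user1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text, now_iso):
    """Return {'username': ..., 'groups': [...]} for an acceptable assertion,
    or raise ValueError naming the first check that failed."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion")
    # The assertion Issuer must be the IdP we configured (idp-entity-id).
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError(f"issuer mismatch: {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # The assertion must be addressed to this SP (entity-id).
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience mismatch: {audiences!r}")
    # Collect attribute statements; the user-name attribute is mandatory.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get(USER_NAME_ATTR):
        raise ValueError(f"user-name attribute {USER_NAME_ATTR!r} missing")
    return {"username": attrs[USER_NAME_ATTR][0], "groups": attrs.get(GROUP_ATTR, [])}


def verify(xml_text, now_iso):
    """Convenience wrapper: (True, mapping) on success, (False, reason) otherwise."""
    try:
        return True, parse_response(xml_text, now_iso)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(verify(SAMPLE_RESPONSE, "2020-01-01T00:01:00Z"))
```

The 'username' returned here is what the FortiGate would show as the user in the SSL VPN monitor, and 'groups' is the list the optional group matching would be evaluated against.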
- Create a user group as below on FortiGate:
config user group
edit "ssl-saml-ngrp"
set member "oka-saml-vpn"
next
end
Complete the SSL VPN configuration:
config vpn ssl settings
set servercert "self-sign"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 8443
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "ssl-saml-ngrp"
set portal "web-access"
next
end
end
config firewall policy
edit 1
set name "samltest"
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "ssl-saml-ngrp"
set nat enable
next
end
Testing SSL VPN:
- Connect to SSL VPN portal and select 'SSO'.

- Enter the OKTA credentials in order to be redirected to the SSL VPN page.


SSL VPN Login Users:
Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out
0 user1 ssl-user-grp 256(1) 187 y.y.y.y. 0/0 0/0
SSL VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
