MHRNetwork
Explorer
December 4, 2023
Solved

Fortigate 200F integrate with Okta - SSL VPN

  • December 4, 2023
  • 3 replies
  • 2869 views

Hi all,

I am planning to conduct a feasibility check on a FortiGate 200F with Okta authentication for SSL VPN.

So I need some clarification on the configuration changes and the impact on the production environment.

Here are my questions:

  1. Is it possible to integrate with Okta using a specific VDOM only? Does it affect the global config?
  2. Are there any impacts if testing on a VDOM in the production environment?
  3. Any guidance or steps that I can refer to?
  4. Is it possible to test the integration with an Okta developer account?

Thanks,

Best answer by hbac
3 replies

dbu
Staff
Staff
December 4, 2023

Hi @MHRNetwork,

Here are your answers:

1. Yes, it is possible.

2. There will not be any impact if you create a new test user, group, server, etc. only for this purpose, without overlapping with the existing working configuration.

3. Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-saml-idp

4. The guide above describes the steps that you take if using the free Okta developer edition.
So I believe you will be good.

ndumaj
Staff
Staff
December 4, 2023

Hi MHRNetwork,

Additionally, you can review the following article, which might help in your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web-mode/ta-p/192259

-BR-

MHRNetwork
Explorer
December 14, 2023

Hi all,

Can anyone here help me verify the FortiGate SAML config?

    xxxxfw01 (saml) # show
    config user saml
        edit "okta-idp"
            set cert "Fortinet_Factory"
            set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
            set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
            set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
            set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
            set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
            set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
            set idp-cert "REMOTE_Cert_1"
            set user-name "hafizxxxxx@gmail.com"
            set digest-method sha256
        next
    end

I believe my config is already correct. I have followed the steps inside the guide:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-saml-idp

I tried logging in to the SSL VPN using the web page. The SSO button is there, but after successfully logging in, it shows the error 'Session ended'.

Picture 1 (1.PNG), Picture 2 (2.PNG), Picture 3 (3.PNG): screenshots, not reproduced here.

Please help clarify this issue.

Thanks,

Hafiz


ozkanaltas
Valued Contributor III
December 14, 2023

Hello @MHRNetwork,

I think your SAML configuration on the FortiGate is wrong.

You configured the "user-name" area with your e-mail. This area is for the username attribute, and this attribute helps the FortiGate determine your username. Generally, this area is filled with a "username" attribute.

Can you try this configuration?

    config user saml
        edit "okta-idp"
            set user-name "username"
        next
    end

 
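As an added illustration of the point above (this is not code from the thread or from Fortinet): a small Python check that mirrors what the FortiGate does with `set user-name`. It treats the configured value as the NAME of an attribute to look up in the IdP's SAML response, so an e-mail address configured there will not be found while an attribute actually released by the IdP (here, a constructed "username") will. The sample response and all values in it are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: one assertion whose IdP releases a single
# attribute named "username". Not captured from any real environment.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID>user@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def saml_attributes(xml_text):
    """Return {attribute name: [values, ...]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_user_name(xml_text, configured_user_name):
    """Mirror the FortiGate lookup: `set user-name X` names the attribute
    whose value becomes the VPN username; it is not the username itself.
    Returns (ok, detail): the resolved username, or why resolution failed."""
    attrs = saml_attributes(xml_text)
    values = attrs.get(configured_user_name, [])
    if values and values[0]:
        return True, values[0]
    return False, ("attribute %r not in assertion; available: %s"
                   % (configured_user_name, sorted(attrs)))


if __name__ == "__main__":
    print(check_user_name(SAMPLE_RESPONSE, "username"))              # resolves
    print(check_user_name(SAMPLE_RESPONSE, "user@example.invalid"))  # fails
```

Running this against a response captured from the `samld` debug shows directly whether the name in `set user-name` matches anything the IdP actually sends.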

hbac
Staff
Answer
December 14, 2023

Hi @MHRNetwork,

If it is still not working, you need to run the following debugs and try to connect again to see what's wrong:

    di deb res
    diagnose debug application samld -1
    di deb app sslvpn -1
    di deb en

Regards,