iyotov, Staff
Article Id 202884

Description

This article describes how to configure SAML SSO for administrator login with Okta acting as SAML IdP.

Scope

FortiManager / FortiAnalyzer 6.2, 6.4, 7.0

Solution

  1. In the Okta admin console, go to Applications -> Applications -> Create App Integration:

    [Screenshot: iyotov_3-1641804808436.png]

  2. Select SAML 2.0 as the Sign-in method:

    [Screenshot: iyotov_4-1641804853623.png]

  3. Configure the App name and upload the App Logo:

    [Screenshot: iyotov_5-1641805515697.png]

  4. In the Configure SAML tab, click "Download Okta Certificate":

    [Screenshot: iyotov_7-1641806321001.png]

  5. Import the Okta certificate in FortiManager/FortiAnalyzer -> System Settings -> Certificates -> Remote Certificates:

    [Screenshot: iyotov_8-1641806612374.png]

  6. Go to FortiManager/FortiAnalyzer -> System Settings -> SAML SSO -> Service Provider, switch to Custom IdP, and select the Okta certificate imported in step 5 as the IdP Certificate:

    [Screenshot: iyotov_10-1641807184593.png]


  7. Copy the SP URLs from FortiManager/FortiAnalyzer (see the previous step) into the Okta application as follows:
    1) SP ACS (Login) URL  ->  Single sign-on URL
    2) SP Entity ID  ->  Audience URI (SP Entity ID)
    3) Set the Name ID format to EmailAddress and the Application username to Email
    4) Under Attribute Statements, create the attribute "username" with the value "user.email"
    Note: "username" is a mandatory attribute for the Fortinet SAML implementation.

    [Screenshot: iyotov_11-1641807700964.png]

  8. Click Next, then Finish; this automatically opens the application's Sign On tab.
  9. In the Sign On tab, click the "View Setup Instructions" button:

    [Screenshot: iyotov_13-1641809250346.png]

  10. Copy the IdP URLs from the setup instructions into the FortiManager/FortiAnalyzer SAML configuration as follows:
    Identity Provider Single Sign-On URL  ->  IdP Login URL
    Identity Provider Issuer  ->  IdP Entity ID
    https://<subdomain>.okta.com/login/signout  ->  IdP Logout URL

    [Screenshot: iyotov_14-1641810862595.png]


  11. In the FortiManager/FortiAnalyzer SAML SSO page, enable "Auto Create Admin" (option available as of 7.0) and select a "Default Admin Profile", usually a low-permission profile.
    This automatically creates local admin entries for the Okta users after their first login.
    A super admin can then assign them different admin profiles.

    [Screenshot: iyotov_15-1641811661280.png]


  12. In Okta -> Applications -> Applications, edit the application and assign users/groups to it,
    or under Directory -> People (or Groups), edit the user and assign the application to them:

    [Screenshot: iyotov_17-1641812064097.png]

  13. Log in to FortiManager/FortiAnalyzer using the "Login with Single Sign-On" option:

    [Screenshot: iyotov_18-1641812659847.png]  [Screenshot: iyotov_19-1641813386375.png]


  14. The auto-created SSO user can then be edited in FortiManager/FortiAnalyzer by another administrator with sufficient permissions and assigned a different profile if required.

    [Screenshot: iyotov_21-1641813829434.png]
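When the SSO login in step 13 fails, the usual cause is an assertion that does not match what was configured in step 7 (Name ID format, Audience URI, or the mandatory "username" attribute). The following Python script is an added example, not part of this article and not Fortinet code: it parses a SAML assertion (for example one captured with a browser SAML tracer) and reports which of the step 7 expectations it violates. The checks mirror the Okta settings described above and are an assumption about what the SP expects; the SP Entity ID and the two assertions are constructed sample values. Signature verification is deliberately out of scope here, so this is a configuration sanity check, not a substitute for the SP's own validation.

```python
# Added example (not from the article or Fortinet): sanity-check a SAML
# assertion against the Okta settings described in step 7.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml2"]
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MANDATORY_ATTR = "username"  # required by the Fortinet SAML implementation (step 7)

# Constructed sample value standing in for the SP Entity ID shown in step 6.
SP_ENTITY_ID = "https://fmg.example.com/saml/metadata/"


def check_assertion(xml_text: str, expected_audience: str) -> list:
    """Return a list of findings; an empty list means the assertion matches
    the step 7 expectations (NameID format, Audience, 'username' attribute)."""
    root = ET.fromstring(xml_text.strip())
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no <saml2:Assertion> found (encrypted assertions are not handled here)"]

    findings = []

    # Step 7 (3): Name ID format must be EmailAddress.
    name_id = assertion.find("./saml2:Subject/saml2:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None:
        findings.append("missing Subject/NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is %r, expected EmailAddress" % name_id.get("Format"))

    # Step 7 (2): Audience URI must equal the SP Entity ID.
    audience = assertion.find("./saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected_audience:
        findings.append("Audience does not match the SP Entity ID %r" % expected_audience)

    # Step 7 (4): the "username" attribute must be present and populated.
    attrs = {}
    for attr in assertion.findall("./saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml2:AttributeValue", NS)]
    values = attrs.get(MANDATORY_ATTR, [])
    if not values or not values[0]:
        findings.append('missing or empty mandatory attribute "%s"' % MANDATORY_ATTR)
    elif name_id is not None and values[0] != name_id_value:
        # Both are mapped to the user's email in step 7, so they should agree.
        findings.append('"username" (%s) differs from NameID (%s)' % (values[0], name_id_value))

    return findings


# Constructed sample assertion that follows the step 7 settings.
GOOD_ASSERTION = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>https://fmg.example.com/saml/metadata/</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Constructed sample with the two most common misconfigurations:
# unspecified Name ID format and no "username" attribute statement.
BAD_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>https://fmg.example.com/saml/metadata/</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc, SP_ENTITY_ID) or ["OK"])
```

Paste the decoded SAMLResponse into the script (or read it from a file) and compare the findings with the Okta application settings; an empty result means the IdP side matches steps 7 and 10, and any remaining login failure should be investigated on the FortiManager/FortiAnalyzer side (certificate in step 5, URLs in step 10, or the admin profile in step 11).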