Description
This article describes how to configure SAML SSO for administrator login with Okta acting as SAML IdP.
Scope
FortiManager / FortiAnalyzer 6.2, 6.4, 7.0
Solution
- In the Okta admin console go to Applications -> Applications -> Create App Integration:
- Select SAML 2.0 as a Sign-in method:
- Configure App name and upload App Logo:
- In the Configure SAML tab "Download Okta Certificate":
- Import the Okta certificate in FortiManager/FortiAnalyzer -> System Settings -> Certificates -> Remote Certificates:
- Go to FortiManager/FortiAnalyzer -> System Settings -> SAML SSO -> Service Provider,
switch to Custom IdP and select the Okta certificate imported in step 5 as the IdP Certificate:
- Copy the SP URLs from FortiManager/FortiAnalyzer (see the previous step) to Okta as follows:
1) SP ACS (Login) URL -> Single sign-on URL
2) SP Entity ID -> Audience URI (SP Entity ID)
3) Set the Name ID format to EmailAddress and Application username to the email
4) Under Attribute Statements create attribute "username" with value "user.email"
Note: "username" is a mandatory attribute for the Fortinet SAML implementation
- Click Next and Finish, which automatically opens the application's Sign On tab
- In the Sign On tab click the "View Setup Instructions" button:
- Copy the IdP URLs to the FortiManager/FortiAnalyzer SAML configuration as follows:
Identity Provider Single Sign-On URL -> IdP Login URL
Identity Provider Issuer -> IdP Entity ID
https://<subdomain>.okta.com/login/signout -> IdP Logout URL
- In the FortiManager/FortiAnalyzer SAML SSO page enable "Auto Create Admin" (option available as of 7.0) and select a "Default Admin Profile", usually a low-permission profile.
This will automatically create local entries for the Okta users after their first login.
After that, a super admin can assign them different admin profiles.
- In Okta -> Applications -> Applications, edit the application and assign users/groups,
or under Directory -> People (or Groups), edit the user and assign the application to them:
- Log in to FortiManager/FortiAnalyzer using the option "Login with Single Sign-On"
- The auto-created SSO user can then be edited in FortiManager/FortiAnalyzer by another administrator with enough permissions and assigned a different profile if required.
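When the SSO login fails, the quickest way to find the mistake is to decode the SAML Response sent to the SP ACS URL and compare it with the mappings made above (Issuer vs. IdP Entity ID, Audience vs. SP Entity ID, NameID format EmailAddress, mandatory "username" attribute). The checker below is an added example, not Fortinet's or Okta's code; the entity IDs and the unsigned sample response are constructed placeholders, and signature validation against the imported Okta certificate is assumed to happen before any of these values are trusted.

```python
import xml.etree.ElementTree as ET

# Added example (not Fortinet's or Okta's code): checks that an Okta assertion
# carries the mappings configured above. Signature validation against the
# imported Okta certificate is NOT done here and must precede any trust.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders; replace with the SP Entity ID shown by
# FortiManager/FortiAnalyzer and the Identity Provider Issuer shown by Okta.
SP_ENTITY_ID = "https://fmg.example.invalid/metadata/"
IDP_ENTITY_ID = "http://www.okta.com/exkCONSTRUCTEDID"


def check_assertion(xml_text, sp_entity_id, idp_entity_id):
    """Return a list of mapping problems; an empty list means consistent."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:                 # Identity Provider Issuer -> IdP Entity ID
        problems.append(f"Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS).strip()
    if audience != sp_entity_id:                # Audience URI -> SP Entity ID
        problems.append(f"Audience {audience!r} != SP Entity ID {sp_entity_id!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not EmailAddress")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("username"):               # mandatory for the Fortinet SP
        problems.append('mandatory "username" attribute missing or empty')
    return problems


def sample_response(with_username=True):
    """Constructed, unsigned, minimal Okta-style response for illustration."""
    attr = ('<saml:AttributeStatement><saml:Attribute Name="username">'
            '<saml:AttributeValue>alice@example.invalid</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement>') if with_username else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.invalid'
            f'</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions>{attr}</saml:Assertion></samlp:Response>')
```

Run `check_assertion(base64-decoded SAMLResponse, SP Entity ID, IdP Entity ID)` on a captured response; a missing "username" attribute (the most common Okta-side omission) shows up as a single finding.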