FortiGate
ramachandrans
Article Id 196181

Description


This article describes how to use Okta as the SAML IdP for FortiGate GUI access.


Optionally enable Multi-Factor Authentication.

Scope


FortiGate 6.2+ Web Administration and Okta.

Solution

 

Unlike the SAML configuration for users, the SAML configuration for FortiGate administrators does not accept custom SP settings. For that reason, it is recommended to start the configuration on the Okta side.

 

Okta Configuration Steps:

 

Log in to the Okta portal as an administrator to create and configure the SAML application.

a) Expand 'Applications', select 'Applications', and select 'Create App Integration'.

b) Select 'SAML 2.0' and then 'Next'.

c) Under 'General Settings', give the application a name and select 'Next'.

 


d) Under 'Configure SAML', define the parameters below:


Single sign on URL: https://<FGT IP or FQDN>:<ADMIN PORT>/saml/?acs
Audience URI (SP Entity ID): http://<FGT IP or FQDN>:<ADMIN PORT>/metadata/
Name ID format: EmailAddress
Application username: Email

Note.

The value set under 'server-address' in the CLI (or 'SP Address' in the GUI) determines what must be entered for '<FGT IP or FQDN>:<ADMIN PORT>'.


If FortiGate's HTTPS admin port is 443, omit ':<ADMIN PORT>'. The URLs then look like this:


Single sign on URL: https://<FGT IP or FQDN>/saml/?acs
Audience URI (SP Entity ID): http://<FGT IP or FQDN>/metadata/

In the following example, the administrator accesses FortiGate via the FQDN colombasfgt1.ddns.net on port 5555.

Note.

Pay close attention to the Audience URI (SP Entity ID): it starts with 'http', not 'https', and it has a trailing forward slash.

 

e) Since FortiGate does not support IdP-initiated Single Logout, leave the option 'Allow application to initiate Single Logout' disabled under 'Show Advanced Settings'.

f) Define the attribute 'username' with the value 'user.email' and select 'Next'. 'Name format' may be 'Unspecified' or 'Basic'.

However, the attribute name must be 'username', which is the only name FortiGate accepts.
'Group Attribute' is irrelevant and should be left empty.
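The following script is an added example (not part of this article and not Fortinet's or Okta's code) that turns the two notes above into a check. From FortiGate's 'server-address' it derives the expected ACS URL and Audience URI with the rules given above (https for the Single sign on URL, http and a trailing slash for the Audience URI, the port omitted when it is 443), then decodes a SAMLResponse as Okta would POST it to /saml/?acs and checks the Audience, the Recipient, the EmailAddress NameID format and the presence of the 'username' attribute. The sample response, the host name fgt.example.com:5555 and the function names are constructed for the example; the sample deliberately carries an 'https' Audience so the mismatch shows up. The script does not verify the assertion's signature, which FortiGate does against the imported IdP certificate.

```python
"""Check a SAML assertion against what FortiGate admin SSO expects.

Added example, not from the Fortinet article. All host names and
identifiers below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample. The Audience uses 'https', which is the
# mistake the article warns about, so that check is expected to fail.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://fgt.example.com:5555/saml/?acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/EXAMPLE_IDP_ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://fgt.example.com:5555/saml/?acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://fgt.example.com:5555/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>admin@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def expected_sp_urls(server_address):
    """Derive the Okta app values from FortiGate's 'server-address'.

    Rules from the article: the ACS URL is https, the Audience URI (SP
    Entity ID) is http with a trailing slash, and ':443' is left out.
    Assumes a host name or IPv4 address (no bracketed IPv6 literal).
    """
    host, _, port = server_address.partition(":")
    authority = host if port in ("", "443") else f"{host}:{port}"
    return {
        "acs": f"https://{authority}/saml/?acs",
        "entity_id": f"http://{authority}/metadata/",
    }


def inspect_saml_response(server_address, saml_response_b64):
    """Return {check_name: (ok, detail)} for one base64 SAMLResponse.

    Only inspects fields; the XML signature is not verified here.
    """
    expected = expected_sp_urls(server_address)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": (False, "no saml:Assertion element")}

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    confirm = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = confirm.get("Recipient", "") if confirm is not None else ""
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

    return {
        "assertion_present": (True, "ok"),
        "audience": (audience == expected["entity_id"],
                     f"{audience!r} vs expected {expected['entity_id']!r}"),
        "recipient": (recipient == expected["acs"],
                      f"{recipient!r} vs expected {expected['acs']!r}"),
        "nameid_format": (name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
                          name_id.get("Format") if name_id is not None else "missing"),
        "username_attribute": ("username" in attrs and bool(attrs["username"]),
                               f"attributes present: {sorted(attrs)}"),
    }


if __name__ == "__main__":
    for name, (ok, detail) in inspect_saml_response("fgt.example.com:5555", SAMPLE_RESPONSE_B64).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
```

Running it against the constructed sample reports the Audience mismatch ('https://...' instead of 'http://.../metadata/') while the Recipient, NameID format and 'username' attribute pass, which is the combination that typically shows up when the Audience URI was typed as https in Okta.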

 

g) Select 'I'm an Okta customer adding an internal app' and 'This is an internal app that we have created', then select 'Finish'.

 


h) Assign the newly created application to users or groups. On the 'Assignments' tab of the application, select 'Assign' and then 'Assign to People' or 'Assign to Groups'.

 

Select 'Assign' for the desired group or user, then select 'Done'.

 


i) Back on the 'Sign On' tab of the newly created application, select 'View SAML setup instructions'.

 

A new browser tab opens. Make a note of the 'Identity Provider Single Sign-On URL' and 'Identity Provider Issuer', and download the certificate to be imported into FortiGate.

The next steps are performed on the FortiGate.
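As an added example (not from this article, Fortinet or Okta), the script below takes the IdP metadata XML, assumed here to be the metadata Okta also shows on the same SAML setup instructions page, extracts the Issuer (entity ID), the Single Sign-On URL and the signing certificate, and renders the 'config system saml' block that the FortiGate steps arrive at. The metadata sample, the host name fgt.example.com:5555 and every Okta identifier in it are constructed placeholders; the certificate name 'Okta-Admin' and the 'super_admin' profile are the values the article uses.

```python
"""Turn Okta IdP metadata into the FortiGate 'config system saml' block.

Added example, not part of the Fortinet article. Assumes the IdP metadata
XML that Okta displays on the 'View SAML setup instructions' page. The
sample below is constructed; all identifiers are placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Okta IdP metadata (placeholder values).
SAMPLE_OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICPLACEHOLDERCERTIFICATEBODYMIICPLACEHOLDERCERTIFICATEBODY
MIICPLACEHOLDERCERTIFICATEBODYMIICPLACEHOLDER</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://EXAMPLE.okta.com/app/EXAMPLE_APP/EXAMPLE_IDP_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://EXAMPLE.okta.com/app/EXAMPLE_APP/EXAMPLE_IDP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO URL and signing certificate (PEM) from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # FortiGate, as the SP, redirects the browser with the AuthnRequest, so
    # prefer the HTTP-Redirect binding; Okta lists the same URL for both.
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = by_binding.get(REDIRECT_BINDING) or next(iter(by_binding.values()), None)
    if not sso_url:
        raise ValueError("metadata has no SingleSignOnService")

    cert_b64 = idp.findtext(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS)
    if not cert_b64:
        raise ValueError("metadata has no signing certificate")
    cert_b64 = "".join(cert_b64.split())  # the base64 may be wrapped across lines

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        # PEM form, ready to import as a remote certificate on the FortiGate.
        "cert_pem": "-----BEGIN CERTIFICATE-----\n"
                    + "\n".join(textwrap.wrap(cert_b64, 64))
                    + "\n-----END CERTIFICATE-----\n",
    }


def fortigate_saml_cli(meta, server_address, cert_name, profile="super_admin"):
    """Render the CLI block the article configures under 'config system saml'.

    'cert_name' is the name given to the imported remote certificate. The
    single logout URL points back at the admin URL, as the article's note
    recommends to avoid a loop after logging out.
    """
    lines = [
        "config system saml",
        "    set status enable",
        f'    set default-profile "{profile}"',
        f'    set idp-entity-id "{meta["entity_id"]}"',
        f'    set idp-single-sign-on-url "{meta["sso_url"]}"',
        f'    set idp-single-logout-url "https://{server_address}"',
        f'    set idp-cert "{cert_name}"',
        f'    set server-address "{server_address}"',
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_OKTA_METADATA)
    print(fortigate_saml_cli(meta, "fgt.example.com:5555", "Okta-Admin"))
    print(meta["cert_pem"])
```

The 'server-address' passed in is exactly the value that also determines the URLs entered in Okta in step d), so generating the CLI from one variable keeps the two sides consistent.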

FortiGate Configuration Steps:

 

Import the Okta certificate into FortiGate.
a) Log in to FortiGate and navigate to System -> Certificates. Select 'Create/Import' and then 'Remote Certificate'.

 

b) Rename the certificate to a more descriptive name.

Check the certificate name under 'Remote Certificate'; it will be named 'REMOTE_Cert_X', where 'X' is the next available number in the sequence.

 

From the CLI console, run the following commands.

SIGMA # config vpn certificate remote
SIGMA (remote) # rename REMOTE_Cert_1 to Okta-Admin
SIGMA (remote) # end

 

c) Configure the SSO settings according to the URLs and certificate from the Okta SAML setup instructions.

Navigate to Security Fabric -> Fabric Connectors -> Security Fabric Setup, select 'Edit', then select the 'Single Sign-On Setting' button.
Once the 'SP address' is filled in, the 'SP Details' are populated and can be compared with what was configured in Okta.

 

Note.

To prevent a loop after logging out, set the 'IdP single logout URL' to the Web Admin URL.

CLI Configuration:

# config system saml
    set status enable
    set default-profile "super_admin"
    set idp-entity-id "http://www.okta.com/exk5bw0crfdgnwCzL5d7"
    set idp-single-sign-on-url "https://dev-5027942.okta.com/app/dev 5027942__1/exk5bw0crfdgnwCzL5d7/sso/saml"
    set idp-single-logout-url "https://colombasfgt1.ddns.net:5555"
    set idp-cert "Okta-Admin"
    set server-address "colombasfgt1.ddns.net:5555"
end

 

Okta Multifactor with the Okta Verify method.
a) Enable Okta Verify by navigating to Security -> Multifactor. Activate it, enable push notifications and select 'Save'.

 

b) Enable MFA in a Sign On policy.

Either add a rule to the Default Sign On policy or create a new policy.

Navigate to Security -> Authentication and select the 'Sign On' tab.

 

Add a rule to the Default or the new policy, and make sure 'Prompt for Factor' is enabled.


Verification of configuration.
a) A new option is now shown when accessing FortiGate's Web Admin URL.

 


b) Select 'Sign in with Security Fabric'. The request is redirected to the IdP login page.

 

c) Since MFA is enabled, 'Okta Verify' sends a push notification.

d) After the 'Okta Verify' push notification is accepted, a new SSO administrator account is created on the first login.

 

e) Navigate to System -> Administrators to check the new account created.

 


f) This can also be checked from the CLI with the following commands.

 

Troubleshooting.
a) Enable debugging for the SAML process with the commands below, then perform the login attempt.

# diagnose debug console timestamp enable
# diagnose debug application samld -1
# diagnose debug enable

Note.
If a test is performed directly from the Okta application (IdP-initiated), it will fail with a 'Bad request' error message. That occurs because the SAML assertion does not have the proper payload.

Related Articles.

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...