Created on 01-06-2021 11:59 PM
Edited on 01-16-2025 10:29 PM
By Anthony_E
Description
This article describes how to use Okta as the SAML IdP for FortiGate GUI access. Optionally enable Multi-Factor Authentication.
Scope
FortiGate v6.2+ Web Administration and Okta.
Solution
Unlike SAML configuration for users in FortiGate, SAML configuration for administrators does not accept custom settings for SP configuration. Because of that, starting the configuration from Okta is recommended.
Okta Configuration Steps:
Log in to the Okta portal as an Administrator to create and configure the SAML application.
- Expand Applications, select Applications, and select 'Create App Integration'.
- Select 'SAML 2.0' and then 'Next'.
- Under 'General Settings', give the application a name and select 'Next'.
- Under 'Configure SAML', define the parameters below:
Single sign on URL: https://<FGT IP or FQDN>:<ADMIN PORT>/saml/?acs
Audience URI (SP Entity ID): http://<FGT IP or FQDN>:<ADMIN PORT>/metadata/ (the Audience URI is case-sensitive)
Name ID format: EmailAddress
Application username: Email
Note.
The value defined under 'server-address' in the CLI, or 'SP Address' in the GUI, determines what is entered in place of '<FGT IP or FQDN>:<ADMIN PORT>'.
If FortiGate's HTTPS admin port is 443, omit ':<ADMIN PORT>'. The URLs then look like this:
Single sign on URL: https://<FGT IP or FQDN>/saml/?acs
Audience URI (SP Entity ID): http://<FGT IP or FQDN>/metadata/
In the example below, the administrator accesses FortiGate via the FQDN colombasfgt1.ddns.net on port 5555.
Note.
Pay close attention to the Audience URI (SP Entity ID): it starts with 'http', not 'https', and it has a trailing forward slash.
- Since FortiGate does not support IdP-initiated single logout, leave 'Allow application to initiate Single Logout' disabled under 'Show Advanced Settings'.
- Define the attribute 'username' with the value 'user.email' and select 'Next'. 'Name format' may be 'Unspecified' or 'Basic', but the attribute name must be 'username', which is the only name FortiGate accepts.
'Group Attribute' is irrelevant and should be left empty.
- Select 'I'm an Okta customer adding an internal app' and 'This is an internal app that we have created', then select 'Finish'.
- Assign the newly created application to users or groups. On the 'Assignments' tab of the application, select 'Assign' and then 'Assign to People' or 'Assign to Groups'.
Select 'Assign' for the desired group or user, then select 'Done'.
- Back on the 'Sign On' tab of the newly created application, select 'View SAML setup instructions'.
A new browser tab opens. Make a note of the 'Identity Provider Single Sign-On URL' and the 'Identity Provider Issuer', and download the certificate to be imported into FortiGate.
The next steps are performed on the FortiGate.
FortiGate Configuration Steps:
Import the Okta certificate into FortiGate.
- Log in to FortiGate and navigate to System -> Certificates. Select 'Create/Import' and then 'Remote Certificate'.
- Rename the certificate to a more descriptive name. Check the certificate name under 'Remote Certificate'; it is named 'REMOTE_Cert_X', where 'X' is the next available number in sequence.
From the CLI console, run the following commands.
SIGMA # config vpn certificate remote
SIGMA (remote) # rename REMOTE_Cert_1 to Okta-Admin
SIGMA (remote) # end
- Configure the SSO settings according to the URLs and certificate from the Okta SAML setup instructions. Navigate to Security Fabric -> Fabric Connectors -> Security Fabric Setup, select 'Edit', then select the 'Single Sign-On Setting' button. Once the 'SP address' is filled out, the 'SP Details' are populated and can be compared with what has been configured in Okta.
Note.
To prevent a loop issue after logging out, define the 'IdP single logout URL' with the Web Admin URL.
CLI Configuration:
config system saml
    set status enable
    set default-profile "super_admin"
    set idp-entity-id "http://www.okta.com/exk5bw0crfdgnwCzL5d7"
    set idp-single-sign-on-url "https://dev-5027942.okta.com/app/dev-5027942__1/exk5bw0crfdgnwCzL5d7/sso/saml"
    set idp-single-logout-url "https://colombasfgt1.ddns.net:5555"
    set idp-cert "Okta-Admin"
    set server-address "colombasfgt1.ddns.net:5555"
end
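As an added example (not from the article or from Fortinet), the following Python check derives the Okta-side values that a given FortiGate 'server-address' implies, using the rules described above (including omitting an explicit port 443), and flags the mismatches this article warns about: case, http vs https, the trailing slash, the attribute name, and IdP-initiated logout. OKTA_APP_OK is a constructed sample matching the example configuration.

```python
from urllib.parse import urlsplit

def expected_sp_settings(server_address: str) -> dict:
    """Derive the Okta app values a FortiGate 'server-address' (host[:port]) implies."""
    host, _, port = server_address.partition(":")
    # FortiGate omits an explicit :443 for HTTPS admin; any other port is kept.
    authority = host if port in ("", "443") else f"{host}:{port}"
    return {
        "sso_url": f"https://{authority}/saml/?acs",    # Single sign on URL (ACS)
        "entity_id": f"http://{authority}/metadata/",   # Audience URI: http, trailing slash
        "name_id_format": "EmailAddress",
        "attribute_name": "username",                   # the only attribute name FortiGate accepts
        "attribute_value": "user.email",
        "idp_initiated_slo": False,                     # FortiGate does not support IdP-initiated SLO
    }

def check_okta_app(okta_app: dict, server_address: str) -> list:
    """Compare an Okta SAML app's settings with the derived values; an empty list means they match."""
    want = expected_sp_settings(server_address)
    findings = []
    for key in ("sso_url", "entity_id"):
        got, exp = okta_app.get(key, ""), want[key]
        if got == exp:
            continue
        if got.lower() == exp.lower():
            findings.append(f"{key}: case differs from {exp!r} (Audience URI is case-sensitive)")
        elif urlsplit(got).scheme != urlsplit(exp).scheme:
            findings.append(f"{key}: scheme must be {urlsplit(exp).scheme!r}, got {got!r}")
        elif key == "entity_id" and got.rstrip("/") == exp.rstrip("/"):
            findings.append("entity_id: trailing slash missing")
        else:
            findings.append(f"{key}: expected {exp!r}, got {got!r}")
    if okta_app.get("name_id_format") != want["name_id_format"]:
        findings.append("name_id_format: must be EmailAddress")
    if okta_app.get("attribute_name") != want["attribute_name"]:
        findings.append("attribute_name: FortiGate only maps the 'username' attribute")
    if okta_app.get("attribute_value") != want["attribute_value"]:
        findings.append("attribute_value: expected user.email")
    if okta_app.get("idp_initiated_slo", False):
        findings.append("idp_initiated_slo: disable 'Allow application to initiate Single Logout'")
    return findings

# Constructed sample of an Okta app matching the article's example (colombasfgt1.ddns.net:5555).
OKTA_APP_OK = {
    "sso_url": "https://colombasfgt1.ddns.net:5555/saml/?acs",
    "entity_id": "http://colombasfgt1.ddns.net:5555/metadata/",
    "name_id_format": "EmailAddress", "attribute_name": "username",
    "attribute_value": "user.email", "idp_initiated_slo": False,
}
```

Running check_okta_app(OKTA_APP_OK, "colombasfgt1.ddns.net:5555") returns an empty list; feeding it the Okta values as actually entered makes the typical copy errors visible before the first login attempt.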
Okta Multifactor with Okta Verify method.
- Enable Okta Verify by navigating to Security -> Multifactor. Activate it, enable push notification, and select Save.
- Enable MFA in a Sign On policy, either by adding a rule to the Default Sign On policy or by creating a new policy. Navigate to Security -> Authentication and select the 'Sign On' tab.
Add a rule to the Default or new policy, and make sure 'Prompt for Factor' is enabled.
Verification of configuration.
- A new option is now shown when accessing FortiGate's Web Admin URL.
- Select 'Sign in with Security Fabric'. The request is redirected to the IdP login page.
- Since MFA is enabled, 'Okta Verify' sends a push notification that must be accepted.
- After the 'Okta Verify' push notification is accepted, a new SSO administrator account is created on first login.
- Navigate to System -> Administrators to check the newly created account.
- This can also be checked from the CLI with the following commands.
Troubleshooting.
Enable debugs for the SAML process with the commands below, then perform the login attempt.
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
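When a login still fails, the decoded SAMLResponse (for example from a browser SAML-tracing extension) can be checked against what FortiGate expects. This is an added example, not from the article or from Fortinet: SAMPLE_RESPONSE is a constructed, unsigned response in the shape of Okta's for the example above, admin@example.com is a placeholder, and signature validation is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(response_xml: str, entity_id: str, acs_url: str) -> list:
    """Check a decoded SAMLResponse against FortiGate's expectations; an empty list means it is consistent."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in the response"]
    findings = []
    # Audience must equal the SP entity ID exactly (scheme, case and trailing slash included).
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != entity_id:
        findings.append(f"Audience {audience!r} != SP entity ID {entity_id!r}")
    # The bearer confirmation must be addressed to FortiGate's ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        findings.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        findings.append("NameID format is not emailAddress")
    # FortiGate maps the administrator from the 'username' attribute only.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("username"):
        findings.append(f"no 'username' attribute (attributes present: {sorted(attrs)})")
    return findings

# Constructed, unsigned sample in the shape of Okta's response for the article's example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://colombasfgt1.ddns.net:5555/saml/?acs">
 <saml:Assertion><saml:Issuer>http://www.okta.com/exk5bw0crfdgnwCzL5d7</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://colombasfgt1.ddns.net:5555/saml/?acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>http://colombasfgt1.ddns.net:5555/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="username">
   <saml:AttributeValue>admin@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```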