• Enter an App name. The App name is the name of the portal the user logs into.
  

• Set the sign on URL and Audience URI as per the SSL VPN settings on the FortiGate.
  
  

Example.

 

 

Select 'Download OKTA Certificate'. This will be imported to the FortiGate later.

• Set the user attribute statements. These are the values that will be passed on to the FortiGate by the OKTA IdP.
  
  

Note:

• Additionally, Group attribute value can also be passed on FortiGate. This is optional and is needed only if perform group matching based of group membership of OKTA users on FortiGate is intended.

 

 

•  In the 'Sign On' tab, select 'setup instructions' to get the IdP single sign on URL and the identity provider issuer:

  

• In the Assignments tab, select Assign -> Assign to People. Assign the users to add to the application.
  

 

• In OKTA 2.0, there is option to upload SP certificate as well. In that case, FortiGate certificate can be uploaded in Okta from SP settings using browse button as per the screenshot:

 

 

Configuring the FortiGate for SSL VPN and as SP.

• Upload the OKTA certificate as a 'remote certificate' on FortiGate.

• Setup SAML as below:

config user saml
    edit "oka-saml-vpn"
        set cert "Fortinet_Factory"
        set entity-id https://x.x.x.x:8443/remote/saml/metadata                                                        <----- Same as set up on OKTA.
        set single-sign-on-url https://x.x.x.x:8443/remote/saml/login                                                  <----- Same as setup on OKTA.
        set single-logout-url https://x.x.x.x:8443/remote/saml/logout                                                  <----- Same as setup on OKTA.
        set idp-entity-id http://www.okta.com/exkqd4u2jRYahxjUr4x6                                                           <----- Available under 'setup instructions' (step 10 on OKTA).
        set idp-single-sign-on-url https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/sso/saml <----- Available under 'setup instructions' (step 10 on OKTA).
        set idp-single-logout-url "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "FirstName"                                                                                            <----- The parameter  to map as username. In this case, it is FirstName.
    next
end3

• Create a user group as below on FortiGate:

config user group
    edit "ssl-saml-ngrp"
        set member "oka-saml-vpn"
        end
    next4) Complete the SSL VPN configuration.
config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
        edit 1
            set groups "ssl-saml-ngrp"
            set portal "web-access"
        next
    end
end

config firewall policy
    edit 1
        set name "samltest"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "ssl-saml-ngrp"
        set nat enable
    next

Testing SSL VPN.

• Connect to SSL VPN portal and select 'SSO'.

• Enter the OKTA credentials and it will redirect to SSL VPN page.

 

 

 

 

 

On FortiGate.

 

get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       user1          ssl-user-grp    256(1)                  187     y.y.y.y. 0/0     0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP