This article describes how to setup both OKTA and FortiGAte for SAML SSO for web mode SSL VPN with FortiGate acting as SP.
Configuring the OKTA developer account IDP application.
1) Setup an OKTA developer account.
2) Open a browser, log in to the Okta developer account, and select 'Admin' under the user settings.
3) Go to the 'Applications' tab and select 'Add Application'.4) Select 'Create New App' and create a new application with the SAML 2.0 sign on method.5) Enter an App name. The App name is the name of the portal the user logs into.Select 'Next' once done.6) Set the sign on URL and Audience URI as per the SSL VPN settings on the FortiGate.
Example.In this case, the FortiGate SSL VPN is listening on https://x.x.x.x:8443/
Select 'Download OKTA Certificate'. This will be imported to the FortiGate later.
7) Set the user attribute statements.
These are the values that will be passed on to the FortiGate by the OKTA IDP.
Note.In this case, the 'FirstName' attribute will be used as the SSL vpn username on FortiGate (will be seen in later FortiGate configuration).8) Additionally, Group attribute value can also be passed on FortiGate.This is optional and is needed only if perform group matching based of group membership of OKTA users on FortiGate is intended.9) Confirm to be an OKTA customer and set the 'App type' to an internal App.Then select 'Finish'.10) In the 'Sign On' tab, select 'setup instructions' to get the IDP single sign on URL and the identity provider issuer:11) In the Assignments tab, select Assign -> Assign to People.
Assign the users to add to the application.This allows the user to log in to the application’s portal.Save the changes and select 'Done'.Configuring the FortiGate for SSL VPN and as SP.
1) Upload the OKTA certificate as a 'remote certificate' on FortiGate.2) Setup SAML as below:
# config user saml3) Create a user group as below on FortiGate.
set cert "Fortinet_Factory"
set entity-id https://x.x.x.x:8443/remote/saml/metadata <----- Same as set up on OKTA.
set single-sign-on-url https://x.x.x.x:8443/remote/saml/login <----- Same as setup on OKTA.
set single-logout-url https://x.x.x.x:8443/remote/saml/logout <----- Same as setup on OKTA.
set idp-entity-id http://www.okta.com/exkqd4u2jRYahxjUr4x6 <----- Available under 'setup instructions' (step 10 on OKTA).
set idp-single-sign-on-url https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/sso/saml <----- Available under 'setup instructions' (step 10 on OKTA).
set idp-single-logout-url "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/slo/saml"
set idp-cert "REMOTE_Cert_1"
set user-name "FirstName" <----- The parameter to map as username. In this case, it is FirstName.
# config user group4) Complete the SSL VPN configuration.
set member "oka-saml-vpn"
# config vpn ssl settings
set servercert "self-sign"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 8443
set source-interface "port1"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
# config authentication-rule
set groups "ssl-saml-ngrp"
set portal "web-access"
end# config firewall policy
set name "samltest"
set uuid e231b862-e6df-51ea-363e-3e20a512b4d6
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "ssl-saml-ngrp"
set nat enable
Testing SSL VPN.
1) Connect to SSL VPN portal and select 'SSO'.2) Enter the OKTA credentials and it will redirect to SSL VPN page.
# get vpn ssl monitor
SSL VPN Login Users:
Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out
0 user1 ssl-user-grp 256(1) 187 y.y.y.y. 0/0 0/0
SSL VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP