FortiGate
ppatel
Staff

Description
This article describes how to set up both OKTA and FortiGate for SAML SSO for web mode SSL VPN, with FortiGate acting as the SAML Service Provider (SP) and OKTA as the Identity Provider (IdP).

Solution
Configuring the OKTA developer account IDP application.

1) Set up an OKTA developer account.

2) Open a browser, log in to the Okta developer account, and select 'Admin' under the user settings.

3) Go to the 'Applications' tab and select 'Add Application'.
 
4) Select 'Create New App' and create a new application with the SAML 2.0 sign on method.
 
5) Enter an App name. The App name is the name of the portal the user logs into.
 
Select 'Next' once done.
 
6) Set the 'Single sign on URL' and the 'Audience URI (SP Entity ID)' to match the SSL VPN settings on the FortiGate. The Single sign on URL is the FortiGate SAML login endpoint, https://<SSL VPN host>:<port>/remote/saml/login, and the Audience URI is https://<SSL VPN host>:<port>/remote/saml/metadata. The host and port must match the SSL VPN listener exactly, or the FortiGate will reject the assertion.

Example.
In this case, the FortiGate SSL VPN is listening on https://x.x.x.x:8443/, so the Single sign on URL is https://x.x.x.x:8443/remote/saml/login and the Audience URI is https://x.x.x.x:8443/remote/saml/metadata.
 
Select 'Download OKTA Certificate'. This is the certificate OKTA signs its SAML assertions with; it will be imported to the FortiGate later as a remote certificate.

7) Set the user attribute statements.

These are the values that will be passed to the FortiGate by the OKTA IdP inside the SAML assertion.

Note.
In this case, the 'FirstName' attribute will be used as the SSL VPN username on the FortiGate (this is referenced by 'set user-name' in the FortiGate configuration later). A first name is not guaranteed to be unique, so for production use map a unique OKTA profile attribute such as user.login or user.email to the username attribute instead.
 
8) Additionally, a group attribute statement can be passed to the FortiGate.
This is optional and is needed only if group matching based on the OKTA group membership of the user is to be performed on the FortiGate.
 
9) Confirm that you are an OKTA customer and set the 'App type' to an internal app.
Then select 'Finish'.
 
10) In the 'Sign On' tab, select 'setup instructions' to get the Identity Provider Single Sign-On URL and the Identity Provider Issuer. These become the idp-single-sign-on-url and idp-entity-id values in the FortiGate SAML configuration:
 
11) In the 'Assignments' tab, select Assign -> Assign to People.
Assign the users who should have access to the application.
Only assigned users are able to log in to the application's portal; unassigned users are refused by OKTA before any assertion reaches the FortiGate.

Save the changes and select 'Done'.
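For reference, this is what the attribute statements from steps 7 and 8 look like inside the SAML assertion OKTA sends, and how the FortiGate turns them into an SSL VPN login. The Python below is an added example written for this article, not Fortinet or OKTA code: the assertion fragment is constructed (signature and conditions omitted), the attribute name 'groups' and the group 'VPN_Users' are assumptions the article does not name, and the decision function emulates the FortiGate's user-name and group-name handling rather than calling any Fortinet API.

```python
"""What the attribute statements from steps 7 and 8 look like on the wire,
and how the FortiGate turns them into an SSL VPN login.

Added example for this article, not Fortinet or OKTA code. SAMPLE_ASSERTION is
a constructed fragment of an OKTA assertion (signature and conditions omitted)
using the article's 'FirstName' attribute; the group attribute name "groups"
and the group "VPN_Users" are assumptions, since the article does not name them.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkqd4u2jRYahxjUr4x6</saml:Issuer>
  <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>user1</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>VPN_Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_statement(assertion_xml):
    """Map attribute Name -> list of values, exactly as the IdP sent them."""
    root = ET.fromstring(assertion_xml)  # a real response must be signature-checked first
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return attrs


def sslvpn_login(attrs, user_name_attr, group_name_attr=None, match_group=None):
    """Emulated outcome of the login for the article's configuration.

    The username is the value of the attribute named by 'set user-name'.
    Without 'set group-name' and a user-group match entry, every authenticated
    user is a member of the SAML user group; with them, the group attribute
    must carry the matched group name.
    """
    values = attrs.get(user_name_attr, [])
    if len(values) != 1:
        return {"ok": False, "reason": "attribute %r missing or multi-valued" % user_name_attr}
    user = values[0]
    if group_name_attr is None:
        return {"ok": True, "user": user, "groups": []}
    groups = attrs.get(group_name_attr, [])
    if match_group not in groups:
        return {"ok": False, "reason": "%s is not in group %r" % (user, match_group)}
    return {"ok": True, "user": user, "groups": groups}


if __name__ == "__main__":
    attrs = attribute_statement(SAMPLE_ASSERTION)
    print(sslvpn_login(attrs, "FirstName"))                         # step 7 only: any OKTA user
    print(sslvpn_login(attrs, "FirstName", "groups", "VPN_Users"))  # step 8: group matching
    print(sslvpn_login(attrs, "FirstName", "groups", "Admins"))     # denied, not in group
    print(sslvpn_login(attrs, "LastName"))                          # attribute not sent by OKTA
```

The last two calls show the two failure modes worth testing before rollout: a username attribute that OKTA does not send (the login fails entirely) and a user assigned to the app but outside the matched group.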
 
Configuring the FortiGate for SSL VPN and as the SP.

1) Upload the OKTA certificate downloaded in step 6 as a 'remote certificate' on the FortiGate (System -> Certificates -> Import -> Remote Certificate). It is stored under a name such as REMOTE_Cert_1 and is referenced as the idp-cert in the SAML configuration below.
 
2) Set up SAML as below:
# config user saml
    edit "oka-saml-vpn"
        set cert "Fortinet_Factory"                                        <----- Certificate the FortiGate (SP) uses to sign its SAML requests.
        set entity-id "https://x.x.x.x:8443/remote/saml/metadata"          <----- Same as the Audience URI set on OKTA (step 6).
        set single-sign-on-url "https://x.x.x.x:8443/remote/saml/login"    <----- Same as the Single sign on URL set on OKTA (step 6).
        set single-logout-url "https://x.x.x.x:8443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exkqd4u2jRYahxjUr4x6"       <----- Identity Provider Issuer, available under 'setup instructions' (step 10 on OKTA).
        set idp-single-sign-on-url "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/sso/saml" <----- Identity Provider Single Sign-On URL, available under 'setup instructions' (step 10 on OKTA).
        set idp-single-logout-url "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6/slo/saml"
        set idp-cert "REMOTE_Cert_1"                                       <----- The OKTA certificate uploaded as a remote certificate in step 1.
        set user-name "FirstName"                                          <----- The SAML attribute to map as the username. In this case, it is FirstName.
    next
end
3) Create a user group as below on FortiGate. With no match entries, every user authenticated by the OKTA app is a member of this group, so who may log in is controlled only by the OKTA assignments made in step 11.
# config user group
    edit "ssl-saml-ngrp"
        set member "oka-saml-vpn"
    next
end
4) Complete the SSL VPN configuration. The SSL VPN port must be the one used in the SAML URLs above (8443 here).
# config vpn ssl settings
    set servercert "self-sign"                       <----- Self-signed in this lab setup; use a CA-signed server certificate in production.
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "ssl-saml-ngrp"
            set portal "web-access"
        next
    end
end
# config firewall policy
    edit 1
        set name "samltest"
        set uuid e231b862-e6df-51ea-363e-3e20a512b4d6
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "ssl-saml-ngrp"
        set nat enable
    next
end
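The correspondence between the OKTA values and the FortiGate CLI above can be checked and generated from the OKTA IdP metadata. The following Python script is an added example written for this article and is not Fortinet or OKTA code. It assumes the IdP metadata XML has been downloaded from the app's Sign On tab (the embedded SAMPLE_METADATA is a constructed copy using the identifiers above and a dummy certificate body), derives the SP endpoints from the SSL VPN listener, checks the values entered in OKTA step 6 against them, and prints the 'config user saml' and 'config user group' blocks, including the optional group-matching form for step 8 (the attribute name "groups" and the group "VPN_Users" are assumptions; the article does not name them).

```python
"""Derive the FortiGate SAML configuration from OKTA IdP metadata.

Added example for this article, not Fortinet or OKTA code. Assumes the OKTA
app's IdP metadata XML (Sign On tab) was saved locally; SAMPLE_METADATA is a
constructed copy using the article's identifiers and a dummy certificate body.
The group attribute name "groups" is an assumption (the article names none).
"""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
OKTA_APP = "https://dev-760674.okta.com/app/fortinetdev760674_samlfgt_2/exkqd4u2jRYahxjUr4x6"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkqd4u2jRYahxjUr4x6">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>
        MIIDdummyCERTbody0123456789abcdef
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="{OKTA_APP}/slo/saml"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="{OKTA_APP}/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Issuer, HTTP-POST SSO/SLO URLs and signing certificate (base64, whitespace stripped)."""
    root = ET.fromstring(xml_text)  # use defusedxml for metadata you did not fetch yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")

    def post_location(tag):
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == HTTP_POST:
                return svc.get("Location")
        return None

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert = re.sub(r"\s+", "", node.text)
            break
    result = {"entity_id": root.get("entityID"), "sso_url": post_location("SingleSignOnService"),
              "slo_url": post_location("SingleLogoutService"), "cert_b64": cert}
    if not (result["entity_id"] and result["sso_url"] and cert):
        raise ValueError("metadata lacks entityID, HTTP-POST SSO URL or signing certificate")
    return result


def sp_endpoints(sslvpn_base):
    """FortiGate SP endpoints are fixed paths under the SSL VPN listener (host and port)."""
    base = sslvpn_base.rstrip("/")
    return {"entity_id": base + "/remote/saml/metadata",
            "sso_url": base + "/remote/saml/login",
            "slo_url": base + "/remote/saml/logout"}


def okta_app_mismatches(okta_sso_url, okta_audience_uri, sp):
    """Values typed into the OKTA app (step 6) must equal the SP values exactly."""
    problems = []
    if okta_sso_url != sp["sso_url"]:
        problems.append("Single sign on URL must be " + sp["sso_url"])
    if okta_audience_uri != sp["entity_id"]:
        problems.append("Audience URI (SP Entity ID) must be " + sp["entity_id"])
    return problems


def saml_server_cli(name, sp, idp, user_attr, idp_cert_name, group_attr=None):
    """'config user saml' block; group-name is emitted only when group matching is wanted."""
    lines = ["config user saml", '    edit "%s"' % name, '        set cert "Fortinet_Factory"',
             '        set entity-id "%s"' % sp["entity_id"],
             '        set single-sign-on-url "%s"' % sp["sso_url"],
             '        set single-logout-url "%s"' % sp["slo_url"],
             '        set idp-entity-id "%s"' % idp["entity_id"],
             '        set idp-single-sign-on-url "%s"' % idp["sso_url"]]
    if idp["slo_url"]:
        lines.append('        set idp-single-logout-url "%s"' % idp["slo_url"])
    lines += ['        set idp-cert "%s"' % idp_cert_name, '        set user-name "%s"' % user_attr]
    if group_attr:
        lines.append('        set group-name "%s"' % group_attr)
    return "\n".join(lines + ["    next", "end"])


def user_group_cli(group, saml_name, match_group=None):
    """'config user group' block. Without a match entry, every user OKTA asserts is a member."""
    lines = ["config user group", '    edit "%s"' % group, '        set member "%s"' % saml_name]
    if match_group:
        lines += ["        config match", "            edit 1",
                  '                set server-name "%s"' % saml_name,
                  '                set group-name "%s"' % match_group, "            next", "        end"]
    return "\n".join(lines + ["    next", "end"])


if __name__ == "__main__":
    idp, sp = parse_idp_metadata(SAMPLE_METADATA), sp_endpoints("https://x.x.x.x:8443/")
    print(saml_server_cli("oka-saml-vpn", sp, idp, "FirstName", "REMOTE_Cert_1", group_attr="groups"))
    print(user_group_cli("ssl-saml-ngrp", "oka-saml-vpn", match_group="VPN_Users"))
    for p in okta_app_mismatches("https://x.x.x.x/remote/saml/login", sp["entity_id"], sp):
        print("OKTA app mismatch:", p)  # port 8443 is missing on the OKTA side
```

The mismatch check is the one most worth keeping: a Single sign on URL entered without the port, or with http instead of https, is the usual cause of an assertion that OKTA issues happily but the FortiGate rejects. The X509Certificate value the parser extracts is the same certificate as the 'Download OKTA Certificate' file and, wrapped in BEGIN/END CERTIFICATE lines, is what gets imported in step 1.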

Testing SSL VPN.

1) Connect to the SSL VPN portal and select 'SSO'.
 
2) Enter the OKTA credentials. After authentication, OKTA redirects the browser back to the FortiGate and the SSL VPN web portal page is displayed.
 
On FortiGate, the login is visible under 'SSL VPN Login Users' with the username taken from the SAML attribute. No entry appears under 'SSL VPN sessions' because web mode does not build a tunnel.
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Group          Auth Type   Timeout   From      HTTP in/out   HTTPS in/out
 0       user1   ssl-user-grp   256(1)      187       y.y.y.y   0/0           0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP