FortiGate
nkorea
Staff
Article Id 387579
Description This article describes the process of configuring ZTNA proxy access with SAML authentication using OKTA.
Scope FortiOS, OKTA.
Solution

In this example, it is assumed that the FortiGate EMS Fabric Connector is already successfully connected and that the FortiClient is receiving the appropriate tags.

The tag name used in this scenario is EMS1_ZTNA_SAML_TESTING.

The example demonstrates an attempt to access the backend server at IP address 11.0.0.2, which is listening on port 80.

[Image omitted]

To configure a SAML server:

blackbird-kvm26 # config user saml
blackbird-kvm26 (saml) #
blackbird-kvm26 (saml) # show
config user saml
    edit "SAML_OKTA"
        set cert "Fortinet_Factory"
        set entity-id "http://10.21.x.x:11443/remote/saml/metadata/"
        set single-sign-on-url "https://10.21.x.x:11443/remote/saml/login"
        set single-logout-url "https://10.21.x.x:11443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exko5iglsnmNkdP7z5d7"
        set idp-single-sign-on-url "https://dev/exko5iglsnmNkdP7z5d7/sso/saml"
        set idp-single-logout-url "https://dev-.okta.com"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"       <----- This must match the attribute name configured on OKTA.
        set group-name "group"         <----- This must match the group attribute name configured on OKTA.
        set digest-method sha1
    next
end

blackbird-kvm26 (saml) # end

 

blackbird-kvm26 # config user group
blackbird-kvm26 (group) #
blackbird-kvm26 (group) # show
config user group
    edit "SAML_OKTA"
        set member "SAML_OKTA"
    next
end

 

OKTA side configuration:

[Screenshots omitted: Okta-side SAML configuration]

 

In this scenario, the username attribute on the Okta side must match the user-name field in the FortiGate SAML server configuration shown above.

 

Additionally, the Group attribute value can also be sent to the FortiGate.
This is optional and only required if you intend to perform group-based matching on the FortiGate based on Okta user group membership.
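What the two settings select from an assertion is easiest to see on a real attribute statement. The following Python snippet is an added example, not the article's or Okta's code: it reads a constructed, unsigned SAML response (attribute names `username` and `group` as configured above; the user and group values are invented) and applies the same mapping the FortiGate's `set user-name` / `set group-name` settings express. Renaming the attribute on the Okta side to `email` reproduces the name mismatch that leaves the FortiGate without a username even though the IdP login itself succeeded.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: a trimmed, unsigned SAML response carrying the two
# attribute statements this article configures on the Okta side.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="group">
        <saml2:AttributeValue>ZTNA-Users</saml2:AttributeValue>
        <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def saml_attributes(xml_text):
    """Return {Attribute Name: [values]} from the assertion's AttributeStatement.
    The FortiGate verifies the response signature before it looks at attributes;
    this helper only reads a captured assertion offline, so parse untrusted
    input with a hardened parser such as defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
    return attrs


def map_to_fortigate(attrs, user_name="username", group_name="group"):
    """Apply the 'set user-name' / 'set group-name' mapping from 'config user saml'.
    Returns (user, groups); user is None when no attribute carries the configured
    name, which is what a name mismatch between Okta and FortiGate looks like."""
    users = attrs.get(user_name, [])
    return (users[0] if users else None), attrs.get(group_name, [])


def explain_mapping(xml_text, user_name="username", group_name="group"):
    """Human-readable result, listing the names the IdP actually sent on a miss."""
    attrs = saml_attributes(xml_text)
    user, groups = map_to_fortigate(attrs, user_name, group_name)
    if user is None:
        return f"no attribute named {user_name!r}; IdP sent {sorted(attrs)}"
    return f"user={user} groups={groups}"


if __name__ == "__main__":
    print(explain_mapping(SAMPLE_RESPONSE))
    # Okta app changed to send "email" while the FortiGate still expects "username":
    print(explain_mapping(SAMPLE_RESPONSE.replace('Name="username"', 'Name="email"')))
```

The group list comes back as a plain list of strings because an Okta group attribute statement with a filter can emit several AttributeValue elements; whichever of them the FortiGate is configured to match against, the attribute *name* still has to equal the `group-name` setting first.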

 
[Screenshots omitted: Okta username and group attribute statements]

 

To configure the access proxy VIP:

blackbird-kvm26 # config firewall vip
blackbird-kvm26 (vip) # show
config firewall vip
    edit "ZTNA"
        set uuid bfe244aa-1413-51f0-5cb2-19904d2c614e
        set type access-proxy
        set server-type https
        set extip 10.21.x.x
        set extintf "port1"
        set extport 11443
        set ssl-certificate "Fortinet_Factory"
    next
end

 

To configure access proxy server mappings:

blackbird-kvm26 # config firewall access-proxy
blackbird-kvm26 (access-proxy) # show
config firewall access-proxy
    edit "ZTNA"
        set vip "ZTNA"
        config api-gateway
            edit 1
                set service http
                config realservers
                    edit 1
                        set ip 11.0.0.2
                        set port 80
                    next
                end
            next
            edit 2
                set service samlsp
                set saml-server "SAML_OKTA"
            next
        end
    next
end

blackbird-kvm26 (access-proxy) # end

 

To configure a firewall proxy policy for full ZTNA:

blackbird-kvm26 # config firewall proxy-policy
blackbird-kvm26 (proxy-policy) #
blackbird-kvm26 (proxy-policy) # show
config firewall proxy-policy
    edit 1
        set uuid 97cf010a-1414-51f0-e652-437f1a12cec9
        set name "ZTNA"
        set proxy access-proxy
        set access-proxy "ZTNA"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_SAML_TESTING"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML_OKTA"
    next
end

blackbird-kvm26 (proxy-policy) # end

 

To configure the authentication settings, rule, and scheme to match the new SAML server:

blackbird-kvm26 # config authentication rule
blackbird-kvm26 (rule) # show
config authentication rule
    edit "SAML_OKTA"
        set srcintf "port1"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "SAML_OKTA"
        set web-auth-cookie enable
    next
end

blackbird-kvm26 (rule) # end

blackbird-kvm26 # config authentication scheme
blackbird-kvm26 (scheme) #
blackbird-kvm26 (scheme) # show
config authentication scheme
    edit "SAML_OKTA"
        set method saml
        set saml-server "SAML_OKTA"
    next
end

blackbird-kvm26 (scheme) # end

 

blackbird-kvm26 #
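The objects configured above reference each other purely by name: the access proxy points at the VIP, its samlsp gateway at the SAML server, the proxy policy at the EMS tag and the user group, and the group at the SAML server as its member. A typo in any one of those names produces a login that fails with no obvious error in the CLI. As an added example, not the article's or Fortinet's own code, the following Python script parses a FortiOS config dump in the format shown above and cross-checks those references. The embedded sample config is constructed from this article's object names with the redacted external IP replaced by the placeholder 10.21.0.1, and the check that the SP single-sign-on URL's host:port equals the VIP's extip:extport is an assumption this script makes.

```python
from urllib.parse import urlsplit

# Constructed sample, not the article's literal CLI output: the article's object
# names, with the redacted external IP replaced by the placeholder 10.21.0.1.
SAMPLE_CONFIG = """\
config user saml
    edit "SAML_OKTA"
        set single-sign-on-url "https://10.21.0.1:11443/remote/saml/login"
    next
end
config user group
    edit "SAML_OKTA"
        set member "SAML_OKTA"
    next
end
config firewall vip
    edit "ZTNA"
        set extip 10.21.0.1
        set extport 11443
    next
end
config firewall access-proxy
    edit "ZTNA"
        set vip "ZTNA"
        config api-gateway
            edit 2
                set service samlsp
                set saml-server "SAML_OKTA"
            next
        end
    next
end
config firewall proxy-policy
    edit 1
        set access-proxy "ZTNA"
        set ztna-ems-tag "EMS1_ZTNA_SAML_TESTING"
        set groups "SAML_OKTA"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts,
    {table: {entry: {setting: value}}}; a config block inside an entry
    becomes a nested table under its own name (e.g. entry["api-gateway"])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block(closer):
        nonlocal pos
        out = {}
        while pos < len(lines):
            line, pos = lines[pos], pos + 1
            if line == closer:
                return out
            if line.startswith("edit "):
                out[line[5:].strip('"')] = block("next")
            elif line.startswith("config "):
                out[line[7:]] = block("end")
            elif line.startswith("set "):
                key, _, value = line[4:].partition(" ")
                out[key] = value.strip('"')
        return out

    return block(None)


def check_ztna_saml(cfg, ems_tags):
    """Cross-check the name references the procedure relies on. ems_tags is the
    set of tag names EMS pushes; returns a list of findings (empty = consistent)."""
    saml, groups = cfg.get("user saml", {}), cfg.get("user group", {})
    vips, proxies = cfg.get("firewall vip", {}), cfg.get("firewall access-proxy", {})
    findings = []
    for name, proxy in proxies.items():
        vip = vips.get(proxy.get("vip"), {})
        if not vip:
            findings.append(f"access-proxy {name}: vip {proxy.get('vip')!r} not found")
        for gw_id, gw in proxy.get("api-gateway", {}).items():
            if gw.get("service") != "samlsp":
                continue
            srv = saml.get(gw.get("saml-server"))
            if srv is None:
                findings.append(f"access-proxy {name}/{gw_id}: saml-server {gw.get('saml-server')!r} not found")
                continue
            # Assumption of this check: the SP login URL is served on the access-proxy
            # VIP, so its host:port must equal the VIP's extip:extport.
            got = urlsplit(srv.get("single-sign-on-url", "")).netloc
            want = f"{vip.get('extip')}:{vip.get('extport')}"
            if vip and got != want:
                findings.append(f"saml {gw['saml-server']}: login URL {got!r} != vip {want!r}")
    for pol_id, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("ztna-ems-tag") not in ems_tags:
            findings.append(f"proxy-policy {pol_id}: ztna-ems-tag {pol.get('ztna-ems-tag')!r} is not an EMS tag")
        if groups.get(pol.get("groups"), {}).get("member") not in saml:
            findings.append(f"proxy-policy {pol_id}: group {pol.get('groups')!r} has no SAML server member")
    return findings


if __name__ == "__main__":
    tags = {"EMS1_ZTNA_SAML_TESTING"}
    print(check_ztna_saml(parse_fortios(SAMPLE_CONFIG), tags))  # []
    broken = SAMPLE_CONFIG.replace("EMS1_ZTNA_SAML", "EMS1_ZTNA _SAML")  # typo in the policy's tag
    print(check_ztna_saml(parse_fortios(broken), tags))
```

Feed it the output of `show full-configuration` (or the individual `show` blocks above concatenated) and the set of tag names visible on the EMS; the parser only understands the four keywords FortiOS uses, which is enough for these tables.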

 

Testing the connection.

  1. On a client PC, try to access the webpage through the HTTPS access proxy. For example, go to https://x.x.x.x:11443 in a browser.
  2. The client PC is prompted for a client certificate. After the certificate is validated, the browser is redirected to a SAML login portal.
  3. Enter the user credentials. The SAML server authenticates the user and sends a SAML assertion response message to the FortiGate.
  4. The user is proxied to the webpage on the real web server.

 

[Screenshots omitted: SAML login portal and proxied web page]

 

Logs and debugs.

Use the following command to check the user information after the user has been authenticated.

blackbird-kvm26 # diagnose wad user list

ID: 1, VDOM: root, IPv4: 10.x.x.x
  user name   : xxxxxx@fortinet.com
  worker      : 0
  duration    : 674
  auth_type   : Session
  auth_method : SAML
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=15080 bytes_out=111238
  WAN:
    bytes_in=101311 bytes_out=1867

 

blackbird-kvm26 #
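When several users are connected, reading this output by eye does not scale. The following Python script is an added example, not a Fortinet tool: it parses the `diagnose wad user list` output format shown above into one flat record per session and returns the sessions that were not authenticated with SAML through proxy policy 1, which is the combination this article expects. The sample output is constructed: the first record mirrors the fields above with an invented user and IP, the second is an invented non-SAML session on another policy so that the check has something to report.

```python
import re

# Constructed sample (not the article's output): two sessions in the format
# 'diagnose wad user list' prints; the second is a non-SAML session on another
# policy so the check below has something to flag.
SAMPLE_OUTPUT = """\
ID: 1, VDOM: root, IPv4: 10.0.0.10
  user name   : alice@example.com
  worker      : 0
  duration    : 674
  auth_type   : Session
  auth_method : SAML
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=15080 bytes_out=111238
  WAN:
    bytes_in=101311 bytes_out=1867
ID: 2, VDOM: root, IPv4: 10.0.0.11
  user name   : bob
  worker      : 1
  duration    : 12
  auth_type   : Session
  auth_method : Basic
  pol_id      : 3
  g_id        : 4
  user_based  : 0
  expire      : no
"""

HEADER = re.compile(r"^ID: (\d+), VDOM: (\S+), IPv4: (\S+)$")


def parse_wad_users(text):
    """Split the output into one dict per session: the header fields plus the
    indented 'key : value' lines. LAN/WAN byte counters are folded in as
    lan_bytes_in, wan_bytes_out, ... so every session is a flat record."""
    records, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"id": int(m[1]), "vdom": m[2], "ip": m[3]}
            records.append(current)
            section = None
        elif current is None:
            continue  # ignore anything before the first session header
        elif line.strip() in ("LAN:", "WAN:"):
            section = line.strip()[:-1].lower()
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().replace(" ", "_")] = value.strip()
        elif section:
            for k, v in re.findall(r"(\w+)=(\d+)", line):
                current[f"{section}_{k}"] = int(v)
    return records


def unexpected_sessions(records, policy_id="1", method="SAML"):
    """Sessions that did not authenticate via the expected method on the expected policy."""
    return [r for r in records
            if r.get("pol_id") != policy_id or r.get("auth_method") != method]


if __name__ == "__main__":
    sessions = parse_wad_users(SAMPLE_OUTPUT)
    for s in unexpected_sessions(sessions):
        print(f"session {s['id']} user={s['user_name']} method={s['auth_method']} pol_id={s['pol_id']}")
```

Counters are kept as integers so the records can be compared across repeated runs of the command, for example to confirm that traffic is actually flowing through the proxy policy after a successful SAML login.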

 

Related documents: