Hi all,
I am planning to conduct feasibility check on Fortigate 200F with Okta authentication for SSL VPN.
So I need some clarification on configurations changes and impact to productions environment.
Here are my questions: -
Thanks,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @MHRNetwork,
If still not working, you need to run the following debugs and try to connect again to see what's wrong:
di deb res
diagnose debug application samld -1
di deb app sslvpn -1
di deb en
Regards,
Hi @MHRNetwork ,
Here are your answers:
1-Yes it is possible
2-There will not be any impact if you create new test user,group,server ect only for this purpose without overlapping with existing working configuration .
3.Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...
4.The guide above describes the steps that you take if using the free Okta developer edition.
So i believe you will be good
Hi MHRNetwork,
Also additionally you can review the following article that might help in your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...
-BR-
Hi all,
Does anyone here can help me to verify the fortigate saml config?
xxxxfw01 (saml) # show
config user saml
edit "okta-idp"
set cert "Fortinet_Factory"
set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
set idp-cert "REMOTE_Cert_1"
set user-name "hafizxxxxx@gmail.com"
set digest-method sha256
next
end
I believe my config already correct. I have follow steps inside the guide
I tried login SSL VPN using webpage. the SSO button is there but after successfully logged in, it shows error 'Session ended'.
Picture 1
Picture 3
Please help to clarify on this issue
Thanks,
Hafiz
Created on 12-14-2023 12:18 AM Edited on 12-14-2023 12:24 AM
Hello @MHRNetwork ,
I think your saml configuration on Fortigate is wrong.
You configured the "user-name" area with your e-mail. This area is for the username attribute. And this attribute helps to Fortigate determine your username . Generally, this area fills with a "username" attribute.
Can you try this configuration?
config user saml
edit "okta-idp"
set user-name "username"
next
end
Regards:
Hi @MHRNetwork,
If still not working, you need to run the following debugs and try to connect again to see what's wrong:
di deb res
diagnose debug application samld -1
di deb app sslvpn -1
di deb en
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1670 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.