MHRNetwork
New Contributor II

Fortigate 200F integrate with Okta - SSL VPN

Hi all,

I am planning to conduct a feasibility check on a FortiGate 200F with Okta authentication for SSL VPN.

So I need some clarification on configuration changes and the impact to the production environment.

Here are my questions:

  1. Is it possible to integrate with Okta using a specific VDOM only? Does it affect the global config?
  2. Are there any impacts if testing on a VDOM in the production environment?
  3. Any guidance or steps that I can refer to?
  4. Is it possible to test the integration with an Okta developer account?

Thanks,

1 Solution
hbac
Staff

Hi @MHRNetwork,

If still not working, you need to run the following debugs and try to connect again to see what's wrong:

di deb res
diagnose debug application samld -1
di deb app sslvpn -1
di deb en

Regards,

dbu
Staff

Hi @MHRNetwork,

Here are your answers:

1. Yes, it is possible.

2. There will not be any impact if you create a new test user, group, server etc. only for this purpose, without overlapping with the existing working configuration.

3. Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

4. The guide above describes the steps that you take if using the free Okta developer edition.
So I believe you will be good.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
ndumaj

Hi MHRNetwork,

Additionally, you can review the following article, which might help in your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

-BR-

- Happy to help, hit like and accept the solution -
MHRNetwork
New Contributor II

Hi all,

Can anyone here help me verify the FortiGate SAML config?

xxxxfw01 (saml) # show
config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
        set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
        set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
        set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
        set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "hafizxxxxx@gmail.com"
        set digest-method sha256
    next
end

I believe my config is already correct. I have followed the steps in the guide:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

I tried logging in to SSL VPN using the web page. The SSO button is there, but after successfully logging in, it shows the error 'Session ended'.

[Picture 1: 1.PNG, Picture 2: 2.PNG, Picture 3: 3.PNG (screenshots not reproduced)]

Please help clarify this issue.

Thanks,

Hafiz

ozkanaltas
Valued Contributor III

Hello @MHRNetwork,

I think your SAML configuration on the FortiGate is wrong.

You configured the "user-name" area with your e-mail. This area is for the username attribute, and this attribute helps the FortiGate determine your username. Generally, this area is filled with a "username" attribute.

Can you try this configuration?

config user saml
    edit "okta-idp"
        set user-name "username"
    next
end

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

chisrobin
New Contributor

Thanks for sharing your config and the troubleshooting steps you’ve followed so far. Since the SSO button appears and login initiates, your SAML setup with Okta is almost complete. The “Session ended” error typically points to session handling or attribute mapping issues.

Here are a few things to check:

  • Attribute Statements: Ensure that the SAML response from Okta includes the expected attributes, especially the username or email. FortiGate uses these to map users correctly.

  • Session Timeout Settings: Confirm both Okta and FortiGate timeout settings are aligned. A mismatch can cause abrupt session terminations.

  • Time Sync: Ensure both Okta and your FortiGate appliance are synced with an NTP server. Time differences often cause SAML session validation issues.

  • VDOM Testing: Since you mentioned using a specific VDOM, be aware that certain authentication settings are global. While testing, isolate config changes to prevent any unintended production impact.

I recently came across similar authentication challenges while managing content and backend access for my site, and documenting that process helped a lot. If you're interested in how secure configurations can impact user-facing platforms, feel free to check out https://5guyzmenu.com — the focus is different, but the technical takeaways might be useful.

Hope your integration gets sorted soon!
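The two diagnoses above (ozkanaltas's point that `set user-name` names a SAML attribute, not a user, and the attribute-statement and time-sync items in the checklist) can be verified offline against the SAML response the browser actually received, before turning on the samld debugs. The script below is an added example, not Fortinet's code or any poster's: it parses a SAML Response (for instance one captured with a browser SAML tracer), extracts the fields a FortiGate SP cares about, and compares them with the keys from `config user saml`. The response and the config values it uses are constructed placeholders (`exkEXAMPLE`, `203.0.113.228`, `user@example.com`) standing in for the redacted values in the thread. It does not verify the XML signature; that check is what `idp-cert` is for on the box.

```python
"""Check a captured SAML Response against FortiGate 'config user saml' values.

Added example, not Fortinet's code or the forum posters'. Covers: the attribute
named by 'set user-name', audience vs. 'entity-id', issuer vs. 'idp-entity-id',
and the assertion validity window vs. the clock (the NTP point). The XML
signature is NOT verified here; the FortiGate does that with 'idp-cert'.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; ids and addresses are placeholders, not real ones.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://203.0.113.228:10443/remote/saml/login">
  <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
  <saml2:Assertion>
    <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://203.0.113.228:10443/remote/saml/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username">
        <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Mirrors the relevant keys of the thread's 'config user saml' (placeholder values).
FG_CONFIG_AS_POSTED = {
    "entity-id": "https://203.0.113.228:10443/remote/saml/metadata",
    "idp-entity-id": "http://www.okta.com/exkEXAMPLE",
    "user-name": "user@example.com",  # an e-mail address where an attribute name belongs
}
FG_CONFIG_FIXED = dict(FG_CONFIG_AS_POSTED, **{"user-name": "username"})


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z or ...:00.123Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_saml_response(xml_text):
    """Pull the fields a FortiGate SP checks out of the first (unencrypted) Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plain Assertion (missing or encrypted)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "audience": (cond.findtext("saml:AudienceRestriction/saml:Audience",
                                   default="", namespaces=NS) or "").strip(),
        "name_id": (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip(),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "attributes": attrs,
    }


def check_against_fortigate(parsed, fg, now, skew=timedelta(seconds=60)):
    """Return a list of findings; an empty list means the response fits the config."""
    findings = []
    if parsed["issuer"] != fg["idp-entity-id"]:
        findings.append(f"issuer {parsed['issuer']!r} does not match idp-entity-id")
    if parsed["audience"] != fg["entity-id"]:
        findings.append(f"audience {parsed['audience']!r} does not match entity-id")
    wanted = fg["user-name"]  # FortiGate looks for an attribute with this Name
    if wanted not in parsed["attributes"]:
        findings.append(f"no attribute named {wanted!r}; IdP sent {sorted(parsed['attributes'])}")
    elif not any(parsed["attributes"][wanted]):
        findings.append(f"attribute {wanted!r} is present but empty")
    # Validity window with a small tolerance; a clock that is off trips these.
    if now + skew < parse_saml_time(parsed["not_before"]):
        findings.append(f"assertion not yet valid (NotBefore {parsed['not_before']}): check NTP")
    if now - skew >= parse_saml_time(parsed["not_on_or_after"]):
        findings.append(f"assertion expired (NotOnOrAfter {parsed['not_on_or_after']}): check NTP")
    return findings


def demo(fg_config, at="2024-01-01T12:01:00Z", xml_text=SAMPLE_RESPONSE):
    """Parse the (sample) response and check it against a config at time 'at'."""
    return check_against_fortigate(parse_saml_response(xml_text), fg_config, parse_saml_time(at))


if __name__ == "__main__":
    for label, cfg in (("as posted", FG_CONFIG_AS_POSTED), ("fixed", FG_CONFIG_FIXED)):
        print(label, "->", demo(cfg) or "OK")
    print("30 minutes late ->", demo(FG_CONFIG_FIXED, at="2024-01-01T12:30:00Z"))
```

Run with the as-posted config, the only finding is that no attribute named after the e-mail address exists in the assertion, which is the mismatch ozkanaltas describes; with `user-name "username"` it passes. Feeding in a real captured response requires replacing `SAMPLE_RESPONSE` and the config placeholders with the values from the `show` output above.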
