Fortigate 200F integrate with Okta - SSL VPN
Hi all,
I am planning to conduct a feasibility check on a FortiGate 200F with Okta authentication for SSL VPN.
So I need some clarification on the configuration changes and the impact on the production environment.
Here are my questions:
- Is it possible to integrate with Okta using a specific VDOM only? Does it affect the global config?
- Are there any impacts if testing on a VDOM in a production environment?
- Is there any guidance or steps that I can refer to?
- Is it possible to test the integration with an Okta developer account?
Thanks,
Labels: FortiClient, FortiGate
Hi @MHRNetwork,
If it is still not working, you need to run the following debugs and try to connect again to see what is wrong:
di deb res
diagnose debug application samld -1
di deb app sslvpn -1
di deb en
Regards,
Hi @MHRNetwork,
Here are your answers:
1. Yes, it is possible.
2. There will not be any impact if you create a new test user, group, server etc. only for this purpose, without overlapping with the existing working configuration.
3. Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...
4. The guide above describes the steps that you take if using the free Okta developer edition.
So I believe you will be good.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi MHRNetwork,
Additionally, you can review the following article, which might help with your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...
-BR-
Hi all,
Can anyone here help me verify the FortiGate SAML config?
xxxxfw01 (saml) # show
config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
        set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
        set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
        set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
        set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "hafizxxxxx@gmail.com"
        set digest-method sha256
    next
end
I believe my config is already correct. I have followed the steps in the guide.
I tried logging in to the SSL VPN using the web page. The SSO button is there, but after successfully logging in, it shows the error 'Session ended'.
Picture 1
Picture 3
Please help to clarify on this issue
Thanks,
Hafiz
Created on 12-14-2023 12:18 AM Edited on 12-14-2023 12:24 AM
Hello @MHRNetwork ,
I think your SAML configuration on the FortiGate is wrong.
You configured the "user-name" field with your e-mail. This field is for the username attribute, and this attribute helps the FortiGate determine your username. Generally, this field is filled with a "username" attribute.
Can you try this configuration?
config user saml
    edit "okta-idp"
        set user-name "username"
    next
end
NSE 4-5-6-7 OT Sec - ENT FW
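To make the point of the answer above concrete, here is an added example (not from the thread and not Fortinet code) that parses a constructed SAML response of the kind an IdP posts back to the FortiGate ACS URL and shows what happens when the `user-name` setting is looked up as an attribute name: a literal e-mail address there matches nothing, while `username` resolves to the identity. The lookup model, the sample response and the `audience_matches` check against `entity-id` are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the SAML response an IdP such as Okta posts back to the
# FortiGate ACS URL (.../remote/saml/login). Signature omitted; values are placeholders.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>http://www.okta.com/IDP-ENTITY-ID-PLACEHOLDER</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://vpn.example.com:10443/remote/saml/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username">
        <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def saml_attributes(response_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
    return attrs


def resolve_username(response_xml, user_name_setting):
    """Model (assumption) of how `set user-name` is applied: the configured string is
    looked up as an attribute NAME in the assertion, so an e-mail address put there
    matches nothing and the login yields no username."""
    values = saml_attributes(response_xml).get(user_name_setting, [])
    return values[0] if values else None  # "username" -> user@example.com; an e-mail -> None


def audience_matches(response_xml, sp_entity_id):
    """Check that the assertion's Audience equals the SP entity-id set on the FortiGate."""
    root = ET.fromstring(response_xml)
    return sp_entity_id in [a.text for a in root.iterfind(".//saml2:Audience", NS)]
```

The same attribute-name check is what you would verify in the `samld` debug output: the attribute named by `user-name` must actually be present in the assertion Okta sends.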
- Always take backups: Before making any configuration changes, create backups of your Fortigate settings to ensure you can revert in case of any issues.
- Follow best practices: Ensure that you're following recommended practices from both Fortinet and Okta to set up secure and functional authentication.
- Consider the impact: Testing in a production environment, even within a specific VDOM, can potentially impact users. Plan and communicate any potential disruptions or downtime accordingly.
Regards: