MHRNetwork
New Contributor II

Fortigate 200F integrate with Okta - SSL VPN

Hi all,

I am planning to conduct a feasibility check on a FortiGate 200F with Okta authentication for SSL VPN.

So I need some clarification on the configuration changes and the impact on the production environment.

Here are my questions:

  1. Is it possible to integrate with Okta using a specific VDOM only? Does it affect the global config?
  2. Are there any impacts if testing on a VDOM in a production environment?
  3. Any guidance or steps that I can refer to?
  4. Is it possible to test the integration with an Okta developer account?

Thanks,

1 Solution
hbac
Staff

Hi @MHRNetwork,

If it is still not working, you need to run the following debugs and try to connect again to see what's wrong:

di deb res
diagnose debug application samld -1
di deb app sslvpn -1
di deb en

Regards,

dbu
Staff

Hi @MHRNetwork,

Here are your answers:

1. Yes, it is possible.

2. There will not be any impact if you create a new test user, group, server etc. only for this purpose, without overlapping with the existing working configuration.

3. Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

4. The guide above describes the steps that you take if using the free Okta developer edition.
So I believe you will be good.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
ndumaj

Hi MHRNetwork,

Additionally, you can review the following article, which might help in your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

-BR-

- Happy to help, hit like and accept the solution -
MHRNetwork
New Contributor II

Hi all,

Can anyone here help me verify the FortiGate SAML config?

xxxxfw01 (saml) # show
config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
        set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
        set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
        set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
        set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "hafizxxxxx@gmail.com"
        set digest-method sha256
    next
end

I believe my config is already correct. I have followed the steps in the guide:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

I tried logging in to the SSL VPN using the web page. The SSO button is there, but after successfully logging in, it shows the error 'Session ended'.

Picture 1: 1.PNG
Picture 2: 2.PNG
Picture 3: 3.PNG

Please help to clarify this issue.

Thanks,

Hafiz


ozkanaltas

Hello @MHRNetwork,

I think your SAML configuration on the FortiGate is wrong.

You configured the "user-name" field with your e-mail. This field is for the username attribute, and this attribute helps the FortiGate determine your username. Generally, this field is filled with a "username" attribute.

Can you try this configuration?


config user saml
    edit "okta-idp"
       set user-name "username"
    next
end

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE4-5-6-7 OT Sec - ENT FW
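As an added illustration of the mismatch described in the reply above (example code, not from this thread, Fortinet or Okta): a small Python check that reads the `set user-name` value out of a `config user saml` block and compares it with the attribute names actually present in a SAML assertion. Both the config excerpt and the assertion are constructed here, redacted the same way as the post above, and the assertion carries no signature; the idea is to spot a `user-name` that names no attribute the IdP sends before debugging the login itself.

```python
import re
import xml.etree.ElementTree as ET

# Constructed FortiGate "config user saml" excerpt, redacted like the post above.
FGT_CONFIG = """
config user saml
    edit "okta-idp"
        set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
        set user-name "hafizxxxxx@gmail.com"
    next
end
"""

# Constructed, unsigned SAML 2.0 assertion in the shape Okta emits (signature omitted).
SAML_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>http://www.okta.com/exkds32da6QYHb1re5d7</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="username"><saml2:AttributeValue>hafizxxxxx@gmail.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="group"><saml2:AttributeValue>sslvpn-users</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def fortigate_saml_settings(config: str) -> dict:
    """Collect the 'set <key> <value>' pairs from a config user saml entry."""
    return dict(re.findall(r'^\s*set (\S+) "?([^"\n]+?)"?\s*$', config, re.M))

def assertion_attributes(xml_text: str) -> dict:
    """Map every Attribute Name in the AttributeStatement to its first value."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs

def check_user_name_mapping(config: str, xml_text: str) -> dict:
    """Report whether FortiGate's user-name names an attribute the IdP really sends."""
    # A user-name that matches no attribute is the mismatch the reply above describes.
    settings = fortigate_saml_settings(config)
    attrs = assertion_attributes(xml_text)
    issuer = ET.fromstring(xml_text).findtext("saml2:Issuer", namespaces=NS)
    wanted = settings.get("user-name")
    return {
        "user_name_setting": wanted,
        "attribute_found": wanted in attrs,
        "idp_attributes": sorted(attrs),
        "issuer_matches_idp_entity_id": issuer == settings.get("idp-entity-id"),
    }
```

With the e-mail address as `user-name` the check reports `attribute_found` False and lists `username` among the attributes the IdP sends; after changing `user-name` to "username" it reports True.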
derckedshaw21
New Contributor

  • Always take backups: Before making any configuration changes, create backups of your Fortigate settings to ensure you can revert in case of any issues.
  • Follow best practices: Ensure that you're following recommended practices from both Fortinet and Okta to set up secure and functional authentication.
  • Consider the impact: Testing in a production environment, even within a specific VDOM, can potentially impact users. Plan and communicate any potential disruptions or downtime accordingly.

