Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MHRNetwork
New Contributor II

Fortigate and Okta authentication integration

Hi all,

 

Previously I have implemented Fortigate integrate with Okta authen. but now we still having some issues which is I am not really sure about it.

 

Here is the config that I implemented in Fortigate

 

 

config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxxx.xxx.xx:10443/remote/saml/metadata/"
        set single-sign-on-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/login/"
        set single-logout-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exxxxxxxxxxxxxxxxxxxxx"
        set idp-single-sign-on-url "https://xxxxx-url.apac.xxxx.com/app/apac-xxxxx/xxxxxxxxxxxxxxxxx/sso/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha256
    next
end


xxxxxfw01 (corporate-saml) # show
config user group
    edit "corporate-saml"
        set member "okta-idp"
        config match
            edit 1
                set server-name "okta-idp"
                set group-name "corporate-saml"
            next
        end
    next
end

 

 

 

Firewall policy:

pppp.PNG

 

Debug output:

 

 

samld_send_common_reply [122]:     Attr: 17, 27, magic=178af1777bb9xxxx
[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[336:vdom_xxxx:c117]fsv_saml_login_resp_cb:163 SAML response error: 3.
[336:vdom_xxxx:c117]req: /remote/saml/login/(null)
[336:vdom_xxxx:c117]def: (nil) /remote/saml/login/(null)
[336:vdom_xxxx:c117]sslvpn_read_request_common,686, ret=-1 error=-1, sconn=0x7f0cf2a0af00.
[336:vdom_xxxx:c117]Destroy sconn 0x7f0cf2a0af00, connSize=0. (vdom_xxxx)

 

 

 

Please let me know how to troubleshoot on this issue.

 

Thanks,

1 Solution
hbac

@MHRNetwork,

 

Because the debug output saying 'No group info in SAML response.' which could be caused by attribute mismatch. That's why we need to verify the attribute. 

 

[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.

 

Regards, 

View solution in original post

7 REPLIES 7
funkylicious
SuperUser
SuperUser

Hi,

As the logs say, the username that you are trying to use is not part of corporate-saml group in Okta, that you have defined in your settings.

You can try and follow this link as a guide to configure SSLVPN with Okta : https://sites.google.com/frellsen.se/kimfrellsen/fortinet-ssl-vpn-with-okta-mfa-using-saml

---------------------------
geek
---------------------------
---------------------------geek---------------------------
hbac
Staff
Staff

Hi @MHRNetwork,

 

Please verify the group attribute on both sides. Please refer to https://community.fortinet.com/t5/Support-Forum/Fortigate-and-Okta-authentication-integration/td-p/2...

 

Regards, 

MHRNetwork
New Contributor II

Hi hbac,

 

is that link correct? seems it redirect to this post.

 

thanks,

hbac
MHRNetwork
New Contributor II

Hi hbac,

 

from saml tracer, I can see that the attribute "username" is correct and we didn't configure attribute for group. but actually we are not sure whether need to configure group attribute or not. is it necessary? no right? because our okta team said it will be more complicated to maintain.

        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="username"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      />
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

 

hbac

@MHRNetwork,

 

Because the debug output saying 'No group info in SAML response.' which could be caused by attribute mismatch. That's why we need to verify the attribute. 

 

[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.

 

Regards, 

MHRNetwork
New Contributor II

Hi hbac,

 

Appreciated your help for this issue.

 

we have concluded that the config from my side (firewall) was all good, seems IAM engineer side made some changes with the Okta attribute. after that we tested again and all was successful!

 

Now SSL-VPN can be establish using Okta SSO.

 

Here is the debug commands that I used.

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable

 

Hope this can help everyone that need to troubleshoot SAML integration.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors