Hi all,
Previously I implemented Fortigate integration with Okta authentication, but now we are still having some issues which I am not really sure about.
Here is the config that I implemented in Fortigate
config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxxx.xxx.xx:10443/remote/saml/metadata/"
        set single-sign-on-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/login/"
        set single-logout-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exxxxxxxxxxxxxxxxxxxxx"
        set idp-single-sign-on-url "https://xxxxx-url.apac.xxxx.com/app/apac-xxxxx/xxxxxxxxxxxxxxxxx/sso/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha256
    next
end
xxxxxfw01 (corporate-saml) # show
config user group
    edit "corporate-saml"
        set member "okta-idp"
        config match
            edit 1
                set server-name "okta-idp"
                set group-name "corporate-saml"
            next
        end
    next
end
Firewall policy:
Debug output:
samld_send_common_reply [122]: Attr: 17, 27, magic=178af1777bb9xxxx
[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[336:vdom_xxxx:c117]fsv_saml_login_resp_cb:163 SAML response error: 3.
[336:vdom_xxxx:c117]req: /remote/saml/login/(null)
[336:vdom_xxxx:c117]def: (nil) /remote/saml/login/(null)
[336:vdom_xxxx:c117]sslvpn_read_request_common,686, ret=-1 error=-1, sconn=0x7f0cf2a0af00.
[336:vdom_xxxx:c117]Destroy sconn 0x7f0cf2a0af00, connSize=0. (vdom_xxxx)
Please let me know how to troubleshoot on this issue.
Thanks,
Hi,
As the logs say, the username that you are trying to use is not part of the corporate-saml group in Okta that you have defined in your settings.
You can try and follow this link as a guide to configure SSL VPN with Okta: https://sites.google.com/frellsen.se/kimfrellsen/fortinet-ssl-vpn-with-okta-mfa-using-saml
Hi @MHRNetwork,
Please verify the group attribute on both sides. Please refer to https://community.fortinet.com/t5/Support-Forum/Fortigate-and-Okta-authentication-integration/td-p/2...
Regards,
Hi hbac,
Is that link correct? It seems to redirect to this post.
thanks,
Hi @MHRNetwork,
Sorry, it was a wrong link. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...
Regards,
Hi hbac,
From the SAML tracer, I can see that the attribute "username" is correct, and we didn't configure an attribute for group. But actually we are not sure whether we need to configure the group attribute or not. Is it necessary? No, right? Because our Okta team said it will be more complicated to maintain.
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="username"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"/>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
Because the debug output says 'No group info in SAML response.', which could be caused by an attribute mismatch. That's why we need to verify the attribute.
[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
Regards,
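As an added example (not code from any poster or from Fortinet), this small checker does the verification hbac describes: it parses a SAML response as captured by a SAML tracer and compares the AttributeStatement with what the FortiGate is configured to read via `set user-name` and `set group-name`. The embedded response is constructed to mirror the tracer excerpt above (a "username" attribute with an empty value and no group attribute); the group attribute name "group" is an assumption, since the thread never configures one.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the tracer excerpt in the thread: the
# "username" attribute is present but empty, and there is no group attribute.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="username"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"/>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def saml_attributes(xml_text):
    """Return {attribute Name: [non-empty string values]} for every Attribute
    in every AttributeStatement of the decoded response."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]   # drop empty values
    return attrs


def check_against_fortigate(xml_text, user_name_attr, group_name_attr=None, expected_group=None):
    """Compare the assertion with the FortiGate 'config user saml' settings:
    user_name_attr is the 'set user-name' value, group_name_attr the (optional)
    'set group-name' value, expected_group the group-name in 'config match'.
    Returns a list of problems; an empty list means the firewall can map the user."""
    attrs = saml_attributes(xml_text)
    problems = []
    if not attrs.get(user_name_attr):            # missing attribute or empty value
        problems.append(f"no value for user-name attribute '{user_name_attr}'")
    if group_name_attr:
        groups = attrs.get(group_name_attr, [])
        if not groups:
            problems.append(f"no group attribute '{group_name_attr}' in response")
        elif expected_group and expected_group not in groups:
            problems.append(f"group '{expected_group}' not among {groups}")
    return problems


if __name__ == "__main__":
    # "username" is the thread's set user-name; "group" is an assumed attribute name.
    for p in check_against_fortigate(SAMPLE_RESPONSE, "username", "group", "corporate-saml"):
        print("samld would complain:", p)
```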
Hi hbac,
I appreciate your help with this issue.
We have concluded that the config on my side (firewall) was all good; it seems the IAM engineer's side made some changes to the Okta attribute. After that we tested again and all was successful!
Now SSL-VPN can be established using Okta SSO.
Here are the debug commands that I used.
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable
Hope this can help everyone who needs to troubleshoot SAML integration.