FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to use Okta as the SAML IdP for FortiGate GUI access.

It also shows how to optionally enforce Multi-Factor Authentication (MFA) for those administrators in Okta.

1) Configure FortiGate as the SAML SP.
# config system saml
    set status enable
    set role service-provider
    set server-address "<FortiGate address or FQDN that administrators use to reach the GUI>"
    set default-profile "<Admin profile assigned to the administrator after successful authentication>"
end

The server-address is used to build the SP URLs (entity ID, ACS and SLS) that are entered in Okta in the next step, and Okta redirects the browser back to it after login, so it must be reachable from the administrator's browser. If the GUI does not listen on port 443, append the port (address:port). Because every Okta user assigned to the application is admitted with the default profile, choose the least-privileged profile that the SSO administrators need.

2) Log in to the Okta portal as an Administrator and create the SAML application.

- Go to Applications -> Add Application and select 'Create New App'.
Select Platform 'Web' and Sign on method 'SAML 2.0'.

- General Settings.
App name: Give the application a name and select 'Next'.

- Configure SAML. Enter the following details.
Single sign on URL: the SP ACS (login) URL
https://<FortiGate IP>/saml/?acs
Audience URI (SP Entity ID): the SP entity ID
https://<FortiGate IP>/metadata/
Name ID format: EmailAddress
Application username: Email
Advanced Settings:
Single Logout URL: the SP SLS (logout) URL
https://<FortiGate IP>/saml/?sls
Under Attribute Statements, the following attribute is required. Without it, the FortiGate rejects the login with the error 'Username missing in SAML Assertion Attributes', because it reads the administrator name from this attribute rather than from the NameID.
Name: username
Name format: Unspecified
Value: user.email
Download the Okta Certificate for use in FortiGate in the next step.

- Feedback.
Select 'I'm an Okta customer adding an internal app' and then 'Finish'.

3) Assign the application to users in the Okta portal.
- Open the application, go to the Assignments tab, select Assign -> Assign to People (or Assign to Groups), select the administrators and confirm the assignments. Only assigned users can sign in to the FortiGate through Okta.

4) Configure the Okta IdP on the FortiGate.
- On the application's Sign On tab in Okta, select 'View Setup Instructions'. It shows the Identity Provider Single Sign-On URL, the Identity Provider Issuer, the Identity Provider Single Logout URL and the X.509 signing certificate.

- Use that information for the IdP settings on the FortiGate (System -> Settings -> Administrator SSO), as given below.
Type: custom
Certificate: Upload the Okta certificate from the folder it was downloaded to in the step above (it can also be imported in advance under System -> Certificates -> Import -> Remote Certificate).
Once uploaded, the certificate is listed as a Remote Certificate; this is the certificate the FortiGate uses to verify the signature on Okta's SAML responses, so it must be replaced whenever the Okta signing certificate is rotated.

Entity ID: the Identity Provider Issuer obtained from the Okta portal.
Sign on URL: the Identity Provider Single Sign-On URL.
Single Logout URL: the Identity Provider Single Logout URL.
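The CLI equivalent of steps 1 and 4 together, as an added example that is not from the original article. The FortiGate address, the admin profile, the Okta application ID and URLs, and the remote certificate name REMOTE_Cert_1 are placeholders/assumptions: use the values from 'View Setup Instructions' and the name the FortiGate gave the imported Okta certificate.

```fortios
# Added example: FortiGate as SAML SP with Okta as IdP (steps 1 and 4 in one block).
# Values in <...> and the example hostnames are placeholders, not the article's values.
config system saml
    set status enable
    set role service-provider
    # Address administrators use to reach the GUI; append :port if the GUI is not on 443.
    set server-address "fgt.example.com"
    # Least-privileged profile that still covers what the SSO administrators must do;
    # every Okta user assigned to the application is admitted with this profile.
    set default-profile "prof_admin"
    # Identity Provider Issuer from Okta 'View Setup Instructions'.
    set idp-entity-id "http://www.okta.com/<okta-app-id>"
    # Identity Provider Single Sign-On URL from Okta.
    set idp-single-sign-on-url "https://<org>.okta.com/app/<app-name>/<okta-app-id>/sso/saml"
    # Identity Provider Single Logout URL from Okta.
    set idp-single-logout-url "https://<org>.okta.com/app/<app-name>/<okta-app-id>/slo/saml"
    # Name assigned to the Okta signing certificate when it was imported as a Remote Certificate.
    set idp-cert "REMOTE_Cert_1"
end
```

After the configuration is applied, the GUI login page offers 'Sign in with Security Fabric' (SSO) in addition to the local login. If the SSO login fails, run 'diagnose debug application samld -1' followed by 'diagnose debug enable' on the FortiGate while reproducing the login: the samld output shows the parsed assertion, including whether the 'username' attribute was present and whether the signature verified against the configured idp-cert.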

Enabling Multi-Factor Authentication.

In the Okta portal, go to Security -> Multifactor, enable the factors (for example Okta Verify) and define the enrollment policy that determines which users must enroll. Enabling factors alone does not force a prompt: add a rule in the application's Sign On policy (or the Okta sign-on policy) that requires a factor, so that administrators assigned to the FortiGate application must complete MFA before Okta issues the assertion.

Related Articles

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...