Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MHRNetwork
New Contributor II

Created on ‎12-04-2023 06:14 AM

Fortigate 200F integrate with Okta - SSL VPN

Hi all,

 

I am planning to conduct feasibility check on Fortigate 200F with Okta authentication for SSL VPN.

 

So I need some clarification on configurations changes and impact to productions environment.

 

Here are my questions: -

  1. Is it possible to integrate with Okta using specific VDOM only? does it affect global config?
  2. Is there any impacts if t testing on VDOM in production environment?
  3. Any guidance or steps that I can refer?
  4. Is it possible to test integration with Okta developer account? 

 

Thanks,

Labels:
680
0 Kudos
1 Solution
hbac
Staff
Staff

Created on ‎12-14-2023 06:09 AM

Hi @MHRNetwork,

 

If still not working, you need to run the following debugs and try to connect again to see what's wrong:

 

di deb res

diagnose debug application samld -1

di deb app sslvpn -1 

di deb en 

 

Regards, 

View solution in original post

532
0 Kudos
6 REPLIES 6
dbu
Staff
Staff

Created on ‎12-04-2023 06:34 AM Edited on ‎12-04-2023 06:35 AM

Hi @MHRNetwork ,

 

Here are your answers: 

1-Yes it is possible

2-There will not be any impact if you create new test user,group,server ect  only for this purpose without overlapping with existing working configuration .

3.Here is the guide:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

4.The guide above describes the steps that you take if using the free Okta developer edition.
So i believe you will be good

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
668
ndumaj
Staff
Staff
In response to dbu

Created on ‎12-04-2023 06:48 AM

Hi MHRNetwork,

Also additionally you can review the following article that might help in your implementation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

-BR-

- Happy to help, hit like and accept the solution -
660
MHRNetwork
New Contributor II

Created on ‎12-13-2023 10:58 PM

Hi all,

 

Does anyone here can help me to verify the fortigate saml config? 

 

xxxxfw01 (saml) # show
config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxx.xxx.228:10443/remote/saml/metadata"
        set single-sign-on-url "https://xxx.xxx.xxx.228:10443/remote/saml/login"
        set single-logout-url "https://xxx.xxx.xxx.228:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exkds32da6QYHb1re5d7"
        set idp-single-sign-on-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/sso/saml"
        set idp-single-logout-url "https://dev-24xxxxx.okta.com/app/dev-24113602_samlsslvpnapp_1/exkds32da6QYHb1re5d7/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "hafizxxxxx@gmail.com"
        set digest-method sha256
    next
end

 

 

I believe my config already correct. I have follow steps inside the guide

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/499536/ssl-vpn-with-okta-as-...

 

I tried login SSL VPN using webpage. the SSO button is there but after successfully logged in, it shows error 'Session ended'. 

 

 

Picture 1

1.PNG
Picture 2
2.PNG

 

Picture 3

3.PNG

 

Please help to clarify on this issue

 

Thanks,

Hafiz

 

571
0 Kudos
ozkanaltas
Contributor III
In response to MHRNetwork

Created on ‎12-14-2023 12:18 AM Edited on ‎12-14-2023 12:24 AM

Hello @MHRNetwork ,

 

I think your saml configuration on Fortigate is wrong. 

 

You configured the "user-name" area with your e-mail. This area is for the username attribute. And this attribute helps to Fortigate determine your username . Generally, this area fills with a "username" attribute.

 

Can you try this configuration? 

 

config user saml
    edit "okta-idp"
       set user-name "username"
    next
end

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
563
0 Kudos
derckedshaw21
New Contributor

Created on ‎12-14-2023 01:52 AM

  • Always take backups: Before making any configuration changes, create backups of your Fortigate settings to ensure you can revert in case of any issues.
  • Follow best practices: Ensure that you're following recommended practices from both Fortinet and Okta to set up secure and functional authentication.
  • Consider the impact: Testing in a production environment, even within a specific VDOM, can potentially impact users. Plan and communicate any potential disruptions or downtime accordingly.

Regards:

Sonic Menu With Prices

550
0 Kudos
hbac
Staff
Staff

Created on ‎12-14-2023 06:09 AM

Hi @MHRNetwork,

 

If still not working, you need to run the following debugs and try to connect again to see what's wrong:

 

di deb res

diagnose debug application samld -1

di deb app sslvpn -1 

di deb en 

 

Regards, 

533
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.