
SSL VPN with Okta as SAML IdP

In the document FortiOS 7.4.1 Administration Guide (pages 165-170)

In this configuration, the FortiGate acts as a SAML service provider (SP) requesting authentication from Okta, which acts as a SAML identity provider (IdP). The following shows the topology in this configuration:

The authentication process is as follows in this deployment:

1. The user initiates an SSL VPN request to the FortiGate.

2. The FortiGate sends the browser POST redirect to FortiClient.

3. FortiClient redirects the SAML authentication request to Okta.

4. The user authenticates with Okta using their credentials.

5. Okta sends a SAML assertion that contains the user and group authentication in a POST redirect to the SSL VPN login page.

6. FortiClient sends the redirected Okta request that contains the SAML assertion to the FortiGate.

7. The FortiGate consumes the assertion and provides the user with access to resources based on the defined firewall security policy.

The example assumes that you already have an Okta account. This example uses users locally defined within the Okta directory and does not include LDAP mapping. The instructions describe the steps that you take if using the free Okta developer edition.

To configure Okta for SSL VPN with FortiOS:

1. Log in to the Okta portal as the registered admin user.

2. Add the FortiGate application:

a. Go to Applications.

b. Click Applications, then click Create App Integration.

c. Click SAML 2.0, then Next.

d. Configure SAML settings:

i. Proceed through the application creation wizard. In the Single sign on URL field, enter https://<FortiGate IP address>:<port>/remote/saml/login/. In this example, it is https://10.0.3.254:10443/remote/saml/login/.

ii. Enable Use this for Recipient URL and Destination URL.

iii. In the Audience URI (SP Entity ID) field, enter https://<FortiGate IP address>:<port>/remote/saml/metadata/. In this example, it is https://10.0.3.254:10443/remote/saml/metadata/.

iv. Click Download Okta Certificate to download the Okta certificate to your machine. You will provide this certificate to the FortiGate.

v. Click Show Advanced Settings. From the Response dropdown list, select Signed.

vi. From the Assertion Signature dropdown list, select Signed.

vii. In the Single Logout URL field, enter https://<FortiGate IP address>:<port>/remote/saml/logout/. In this example, it is https://10.0.3.254:10443/remote/saml/logout/.

viii. In the SP Issuer field, enter https://<FortiGate IP address>:<port>/remote/saml/metadata/. In this example, it is https://10.0.3.254:10443/remote/saml/metadata/.

ix. In the Signature Certificate field, first download the Fortinet_Factory certificate by logging into FortiOS, going to System > Local Certificate, then browsing to and uploading the FortiGate certificate. Okta uses this to authenticate the SAML SP.

e. Under ATTRIBUTE STATEMENTS and GROUP ATTRIBUTE STATEMENTS, define attribute mappings for Okta to use in the SAML assertion. In this example, the following is entered as an attribute statement and a group attribute statement, respectively:

- username, with value user.login

- group, with Matches regex filter

f. On the Feedback step, select I'm an Okta customer adding an internal app.

g. Select This is an internal app that we have created.

h. Click Finish.

3. Go to Directory > People.

4. Click Add Person.

5. Enter the person's details as desired. Click Save.

6. Add a group:

a. Go to Directory > Groups.

b. Click Add Group.

c. Enter the desired name, then click Add Group. In this example, the name is corporate-saml.

d. Select the newly added group, then click Assign People.

e. Add the person that you created as a member of the new group. Click Save.

7. Assign the group to the FortiGate application:

a. Go to Applications > FortiGate application > Assignments.

b. From the Assign dropdown list, select Assign to Groups.

c. Assign the group that you created to the FortiGate application.

8. To view the SAML setup instructions, do the following:

a. Click the newly created application's name.

b. Click Sign On.

c. Go to View SAML Setup Instructions. Note down the Identity Provider Single Sign-On URL, Identity Provider Single Logout URL, and Identity Provider Issuer values.

9. Download the Okta certificate and upload it to FortiOS:

a. From View SAML Setup Instructions, download the certificate.

b. In FortiOS, go to System > Certificates.

c. From the Create/Import dropdown list, select Remote Certificate.

d. Click Upload and upload the downloaded Okta certificate.

To configure the FortiGate:

1. Configure the FortiGate SP to be a SAML user:

config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://10.0.3.254:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.0.3.254:10443/remote/saml/login"
        set single-logout-url "https://10.0.3.254:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exk103foxaa8gk5qy4x7"
        set idp-single-sign-on-url "https://fortinet01.okta.com/app/fortinetorg878484_fortigate_1/exk103foxaa8gk5qy4x7/sso/saml"
        set idp-single-logout-url "https://fortinet01.okta.com/app/fortinetorg878484_fortigate_1/exk103foxaa8gk5qy4x7/slo/saml"
        set idp-cert "Okta-IDP_Certificate"
        set user-name "username"
        set group-name "group"
    next
end

2. Configure user group assertion on Okta as part of the SAML assertion attributes. It is important that the group attribute value received is locally matched with the group-name value:

config user group
    edit "corporate-saml"
        set member "okta-idp"
        config match
            edit 1
                set server-name "okta-idp"
                set group-name "corporate-saml"
            next
        end
    next
end

3. Go to VPN > SSL-VPN Settings. Configure VPN settings as desired. When testing the VPN solution, starting with a web-based configuration, then moving to a tunnel-based configuration is recommended. Web-based testing can help in troubleshooting.

4. Configure a local or RADIUS user as a backup. This setting also provides a login web user with a choice of local or SSO login.

5. Go to Policy and Objects > Firewall Policies. Configure a policy as desired.

6. Increase the global authentication timeout period to allow users to fill in their credentials in time. The default timeout is five seconds:

config system global
    set remoteauthtimeout 60
end

To configure EMS:

1. In EMS, go to Endpoint Profiles > Manage Profiles. Edit a VPN profile.

2. Under VPN Tunnels, click Add Tunnel.

3. In the Remote Gateway field, enter the FortiGate IP address. In this example, it is 10.0.3.254.

4. In the Port field, enter the port number. In this example, it is 10443.

5. In Advanced Settings, enable Enable SAML Login.

6. Click Add Tunnel.

7. Save the profile.

8. After the policy synchronizes to the endpoint, the SAML Login button is visible on the Remote Access tab in FortiClient.

To test the configuration:

1. You will first test web-based SSL VPN authentication using Firefox with the SAML tracer plugin enabled. Install the SAML-tracer plugin in Firefox.

2. In Firefox, go to the FortiOS SSL VPN login page. In this example, this is https://10.0.3.254:10443.

3. Open the SAML tracer.

4. The browser redirects to the Okta SAML login page. Enter the Okta credentials, then click Sign in.

5. Upon successful authentication, the browser redirects to the authenticated SSL VPN page. If authentication does not succeed, review the SAML tracer to confirm the SAML assertion attributes that are passed during the authentication session. Select the POST message with the SAML information. On the SAML tab, confirm the username and group attributes.

6. To test tunnel mode, go to the Remote Access tab in FortiClient. Click the SAML Login button.

7. A FortiAuthenticator web login page opens within FortiClient. Enter the Okta credentials, then log in to connect to the VPN tunnel.
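As an added example that is not part of the guide, the following Python script performs the attribute check from test step 5 offline: pass it the SAMLResponse value that SAML tracer shows for the POST message and it reports whether the Destination, Audience, signature elements, and the username and group attributes line up with the okta-idp SAML user and corporate-saml group match configured on the FortiGate above. The embedded sample response is constructed (empty Signature elements, a made-up user), and the function name is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values from the FortiGate side of this example (config user saml "okta-idp" and the group match).
SP_ENTITY_ID = "https://10.0.3.254:10443/remote/saml/metadata/"
SP_SSO_URL = "https://10.0.3.254:10443/remote/saml/login"
USER_ATTR, GROUP_ATTR = "username", "group"  # user-name / group-name
EXPECTED_GROUP = "corporate-saml"            # group-name under config match

def check_saml_response(saml_response_b64):
    """Decode the SAMLResponse POST parameter copied from SAML tracer and report whether each
    value would satisfy this example's FortiGate configuration (contents only; the FortiGate
    itself verifies the XML signatures against the uploaded Okta certificate)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    return {
        "destination_matches_sso_url": root.get("Destination") == SP_SSO_URL,
        "audience_matches_entity_id": audience == SP_ENTITY_ID,
        "response_signed": root.find("ds:Signature", NS) is not None,        # Okta: Response = Signed
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,  # Assertion Signature = Signed
        "username_present": bool(attrs.get(USER_ATTR)),
        "group_matches": EXPECTED_GROUP in attrs.get(GROUP_ATTR, []),
        "attributes": attrs,
    }

# Constructed sample of a successful response for this example; the two ds:Signature elements are
# left empty because only their presence is checked here, and the user is made up.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
  IssueInstant="2023-01-01T00:00:00Z" Destination="{SP_SSO_URL}">
  <saml:Issuer>http://www.okta.com/exk103foxaa8gk5qy4x7</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk103foxaa8gk5qy4x7</saml:Issuer>
    <ds:Signature/>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>corporate-saml</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode())
```

The comparisons are exact string matches, so a trailing-slash difference between the Single sign on URL entered in Okta and the single-sign-on-url set on the FortiGate shows up here as a false destination_matches_sso_url.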

To troubleshoot the configuration:

You can view FortiOS event logs in Log & Report > Events to verify successful authentication and user group allocation.

You can also run the diagnose debug application samld -1 command to verify that the SAML IdP sent the correct information. The following shows example output for this scenario:
