SAML FSSO with FortiAuthenticator and Okta


In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider (IdP).

Okta is a secure authentication and identity-access management service that offers secure SSO solutions. Okta can be implemented with a variety of technologies and services including Office 365, G Suite, Dropbox, AWS, and more.

A user will start by attempting to make an unauthenticated web request (1). The FortiGate’s captive portal will offload the authentication request to the FortiAuthenticator’s SAML SP portal (2), which in turn redirects that client/browser to the SAML IdP login page (3). Assuming the user successfully logs into the portal (4), a positive SAML assertion (an authorization statement allowing the assertion subject, the user, to access the specified resource) will be sent back to the FortiAuthenticator (5), which converts the user’s credentials into those of an FSSO user (6).

The FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has a WAN IP address of 172.25.176.141. Note that, for testing purposes, the FortiAuthenticator’s IP and FQDN have been added to the client host’s hosts file as a trusted host name; this is not necessary for a typical network.

This configuration assumes that you have already created an Okta developer account. It is also assumed that two user groups, both called saml_users, have been created on the FortiAuthenticator: one local user group and one SSO user group. Note that SAML version 2.0 is used for this configuration.

1. Configure DNS and FortiAuthenticator’s FQDN

On the FortiAuthenticator, go to System > Dashboard > Status. In the System Information widget, select Change next to Device FQDN.

Enter a domain name; for this example, fac.school.net. This will help identify where the FortiAuthenticator is located in the DNS hierarchy.

Enter the same name for the Host Name. This is so you can add the unit to the FortiGate’s DNS list, so that the local DNS lookup of this FQDN can be resolved.

On the FortiGate, open the CLI Console and enter the following command, entering the FortiAuthenticator’s host name and Internet-facing IP address:

config system dns-database
   edit school.net
      config dns-entry
         edit 1
            set hostname fac.school.net
            set ip 172.25.176.141
         next
      end
      set domain school.net
   next
end

2. Enable FSSO and SAML on the FortiAuthenticator

On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

Enter a Secret key and select OK to apply your changes. This key will be used on the FortiGate to add the FortiAuthenticator as the FSSO server.

Then go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:

  • Portal url – Captive Portal URL for the FortiGate and user.
  • Entity id – Used in the Okta SAML IdP application setup.
  • ACS (login) url – Assertion POST URL used by the SAML IdP.

Enable Implicit group membership and assign the saml_users group from the dropdown menu. This will place SAML authenticated users into this group.

Keep this window open as these URLs will be needed during the IdP application configuration and for testing.

Note that, at this point, you will not be able to save these settings, as IdP information — IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint — needs to be entered. These fields will be filled once the IdP application configuration is complete.

3. Configure the Okta developer account IDP application

Open a browser, log in to your Okta developer account, and select Admin under your user settings.

Go to the Applications tab and select Add Application.

Select Create New App and create a new application with the SAML 2.0 sign on method.


Enter a custom App name and select Next (upload an App logo if you wish).

Note that the name entered here is the name of the portal the user will log into.

Under A – SAML Settings, set Single sign on URL and Audience URI (SP Entity ID) to the ACS and Entity URLs (respectively) from the Edit SAML Portal Settings page on the FortiAuthenticator.

Users will be required to provide their email address as their username, and their first and last names (as seen in the example).
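As an added illustration of why these two URLs must match exactly (this is not code from the cookbook or from Fortinet), the Python below applies the SP-side checks the FortiAuthenticator performs on the assertion Okta POSTs back: Destination against the ACS URL, Audience against the SP Entity ID, the validity window, and extraction of the email username and name attributes. The SP URLs and the response are constructed for the example; the XML signature check against the IdP certificate is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side values as shown on the FortiAuthenticator's Edit SAML Portal Settings
# page; both URLs are assumed for this example. The response below is constructed
# and unsigned, in the shape Okta POSTs to the ACS URL.
SP_ENTITY_ID = "https://fac.school.net/saml-sp/metadata"
ACS_URL = "https://fac.school.net/saml-sp/acs"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://fac.school.net/saml-sp/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@school.net</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://fac.school.net/saml-sp/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    # SAML timestamps are UTC in this form; anything else is rejected
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp_entity_id, acs_url, now_utc):
    """SP checks that decide whether the assertion yields an FSSO user.
    Returns (ok, reason, user); signature verification is not reproduced here."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:          # response must target our ACS URL
        return False, "destination mismatch", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    cond = assertion.find("saml:Conditions", NS)
    now = parse_ts(now_utc)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                # Audience URI must equal the SP Entity ID
        return False, "audience mismatch", None
    user = {"username": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}  # email
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        user[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return True, "ok", user
```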


Before continuing, make sure to select Download Okta Certificate. This will be imported to the FortiAuthenticator later.

You do not need to configure group attributes or section B below.

In the last step, confirm that you are an Okta customer, and set the App type to an internal app. Then select Finish.

Once created, open the Sign On tab and download the Identity Provider metadata.

Finally, open the Assignments tab and select Assign > Assign to People.

Assign the users you wish to add to the application. This will permit the user to log in to the application’s portal. Save your changes and select Done.

The user is successfully assigned. This concludes the steps necessary in configuring SAML 2.0.

4. Import the IDP certificate and metadata on the FortiAuthenticator

Back on the FortiAuthenticator, go to Fortinet SSO Methods > SSO > SAML Authentication and import the IDP metadata and certificate downloaded earlier.

This will automatically fill the IDP fields (as shown in the example). Make sure to select OK to save these changes.
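To show what the import actually supplies (the three IdP fields left blank in step 2) and to check that the certificate downloaded in step 3 is the one the metadata carries, here is an added Python example, not part of this cookbook or of FortiAuthenticator's code. It parses a constructed Okta-style metadata file; the entityID, URL and certificate bytes ("abc", base64 YWJj) are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed metadata in the shape of Okta's Identity Provider metadata download;
# the entityID, URL and certificate bytes are made up for this example.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-example.oktapreview.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed copy of the separately downloaded Okta certificate, PEM-wrapped.
SAMPLE_OKTA_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def fingerprint(der, algo="sha1"):
    """Colon-separated uppercase hex digest of a DER certificate (fingerprint format)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_to_der(pem):
    body = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def parse_idp_metadata(xml_text):
    """Pull out the three values the FortiAuthenticator's IDP fields need."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]   # no 'use' means signing too
    der = base64.b64decode("".join(certs[0].split()))
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("HTTP-POST") or sso.get("HTTP-Redirect"),
            "fingerprint_sha1": fingerprint(der),
            "fingerprint_sha256": fingerprint(der, "sha256")}

def cert_matches_metadata(pem, xml_text):
    # The downloaded Okta certificate should be the same one the metadata carries
    return fingerprint(pem_to_der(pem), "sha256") == parse_idp_metadata(xml_text)["fingerprint_sha256"]
```

Compare the returned fingerprint with the value the FortiAuthenticator displays after the import; a mismatch means the wrong file (or a rotated IdP certificate) was loaded.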

Next, go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate filter.

Enter a name and the FortiGate’s wan-interface IP address, and select OK.

Once created, enable Fortinet Single Sign-On (FSSO). Select Create New to create an SSO group filtering object (as shown already created in the example), and select OK to apply all changes.

Note that the name entered for the filter must be the same as the group name created for SAML users (saml_users). Failing to enter the exact same name will result in the SSO information not being pushed to the FortiGate.

5. Configure FSSO on the FortiGate

On the FortiGate, go to User & Device > Single Sign-On and select Create New.

Set Type to Fortinet Single Sign-On Agent, enter a Name, the FortiAuthenticator’s wan-interface IP, and the password, using the secret key entered into the FortiAuthenticator earlier.


Select Apply & Refresh. The SAML user group name has been successfully pushed to the FortiGate from the FortiAuthenticator, appearing when you select View.

Note that you may have to wait a few minutes before the user group appears.

Once created, the server will be listed. Mouse over the entry under the Users/Groups column and make sure that the FSSO group has been pushed down.

Then go to User & Device > User Groups and create a new user group.

Enter a Name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.

6. Configure Captive Portal and security policies 

On the FortiGate, go to Network > Interface and edit the internal interface.

Under Admission Control, set Security Mode to Captive Portal.

Set Authentication Portal to External, and enter the SAML authentication portal URL (in this example, https://fac.school.net/login/saml-auth).

Set User Access to Restricted to Groups, and set User Groups to any local group, as you’ll notice the FSSO group is not available; this local group won’t be used for access.

Next go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.


Then create five FQDN objects: one for your Okta developer page (in this example, dev-241684-admin.oktapreview.com) and the following four:

  • eum-col.appdynamics.com
  • login.okta.com
  • ocsp.digicert.com
  • op1static.oktacdn.com

As these are FQDNs, make sure to set Type to FQDN.

Then go to Policy & Objects > IPv4 Policy and create all policies shown in the examples: one policy for DNS, one for FortiAuthenticator access, one for Okta bypass, and the last policy for FSSO, which includes the SAML user group.

When finished, open the CLI Console and configure the following setting for each policy except the FSSO policy. To edit policies you must know their IDs; right-click the column header in the IPv4 Policy list and add the ID column to view them:

config firewall policy
   edit <policy-id>
      set captive-portal-exempt enable
   next
end

This command will exempt users of this policy from the captive portal interface.

Results: Testing

To test the connection, open a new browser window and attempt to browse the Internet. The browser will redirect to the FortiAuthenticator SAML portal, which pushes the browser to the SAML IdP.

Alternatively, you can directly navigate to the portal URL.

Enter the user’s credentials and select Sign In.

The assertion is pushed back to the FortiAuthenticator where the user is authenticated.

On the FortiAuthenticator, go to Monitor > SSO > SSO Sessions to view the user and assigned user group.

On the FortiGate, go to Monitor > Firewall User Monitor to view user information, and confirm that the user has been authenticated via FSSO.

Adam Bristow, Technical Writer at Fortinet

Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College.