SAML 2.0 FSSO with FortiAuthenticator and Okta

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider (IdP).

Okta is a secure authentication and identity-access management service that offers SSO solutions. Okta can be integrated with a variety of technologies and services, including Office 365, G Suite, Dropbox, AWS, and more.

A user starts by attempting an unauthenticated web request (1). The FortiGate’s captive portal offloads the authentication request to the FortiAuthenticator’s SAML SP portal (2), which in turn redirects the client browser to the SAML IdP login page (3). Once the user successfully logs in at the IdP (4), a SAML assertion confirming the login is sent back to the FortiAuthenticator (5), which converts the authenticated identity into an FSSO user login (6).

The FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has a WAN IP address of 172.25.176.141. Note that, for testing purposes, the FortiAuthenticator’s IP address and FQDN have been added to the test client’s hosts file (local host-name resolution); this is not necessary for a typical network.

This configuration assumes that you have already created an Okta developer account. It is also assumed that two user groups, both called saml_users, have been created on the FortiAuthenticator: one local user group and one SSO user group.
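The SP-side work behind steps (5) and (6) above, as an added example that is not part of this cookbook and not FortiAuthenticator's or Okta's own code: it parses a constructed Okta-style SAML response, checks the status code, issuer, validity window (with a small clock-skew tolerance) and audience, then maps the IdP's group attribute onto the FSSO group saml_users. The ACS and metadata URLs, the issuer ID and the `groups` attribute name are hypothetical; the XML signature on a real Okta response is assumed to have been verified against the IdP certificate before these checks run.

```python
"""Added example: the checks a SAML SP applies to an IdP assertion before
turning the subject into an FSSO user. Not Fortinet or Okta code; all
hostnames, issuer IDs and attribute names below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what the IdP posts back to the SP in step (5).
# A real Okta response carries an XML signature; verifying it with the
# IdP certificate is assumed to have already passed and is not repeated here.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://fac.example.com/saml-sp/acs/">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion>
    <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
    <saml2:Subject><saml2:NameID>jsmith@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://fac.example.com/saml-sp/metadata/</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>saml_users</saml2:AttributeValue>
        <saml2:AttributeValue>everyone</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def map_assertion_to_fsso(xml_text, expected_issuer, expected_audience, now,
                          allowed_groups, group_attr="groups", skew_seconds=60):
    """Validate the assertion and return the FSSO identity it maps to.

    Raises ValueError on any failed check so the SP never logs the user in
    on a partially valid assertion. `group_attr` is the (hypothetical) name
    of the Okta attribute statement carrying group membership."""
    root = ET.fromstring(xml_text)

    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful login")

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    # Only accept assertions from the IdP we were configured to trust.
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # Validity window, with a small tolerance for clock drift between SP and IdP.
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a validity window")
    skew = timedelta(seconds=skew_seconds)
    if now < parse_saml_time(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")

    # The assertion must be addressed to this SP, not replayed from another one.
    audiences = [a.text.strip() for a in
                 cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include this SP")

    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no subject NameID")

    # Step (6): intersect the IdP's groups with the groups FSSO is configured to use.
    groups = []
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == group_attr:
            groups += [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    fsso_groups = sorted(set(groups) & set(allowed_groups))
    if not fsso_groups:
        raise ValueError("subject is not in any FSSO-mapped group")

    return {"user": name_id, "fsso_groups": fsso_groups}


if __name__ == "__main__":
    print(map_assertion_to_fsso(
        SAMPLE_RESPONSE,
        expected_issuer="http://www.okta.com/exkEXAMPLE",
        expected_audience="https://fac.example.com/saml-sp/metadata/",
        now=parse_saml_time("2024-01-01T12:02:00Z"),
        allowed_groups={"saml_users"},
    ))
```

The audience and validity checks are the ones most often skipped in home-grown SPs; an assertion that passes signature verification but is addressed to a different SP, or is minutes old, should still be rejected, which is why each check raises rather than returning a partial result.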
