Importing the IdP certificate and metadata on FortiAuthenticator

  1. On FortiAuthenticator, go to Authentication > Remote Auth. Servers > SAML, and import the IdP metadata and certificate downloaded from Okta.
    This automatically fills in the IdP fields. Select OK to save your changes.
  2. Enable SAML single logout and add the IdP single logout URL under the Single Logout section of the Okta Remote SAML Server.
    For example, if your Okta organization is "facschool", the IdP single logout URL entry would be https://facschool.okta.com/login/default.
  3. Go to Fortinet SSO Methods > SSO > FortiGate Filtering, and create a new FortiGate filter.
    Enter a name and the FortiGate's DMZ-interface IP address, and click OK.
    Once the filter is created, enable Forward FSSO information for users from the following subset of users/groups/containers only. Select Create New to create an SSO group filtering object for each group in Okta, and select OK to apply all changes.
    Caution: The names entered for the filter must be identical to the group names created in Okta. Any difference in the names results in the SSO information not being pushed to FortiGate.
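The three steps above are performed in the FortiAuthenticator GUI, and two of them are easy to get subtly wrong: the certificate that ends up in the SAML server definition should be the same one Okta published in its metadata, and the SSO group filter names must match the Okta group names byte for byte. The following script is an added example, not part of this cookbook or of any Fortinet or Okta tooling. It parses an IdP metadata document of the shape Okta exports (a constructed sample with a placeholder in place of the real X.509 certificate), reports the entity ID, SSO and SLO endpoints and the SHA-256 fingerprint of the signing certificate, checks that fingerprint against a separately downloaded PEM file, checks that the SLO URL belongs to the expected Okta organization, and flags filter names that differ from the Okta group names only in case or whitespace. All sample values (organization name, group names, certificate body) are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape Okta exports. The X509Certificate body is a
# base64 placeholder ("PLACEHOLDER CERT BODY"), not a real certificate, and the
# entityID and SSO path are placeholders as well.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://facschool.okta.com/login/default"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://facschool.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the certificate file downloaded from Okta; it wraps
# the same placeholder bytes as the metadata above.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
-----END CERTIFICATE-----
"""


def _der_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as GUIs usually display it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields FortiAuthenticator fills in from the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text:
            cert_b64 = "".join(el.text.split())  # drop line breaks/indentation
            break
    if cert_b64 is None:
        raise ValueError("metadata contains no signing certificate")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        "cert_sha256": _der_sha256(base64.b64decode(cert_b64)),
    }


def cert_file_fingerprint(pem_text: str) -> str:
    """Fingerprint of a PEM certificate file (armor lines are ignored)."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return _der_sha256(base64.b64decode(body))


def certificate_matches(metadata_xml: str, pem_text: str) -> bool:
    """True when the downloaded certificate is the one the metadata advertises."""
    return parse_idp_metadata(metadata_xml)["cert_sha256"] == cert_file_fingerprint(pem_text)


def slo_url_is_for_org(meta: dict, okta_org: str) -> bool:
    """True when the metadata's SLO endpoint is hosted on <org>.okta.com."""
    host = urlparse(meta["slo_url"] or "").hostname or ""
    return host == f"{okta_org}.okta.com"


def check_group_filter_names(okta_groups, filter_names) -> dict:
    """Compare FortiAuthenticator SSO group filter names with Okta group names.

    Only identical names count as matched. Names that differ solely in case or
    surrounding whitespace are reported as near misses, since that is the usual
    reason FSSO information silently fails to reach FortiGate.
    """
    okta = set(okta_groups)
    folded = {g.strip().casefold(): g for g in okta}
    result = {"matched": [], "near_miss": {}, "unmatched": []}
    for name in filter_names:
        if name in okta:
            result["matched"].append(name)
        elif name.strip().casefold() in folded:
            result["near_miss"][name] = folded[name.strip().casefold()]
        else:
            result["unmatched"].append(name)
    return result


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in meta.items():
        print(f"{key:12} {value}")
    print("SLO URL belongs to 'facschool':", slo_url_is_for_org(meta, "facschool"))
    print("downloaded cert matches metadata:", certificate_matches(SAMPLE_METADATA, SAMPLE_CERT_PEM))
    # Constructed group lists: two of the filter names differ only in case/whitespace.
    print(check_group_filter_names(["Students", "Teachers", "IT-Admins"],
                                   ["Students", "teachers", "IT-Admins ", "Staff"]))
```

Run it against the real metadata and certificate files by replacing the two sample constants with the file contents; a fingerprint mismatch means the certificate loaded into the SAML server definition is not the one Okta signs assertions with, and any entry under near_miss is a filter name to correct before expecting FSSO information on the FortiGate.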