SAML SSO with Okta as IdP
You can configure a single sign on (SSO) connection with Okta via SAML, where Okta is the identity provider (IdP) and FortiClient EMS is the service provider (SP). This feature allows administrators to log in to EMS by logging in with their Okta credentials.
To configure FortiClient EMS with Okta SSO:
- In FortiClient EMS, go to Administration > SAML SSO.
- Toggle on Enable SAML SSO. Service Provider Settings displays the SP entity ID. You use these values to configure FortiClient EMS as an SP in Okta. Copy these values.
- Create and configure your FortiClient EMS environment in Okta:
  - Add the FortiClient EMS application to Okta:
    - On the Okta administration page, go to Applications.
    - Click Add Application.
    - In the search box, search for and select FortiClient EMS.
    - Click Add.
    - Under General Settings, click Done.
    - On the Assignment tab, from the Assign dropdown list, select Assign to People.
    - In the dialog, assign the desired users to the FortiClient EMS Okta application.
  - Obtain the IdP information from Okta:
    - On the Sign On tab in Okta, click View Setup Instructions.
    - Scroll to step 5. This step lists the IdP information that you must provide to FortiClient EMS. Copy the values in the IdP Entity ID and IdP Single Sign-On URL fields.
    - Download the IdP certificate from the provided link. Save the certificate to your device.
- Configure the IdP information in FortiClient EMS:
  - In FortiClient EMS, in the IdP Entity ID and IdP single sign-on URL fields, paste the values that you copied from the Okta IdP Entity ID and IdP Single Sign-On URL fields, respectively.
  - (Optional) Configure the Assertion Attributes > Username Claim field. Only configure this option if you want to use a value other than username.
  - From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
  - (Optional) Toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from the IdP can become EMS admin users. When it is enabled, only SSO users from the IdP who satisfy a configured rule can become EMS admin users. To add a rule, click Add. In the Authorization Rule field, enter a username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with usernames that match the configured authorization rules can access EMS as an admin user.
    Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.
- Review the SAML configuration, then click Save.
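The IdP Entity ID check, the Username Claim setting and the case-insensitive authorization rules from the steps above, modelled in Python as an added example that is not FortiClient EMS or Okta code. The SAML assertion is constructed for the example; the entity ID value and the `emsLogin` attribute name are assumptions standing in for whatever your Okta tenant issues.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real Okta response. The Issuer stands in
# for the IdP Entity ID copied from Okta; "emsLogin" is a hypothetical attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.okta.com/EXAMPLE-IDP-ENTITY-ID</saml:Issuer>
  <saml:Subject><saml:NameID>Alice.Admin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>Alice.Admin@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emsLogin">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_issuer(assertion_xml):
    """Return the Issuer value; the SP compares it with the configured IdP Entity ID."""
    issuer = ET.fromstring(assertion_xml).find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None

def extract_username(assertion_xml, username_claim="username"):
    """Return the value of the configured Username Claim attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == username_claim:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None

def is_authorized(username, rules, rules_enabled):
    """Model the EMS admin decision: rules disabled admits every IdP user; rules
    enabled admits only a username matching some rule, compared case-insensitively."""
    if not rules_enabled:
        return True
    if username is None:
        return False
    return username.casefold() in {rule.casefold() for rule in rules}

def admit_admin(assertion_xml, idp_entity_id, rules, rules_enabled, username_claim="username"):
    """Full check for one assertion: Issuer must equal the IdP Entity ID, then rules apply."""
    if assertion_issuer(assertion_xml) != idp_entity_id:
        return False
    return is_authorized(extract_username(assertion_xml, username_claim), rules, rules_enabled)
```

A real SP also verifies the assertion signature against the uploaded IdP certificate before any of these checks; that step is omitted here to keep the example to the standard library.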