SAML SSO with Okta as IdP
You can configure a single sign-on (SSO) connection with Okta via SAML, where Okta is the identity provider (IdP) and FortiClient EMS is the service provider (SP). This feature allows administrators to log in to EMS with their Okta credentials.
To configure FortiClient EMS with Okta SSO:
- In FortiClient EMS, go to Administration > SAML SSO.
- Toggle on Enable SAML SSO. Service Provider Settings displays the SP entity ID. You use these values to configure FortiClient EMS as an SP in Okta. Copy these values.
- Create and configure your FortiClient EMS environment in Okta:
  - Add the FortiClient EMS application to Okta:
    - On the Okta administration page, go to Applications.
    - Click Add Application.
    - In the search box, search for and select FortiClient EMS.
    - Click Add.
    - Under General Settings, click Done.
    - On the Assignment tab, from the Assign dropdown list, select Assign to People.
    - In the dialog, assign the desired users to the FortiClient EMS Okta application.
    - On the Sign On tab, click Edit.
    - Paste the entity ID value from FortiClient EMS in the Base URL field in Okta.
    - Click Save.
  - Obtain the IdP information from Okta:
    - On the Sign On tab in Okta, click View Setup Instructions.
    - Scroll to step 5. This step lists the IdP information that you must provide to FortiClient EMS. Copy the values in the IdP Entity ID and IdP Single Sign-On URL fields.
    - Download the IdP certificate from the provided link. Save the certificate to your device.
- Configure the IdP information in FortiClient EMS:
  - In FortiClient EMS, in the IdP Entity ID and IdP single sign-on URL fields, paste the values that you copied from the IdP Entity ID and IdP Single Sign-On URL fields, respectively.
  - (Optional) Configure the Assertion Attributes > Username Claim field. Only configure this option if you want to use a value other than username.
  - From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
  - In Access Control, click Add to assign the roles for the group members:
    - Create a member with the Super Administrator role and the highest Priority.
    - Assign the access of other group members.
    - For each Rule that is not assigned to a Super Administrator role, click Advanced Settings, then configure domain access. This enables finer control over the specific authorization levels assigned to administrators.
    - Click Finish.
  - Configure other settings as needed.
  - Click Save.

  Deleting an authorization rule does not remove its associated users as admin users from EMS. You must delete them from Administration > Admin Users.
- Review the SAML configuration, then click Save.
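The following is an added example, not FortiClient EMS or Okta code, showing what an SP does with the values configured above when an Okta SAML Response arrives: the assertion's Issuer is compared with the IdP Entity ID, the signing certificate with the uploaded IdP certificate, the Audience with the SP entity ID, the validity window with the current time, the username is read from the Username Claim attribute (default username), and the role is resolved from the Access Control rules by priority. All entity IDs, URLs, certificate bodies, group names, the "groups" attribute name, the "Limited Admin" role name and the larger-value-wins priority convention are constructed assumptions for this example; real Okta and EMS values will differ.

```python
# Added illustrative example; not FortiClient EMS or Okta code. All sample values are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class AuthRule:
    """One Access Control rule: a group attribute value mapped to an EMS role."""
    group: str
    role: str
    priority: int  # assumed convention for this example: the larger value wins


@dataclass
class SpConfig:
    """Values from the SAML SSO page; every sample value below is hypothetical."""
    sp_entity_id: str
    idp_entity_id: str
    idp_sso_url: str  # where the SP redirects the browser to start the login
    idp_cert_b64: str  # base64 body of the uploaded IdP certificate
    username_claim: str = "username"  # the Username Claim field's default value
    group_claim: str = "groups"  # assumed name of the group attribute
    rules: list = field(default_factory=list)


def _norm_b64(text):
    return "".join(text.split())


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _attr_values(assertion, name):
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [(e.text or "").strip() for e in assertion.findall(path, NS)]


def resolve_role(groups, rules):
    """Role of the highest-priority rule whose group the user holds, else None."""
    matches = [r for r in rules if r.group in groups]
    return max(matches, key=lambda r: r.priority).role if matches else None


def validate_response(xml_text, cfg, now):
    """Return (username, role); raise ValueError when any SP-side check fails."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # 1. Issuer must be the IdP Entity ID copied from Okta's setup instructions.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg.idp_entity_id:
        raise ValueError(f"unexpected issuer {issuer!r}")
    # 2. The signing certificate must be the uploaded IdP certificate. A real SP
    #    also verifies the XML-DSig signature with it, which needs an xmlsec library.
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              default="", namespaces=NS)
    if _norm_b64(cert) != _norm_b64(cfg.idp_cert_b64):
        raise ValueError("signing certificate is not the configured IdP certificate")
    # 3. Audience must be this SP's entity ID and the validity window must hold.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience.strip() != cfg.sp_entity_id:
        raise ValueError(f"assertion issued for {audience!r}, not this SP")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or not noa or now < _ts(nb) or now >= _ts(noa):
        raise ValueError("assertion is outside its validity window")
    # 4. The username is the single value of the configured Username Claim attribute.
    users = _attr_values(assertion, cfg.username_claim)
    if len(users) != 1 or not users[0]:
        raise ValueError(f"attribute {cfg.username_claim!r} missing or ambiguous")
    # 5. The role comes from the Access Control rules; the highest priority wins.
    role = resolve_role(set(_attr_values(assertion, cfg.group_claim)), cfg.rules)
    if role is None:
        raise ValueError("user matches no authorization rule")
    return users[0], role


def rejection_reason(xml_text, cfg, now):
    """The ValueError message for a rejected response, or None when accepted."""
    try:
        validate_response(xml_text, cfg, now)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample configuration; none of these values is real.
SAMPLE_CERT = "MIIBconstructedSampleCertBody=="
SAMPLE_CFG = SpConfig(
    sp_entity_id="https://ems.example.com/saml/metadata",
    idp_entity_id="http://www.okta.com/exkEXAMPLEID",
    idp_sso_url="https://example.okta.com/app/exkEXAMPLEID/sso/saml",
    idp_cert_b64=SAMPLE_CERT,
    rules=[AuthRule("ems-admins", "Super Administrator", priority=10),
           AuthRule("ems-helpdesk", "Limited Admin", priority=1)],  # hypothetical role name
)
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)


def sample_response(issuer=SAMPLE_CFG.idp_entity_id, cert=SAMPLE_CERT,
                    groups=("ems-admins", "ems-helpdesk"), not_on_or_after="2024-05-01T12:05:00Z"):
    """Build a constructed Okta-style Response; the Signature element is a placeholder."""
    group_xml = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_CFG.sp_entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">{group_xml}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running validate_response(sample_response(), SAMPLE_CFG, SAMPLE_NOW) accepts the constructed response as alice with the Super Administrator role, because that rule carries the higher priority even though alice also matches the helpdesk rule; changing the issuer, the embedded certificate, the expiry or the group list makes the same function reject it. The certificate comparison stands in for real XML-DSig verification, which is why the IdP certificate you upload in EMS matters: without it the SP has no way to tell an assertion minted by the configured Okta tenant from one produced elsewhere.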