Administration Guide

SAML IdP configuration with Okta

To configure general SAML IdP portal settings:
  1. Before starting to configure SAML on Okta, you must download and save the SP data from the FortiEDR SAML configuration page (fortiEDR.sp.metedata.id.1.xml), as described in SAML authentication.
  2. Sign in to the Okta Admin dashboard. The following displays:

  3. In your Okta org, click Applications and then Add Applications.
  4. Click Create New App. The following displays:

  5. In the Platform field, select Web.
  6. In the Sign on method field, select SAML 2.0.
  7. Click Create.
  8. In the General Settings page, select a name for the application. For example, FortiEDRConsole. Optionally, you can also add the FortiEDR logo here.

  9. Click Next. The Configure SAML page displays:

  10. Copy the following values from the FortiEDR SP metadata file (fortiEDR.sp.metedata.id.1.xml) that you downloaded from the FortiEDR SAML configuration page, as described in SAML authentication:
    • Single sign on URL: Under the md:AssertionConsumerService tag, in the Location attribute (For example, https://myexample.fortiedr.com/saml/SSO/alias/1).
    • Audience URI (SP entity ID): Under the md:EntityDescriptor tag, in the entityID attribute (For example, https://myexample.fortiedr.com/saml/metadata/alias/1).
  11. In Advanced Settings, in the Assertion Encryption field, select Encrypted.
  12. Use Notepad or another text editor to copy the entire <ds:X509Certificate>XXX</ds:X509Certificate> element from the FortiEDR SP metadata file (fortiEDR.sp.metedata.id.1.xml) that you downloaded from the FortiEDR SAML configuration page. Then, save its contents as a .crt file to be used as the encryption certificate.
  13. Upload this .crt file to the Encryption Certificate box on Okta, as shown below:

  14. Leave the default values in the rest of the settings. For example, as shown below:

  15. Groups are used in the assertion so that FortiEDR roles are assigned according to the user's current groups in the Okta directory. For example, to give the Okta Engineering group the Admin role on FortiEDR, add it to Okta as follows:

    The mapping of this group to the FortiEDR Admin role is then performed in the SAML settings page of the FortiEDR Central Manager console as follows:

  16. Previewing the assertion should appear similar to the following example:

  17. Click Next and then click Finish.
  18. When you configure SAML SSO on the FortiEDR console, use the Identity Provider Metadata URL from the application's Sign On settings in Okta, as shown below:

  19. Paste it into the FortiEDR Central Manager as follows:
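Steps 10 and 12 above take three values out of the SP metadata file by hand: the Single sign on URL, the Audience URI and the encryption certificate. The script below is an added example (it is not Fortinet or Okta code) that performs the same extraction programmatically and writes the certificate as a PEM-armored .crt file ready for the Encryption Certificate box in step 13. It runs against a constructed sample metadata document embedded inline: the element names follow the standard SAML 2.0 metadata schema, the host name and alias are the placeholders used in this guide, and the certificate body is a made-up base64 string, not a real certificate. Compared with copying by hand, it also checks that the certificate value is complete base64 and that the HTTP-POST AssertionConsumerService is the one selected, which is what Okta posts the response to.

```python
"""Extract the Okta-side values (step 10) and the encryption certificate (step 12)
from a FortiEDR SP metadata file such as fortiEDR.sp.metedata.id.1.xml.
Added example; not Fortinet or Okta code."""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder certificate body (valid base64, 100 characters) so the
# PEM wrapping below can be exercised; it is not a real certificate.
FAKE_CERT_B64 = "MIIB" + "QUJD" * 24

# Constructed sample that mirrors the layout of the FortiEDR SP metadata file.
# Host name and alias are the placeholders used in the guide, not a real tenant.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myexample.fortiedr.com/saml/metadata/alias/1">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            @@CERT@@
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myexample.fortiedr.com/saml/SSO/alias/1" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", FAKE_CERT_B64)


def to_pem(b64_body: str) -> str:
    """Wrap the base64 body of <ds:X509Certificate> in PEM armor, 64 chars per line.
    Rejects a body that is not valid base64, e.g. a copy/paste that cut it short."""
    body = "".join(b64_body.split())  # drop line breaks and indentation from the XML
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"X509Certificate value is not valid base64: {exc}") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_okta_values(metadata_xml: str) -> dict:
    """Return the Single sign on URL, Audience URI and encryption certificate (PEM)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    audience_uri = root.get("entityID")
    if not audience_uri:
        raise ValueError("md:EntityDescriptor has no entityID attribute")

    # Okta posts the SAML response to the ACS, so select the HTTP-POST endpoint,
    # preferring the one flagged isDefault="true" when several are listed.
    acs_nodes = [n for n in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
                 if n.get("Binding") == HTTP_POST]
    if not acs_nodes:
        raise ValueError("no HTTP-POST md:AssertionConsumerService found")
    acs_nodes.sort(key=lambda n: n.get("isDefault", "false").lower() != "true")
    sso_url = acs_nodes[0].get("Location")

    # Prefer the KeyDescriptor marked use="encryption"; fall back to the first
    # certificate if the SP publishes a single key without a use attribute.
    cert = root.find("md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no ds:X509Certificate found in SP metadata")

    return {
        "single_sign_on_url": sso_url,
        "audience_uri": audience_uri,
        "encryption_certificate_pem": to_pem(cert.text),
    }


if __name__ == "__main__":
    # Usage: python sp_metadata_values.py [fortiEDR.sp.metedata.id.1.xml]
    # With no argument the constructed sample above is used.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    values = extract_okta_values(xml_text)
    print("Single sign on URL:     ", values["single_sign_on_url"])
    print("Audience URI (entityID):", values["audience_uri"])
    with open("fortiedr-sp-encryption.crt", "w", encoding="utf-8") as fh:
        fh.write(values["encryption_certificate_pem"])
    print("Encryption certificate written to fortiedr-sp-encryption.crt")
```

Run it with the path to the downloaded metadata file as the only argument; the two URLs go into the Single sign on URL and Audience URI fields of the Configure SAML page, and the generated fortiedr-sp-encryption.crt is the file to upload in step 13. The base64 check matters because a certificate truncated during copy/paste is accepted by some upload dialogs and only fails later, when Okta cannot encrypt the assertion for FortiEDR.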

Okta can now be used as an IdP that provides authentication and authorization for users accessing the FortiEDR Central Manager console. When a user logs in to the FortiEDR console via the SSO URL specified on the SAML settings page, that Okta user is granted access rights to the FortiEDR Central Manager according to the user groups to which the user was added in Okta.
