Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

SAML 2.0 FSSO with FortiAuthenticator and Okta

This example shows you how to provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta as the identity provider (IdP).

Okta is a cloud-based user directory providing a secure authentication and identity-access management service that offer secure SSO solutions. Okta can be implemented with different technologies and services including Office 365, G Suite, Dropbox, AWS, and others.

In the above sample diagram, a user starts by trying to make an unauthenticated web request (1). The FortiGate’s captive portal offloads the authentication request to the FortiAuthenticator’s SAML SP portal (2) which in turn redirects that client/browser to the SAML IdP login page (3). If the user successfully logs into the portal (4), a positive SAML assertion is sent back to the FortiAuthenticator (5), converting the user’s credentials into those of an FSSO user (6).

In this example, the FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has the WAN IP address of 172.25.176.141. For testing purposes, the FortiAuthenticator’s IP and FQDN are added to the host’s file of trusted host names; this is not necessary for a typical network.

Before you begin:

  • Create an Okta developer account.
  • On the FortiAuthenticator, create two user groups (one local user group and one SSO user group). These groups must have identical names, in this example, saml_users.

SAML 2.0 FSSO with FortiAuthenticator and Okta

This example shows you how to provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta as the identity provider (IdP).

Okta is a cloud-based user directory providing a secure authentication and identity-access management service that offer secure SSO solutions. Okta can be implemented with different technologies and services including Office 365, G Suite, Dropbox, AWS, and others.

In the above sample diagram, a user starts by trying to make an unauthenticated web request (1). The FortiGate’s captive portal offloads the authentication request to the FortiAuthenticator’s SAML SP portal (2) which in turn redirects that client/browser to the SAML IdP login page (3). If the user successfully logs into the portal (4), a positive SAML assertion is sent back to the FortiAuthenticator (5), converting the user’s credentials into those of an FSSO user (6).

In this example, the FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has the WAN IP address of 172.25.176.141. For testing purposes, the FortiAuthenticator’s IP and FQDN are added to the host’s file of trusted host names; this is not necessary for a typical network.

Before you begin:

  • Create an Okta developer account.
  • On the FortiAuthenticator, create two user groups (one local user group and one SSO user group). These groups must have identical names, in this example, saml_users.