Configuring FortiSASE with Okta SSO
You can configure a single sign on (SSO) connection with Okta via SAML, where Okta is the identity provider (IdP) and FortiSASE is the service provider (SP). This feature allows end users to connect to VPN by logging in with their Okta credentials.
To configure FortiSASE with Okta SSO:
- In FortiSASE, go to Configuration > VPN User SSO. The first step of the SSO configuration wizard displays the entity ID, SSO URL, and single logout URL. You use these values to configure FortiSASE as an SP in Okta. Copy these values.
- Create and configure your FortiSASE environment in Okta:
- Add the FortiSASE application to Okta:
- On the Okta administration page, go to Applications.
- Click Add Application.
- In the searchbox, search for and select FortiSASE.
- Click Add.
- Under General Settings, click Done.
- On the Assignment tab, from the Assign dropdown list, select Assign to People.
- In the dialog, assign the desired users to the FortiSASE Okta application.
- On the Sign On tab, click Edit.
- Paste the entity ID value from FortiSASE in the Base URL field in Okta. After pasting, trim the value so that nothing remains after the host name "fortisase.com"; the Base URL must not include the path that follows it.
- Click Save.
- Obtain the IdP information from Okta:
- On the Sign On tab in Okta, click View Setup Instructions.
- Scroll to step 5. This step lists the IdP information that you must provide to FortiSASE. Copy the values in the IdP Entity ID, IdP Single Sign-On URL, and IdP Single Log-Out URL fields.
- Download the IdP certificate from the provided link. Save the certificate to your device.
- Configure the IdP information in FortiSASE:
- In FortiSASE, click Next in the SSO wizard. In the IdP Entity ID, IdP Single Sign-On URL, IdP Single Log-Out URL fields, paste the values that you copied from the IdP Entity ID, IdP Single Sign-On URL, and IdP Single Log-Out URL fields, respectively.
- In SAML Claims Mapping, in the Username field, enter "username". In the Group Name field, enter "group". Both fields are case-sensitive and must match the attribute names in the SAML assertion exactly. If you have configured the Okta application to send SAML attributes with names other than username or group, enter those attribute names in the Username and Group Name fields instead.
- From the IdP Certificate dropdown list, select Create, then upload the certificate that you downloaded. Click Next.
- In the Service Provider Certificate field, use FortiSASE Default Certificate or your own custom certificate. Click + to add your own custom certificate.
- For Digest Method, select SHA-1 or SHA-256. SHA-256 is the stronger choice; select SHA-1 only if the Okta side requires it. If Certificate Verification is enabled on Okta, the digest method must match the digest method configured on Okta.
FortiSASE Default Certificate is a built-in wildcard certificate, signed by a well-known public CA, that is the same across all of your points of presence.
FortiSASE Default Certificate renews periodically. Thus, if the IdP uses the Service Provider Certificate in its configuration, administrators must update the IdP configuration with the new SP certificate after each renewal. To avoid updating your IdP configuration frequently, uploading your own certificate is recommended.
- Review the SAML configuration, then click Submit.
- Invite Okta users to FortiSASE:
- (Optional) If you want to define a group of users, create a user group:
- Go to Configuration > Users.
- Click Create > User Group.
- In the Members field, click +.
- In the Select Entries pane, select the desired users to add to this user group.
- In the Remote Groups field, select Create.
- From the Remote Server dropdown list, select the desired server.
- In the Groups field, add the desired groups from the selected server to this user group. Click OK.
- Click OK.
- In Configuration > Single Sign On (SSO), click Onboard Users.
- Under Invite Users, enter the email addresses of the users that you want to add to FortiSASE.
- Click Send. FortiSASE sends invitation emails to these users so that they can download FortiClient and connect to FortiSASE.
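The two error-prone parts of the procedure above are transcribing the IdP values from Okta's setup instructions into the FortiSASE wizard and getting the case-sensitive SAML claims mapping right. The script below is an added example, not Fortinet's or Okta's code: it pulls the IdP entity ID, single sign-on URL, single logout URL and signing certificate out of SAML 2.0 IdP metadata (the same values listed in Okta's View Setup Instructions), and then applies a username/group claims mapping to an assertion's AttributeStatement the way the wizard settings imply, reporting attributes whose names differ only in case. It uses only the Python standard library; the metadata, tenant name, application ID, certificate body and assertion are constructed placeholders, not values from any real Okta org.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like Okta's IdP metadata. The tenant, the exk... app id
# and the certificate body are placeholders, not values from a real Okta org.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not a real certificate").decode()
IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkEXAMPLE0000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/fortisase/exkEXAMPLE0000000/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/fortisase/exkEXAMPLE0000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/fortisase/exkEXAMPLE0000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values the FortiSASE wizard asks for: IdP entity ID, IdP single
    sign-on URL and IdP single logout URL (HTTP-POST binding), plus the DER-encoded
    IdP signing certificate that is uploaded as the IdP Certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")

    def location(service_tag):
        # Pick the HTTP-POST endpoint; Okta also advertises HTTP-Redirect for SSO.
        for svc in idp.findall(service_tag, NS):
            if svc.get("Binding") == HTTP_POST:
                return svc.get("Location")
        return None

    certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # no 'use' means signing and encryption
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_url": location("md:SingleSignOnService"),
        "idp_slo_url": location("md:SingleLogoutService"),
        "idp_signing_cert_der": base64.b64decode(certs[0]),
    }


# Constructed sample AttributeStatement. The group attribute is named "Group", which
# does not match the case-sensitive "group" entered in the FortiSASE wizard.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Group">
    <saml:AttributeValue>vpn-users</saml:AttributeValue>
    <saml:AttributeValue>admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def map_claims(attr_statement_xml, username_attr="username", group_attr="group"):
    """Apply the claims mapping with exact, case-sensitive attribute names and
    report near misses (same name, different case) so the mismatch is obvious."""
    root = ET.fromstring(attr_statement_xml)
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall("saml:Attribute", NS)
    }
    problems = []
    for wanted in (username_attr, group_attr):
        if wanted not in attrs:
            near = [name for name in attrs if name.lower() == wanted.lower()]
            hint = "; assertion has %s (case differs)" % near if near else ""
            problems.append("attribute '%s' missing%s" % (wanted, hint))
    return {
        "username": (attrs.get(username_attr) or [None])[0],
        "groups": attrs.get(group_attr, []),
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(IDP_METADATA).items():
        print(key, "=", value if isinstance(value, str) else "%d bytes DER" % len(value))
    print(map_claims(ATTRIBUTE_STATEMENT))
```

Run against the sample, the mapping succeeds for username but returns no groups and flags that the assertion carries "Group" rather than "group"; passing `group_attr="Group"` (the Okta-side attribute name, as the Group Name field allows) returns both groups. The same check is useful before opening a ticket when group-based policies do not apply after SSO login.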