- On FortiAuthenticator, go to Authentication > Remote Auth. Servers > SAML, and import the IdP metadata and certificate downloaded from Okta.
This will automatically fill in the IdP fields. Select OK to save your changes.
- Enable SAML single logout and add the IdP single logout URL under the Single Logout section of the Okta Remote SAML Server.
For example, if your Okta organization is "facschool" then the IdP single logout URL: entry would be
- Go to Fortinet SSO Methods > SSO > FortiGate Filtering, and create a new FortiGate filter.
Enter a name and the FortiGate's DMZ-interface IP address, and click OK.
Once created, enable Forward FSSO information for users from the following subset of users/groups/containers only. Select Create New to create SSO group filtering objects that match each group inside Okta, and select OK to apply all changes.
The names entered for the filter must be the same as the group names created in Okta. Failing to enter the exact same names will result in the SSO information not being pushed to FortiGate.