Fortinet Document Library

Version:


Table of Contents

Cookbook

6.1.0
Download PDF
Copy Link

SAML FSSO with FortiAuthenticator and Okta

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider (IdP).

Okta is a secure authentication and identity-access management service that offer secure SSO solutions. Okta can be implemented with a variety of technologies and services including Office 365, G Suite, Dropbox, AWS, and more.

A user will start by attempting to make an unauthenticated web request. The FortiGate’s captive portal will offload the authentication request to the FortiAuthenticator’s SAML SP portal, which in turn redirects that client/browser to the SAML IdP login page. Assuming the user successfully logs into the portal, a positive SAML assertion will be sent back to the FortiAuthenticator, converting the user’s credentials into those of an FSSO user.

In this example configuration, the FortiGate has a DMZ IP address of 192.168.50.1, and the FortiAuthenticator has the Port1 IP address of 192.168.50.100. Note that, for testing purposes, the FortiAuthenticator’s IP and FQDN have been added to the host’s file of trusted host names; this is not necessary for a typical network.

This configuration assumes that you have already created an Okta developer account.

SAML FSSO with FortiAuthenticator and Okta

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider (IdP).

Okta is a secure authentication and identity-access management service that offer secure SSO solutions. Okta can be implemented with a variety of technologies and services including Office 365, G Suite, Dropbox, AWS, and more.

A user will start by attempting to make an unauthenticated web request. The FortiGate’s captive portal will offload the authentication request to the FortiAuthenticator’s SAML SP portal, which in turn redirects that client/browser to the SAML IdP login page. Assuming the user successfully logs into the portal, a positive SAML assertion will be sent back to the FortiAuthenticator, converting the user’s credentials into those of an FSSO user.

In this example configuration, the FortiGate has a DMZ IP address of 192.168.50.1, and the FortiAuthenticator has the Port1 IP address of 192.168.50.100. Note that, for testing purposes, the FortiAuthenticator’s IP and FQDN have been added to the host’s file of trusted host names; this is not necessary for a typical network.

This configuration assumes that you have already created an Okta developer account.