Configuring FSSO on FortiGate

To configure FSSO on FortiGate:
  1. On FortiGate, go to Security Fabric > Fabric Connectors.
    Create a new FSSO agent connector to the FortiAuthenticator.
  2. Select Apply & Refresh. The SAML user group name is pushed to FortiGate from FortiAuthenticator and appears when you select View.

    Select View and make sure that the FSSO group has been pushed to FortiGate.

  3. Go to User & Device > User Groups and create a new user group.
    Enter a name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.

Configure automatic redirect

To configure automatic redirect on FortiGate:

To automatically redirect the user to the initial website after authentication, go to System > Replacement Messages > Authentication > Login Page on the FortiGate, erase the existing HTML code, and replace it with the following HTML code.

Replace <FortiAuthenticator-FQDN> with the DNS name of the FortiAuthenticator.

<html>
  <head>
    <meta charset="UTF-8">
    <!-- Send the browser to the FortiAuthenticator SAML login; the %%...%% tags are filled in by FortiGate. -->
    <meta http-equiv="refresh" content="1;url=https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%">
    <script type="text/javascript">
      window.location.href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%"
    </script>
    <title>Page Redirection</title>
  </head>
  <body>
    If you are not redirected automatically,
    <a href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%">login</a>
  </body>
</html>
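
A pre-deployment check for the edited login page, added here as an example (it is not Fortinet's code): it confirms that the placeholder was replaced, that the tags are balanced, and that every redirect URL uses HTTPS, points at the expected FortiAuthenticator host, and carries both FortiGate tags. The function name lint_login_page and the host fac.example.com are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PLACEHOLDER = "<FortiAuthenticator-FQDN>"
REQUIRED = ("user_continue_url=%%PROTURI%%", "userip=%%USER_IP%%")
VOID_TAGS = {"meta", "link", "br", "hr", "img", "input"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class TagBalance(HTMLParser):
    """Record elements that are closed out of order or never closed."""
    def __init__(self):
        super().__init__()
        self.open_tags, self.errors = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and (not self.open_tags or self.open_tags.pop() != tag):
            self.errors.append(f"unexpected </{tag}>")

def lint_login_page(html, expected_host):
    """Return a list of problems; an empty list means the page passed."""
    problems = ["placeholder not replaced"] if PLACEHOLDER in html else []
    parser = TagBalance()
    parser.feed(html)
    parser.close()
    problems += parser.errors
    problems += [f"<{tag}> never closed" for tag in parser.open_tags]
    urls = URL_RE.findall(html)  # meta refresh, script and fallback link targets
    if not urls:
        problems.append("no redirect URL found")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"not HTTPS: {url}")
        if parts.hostname != expected_host.lower():
            problems.append(f"unexpected host: {parts.hostname}")
        problems += [f"missing {p}" for p in REQUIRED if p not in parts.query]
    return problems

# Constructed sample; fac.example.com is a made-up FortiAuthenticator name.
URL = "https://fac.example.com/saml-sp/Okta/login/?" + "&".join(REQUIRED)
SAMPLE = (f'<html><head><meta http-equiv="refresh" content="1;url={URL}">'
          f'<title>Page Redirection</title></head>'
          f'<body><a href="{URL}">login</a></body></html>')

if __name__ == "__main__":
    print(lint_login_page(SAMPLE, "fac.example.com") or "login page OK")
```
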

Configure address objects and policies

To configure address objects and policies on FortiGate:
  1. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.
  2. Create the FQDN objects below.
    • *.okta.com
    • *.mtls.okta.com
    • *.oktapreview.com
    • *.mtls.oktapreview.com
    • *.oktacdn.com
    • *.okta-emea.com
    • *.mtls.okta-emea.com
    • *.kerberos.okta.com
    • *.kerberos.okta-emea.com
    • *.kerberos.oktapreview.com

    As these are FQDNs, make sure to set Type to FQDN.

  3. Create an address group named Okta Bypass and add the FQDNs you created above to it.
  4. Go to Policy & Objects > IPv4 Policy and create all policies shown in the examples below: a policy for DNS, for access to the FortiAuthenticator, for Okta bypass, and for FSSO including the SAML user group.
    Allow access to the FortiAuthenticator on the DMZ from the LAN:

    Add the following three policies in order:


    In the SSO_Internet_Access policy, add the Firewall Guest-group and the Okta FSSO group that is received from FortiAuthenticator. The Guest-group redirects the initial Internet access request from the browser to Okta. Once the user is authenticated, the browser automatically redirects to the website from the initial HTTP/HTTPS request, matching the Okta SSO group.
