Fortigate and Okta authentication integration

MHRNetwork · ‎01-03-2024

Hi all,

Previously I have implemented Fortigate integrate with Okta authen. but now we still having some issues which is I am not really sure about it.

Here is the config that I implemented in Fortigate

config user saml
    edit "okta-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://xxx.xxxx.xxx.xx:10443/remote/saml/metadata/"
        set single-sign-on-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/login/"
        set single-logout-url "https://xxx.xxxx.xxx.xx:10443/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exxxxxxxxxxxxxxxxxxxxx"
        set idp-single-sign-on-url "https://xxxxx-url.apac.xxxx.com/app/apac-xxxxx/xxxxxxxxxxxxxxxxx/sso/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha256
    next
end


xxxxxfw01 (corporate-saml) # show
config user group
    edit "corporate-saml"
        set member "okta-idp"
        config match
            edit 1
                set server-name "okta-idp"
                set group-name "corporate-saml"
            next
        end
    next
end

Firewall policy:

Debug output:

samld_send_common_reply [122]:     Attr: 17, 27, magic=178af1777bb9xxxx
[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[336:vdom_xxxx:c117]fsv_saml_login_resp_cb:163 SAML response error: 3.
[336:vdom_xxxx:c117]req: /remote/saml/login/(null)
[336:vdom_xxxx:c117]def: (nil) /remote/saml/login/(null)
[336:vdom_xxxx:c117]sslvpn_read_request_common,686, ret=-1 error=-1, sconn=0x7f0cf2a0af00.
[336:vdom_xxxx:c117]Destroy sconn 0x7f0cf2a0af00, connSize=0. (vdom_xxxx)

Please let me know how to troubleshoot on this issue.

Thanks,

hbac · ‎01-04-2024

@MHRNetwork,

Because the debug output saying 'No group info in SAML response.' which could be caused by attribute mismatch. That's why we need to verify the attribute.

[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.

Regards,

View solution in original post

funkylicious · ‎01-03-2024

Hi,

As the logs say, the username that you are trying to use is not part of corporate-saml group in Okta, that you have defined in your settings.

You can try and follow this link as a guide to configure SSLVPN with Okta : https://sites.google.com/frellsen.se/kimfrellsen/fortinet-ssl-vpn-with-okta-mfa-using-saml

geek

hbac · ‎01-03-2024

Hi @MHRNetwork,

Please verify the group attribute on both sides. Please refer to https://community.fortinet.com/t5/Support-Forum/Fortigate-and-Okta-authentication-integration/td-p/2...

Regards,

MHRNetwork · ‎01-03-2024

Hi hbac,

is that link correct? seems it redirect to this post.

thanks,

hbac · ‎01-03-2024

Hi @MHRNetwork,

Sorry, it was a wrong link. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-SSL-VPN-web...

Regards,

MHRNetwork · ‎01-03-2024

Hi hbac,

from saml tracer, I can see that the attribute "username" is correct and we didn't configure attribute for group. but actually we are not sure whether need to configure group attribute or not. is it necessary? no right? because our okta team said it will be more complicated to maintain.

        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="username"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      />
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

hbac · ‎01-04-2024

@MHRNetwork,

Because the debug output saying 'No group info in SAML response.' which could be caused by attribute mismatch. That's why we need to verify the attribute.

[336:vdom_xxxx:c117]fsv_saml_login_response:510 No group info in SAML response.
[336:vdom_xxxx:c117]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.

Regards,

MHRNetwork · ‎01-18-2024

Hi hbac,

Appreciated your help for this issue.

we have concluded that the config from my side (firewall) was all good, seems IAM engineer side made some changes with the Okta attribute. after that we tested again and all was successful!

Now SSL-VPN can be establish using Okta SSO.

Here is the debug commands that I used.

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable

Hope this can help everyone that need to troubleshoot SAML integration.