Fortinet SSL-VPN with Okta MFA using SAML

With the release of FortiOS 6.4 for FortiGate and FortiClient 6.4 it is now possible to create a seamless SSL-VPN solution that integrates with third-party SAML SSO Identity Providers (IdP) and leverages their MFA capabilities, so VPN access can have the same security level as configured in the IdP.

This link shows how Fortinet explains this using SAML to FortiAuthenticator, but it could just as well be towards another SAML Identity Provider.

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/219787/saml-sp-for-vpn-authentication

In this guide we are using Okta as Identity Provider.

Thanks to Matt Sherif for the inspiration from what he did with Azure AD: https://www.ultraviolet.network/post/fortigate-ssl-vpn-with-azure-mfa-using-saml


1. Prerequisites

  • FortiGate with FortiOS 6.4.0 or higher. This guide is created using FortiOS 6.4.2.

  • FortiClient or FortiClientVPN 6.4.0 or higher

  • An Okta account


2. Setting up the Okta SAML 2.0 Application

Go to the Okta application's SAML Identity Provider settings.

  • Download the certificate and import it on the FortiGate

  • Copy the IdP Single Sign-On URL into the FortiGate config, see below

  • Copy the IdP issuer into the FortiGate config, see below


3. FortiGate Configuration

Now that you have a SAML IdP, set up the FortiGate as the SAML Service Provider (SP). This is CLI only.

config user saml
    edit "okta-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "http://<fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<fqdn>:<port>/remote/saml/login/"
        set single-logout-url "https://<fqdn>:<port>/remote/saml/logout/"
        set idp-entity-id "<Okta Identity Provider Issuer>"
        set idp-single-sign-on-url "<Okta Identity Provider Single Sign-On URL>"
        set idp-single-logout-url "https://<domain>.okta.com"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
    next
end

Add the SAML user to a user group.

config user group
    edit "saml_okta"
        set member "okta-sslvpn"
    next
end

Create the SSL-VPN settings either from the CLI or the GUI; here is the CLI.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "ssl_vpn_user_pool"
    set port 10443
    set source-interface "wan" "inside"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set groups "saml_okta"
            set portal "full-access"
        next
    end
end

Remember to create a firewall policy with the SSL-VPN interface as source and the SAML user group as group.

config firewall policy
    edit 1337
        set name "SSL_VPN"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link" "inside"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set groups "saml_okta"
    next
end

4. FortiClientVPN Configuration

FortiClientVPN 6.4.2 supports SAML (tunnel mode), tested on Windows and macOS. Web mode works on multiple platforms; I have tested both iOS and macOS.

In FortiClientVPN, create a new SSL-VPN profile, set the remote gateway and the customized port, tick "Enable Single Sign On (SSO) for VPN Tunnel", and you are ready to go.

For the managed FortiClient, this is all configured in FortiClient EMS.

5. Troubleshooting

A few words of advice: be extra careful when entering the URLs, i.e. trailing "/", embedded "?" and the http/https scheme.

If it does not work, here are some troubleshooting commands that might be useful.

Debug the SAML flow:

diagnose debug reset
# optional: diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

Debug SSL-VPN authentication. This one is useful to see whether the IdP returns a username that is understood by the SP:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application authd -1
diagnose debug application sslvpn -1
diagnose debug enable


Another good source of debug information is a SAML extension in your browser. I used these for Chrome:

SAML Chrome Panel: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace

SAML Message Decoder: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
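To catch the URL slips warned about above, and to check that the SAMLResponse those browser extensions capture actually matches the FortiGate side (issuer, audience, destination and the attribute named by user-name), here is an added Python helper; it is my own example, not code from Fortinet, Okta or this guide. It assumes a constructed SP config for vpn.example.com:10443, a placeholder Okta issuer and a constructed, unsigned SAMLResponse.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed values for this guide's "config user saml" entry (assumed FQDN/port,
# placeholder Okta issuer); not taken from a real FortiGate.
FGT_SAML = {
    "entity-id": "http://vpn.example.com:10443/remote/saml/metadata/",
    "single-sign-on-url": "https://vpn.example.com:10443/remote/saml/login/",
    "single-logout-url": "https://vpn.example.com:10443/remote/saml/logout/",
    "idp-entity-id": "http://www.okta.com/exk000PLACEHOLDER",
    "user-name": "username",
}
# Constructed, unsigned SAMLResponse, base64-encoded as the SAML Chrome Panel shows it.
SAML_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'Destination="https://vpn.example.com:10443/remote/saml/login/">'
    b'<saml:Assertion><saml:Issuer>http://www.okta.com/exk000PLACEHOLDER</saml:Issuer>'
    b'<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
    b'http://vpn.example.com:10443/remote/saml/metadata/</saml:Audience>'
    b'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
    b'<saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue>'
    b'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_urls(cfg):
    """Flag the slips the Troubleshooting section warns about: trailing '/', '?', http vs https."""
    problems = []
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        url = cfg[key]
        if not url.endswith("/") or "?" in url:
            problems.append(f"{key}: needs a trailing '/' and no '?'")
        if key != "entity-id" and not url.startswith("https://"):
            problems.append(f"{key}: must be https")
    return problems

def check_response(cfg, response_b64):
    """Compare a captured SAMLResponse with the SP config; an empty list means consistent."""
    root = ET.fromstring(base64.b64decode(response_b64))
    seen = {
        "idp-entity-id": root.findtext("saml:Assertion/saml:Issuer", namespaces=NS),
        "entity-id": root.findtext(".//saml:Audience", namespaces=NS),
        "single-sign-on-url": root.get("Destination"),
    }
    problems = [f"{k}: config has {cfg[k]!r} but response has {v!r}"
                for k, v in seen.items() if v != cfg[k]]
    attrs = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    if cfg["user-name"] not in attrs:  # FortiGate takes the user name from this attribute
        problems.append(f"no '{cfg['user-name']}' attribute; assertion carries {sorted(attrs)}")
    return problems
```

Paste the real values from "show user saml" and the SAMLResponse from the browser extension in place of the constructed ones; every line returned is a mismatch to fix on one side or the other.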

6. User Experience Demo

That's it, hope you liked it.