openfortivpn-saml allows the use of SAML authentication when using Fortinet/FortiGate SSLVPN with Okta as IdP.
- openfortivpn-saml requires openfortivpn to be installed. If the `--cookie` option is not recognised, your openfortivpn version is too old.
  - Mac: `brew install openfortivpn`
  - Linux: it is recommended to build it yourself from https://github.com/adrienverge/openfortivpn
- openfortivpn requires root privileges to set up the tunnel. To run it with sudo non-interactively, run this command:
  `echo "${USER} ALL = (root) NOPASSWD: $(which openfortivpn)" | sudo tee /etc/sudoers.d/openfortivpn`
  - Note: this rule grants your user passwordless root for that one binary, and since openfortivpn can be told to load a pppd plugin from an arbitrary path (`--pppd-plugin`), it is effectively passwordless root for your account. Accept that trade-off knowingly, verify the file with `sudo visudo -cf /etc/openfortivpn/../sudoers.d/openfortivpn` (a syntax error in a sudoers.d file can lock all sudo users out), and keep it root-owned with mode 0440.
- Get the correct release at Deployments > Releases, or compile it yourself if no precompiled binary is available for your platform.
- Move the binary to a directory on your PATH, e.g. `/usr/local/bin`
- Run the binary (see the run command below) and go through the setup wizard, which runs the first time you start it.
  - It will prompt for a master password. This is used to encrypt your credentials.
- The master password is not stored anywhere and is only known by you, just like with a password manager.
- It will ask whether you intend to use Okta FastPass, TOTP (MFA), Okta Verify, WebAuthn (YubiKey) or none of the above.
  - Note: Okta FastPass is highly recommended, as it requires no typing or remembering of codes whatsoever.
  - Note: TouchID won't work with WebAuthn here; a YubiKey will.
  - Answering yes to any of these questions keeps openfortivpn-saml strictly CLI; no browser is shown.
  - Answering no shows a browser, allowing the use of other authentication methods or manual actions.
- If your Okta credentials have changed or you forgot your master password, remove the config file and start the application again to reinitialize.
- The config file location is shown when running the application.
openfortivpn-saml can run both with and without a browser.
- If you change your mind later, you can edit the config file directly; its path is printed when openfortivpn-saml starts.
- To force browser usage regardless of the authentication choices, add `headless: false` to the config file.
Depending on how you currently use openfortivpn, your run command may vary:
`sudo openfortivpn -c /etc/openfortivpn/config --cookie="$(openfortivpn-saml)"`
Note that passing the cookie as a command-line argument makes it visible to other local users in the process list (ps). Recent openfortivpn releases also accept `--cookie-on-stdin`, which lets you pipe the cookie in instead.
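The following helper script is an added example for both the sudoers rule and the run command above; it is not part of openfortivpn-saml or openfortivpn. It installs the sudoers rule only after `visudo -c` accepts it, and it passes the cookie to openfortivpn on stdin rather than on argv so it does not show up in `ps`. It assumes (not stated on this page) that openfortivpn-saml prints the cookie as a single line on stdout and that your openfortivpn is recent enough to have `--cookie-on-stdin`; the function and variable names are this example's own.

```shell
# Added example helper for the sudoers rule and run command described above.
# Not part of openfortivpn-saml or openfortivpn. Assumptions (not from the
# page): openfortivpn-saml prints the cookie as one line on stdout, and the
# installed openfortivpn understands --cookie-on-stdin.
# Usage: source this file, run install_sudoers_rule once, then vpn_up.

OPENFORTIVPN_CONFIG="${OPENFORTIVPN_CONFIG:-/etc/openfortivpn/config}"

# openfortivpn_has_option OPTION: read `openfortivpn --help` output on stdin
# and succeed if OPTION is listed. Used to catch a too-old build up front.
openfortivpn_has_option() {
    grep -q -- "$1"
}

# cookie_is_plausible COOKIE: reject empty output and anything containing
# whitespace, which is what an error message or a stray prompt would look
# like if it landed on stdout instead of a cookie.
cookie_is_plausible() {
    case "$1" in
        '') return 1 ;;
        *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sudoers_rule USER PATH: the rule from the page, for one fixed binary path.
sudoers_rule() {
    printf '%s ALL = (root) NOPASSWD: %s\n' "$1" "$2"
}

# install_sudoers_rule: write the rule to a temp file, let visudo check the
# syntax, and only then install it root-owned and read-only (mode 0440).
# A broken sudoers.d file can lock every sudo user out, so never write it
# to /etc unchecked.
install_sudoers_rule() {
    bin=$(command -v openfortivpn) || { echo "openfortivpn not in PATH" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_rule "${USER:-$(id -un)}" "$bin" > "$tmp"
    if sudo visudo -cf "$tmp"; then
        sudo install -o root -g 0 -m 0440 "$tmp" /etc/sudoers.d/openfortivpn
        rc=$?
    else
        echo "refusing to install a sudoers rule that visudo rejects" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# vpn_up: obtain the SAML cookie and hand it to openfortivpn on stdin, so it
# never appears in the process list the way --cookie="..." on argv does.
vpn_up() {
    command -v openfortivpn >/dev/null 2>&1 || { echo "openfortivpn not in PATH" >&2; return 1; }
    openfortivpn --help 2>&1 | openfortivpn_has_option '--cookie-on-stdin' \
        || { echo "openfortivpn too old: no --cookie-on-stdin" >&2; return 1; }
    cookie=$(openfortivpn-saml) || { echo "SAML login failed" >&2; return 1; }
    cookie_is_plausible "$cookie" || { echo "unexpected output from openfortivpn-saml" >&2; return 1; }
    printf '%s\n' "$cookie" | sudo openfortivpn -c "$OPENFORTIVPN_CONFIG" --cookie-on-stdin
}
```

Source the file (`. ./vpn-up.sh`) rather than executing it, so the functions land in your shell; `install_sudoers_rule` will prompt for your password once, after which `vpn_up` runs non-interactively apart from the SAML step itself.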
As openfortivpn-saml is not built by a registered Apple developer, it is not signed.
This means macOS Gatekeeper will block it on the first run, and you need to allow openfortivpn-saml afterwards under
System Preferences > Security & Privacy
On some systems, the "Allow Anyway" button is on the General tab:
System Preferences > Security & Privacy > General
- SAML authentication is a browser-driven flow (redirects to the IdP, a login page, and a form POST back to the gateway), so openfortivpn-saml has to drive a real browser engine even in headless mode.
- When starting openfortivpn-saml for the first time, it will download dependencies such as Chromium and Playwright, so the first run needs network access and takes somewhat longer.
This does not happen in subsequent runs and should not take too long.