diff --git a/IdentityProvider/FortiAuthenticator.md b/IdentityProvider/FortiAuthenticator.md index beb875f..7c468d8 100644 --- a/IdentityProvider/FortiAuthenticator.md +++ b/IdentityProvider/FortiAuthenticator.md 
@@ -1,10 +1,52 @@ -The FortiAuthenticator ist called FAC here, as this is the shortname used by Fortinet themself. +The FortiAuthenticator ist called `FAC` here, as this is the shortname used by Fortinet themself. +In this repo we use `fac.mydomain.com` as our base URL for the FAC. # OIDC / OAuth ## Engomo -**On the FAC** -### Authentication > OAuth Service > Relying Party +### FAC - part + +**#1 Authentication > OAuth Service > Portals** +1) Create New +2) Name: `Engomo` +3) leave everything else default +4) Save + +**#2 Authentication > OAuth Service > Policies** +1) Create New +2) Policy type: Name: `Engomo` +3) Identity sources: `Realm: select your realm and Groups in den Filter that should have access` +4) Authentication factors: Change settings to your needs, f.e. `Application name for FTM push notification: Engomo` + +**#3 Authentication > OAuth Service > Scopes** +1) Create New +2) Name: `profile` +3) Name: `email` + +**#4 Authentication > OAuth Service > Relying Party** +1) Name: `Engomo` +2) Client type: `Confidential` +3) Authorization grant types: `Authorization code` +4) Client ID: `note this ID` +5) Client secret: `note this secret` +6) Policy: `choose "Engomo" from Step 2` +7) Access token expiry: `change to your needs or leave default (36000 seconds)` +8) Refresh token expiry: `change to your needs or leave default (1 day)` +9) Redirect URIs: `https://fac.mydomain.com/auth` +10) Add 3 Scopes with `+ Add Relying Party Scope` +11) Set the scopes to this: +| Scope | Default | +| :--- | :----: | +| openid | x | +| email | x | +| profile | x | +12) Save +13) Add 1 Claim with `+ Add Claim` +14) Set the Claims to this: +| Scope | Name | User Attribute | +| :--- | :----: | :----: | +| openid | preferred_username | Email | + ![RelyingParty](screenshots/FAC-engomo01.png) \ No newline at end of file
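Review bot: step 9 of `#4 Authentication > OAuth Service > Relying Party` registers `https://fac.mydomain.com/auth` as the redirect URI, but that is the FAC's own base URL from the intro line, not the Engomo application's callback; the FAC will only send the authorization code to the URIs registered here, so please confirm that this is really where Engomo receives the code, or replace it with a clearly marked placeholder for the Engomo host (e.g. `https://engomo.mydomain.com/...`). Smaller points in the same hunk: `#2 Policies` step 2 reads `Policy type: Name: `Engomo`` and is missing the actual policy type value; step 3 of that block mixes German into the English text (`Groups in den Filter`); `#3 Scopes` creates only `profile` and `email` while the relying-party scope table also lists `openid`, so state whether `openid` exists by default; and the intro line still has the typo `ist` for `is`.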