# Proxmox

## Base URLs:

IDP: `fac.mydomain.com`

SP: `pve01.mydomain.local`

## FAC

**#1 Authentication > OAuth Service > Portals**

1) Create New
2) Name: `Proxmox`
3) Leave everything else default
4) Save

![IDP](images/proxmox_idp_01.png)

**#2 Authentication > OAuth Service > Policies**

1) Create New
2) Policy type: Name: `Proxmox`
3) Identity sources: `Realm: select your realm and, in the filter, the groups that should have access`
4) Authentication factors: Change settings to your needs, e.g. `Application name for FTM push notification: Proxmox`

![IDP](images/proxmox_idp_02.png)

**#3 Authentication > OAuth Service > Scopes**

1) Create New (if not already there)
2) Name: `profile`
3) Name: `email`

![IDP](images/extra_scopes.png)

**#4 Authentication > OAuth Service > Relying Party**

1) Name: `Proxmox`
2) Client type: `Confidential`
3) Authorization grant types: `Authorization code`
4) Client ID: `note this ID`
5) Client secret: `note this secret`
6) Policy: `choose Proxmox from Step 2`
7) Access token expiry: `change to your needs or leave default (36000 seconds)`
8) Refresh token expiry: `change to your needs or leave default (1 day)`
9) Redirect URIs: `https://pve01.mydomain.com:8006` (if you have multiple hosts, enter them the same way, separated by spaces)
10) Add 3 Scopes with `+ Add Relying Party Scope`
11) Set the scopes to this:

    | Scope | Default |
    | :--- | :----: |
    | openid | x |
    | email | x |
    | profile | x |

12) Save
13) Add 1 Claim with `+ Add Claim`
14) Set the Claims to this:

    | Scope | Name | User Attribute |
    | :--- | :----: | :----: |
    | openid | preferred_username | Email |

15) Save

![IDP](images/proxmox_idp_03.png)

## Proxmox VE

**#1 Datacenter > Permissions > Realms**

1) Click on `Add` and choose `OpenID Connect Server` from the drop-down list
2) Issuer URL: `https://fac.mydomain.com/api/vl/oauth`
3) Realm: `FortiAuthenticator` (choose any name you want)
4) Client ID: `ID from FAC step #4-4`
5) Client Key: `secret from FAC step #4-5`
6) Default: Check this if you want FAC to be your default IDP for login
7) Autocreate Users: Check this if you want autocreation of users.
8) Username Claim: `username`
9) Scopes: `Default (email profile)`
10) Prompt: `Auth-Provider Default`
11) Add

![SP](images/proxmox_sp_01.png)

**#2 Datacenter > Permissions**

1) Click on `Add` to create a new Group Permission

   ![SP](images/proxmox_sp_02.png)

2) Now you can change the group of autocreated users to the groups you have just created to give new users permissions.
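
The following pre-flight check is an added example, not part of the original guide or of FortiAuthenticator or Proxmox: it compares the realm settings from Proxmox VE step #1 and the redirect URIs from FAC step #4 against an OpenID Connect discovery document. The discovery JSON is a constructed sample, and `check_realm` and its parameters are hypothetical names. It assumes the IdP matches redirect URIs by exact string and that Proxmox sends the origin of the URL opened in the browser.

```python
import json

# Constructed sample of the JSON an OpenID Connect provider publishes at
# <issuer>/.well-known/openid-configuration (not captured from a real FAC).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://fac.mydomain.com/api/vl/oauth",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "email", "profile"]
}
""")


def check_realm(discovery, issuer_url, scopes, registered_redirects, browser_origins):
    """Return a list of problems; an empty list means the settings line up."""
    problems = []
    # OIDC Discovery: the published issuer must equal the configured URL
    # exactly (scheme, host, path, trailing slash).
    published = discovery.get("issuer")
    if published != issuer_url:
        problems.append(f"issuer mismatch: realm has {issuer_url!r}, IdP publishes {published!r}")
    if not issuer_url.startswith("https://"):
        problems.append("issuer URL is not https")
    # The relying party in FAC step #4 uses the authorization code grant.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP does not advertise response type 'code'")
    # "openid" is always requested; scopes_supported is optional metadata.
    supported = discovery.get("scopes_supported")
    if supported is not None:
        for scope in ["openid", *scopes.split()]:
            if scope not in supported:
                problems.append(f"scope {scope!r} not advertised by the IdP")
    # Assumption: exact string match on redirect URIs; Proxmox sends the
    # origin of the URL the user opened in the browser.
    registered = set(registered_redirects.split())
    for origin in browser_origins:
        if origin not in registered:
            problems.append(f"redirect URI {origin!r} is not registered on the relying party")
    return problems


if __name__ == "__main__":
    for line in check_realm(SAMPLE_DISCOVERY, "https://fac.mydomain.com/api/vl/oauth",
                            "email profile", "https://pve01.mydomain.com:8006",
                            ["https://pve01.mydomain.com:8006",
                             "https://pve01.mydomain.local:8006"]):
        print("PROBLEM:", line)
```

Run it with every hostname users actually type to reach the Proxmox web UI; each one needs its own entry in the relying party's Redirect URIs field.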