WirFixenAlles/Boilerplates
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
39041a74b6318b8f6d559284d80d802d9272b393
Boilerplates/IdentityProvider/proxmox.md

2.5 KiB
Raw Blame History

Proxmox

Base URLs:

IDP: fac.mydomain.com
SP: pve01.mydomain.local

FAC

#1 Authentication > OAuth Service > Portals

  1. Create New
  2. Name: Proxmox
  3. leave everything else default
  4. Save IDP

#2 Authentication > OAuth Service > Policies

  1. Create New
  2. Policy type: Name: Proxmox
  3. Identity sources: Realm: select your realm and Groups in den Filter that should have access
  4. Authentication factors: Change settings to your needs, f.e. Application name for FTM push notification: Proxmox IDP

#3 Authentication > OAuth Service > Scopes

  1. Create New (if not already there)
  2. Name: profile
  3. Name: email IDP

#4 Authentication > OAuth Service > Relying Party

  1. Name: Proxmox
  2. Client type: Confidential
  3. Authorization grant types: Authorization code
  4. Client ID: note this ID
  5. Client secret: note this secret
  6. Policy: choose Proxmox from Step 2
  7. Access token expiry: change to your needs or leave default (36000 seconds)
  8. Refresh token expiry: change to your needs or leave default (1 day)
  9. Redirect URIs: https://pve01.mydomain.com:8006 (if you have multiple hosts just enter them same way with space in between)
  10. Add 3 Scopes with + Add Relying Party Scope
  11. Set the scopes to this:
    Scope Default
    openid x
    email x
    profile x
  12. Save
  13. Add 1 Claim with + Add Claim
  14. Set the Claims to this:
    Scope Name User Attribute
    openid preferred_username Email
  15. Save IDP

Proxmox VE

#1 Datacenter > Permissions > Realms

  1. Click on Add and choose OpenID Connect Server from dropdownlist
  2. Issuer URL: https://fac.mydomain.com/api/vl/oauth
  3. Realm: FortiAuthenticator (choose name whatever you want)
  4. Client ID: ID from FAC step #4-4
  5. Client Key: secret from FAC step #4-5
  6. Default: Check this if you want FAC to be your default IDP to login
  7. Autocreate Users: Check this if you want autocreation of users.
  8. Username Claim: username
  9. Scopes: Default (email profile)
  10. Prompt: Auth-Provider Default
  11. Add SP

#2 Datacenter > Permissions

  1. Click on Add to create a new Group Permission SP
  2. Now you can change to Group on autocreated users to the groups you have just created to give new users permissions.
Reference in New Issue View Git Blame Copy Permalink