Boilerplates/IdentityProvider/FortiAuthenticator.md
2024-06-28 18:34:43 +00:00


The FortiAuthenticator is called FAC here, as this is the short name used by Fortinet themselves. In this repo we use fac.mydomain.com as the base URL for the FAC.

OIDC / OAuth

Engomo

FAC - part

#1 Authentication > OAuth Service > Portals

  1. Create New
  2. Name: Engomo
  3. leave everything else default
  4. Save

#2 Authentication > OAuth Service > Policies

  1. Create New
  2. Policy type: Name: Engomo
  3. Identity sources: Realm: select your realm, and add a Groups filter for the groups that should have access
  4. Authentication factors: change the settings to your needs, e.g. Application name for FTM push notification: Engomo

#3 Authentication > OAuth Service > Scopes

  1. Create New
  2. Name: profile
  3. Name: email

#4 Authentication > OAuth Service > Relying Party

  1. Name: Engomo
  2. Client type: Confidential
  3. Authorization grant types: Authorization code
  4. Client ID: note this ID
  5. Client secret: note this secret
  6. Policy: choose "Engomo" from Step 2
  7. Access token expiry: change to your needs or leave default (36000 seconds)
  8. Refresh token expiry: change to your needs or leave default (1 day)
  9. Redirect URIs: https://fac.mydomain.com/auth
  10. Add 3 Scopes with + Add Relying Party Scope
  11. Set the scopes to this:

      | Scope   | Default |
      |---------|---------|
      | openid  | x       |
      | email   | x       |
      | profile | x       |
  12. Save
  13. Add 1 Claim with + Add Claim
  14. Set the Claims to this:

      | Scope  | Name               | User Attribute |
      |--------|--------------------|----------------|
      | openid | preferred_username | Email          |
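
As an added example (not part of this boilerplate or of Fortinet's code), here is the relying-party side of the flow configured above in Python: it builds the authorization request with the three scopes, accepts a callback only on the exact redirect URI with a matching state, and checks the ID-token claims, including the preferred_username claim that is mapped to the Email attribute. The FAC authorize endpoint path is a placeholder not taken from this page, and the ID-token signature check against the FAC's signing keys is assumed to happen before check_tokens is called.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
# Settings copied from the FAC relying-party configuration described above.
FAC_BASE = "https://fac.mydomain.com"
REDIRECT_URI = "https://fac.mydomain.com/auth"
SCOPES = ("openid", "email", "profile")
ACCESS_TOKEN_EXPIRY = 36000  # seconds, the FAC default noted above
# Placeholder: this page does not give the FAC authorize endpoint path.
AUTHORIZE_PATH = "/AUTHORIZE_ENDPOINT_PATH"

def new_login_state():  # per-login state (CSRF binding) and nonce (replay binding)
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)

def build_authorize_url(client_id, state, nonce):
    params = {
        "response_type": "code",     # Authorization grant type: Authorization code
        "client_id": client_id,      # the Client ID noted in step 4
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),   # the three relying-party scopes
        "state": state,
        "nonce": nonce,
    }
    return f"{FAC_BASE}{AUTHORIZE_PATH}?{urlencode(params)}"

def parse_callback(url, expected_state):
    """Return the authorization code, or None if the callback must be rejected."""
    p = urlparse(url)
    if f"{p.scheme}://{p.netloc}{p.path}" != REDIRECT_URI:
        return None  # only an exact redirect_uri match is accepted
    q = parse_qs(p.query)
    if "error" in q or q.get("state", [None])[0] != expected_state:
        return None
    return q.get("code", [None])[0]

def check_tokens(token_resp, id_claims, client_id, nonce):
    """Problems in the token response and the (signature-verified) ID-token claims."""
    problems = []
    if token_resp.get("expires_in", 0) > ACCESS_TOKEN_EXPIRY:
        problems.append("access token outlives the configured expiry")
    if not str(id_claims.get("iss", "")).startswith(FAC_BASE):
        problems.append("ID token not issued by the FAC")
    aud = id_claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("ID token not issued for this client")
    if id_claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if "@" not in str(id_claims.get("preferred_username", "")):
        problems.append("preferred_username missing or not an email")  # mapped to Email above
    return problems
```

An empty list from check_tokens means the login can be accepted; anything else should be logged and the session refused.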

RelyingParty