Boilerplates/IdentityProvider/proxmox.md

Proxmox

Base URLs:

IDP: fac.mydomain.com
SP for PVE: pve01.mydomain.local:8006 SP for PBS: pbs.mydomain.local:8007

FAC

#1 Authentication > OAuth Service > Portals

1. Create New
2. Name: Proxmox
3. leave everything else default
4. Save

#2 Authentication > OAuth Service > Policies

1. Create New
2. Policy type: Name: Proxmox
3. Identity sources: Realm: select your realm and Groups in den Filter that should have access
4. Authentication factors: Change settings to your needs, f.e. Application name for FTM push notification: Proxmox

#3 Authentication > OAuth Service > Scopes

1. Create New (if not already there)
2. Name: profile
3. Name: email

#4 Authentication > OAuth Service > Relying Party

1. Name: Proxmox
2. Client type: Confidential
3. Authorization grant types: Authorization code
4. Client ID: note this ID
5. Client secret: note this secret
6. Policy: choose Proxmox from Step 2
7. Access token expiry: change to your needs or leave default (36000 seconds)
8. Refresh token expiry: change to your needs or leave default (1 day)
9. for PVE - Redirect URIs: https://pve01.mydomain.local:8006 (if you have multiple hosts just enter them same way with space in between)
   for PBS - Redirect URIs: https://pbs.mydomain.local:8007 (if you have multiple hosts just enter them same way with space in between)
10. Add 3 Scopes with + Add Relying Party Scope
11. Set the scopes to this:

    Scope	Default
    openid	x
    email	x
    profile	x

12. Save
13. Add 1 Claim with + Add Claim
14. Set the Claims to this:

    Scope	Name	User Attribute
    openid	preferred_username	Email

15. Save

Proxmox VE

#1 Datacenter > Permissions > Realms

1. Click on Add and choose OpenID Connect Server from dropdownlist
2. Issuer URL: https://fac.mydomain.com/api/vl/oauth
3. Realm: FortiAuthenticator (choose name whatever you want)
4. Client ID: ID from FAC step #4-4
5. Client Key: secret from FAC step #4-5
6. Default: Check this if you want FAC to be your default IDP to login
7. Autocreate Users: Check this if you want autocreation of users.
8. Username Claim: username
9. Scopes: Default (email profile)
10. Prompt: Auth-Provider Default
11. Add

#2 Datacenter > Permissions

1. Click on Add to create a new Group Permission
2. Now you can change to Group on autocreated users to the groups you have just created to give new users permissions.

Proxmox PBS

#1 Configuration > Access Control > Realms

1. Click on Add and choose OpenID Connect Server from dropdownlist
2. Issuer URL: https://fac.mydomain.com/api/vl/oauth
3. Realm: FortiAuthenticator (choose name whatever you want)
4. Client ID: ID from FAC step #4-4
5. Client Key: secret from FAC step #4-5
6. Autocreate Users: Check this if you want autocreation of users.
7. Username Claim: username
8. Scopes: Default (email profile)
9. Prompt: Auth-Provider Default
10. Add
    

#2 Configuration > Access Control > Permissions

1. Click on Add to create a new User Permission