# Proxmox

Base URLs:

IDP: fac.mydomain.com
SP for PVE: pve01.mydomain.local:8006
SP for PBS: pbs.mydomain.local:8007

## FAC

#1 Authentication > OAuth Service > Portals

  1. Create New
  2. Name: Proxmox
  3. Leave everything else at its default
  4. Save

#2 Authentication > OAuth Service > Policies

  1. Create New
  2. Policy type: Name: Proxmox
  3. Identity sources: Realm: select your realm and, in the Groups filter, the groups that should have access
  4. Authentication factors: change the settings to your needs, e.g. Application name for FTM push notification: Proxmox IDP

#3 Authentication > OAuth Service > Scopes

  1. Create New (if not already there)
  2. Name: profile
  3. Name: email

#4 Authentication > OAuth Service > Relying Party

  1. Name: Proxmox
  2. Client type: Confidential
  3. Authorization grant types: Authorization code
  4. Client ID: note this ID
  5. Client secret: note this secret
  6. Policy: choose Proxmox from Step 2
  7. Access token expiry: change to your needs or leave default (36000 seconds)
  8. Refresh token expiry: change to your needs or leave default (1 day)
  9. For PVE - Redirect URIs: https://pve01.mydomain.com:8006 (if you have multiple hosts, enter them the same way, separated by spaces)
     For PBS - Redirect URIs: https://pbs.mydomain.com:8007 (if you have multiple hosts, enter them the same way, separated by spaces)
  10. Add 3 Scopes with + Add Relying Party Scope
  11. Set the scopes to this:

      | Scope   | Default |
      |---------|---------|
      | openid  | x       |
      | email   | x       |
      | profile | x       |
  12. Save
  13. Add 1 Claim with + Add Claim
  14. Set the claim to this:

      | Scope  | Name               | User Attribute |
      |--------|--------------------|----------------|
      | openid | preferred_username | Email          |

  15. Save

## Proxmox VE

#1 Datacenter > Permissions > Realms

  1. Click on Add and choose OpenID Connect Server from the drop-down list
  2. Issuer URL: https://fac.mydomain.com/api/v1/oauth
  3. Realm: FortiAuthenticator (choose whatever name you want)
  4. Client ID: ID from FAC step #4-4
  5. Client Key: secret from FAC step #4-5
  6. Default: check this if you want FAC to be your default realm for login
  7. Autocreate Users: Check this if you want autocreation of users.
  8. Username Claim: username
  9. Scopes: Default (email profile)
  10. Prompt: Auth-Provider Default
  11. Add

#2 Datacenter > Permissions

  1. Click on Add to create a new Group Permission
  2. Now you can change the Group of auto-created users to the groups you have just created, which gives new users their permissions.

## Proxmox PBS

#1 Configuration > Access Control > Realms

  1. Click on Add and choose OpenID Connect Server from the drop-down list
  2. Issuer URL: https://fac.mydomain.com/api/v1/oauth
  3. Realm: FortiAuthenticator (choose whatever name you want)
  4. Client ID: ID from FAC step #4-4
  5. Client Key: secret from FAC step #4-5
  6. Autocreate Users: Check this if you want autocreation of users.
  7. Username Claim: username
  8. Scopes: Default (email profile)
  9. Prompt: Auth-Provider Default
  10. Add

#2 Configuration > Access Control > Permissions

  1. Click on Add to create a new User Permission
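The FAC relying party and the two Proxmox realms above only work together when a few strings agree exactly: the Issuer URL, the scopes (openid, email, profile), the claim Proxmox reads as the username, and the redirect URIs. The following Python script is an added example, not part of this boilerplate and not Fortinet's or Proxmox's code. It runs offline on a constructed discovery document and a constructed ID token payload (both built inline with the guide's example hosts) and checks them against the relying-party settings; the mapping of the Proxmox "Username Claim" choices to token claims is an assumption based on the PVE/PBS OpenID realm options, so confirm it against your version. To use it against a real FAC, fetch `<issuer>/.well-known/openid-configuration` and pass the response body to `check_discovery`.

```python
"""Pre-flight checks for the FAC -> Proxmox OIDC setup described above.

Added example, not code from the guide or from Fortinet/Proxmox. It runs
fully offline on a constructed discovery document and a constructed ID
token payload, so it can be used before touching either product.
"""
import json
from urllib.parse import urlsplit

# Relying-party settings as configured in the FAC section of the guide
# (hosts are the guide's example values).
RP = {
    "issuer": "https://fac.mydomain.com/api/v1/oauth",
    "scopes": ["openid", "email", "profile"],
    "claims": ["preferred_username"],
    # FAC takes several redirect URIs separated by spaces
    "redirect_uris": "https://pve01.mydomain.com:8006 https://pbs.mydomain.com:8007",
}

# Constructed discovery document (what an IdP serves under
# <issuer>/.well-known/openid-configuration); only standard keys are used.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://fac.mydomain.com/api/v1/oauth",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "preferred_username"],
})

# Proxmox "Username Claim" setting -> ID token claim it reads (assumption
# based on the PVE/PBS OpenID realm options; verify against your version).
USERNAME_CLAIM_MAP = {"subject": "sub", "username": "preferred_username", "email": "email"}


def split_redirect_uris(value: str) -> list[str]:
    """Split the space-separated FAC redirect URI field into individual URIs."""
    return [u for u in value.split() if u]


def check_discovery(discovery_json: str, rp: dict) -> list[str]:
    """Compare an OIDC discovery document with the relying-party settings.

    Returns a list of human-readable problems; an empty list means the
    IdP advertises everything the Proxmox realm configuration relies on.
    """
    doc = json.loads(discovery_json)
    problems = []

    # Proxmox validates the token's 'iss' against the configured Issuer URL,
    # so the two strings must match exactly (a stray trailing slash breaks it).
    if doc.get("issuer") != rp["issuer"]:
        problems.append(
            f"issuer mismatch: IdP says {doc.get('issuer')!r}, realm configured {rp['issuer']!r}")

    # The relying party was created with grant type 'Authorization code'.
    # If the IdP omits grant_types_supported, the OIDC default includes it.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("IdP does not advertise the authorization_code grant")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type=code")

    for scope in rp["scopes"]:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} is configured on the relying party but not advertised")

    # claims_supported is only RECOMMENDED in discovery; check it when present.
    if "claims_supported" in doc:
        for claim in rp["claims"]:
            if claim not in doc["claims_supported"]:
                problems.append(f"claim {claim!r} (the Proxmox username claim) is not advertised")

    # Each redirect URI must be https://host:port, exactly as the GUI is reached.
    for uri in split_redirect_uris(rp["redirect_uris"]):
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.hostname or parts.port is None:
            problems.append(f"redirect URI {uri!r} should be https://host:port")
    return problems


def redirect_uri_allowed(candidate: str, configured: str) -> bool:
    """Exact-match comparison, which is what an IdP applies to redirect_uri."""
    return candidate in split_redirect_uris(configured)


def proxmox_userid(id_token_claims: dict, username_claim: str, realm: str) -> str:
    """Derive the Proxmox user id '<claim value>@<realm>' from ID token claims.

    Raises KeyError when the token lacks the claim the realm is set to use,
    the usual cause of a failed login or of auto-created users with
    unexpected names.
    """
    claim_name = USERNAME_CLAIM_MAP[username_claim]
    return f"{id_token_claims[claim_name]}@{realm}"


if __name__ == "__main__":
    issues = check_discovery(SAMPLE_DISCOVERY, RP)
    print("discovery check:", "OK" if not issues else issues)
    # Constructed ID token payload for a user whose FAC Email attribute is
    # mapped to preferred_username (guide step #4-14).
    claims = {"sub": "4711", "preferred_username": "alice@mydomain.com", "email": "alice@mydomain.com"}
    print("PVE user id:", proxmox_userid(claims, "username", "FortiAuthenticator"))
```

Redirect URIs are compared by exact match, so the entry in FAC must be the scheme, host and port users actually type into the browser; the Base URLs section lists `.local` hostnames while the relying party is configured with `.com`, so make sure the FAC entry is the name the GUI is really reached under. Because the guide maps preferred_username to the FAC Email attribute, the username part of an auto-created id itself contains an `@`; check the ids that appear under Users after the first login before assigning group permissions.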