2.3 KiB
2.3 KiB
The FortiAuthenticator ist called FAC here, as this is the shortname used by Fortinet themself.
In this repo we use fac.mydomain.com as our base URL for the FAC.
OIDC / OAuth
Engomo
For this serviceprovider we use this URL engomo.mydomain.com
FAC
#1 Authentication > OAuth Service > Portals
- Create New
- Name:
Engomo - leave everything else default
- Save
#2 Authentication > OAuth Service > Policies
- Create New
- Policy type: Name:
Engomo - Identity sources:
Realm: select your realm and Groups in den Filter that should have access - Authentication factors: Change settings to your needs, f.e.
Application name for FTM push notification: Engomo
#3 Authentication > OAuth Service > Scopes
- Create New
- Name:
profile - Name:
email
#4 Authentication > OAuth Service > Relying Party
- Name:
Engomo - Client type:
Confidential - Authorization grant types:
Authorization code - Client ID:
note this ID - Client secret:
note this secret - Policy:
choose "Engomo" from Step 2 - Access token expiry:
change to your needs or leave default (36000 seconds) - Refresh token expiry:
change to your needs or leave default (1 day) - Redirect URIs:
https://engomo.mydomain.com/auth - Add 3 Scopes with
+ Add Relying Party Scope - Set the scopes to this:
Scope Default openid x email x profile x - Save
- Add 1 Claim with
+ Add Claim - Set the Claims to this:
Scope Name User Attribute openid preferred_username Email
#5 Screenshots for IDP
Engomo
#1 Server > Authentication
- Hit the
+icon to add a new IDP - Name:
FortiAuthenticator(choose name whatever you want)
- Type: OpenID Connect
- Issuer: https://fac.mydomain.com/api/vl/oauth
- Client ID:
ID from FAC step #4-4 - Client secret:
secret from FAC step #4-5 - Config Mode:
Auto-Configuration - Access token pass-through:
Prohibited - Save
#2 Users & Devices > Users
- Create a new user (
+icon) or use an existing one - Authenticator: Choose
FortiAuthenticatorfrom step #2
#3 Screenshots for IDP