# Proxmox

## Base URLs:

IDP: `fac.mydomain.com`

SP for PVE: `pve01.mydomain.local:8006`

SP for PBS: `pbs.mydomain.local:8007`

> [!TIP]
> If you want a different `Application name for FTM push notification` for PBS, create a second policy for PBS and, of course, a second Relying Party for PBS.

## FAC

**#1 Authentication > OAuth Service > Portals**

1) Create New
2) Name: `Proxmox`
3) Leave everything else at its default
4) Save

**#2 Authentication > OAuth Service > Policies**

1) Create New
2) Policy type / Name: `Proxmox`
3) Identity sources: `Realm: select your realm, and add the groups that should have access to the filter`
4) Authentication factors: change the settings to your needs, e.g. `Application name for FTM push notification: Proxmox`

**#3 Authentication > OAuth Service > Scopes**

1) Create New (if not already there)
2) Name: `profile`
3) Name: `email`

**#4 Authentication > OAuth Service > Relying Party**

1) Name: `Proxmox`
2) Client type: `Confidential`
3) Authorization grant types: `Authorization code`
4) Client ID: `note this ID`
5) Client secret: `note this secret`
6) Policy: `choose Proxmox from Step 2`
7) Access token expiry: `change to your needs or leave default (36000 seconds)`
8) Refresh token expiry: `change to your needs or leave default (1 day)`
9) For **PVE** - Redirect URIs: `https://pve01.mydomain.local:8006` (if you have multiple hosts, enter them the same way, separated by spaces)

   For **PBS** - Redirect URIs: `https://pbs.mydomain.local:8007` (if you have multiple hosts, enter them the same way, separated by spaces)
10) Add 3 Scopes with `+ Add Relying Party Scope`
11) Set the scopes to this:

| Scope | Default |
| :--- | :----: |
| openid | x |
| email | x |
| profile | x |

12) Save
13) Add 1 Claim with `+ Add Claim`
14) Set the Claims to this:

| Scope | Name | User Attribute |
| :--- | :----: | :----: |
| openid | preferred_username | Email |

15) Save

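
The relying-party settings above are only useful if the FAC issuer actually advertises them and the redirect URIs match what Proxmox will send. The following Python script is an added example (not part of this guide or of FortiAuthenticator) that checks an OIDC discovery document against the guide's requirements and builds the space-separated redirect URI value for step 9. The discovery document embedded in it is constructed sample data; its endpoint paths are placeholders, not FAC's real paths, and the hostnames are the guide's placeholders.

```python
"""Sanity checks for the FortiAuthenticator relying-party settings above.

Added example, not part of the original guide.  SAMPLE_DISCOVERY is
CONSTRUCTED data shaped like an OIDC provider metadata response; the
endpoint paths are placeholders, not FAC's real paths.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# Values from the guide (hostnames are the guide's placeholders).
ISSUER = "https://fac.mydomain.com/api/v1/oauth"   # Proxmox "Issuer URL"
REQUIRED_SCOPES = {"openid", "email", "profile"}    # FAC step 11
REQUIRED_CLAIM = "preferred_username"               # FAC step 14; Proxmox "username" claim
REQUIRED_GRANT = "authorization_code"               # FAC step 3

SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://fac.mydomain.com/api/v1/oauth",
  "authorization_endpoint": "https://fac.mydomain.com/placeholder/authorize",
  "token_endpoint": "https://fac.mydomain.com/placeholder/token",
  "jwks_uri": "https://fac.mydomain.com/placeholder/jwks",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "email", "preferred_username"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def fetch_discovery(issuer: str = ISSUER, timeout: float = 10.0) -> dict:
    """Download <issuer>/.well-known/openid-configuration (online use only)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, issuer: str = ISSUER) -> list:
    """Return a list of problems; an empty list means the IdP advertises
    everything the Proxmox realm configuration in this guide relies on."""
    problems = []
    # Proxmox compares the configured issuer with the advertised one as a
    # whole string, so a trailing slash or http:// on either side fails.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    # grant_types_supported, scopes_supported and claims_supported are
    # optional in OIDC discovery: judge them only when they are published.
    if REQUIRED_GRANT not in doc.get("grant_types_supported", [REQUIRED_GRANT]):
        problems.append(f"grant type {REQUIRED_GRANT} not advertised")
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    if "claims_supported" in doc and REQUIRED_CLAIM not in doc["claims_supported"]:
        problems.append(f"claim {REQUIRED_CLAIM} not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID-token signing not advertised")
    return problems


def redirect_uris(hosts, port: int) -> str:
    """Build the 'Redirect URIs' value for FAC step 9: one https origin per
    host, separated by spaces, no path and no trailing slash."""
    return " ".join(f"https://{h}:{port}" for h in hosts)


def redirect_matches(registered: str, actual: str) -> bool:
    """The redirect_uri Proxmox sends is the origin the browser used for the
    GUI, and FAC matches it against the registered list literally, so an IP
    address or another port never matches a registered hostname entry."""
    if urlsplit(actual).scheme != "https":
        return False
    return actual in registered.split()


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY) or "discovery OK")
    uris = redirect_uris(["pve01.mydomain.local", "pve02.mydomain.local"], 8006)
    print(uris, redirect_matches(uris, "https://192.0.2.10:8006"))
```

For a live check, replace `SAMPLE_DISCOVERY` with `fetch_discovery()` from a host that can reach the FAC. The `redirect_matches` helper is the thing to run when a login fails right after the FAC redirect: users who open the Proxmox GUI by IP address or through a different port are sending a redirect URI that was never registered.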
## Proxmox VE

**#1 Datacenter > Permissions > Realms**

1) Click on `Add` and choose `OpenID Connect Server` from the dropdown list
2) Issuer URL: `https://fac.mydomain.com/api/v1/oauth`
3) Realm: `FortiAuthenticator` (choose whatever name you want)
4) Client ID: `ID from FAC step #4-4`
5) Client Key: `secret from FAC step #4-5`
6) Default: check this if you want FAC to be the default IDP on the login page
7) Autocreate Users: check this if you want users to be created automatically on first login
8) Username Claim: `username`
9) Scopes: `Default (email profile)`
10) Prompt: `Auth-Provider Default`
11) Add

**#2 Datacenter > Permissions**

1) Click on `Add` to create a new Group Permission
2) Now you can set the group of autocreated users to the group you have just created, which gives new users their permissions.

## Proxmox PBS

**#1 Configuration > Access Control > Realms**

1) Click on `Add` and choose `OpenID Connect Server` from the dropdown list
2) Issuer URL: `https://fac.mydomain.com/api/v1/oauth`
3) Realm: `FortiAuthenticator` (choose whatever name you want)
4) Client ID: `ID from FAC step #4-4`
5) Client Key: `secret from FAC step #4-5`
6) Autocreate Users: check this if you want users to be created automatically on first login
7) Username Claim: `username`
8) Scopes: `Default (email profile)`
9) Prompt: `Auth-Provider Default`
10) Add
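
The PVE and PBS realm steps above are the same settings entered in two GUIs. The following Python script is an added example (not the guide's or Proxmox's own tooling) that turns those GUI values into the equivalent `pveum realm add` and `proxmox-backup-manager openid realm create` calls and shows how the `Username Claim: username` setting resolves to a Proxmox user id: Proxmox reads the `preferred_username` claim, which FAC step #4-14 fills from the account's Email attribute. The option names are an assumption taken from the documented CLI options at the time of writing (check `--help` on your version); the client ID and secret are placeholders.

```python
"""Proxmox-side helpers for the realm settings above (PVE and PBS).

Added example, not the project's own tooling.  CLI option names are an
ASSUMPTION to verify with `--help` on your version; CLIENT_ID and
CLIENT_KEY are placeholders for the values noted in FAC steps #4-4/#4-5.
"""
import shlex
import subprocess

REALM = "FortiAuthenticator"
ISSUER = "https://fac.mydomain.com/api/v1/oauth"
CLIENT_ID = "PLACEHOLDER-client-id"          # FAC step #4-4
CLIENT_KEY = "PLACEHOLDER-client-secret"     # FAC step #4-5

# Proxmox "Username Claim" GUI choices and the ID-token claim each one reads.
USERNAME_CLAIM_MAP = {"subject": "sub", "username": "preferred_username", "email": "email"}


def pve_realm_add_argv(realm=REALM, issuer=ISSUER, client_id=CLIENT_ID,
                       client_key=CLIENT_KEY, default=True, autocreate=True):
    """argv for `pveum realm add` mirroring the 'Proxmox VE' section."""
    argv = ["pveum", "realm", "add", realm, "--type", "openid",
            "--issuer-url", issuer, "--client-id", client_id,
            "--client-key", client_key, "--username-claim", "username",
            "--scopes", "email profile",
            "--autocreate", "1" if autocreate else "0"]
    if default:
        argv += ["--default", "1"]
    return argv


def pbs_realm_create_argv(realm=REALM, issuer=ISSUER, client_id=CLIENT_ID,
                          client_key=CLIENT_KEY, autocreate=True):
    """argv for `proxmox-backup-manager openid realm create` mirroring the
    'Proxmox PBS' section (the PBS realm dialog has no 'Default' box)."""
    return ["proxmox-backup-manager", "openid", "realm", "create", realm,
            "--issuer-url", issuer, "--client-id", client_id,
            "--client-key", client_key, "--username-claim", "username",
            "--scopes", "email profile",
            "--autocreate", "true" if autocreate else "false"]


def proxmox_userid(id_token_claims: dict, realm=REALM, username_claim="username") -> str:
    """User id Proxmox derives (and, with autocreate, creates) from an ID token.

    With the FAC claim from step #4-14, preferred_username carries the
    account's Email attribute, so an account without an email address
    yields no claim and the login fails instead of creating a user."""
    claim = USERNAME_CLAIM_MAP.get(username_claim, username_claim)
    value = id_token_claims.get(claim)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"ID token has no usable '{claim}' claim: {value!r}")
    return f"{value}@{realm}"


def run(argv, dry_run=True):
    """Print the command with the secret masked; execute only on a real node."""
    masked = list(argv)
    if "--client-key" in masked:
        masked[masked.index("--client-key") + 1] = "********"
    print(shlex.join(masked))
    if not dry_run:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    run(pve_realm_add_argv())
    run(pbs_realm_create_argv())
    # CONSTRUCTED ID-token claims as FAC would issue them for the setup above.
    claims = {"sub": "1234", "email": "alice@mydomain.com",
              "preferred_username": "alice@mydomain.com"}
    print(proxmox_userid(claims))
```

Run it with `dry_run=True` (the default) anywhere to review the commands; pass `dry_run=False` only on the PVE or PBS node itself. Because the secret is passed as a command-line argument, it ends up in shell history when the commands are typed by hand, which is one reason to keep `run()` as the entry point rather than pasting the printed line.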

**#2 Configuration > Access Control > Permissions**

1) Click on `Add` to create a new User Permission