Guide : XOA OIDC authentication with Fortiauthenticator
-
If you have an issue authenticating with FortiAuthenticator and OIDC, follow these steps.

First of all: you need a real certificate signed by a legitimate authority on the FortiAuthenticator. Self-signed will not work! No ifs or buts (besides fumbling in the code to allow self-signed, I suppose). You might have to import the certificate as a bundle with its direct signer (not the full chain).

On the FAC:

1. Log into your FAC and go to Authentication / OAuth Service / Portals.
2. Create a new portal with your specific configuration if needed (the default should be fine for a test).
3. Go to Authentication / OAuth Service / Policies.
4. Create a new policy and select the portal you created in the previous step.
5. Go to Authentication / OAuth Service / Relying Party.
6. Create a new Relying Party.
7. Select Confidential and Authorization.
8. Select the policy you created before.
9. Select Relying Scope and add "openid".
10. Select Add Claims and add an openid claim named "preferred_username" with the user attribute "username" (if you select another user attribute, such as email, you will need to adjust the configuration in XOA).
11. Take note of the Client ID and Client Secret.

Now in XOA:

1. Go to Settings / Plugins / Auth-oidc plugin.
2. Input the autodiscovery URL of your FAC: https://your-fac-FQDN/api/v1/oauth/.well-known/openid-configuration/
3. Input the Client ID and Client Secret from your Relying Party in the FAC.
4. Enable the plugin and you should be set.
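Before touching the XOA plugin, it helps to confirm that the FAC discovery document is reachable over properly verified TLS and advertises what the steps above rely on (the openid scope, the code flow, and the preferred_username claim). The script below is an added example, not code from the guide, XOA or FortiAuthenticator; the host your-fac-FQDN and the SAMPLE_DOC contents are constructed placeholders, and the field names are those of OpenID Connect Discovery.

```python
"""Pre-flight check of a FortiAuthenticator OIDC discovery document."""
import json
import ssl
import urllib.request

# Discovery path from the guide; replace the host with your FAC FQDN.
DISCOVERY_URL = "https://your-fac-FQDN/api/v1/oauth/.well-known/openid-configuration/"

# Claim the guide has you add on the Relying Party; XOA reads this name.
USERNAME_CLAIM = "preferred_username"


def fetch_discovery(url: str, timeout: float = 10.0) -> dict:
    """Fetch with strict TLS verification (system CA store, hostname check).
    A self-signed FAC certificate fails here with ssl.SSLCertVerificationError,
    which is the same trust decision XOA makes."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, username_claim: str = USERNAME_CLAIM) -> list:
    """Return the problems found; [] means the document covers the guide's setup."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append("missing " + key)
    issuer = doc.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        problems.append("issuer is not https")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scope 'openid' not advertised")
    # "Confidential" + "Authorization" on the FAC means the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # claims_supported is optional in the spec, so only check it when present.
    if "claims_supported" in doc and username_claim not in doc["claims_supported"]:
        problems.append("claim '%s' not advertised" % username_claim)
    return problems


# Constructed sample standing in for a live FAC response (not real FAC output).
SAMPLE_DOC = {
    "issuer": "https://your-fac-FQDN/api/v1/oauth",
    "authorization_endpoint": "https://your-fac-FQDN/api/v1/oauth/authorize/",
    "token_endpoint": "https://your-fac-FQDN/api/v1/oauth/token/",
    "jwks_uri": "https://your-fac-FQDN/api/v1/oauth/jwks/",
    "scopes_supported": ["openid"],
    "response_types_supported": ["code"],
    "claims_supported": ["sub", "preferred_username"],
}

if __name__ == "__main__":
    print(check_discovery(fetch_discovery(DISCOVERY_URL)) or "discovery looks usable")
```

If you mapped a different user attribute (for example email) on the FAC, pass that claim name as username_claim so the check matches what you will configure in XOA.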