    Guide : XOA OIDC authentication with Fortiauthenticator
Posted by dsmteam (last edited by dsmteam)

If you have an issue authenticating with Fortiauthenticator and OIDC, follow these steps.
First of all: you need a real certificate signed by a legitimate authority on the Fortiauthenticator. Self-signed will not work! No ifs or buts (besides fumbling in the code to allow self-signed, I suppose).
You might have to import the certificate as a bundle with its direct signee (not the full chain).

After that, just log into your FAC and go to: Authentication/OAuth Service/Portals
      Create a new portal with your specific configuration if needed (default should be fine for a test)

Go to: Authentication/OAuth Service/Policies

      Create a new policy and select the Portal you created in the previous step

Go to: Authentication/OAuth Service/Relying Party

      Create a new Relying party
      Select Confidential and Authorization
      Select the policy you created before

      Select Relying Scope and add "openid"
Select Add Claims and add an openid claim named "preferred_username" with user attribute "username" (if you select another user attribute, like email, you will need to adjust the configuration in XOA)
      Take note of the Client ID and Client Secret

      Now in XOA, go to Settings/plugins/Auth-oidc plugin

      Input the autodiscovery of your FAC
      https://your-fac-FQDN/api/v1/oauth/.well-known/openid-configuration/

      Input the client ID and client secret from your Relying Party in the FAC

      Enable the plugin and you should be set

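A pre-flight check for the two things the post says must be right before enabling the plugin, the trusted TLS certificate on the discovery URL and the "openid" scope plus "preferred_username" claim on the Relying Party. This is an added example, not code from the post, from Xen Orchestra or from Fortinet; the discovery path and the default claim name are taken from the post, while the host name `fac.example.test` and the sample discovery document are constructed.

```python
"""Pre-flight check for the OIDC discovery document of a FortiAuthenticator
(or any OpenID Provider) before enabling the XOA auth-oidc plugin.

Added example, not part of the forum post or of Xen Orchestra / Fortinet code.
Assumed: the discovery URL pattern from the post, and the default username
claim "preferred_username" used in the post's Relying Party setup.
"""
import json
import ssl
import urllib.request

DISCOVERY_PATH = "/api/v1/oauth/.well-known/openid-configuration/"

# Endpoints every usable OpenID Provider metadata document must publish.
REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(fqdn):
    """Build the autodiscovery URL from the FAC FQDN as the post gives it."""
    return "https://" + fqdn.strip().rstrip("/") + DISCOVERY_PATH


def check_discovery(doc, expected_claim="preferred_username"):
    """Return a list of problems with a parsed discovery document.

    An empty list means the provider advertises what the XOA plugin needs:
    HTTPS endpoints, the "openid" scope and the username claim the plugin
    is configured to read.
    """
    problems = []
    for key in REQUIRED_URLS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing '{key}'")
        elif not value.startswith("https://"):
            problems.append(f"'{key}' is not https: {value}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("'openid' scope not advertised; add it to the Relying Scope")
    # claims_supported is only RECOMMENDED by OpenID Connect Discovery, so its
    # absence is not an error; a published list that lacks the claim is.
    claims = doc.get("claims_supported")
    if claims is not None and expected_claim not in claims:
        problems.append(
            f"claim '{expected_claim}' not advertised; add it on the Relying Party "
            "or change the username claim in the XOA plugin")
    return problems


def fetch_discovery(fqdn, timeout=10):
    """Fetch and parse the discovery document with certificate verification on.

    ssl.create_default_context() validates the chain against the system trust
    store and checks the hostname, so a self-signed FAC certificate fails here
    with ssl.SSLCertVerificationError, the same failure the plugin runs into.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(discovery_url(fqdn), timeout=timeout, context=ctx) as resp:
        return json.load(resp)


# Constructed sample standing in for a FAC response (not real FAC output).
SAMPLE_DOC = {
    "issuer": "https://fac.example.test/api/v1/oauth",
    "authorization_endpoint": "https://fac.example.test/api/v1/oauth/authorize/",
    "token_endpoint": "https://fac.example.test/api/v1/oauth/token/",
    "jwks_uri": "https://fac.example.test/api/v1/oauth/jwks/",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "preferred_username", "email"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check: python check_oidc.py your-fac-FQDN [claim]
        claim = sys.argv[2] if len(sys.argv) > 2 else "preferred_username"
        doc = fetch_discovery(sys.argv[1])
    else:
        doc, claim = SAMPLE_DOC, "preferred_username"
    problems = check_discovery(doc, claim)
    print("OK" if not problems else "\n".join(problems))
```

Run it with the FAC FQDN as the first argument to test the live endpoint; a certificate verification error at that point is the same trust problem the post describes, and the script deliberately does not offer a way to switch verification off. Pass a second argument when the Relying Party maps a different attribute, so the check matches what is configured in XOA.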
