Administration Guide

Relying Party

OAuth relying parties (RP), otherwise known as clients, can be managed from Authentication > OAuth Service > Relying Party. They correspond to the OAuth clients that have been issued credentials for requesting OAuth tokens from the FortiAuthenticator.

OpenID Connect (OIDC) authentication can be enabled for the relying party by configuring an authorization code, policy, redirect URI, and claim(s).

The OAuth service has a pre-configured FortiOS Fabric OAuth application used for Fortinet Security Fabric integration. The FortiOS Fabric application settings should not be changed.

To configure an OAuth application:
  1. From the OAuth application list, select Create New to add a new OAuth application.
  2. The Create New Application window opens.

  3. Enter the following information:

    Name

    Enter a name for the client.

    Client type

    Select the client type for the client:

    • Confidential: The relying party must provide a valid client ID, user credentials, and the client secret to obtain an OAuth token.
    • Public: The relying party must provide a valid client ID and user credentials to obtain an OAuth token. Clients are not required to provide a client secret in requests to the OAuth application.

    Authorization grant types

    Select the authorization grant type:

    • Resource owner password-based: Authentication and authorization are API-based.
    • Authorization code: Authentication and authorization are initiated by the relying party, but the end-user provides their credentials through their browser on the FortiAuthenticator login portal. Selecting this setting allows for the configuration of OpenID Connect claims. This option is only available when the Client type is Confidential.

    Client ID

    Enter a client ID. A generated value is provided by default.

    Client secret

    Enter a client secret. A generated value is provided by default. You can configure the length of the automatically generated value under Authentication > OAuth Service > General.

    This field is only available when the Client type is Confidential.

    Access token expiry

    Enter the length of time for which OAuth access tokens issued by this application are valid. The default is 36000 seconds (10 hours). Access tokens will not expire if the value is set to 0.

    Policy

    Select a policy. OAuth policies are configured in Authentication > OAuth Service > Policies. See Policies.

    This field is only available when the Authorization grant type is Authorization code.

    Redirect URIs

    Enter the allowed uniform resource identifier (URI) that the OAuth service is authorized to redirect end-users to after authentication. Multiple entries can be separated by spaces. Redirecting to https URLs is strongly recommended.

    Claims

    Add claims for the relying party. See Claims.

    This field is only available when the Authorization grant type is Authorization code.

  4. Select OK to create the new OAuth application.

 

Claims

You can configure relying parties to return claims about the authenticated end-user. Claims can be configured for relying parties using OIDC where the Authorization grant type is Authorization code.

To configure claims:
  1. Create or edit an OAuth relying party with Authorization grant types set to Authorization code.
  2. Under Claims, click Add Claim.
  3. Configure the claim:

    Scope

    Select the claim scope.

    In FortiAuthenticator 6.4.3, only the OpenID Connect (openid) claim type is supported.

    Name

    Enter the claim name.

    User attribute

    Select the user attribute from the following list:

    • Username
    • First name
    • Last name
    • Email
    • Group

  4. Click OK to save the relying party or click Add Claim to create another claim before saving your changes.
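The two procedures above (creating the relying party and adding its claims) carry several dependencies between fields: Authorization code needs a Confidential client, policy and claims need Authorization code, only the openid scope is supported in 6.4.3, an expiry of 0 means tokens never expire, and redirect URIs should be https. The following added example (not FortiAuthenticator's own code) models a relying-party entry as it is typed into the GUI and checks those constraints before the configuration is committed; the redirect URI check assumes exact string matching against the space-separated list, which is the usual OAuth recommendation but is not stated on this page. The sample relying party is constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

USER_ATTRIBUTES = {"Username", "First name", "Last name", "Email", "Group"}

@dataclass
class RelyingParty:
    name: str
    client_type: str            # "Confidential" or "Public"
    grant_type: str             # "Resource owner password-based" or "Authorization code"
    client_secret: str = ""     # Confidential clients only
    access_token_expiry: int = 36000   # seconds; 0 means tokens never expire
    redirect_uris: str = ""     # space-separated list, as typed into the GUI field
    claims: list = field(default_factory=list)  # (scope, name, user attribute) tuples

def check_relying_party(rp: RelyingParty) -> list:
    """Return the configuration problems a reviewer would flag (empty list = clean)."""
    problems = []
    auth_code = rp.grant_type == "Authorization code"
    if auth_code and rp.client_type != "Confidential":
        problems.append("Authorization code is only available for Confidential clients")
    if rp.client_type == "Confidential" and not rp.client_secret:
        problems.append("Confidential client has no client secret")
    if rp.claims and not auth_code:
        problems.append("claims require the Authorization code grant type")
    for scope, _name, attribute in rp.claims:
        if scope != "openid":
            problems.append(f"unsupported claim scope {scope!r} (only openid in 6.4.3)")
        if attribute not in USER_ATTRIBUTES:
            problems.append(f"unknown user attribute {attribute!r}")
    if rp.access_token_expiry == 0:
        problems.append("access tokens never expire (expiry is 0)")
    uris = rp.redirect_uris.split()
    if auth_code and not uris:
        problems.append("no redirect URI configured for a browser-based flow")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"redirect URI {uri} is not https")
    return problems

def redirect_uri_allowed(rp: RelyingParty, requested: str) -> bool:
    """Assumption: exact string match against the configured list, no prefix or wildcard."""
    return requested in rp.redirect_uris.split()

# Constructed sample relying party, not taken from any real deployment
EXAMPLE_RP = RelyingParty(name="intranet-portal", client_type="Confidential",
    grant_type="Authorization code", client_secret="example-secret-value",
    redirect_uris="https://portal.example.com/oidc/callback https://portal.example.com/alt",
    claims=[("openid", "email", "Email"), ("openid", "groups", "Group")])
```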