Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.4.5 Administration Guide
    6.4.5
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    Relying Party

    Relying Party

    OAuth relying parties (RP), otherwise known as clients, can be managed from Authentication > OAuth Service > Relying Party. They correspond to the OAuth clients that have been issued credentials for requesting OAuth tokens from the FortiAuthenticator.

    OpenID Connect (OIDC) authentication can be enabled for the relying party by configuring an authorization code, policy, redirect URI, and claim(s).

    The OAuth service has a per-configured FortiOS Fabric OAuth application used for Fortinet Security Fabric integration. The FortiOS Fabric application settings should not be changed.

    To configure an OAuth application:
    1. From the OAuth application list, select Create New to add a new OAuth application.

      2. The Create New Application window opens.

    2. Enter the following information:
      NameEnter a name for the client.
      Client type

      Select the client type for the client:

      • Confidential: The relying party must provide a valid client ID, user credentials, and the client secret to obtain an OAuth token.
      • Public: The relying party must provide a valid client ID and user credential to obtain an OAuth token. Clients are not required to provide a client secret in requests to the OAuth application.

      Authorization grant types

      Select the authorization grant type:

      • Resource owner password-based: Authentication and authorization is API-based.
      • Authorization code: Authentication and authorization is initiated by the relying party, but the end-user provides their credentials through their browser on the FortiAuthenticator login portal. Selecting this setting allows for the configuration of OpenID Connect claims. This option is only available when the Client type is Confidential.
      Client ID

      Enter a client ID. A generated value is provided by default.

      Client secret

      Enter a client secret. A generated value is provided by default. You can configure the length of the automatically generated value under Authentication > OAuth Service > General.

      This field is only available when the Client type is Confidential.

      Access token expiryEnter a length of time for which OAuth access tokens issued by this application are valid. The default is set to 36000 seconds (10 hours). Access tokens will not expire if the value is set to 0.

      Policy

      Select a policy. OAuth policies are configured in Authentication > OAuth Service > Policies. See Policies.

      This field is only available when the Authorization grant type is Authorization code.

      Redirect URIs

      Enter the allowed uniform resource identifier (URI) that the OAuth service is authorized to redirect end-users to after authentication. Multiple entries can be separated by spaces. Redirecting to https URLs is strongly recommended.

      Claims

      Add claims for the relying party. See Claims.

      This field is only available when the Authorization grant type is Authorization code.

    3. Select OK to create the new OAuth application.

    Claims

    You can configure relying parties to return claims about the authenticated end-user. Claims can be configured for relying parties using OIDC where the Authorization grant type is Authorization code.

    To configure claims:
    1. Create or edit an Oauth relying party with Authorization grant types set to Authorization code.
    2. Under Claims, click Add Claim.
    3. Configure the claim:
      Scope

      Select the claim scope.

      In FortiAuthenticator 6.4.5, only the OpenID Connect (openid) claim type is supported.

      NameEnter the claim name.
      User attribute

      Select the user attribute from the following list:

      • Username
      • First name
      • Last name
      • Email
      • Group
    4. Click OK to save the relying party or click Add Claim to create another claim before saving your changes.
    Previous
    Next

    Relying Party

    Relying Party

    OAuth relying parties (RP), otherwise known as clients, can be managed from Authentication > OAuth Service > Relying Party. They correspond to the OAuth clients that have been issued credentials for requesting OAuth tokens from the FortiAuthenticator.

    OpenID Connect (OIDC) authentication can be enabled for the relying party by configuring an authorization code, policy, redirect URI, and claim(s).

    The OAuth service has a per-configured FortiOS Fabric OAuth application used for Fortinet Security Fabric integration. The FortiOS Fabric application settings should not be changed.

    To configure an OAuth application:
    1. From the OAuth application list, select Create New to add a new OAuth application.

      2. The Create New Application window opens.

    2. Enter the following information:
      NameEnter a name for the client.
      Client type

      Select the client type for the client:

      • Confidential: The relying party must provide a valid client ID, user credentials, and the client secret to obtain an OAuth token.
      • Public: The relying party must provide a valid client ID and user credential to obtain an OAuth token. Clients are not required to provide a client secret in requests to the OAuth application.

      Authorization grant types

      Select the authorization grant type:

      • Resource owner password-based: Authentication and authorization is API-based.
      • Authorization code: Authentication and authorization is initiated by the relying party, but the end-user provides their credentials through their browser on the FortiAuthenticator login portal. Selecting this setting allows for the configuration of OpenID Connect claims. This option is only available when the Client type is Confidential.
      Client ID

      Enter a client ID. A generated value is provided by default.

      Client secret

      Enter a client secret. A generated value is provided by default. You can configure the length of the automatically generated value under Authentication > OAuth Service > General.

      This field is only available when the Client type is Confidential.

      Access token expiryEnter a length of time for which OAuth access tokens issued by this application are valid. The default is set to 36000 seconds (10 hours). Access tokens will not expire if the value is set to 0.

      Policy

      Select a policy. OAuth policies are configured in Authentication > OAuth Service > Policies. See Policies.

      This field is only available when the Authorization grant type is Authorization code.

      Redirect URIs

      Enter the allowed uniform resource identifier (URI) that the OAuth service is authorized to redirect end-users to after authentication. Multiple entries can be separated by spaces. Redirecting to https URLs is strongly recommended.

      Claims

      Add claims for the relying party. See Claims.

      This field is only available when the Authorization grant type is Authorization code.

    3. Select OK to create the new OAuth application.

    Claims

    You can configure relying parties to return claims about the authenticated end-user. Claims can be configured for relying parties using OIDC where the Authorization grant type is Authorization code.

    To configure claims:
    1. Create or edit an Oauth relying party with Authorization grant types set to Authorization code.
    2. Under Claims, click Add Claim.
    3. Configure the claim:
      Scope

      Select the claim scope.

      In FortiAuthenticator 6.4.5, only the OpenID Connect (openid) claim type is supported.

      NameEnter the claim name.
      User attribute

      Select the user attribute from the following list:

      • Username
      • First name
      • Last name
      • Email
      • Group
    4. Click OK to save the relying party or click Add Claim to create another claim before saving your changes.
    Previous
    Next