OAUTH
FortiAuthenticator can be configured to connect to remote OAuth servers to dynamically look up group memberships from third-party SAML identity providers, such as G Suite and Azure, for SAML SP FSSO.
To add a remote OAuth server:
- Go to Authentication > Remote Auth. Servers > OAUTH and select Create New. The Create New Remote OAuth Server window appears.
- Enter the following information:
Name
Enter the name for the remote OAuth server on FortiAuthenticator.
OAuth source
Select Facebook, Google, LinkedIn, Twitter, WeChat, Azure Directory, or G Suite Directory as the OAuth source. The remaining fields depend on the source selected:
For Facebook, Google, LinkedIn, Twitter, and WeChat, enter the Key and Secret for the selected OAuth source.
For Azure Directory, enter the Client ID and Client Key for the Azure Directory application, then enable Include for SSO and enter the Azure AD tenant ID.
For G Suite Directory, enter the G-suite admin and select and upload the Service account key file (.json) for the G Suite Directory.
Key
Enter the OAuth application key for the selected OAuth source. This option is only available when Facebook, Google, LinkedIn, Twitter, or WeChat is selected as the OAuth source.
Secret
Enter the OAuth application secret for the selected OAuth source. This option is only available when Facebook, Google, LinkedIn, Twitter, or WeChat is selected as the OAuth source.
Client ID
Enter the application ID for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as the OAuth source.
Client Key
Enter the key for the Azure Directory application, obtained from the Azure portal. This option is only available when Azure Directory is selected as the OAuth source.
Include for SSO
Enable to include the OAuth server for SSO. This option is only available when Azure Directory is selected as the OAuth source.
Note: The option is disabled by default.
For information on configuring SSOMA with AD, see Configuring SSOMA with AD in the latest EMS Administration Guide.
Azure AD tenant ID
Enter the Azure AD tenant ID.
Note: The option is only available when Include for SSO is enabled.
G-suite admin
Enter the G Suite admin username for the G Suite Directory application. This option is only available when G Suite Directory is selected as the OAuth source.
Service account key file (.json)
Select and upload the service account key file for the G Suite Directory application, obtained from the Google developers portal. This option is only available when G Suite Directory is selected as the OAuth source.
- Select Save to add the remote OAuth server.
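The Secret, Client Key and service account key file entered above are credentials for your identity provider and should be handled like passwords. As an added example (not FortiAuthenticator code), the Python script below runs an offline pre-flight check on the Azure Directory and G Suite Directory inputs before they are saved on the form: it confirms that the Azure Client ID and tenant ID are GUIDs (the Application (client) ID and Directory (tenant) ID shown in the Azure portal), that the uploaded Google key file is a service-account key with a PEM private key rather than an OAuth client JSON, and that the G-suite admin is a real user address and not the service account itself, since Google's Directory API is read by a service account impersonating an admin under domain-wide delegation. The minimum client-secret length is an assumption for catching obvious typos, and the sample key file is constructed, with a truncated placeholder key body, not a real credential.

```python
"""Offline pre-flight checks for FortiAuthenticator remote OAuth server
inputs (Azure Directory and G Suite Directory sources).

Added example, not FortiAuthenticator or Fortinet code. Nothing here contacts
Azure or Google; it only validates the shape of what is about to be saved.
"""
import json
import re
import uuid

# Fields every Google service-account key file carries (type "service_account").
GSUITE_REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)
PEM_KEY_RE = re.compile(
    r"^-----BEGIN (?:RSA )?PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END (?:RSA )?PRIVATE KEY-----\n?$"
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_SECRET_LEN = 16  # assumption: anything shorter is almost certainly a typo


def _is_guid(value) -> bool:
    """Azure application (client) IDs and tenant IDs are hyphenated GUIDs."""
    try:
        return str(uuid.UUID(value)) == value.strip().lower()
    except (ValueError, AttributeError, TypeError):
        return False


def azure_token_endpoint(tenant_id: str) -> str:
    """Token endpoint FortiAuthenticator must be able to reach for this tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def check_azure(client_id: str, client_key: str, tenant_id: str) -> list:
    """Return the problems found with the Azure Directory fields (empty list = OK)."""
    problems = []
    if not _is_guid(client_id):
        problems.append("Client ID is not a GUID; copy the Application (client) ID of the app registration")
    if not client_key or len(client_key.strip()) < MIN_SECRET_LEN:
        problems.append("Client Key is empty or too short to be a client secret value")
    if not _is_guid(tenant_id):
        problems.append("Azure AD tenant ID is not a GUID; copy the Directory (tenant) ID, not the tenant name")
    return problems


def check_gsuite_key(key_file_text: str, admin_user: str) -> list:
    """Return the problems found with the G Suite key file and admin (empty list = OK)."""
    try:
        key = json.loads(key_file_text)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    missing = [f for f in GSUITE_REQUIRED_FIELDS if f not in key]
    if missing:
        return ["key file is missing fields: " + ", ".join(missing)]
    problems = []
    if key["type"] != "service_account":
        # An OAuth client ID download (type "web"/"installed") looks similar but is not usable here.
        problems.append(f"key file type is {key['type']!r}, expected 'service_account'")
    if not isinstance(key["private_key"], str) or not PEM_KEY_RE.match(key["private_key"]):
        problems.append("private_key is not a PEM-encoded private key")
    if not EMAIL_RE.match(admin_user or ""):
        problems.append("G-suite admin must be a full user address, e.g. admin@example.com")
    elif admin_user.lower() == str(key["client_email"]).lower():
        problems.append("G-suite admin is the service account itself; enter the admin user "
                        "the service account impersonates via domain-wide delegation")
    return problems


# Constructed sample key file; the private_key body is a truncated placeholder, not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "fac-directory-sync",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj\n-----END PRIVATE KEY-----\n",
    "client_email": "fac-sync@fac-directory-sync.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print("Azure:", check_azure("11111111-2222-3333-4444-555555555555", "x" * 40,
                                "contoso.onmicrosoft.com") or "OK")
    print("G Suite:", check_gsuite_key(SAMPLE_KEY_FILE, "admin@example.com") or "OK")
```

Run the checks against the exact strings you are about to paste into the form; an empty list means the input has the right shape, while each message names the field to fix. Passing the checks does not prove the credentials are valid, only that FortiAuthenticator will not fail on a malformed input.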