Administration Guide

Relying Party

OAuth relying parties (RP), otherwise known as clients, can be managed from Authentication > OAuth Service > Relying Party. They correspond to the OAuth clients that have been issued credentials for requesting OAuth tokens from the FortiAuthenticator.

OpenID Connect (OIDC) authentication can be enabled for the relying party by configuring an authorization code, policy, redirect URI, and claim(s).

The OAuth service has a pre-configured FortiOS Fabric OAuth application used for Fortinet Security Fabric integration. The FortiOS Fabric application settings should not be changed.

To configure an OAuth application:
  1. From the OAuth relying party list, select Create New to add a new relying party.
  2. The Create New Relying Party window opens.

  3. Enter the following information:
    Name

    Enter a name for the client.

    Client type

    Select the client type for the client:

    • Confidential: The relying party must provide a valid client ID, user credentials, and the client secret to obtain an OAuth token.
    • Public: The relying party must provide a valid client ID and user credential to obtain an OAuth token. Clients are not required to provide a client secret in requests to the OAuth application.

    Authorization grant types

    Select the authorization grant type:

    • Password-based: Authentication and authorization is API-based.
    • Authorization code: Authentication and authorization is initiated by the relying party, but the end-user provides their credentials through their browser on the FortiAuthenticator login portal. Selecting this setting allows for the configuration of OpenID Connect claims. This option is only available when the Client type is Confidential.
    • Authorization code with PKCE: When this grant type is selected, FortiAuthenticator applies the following modifications to the standard Authorization code grant type:

      • The client_secret field is ignored in requests to the /oauth/authorize/ endpoint.

      • New code_challenge_method and code_challenge fields are required in requests to the /oauth/authorize/ endpoint.

      • A new code_verifier field is required in the requests to the /oauth/token/ endpoint.

      • FortiAuthenticator rejects requests to the /oauth/token/ endpoint if the SHA256 digest of code_verifier does not match the code_challenge provided when the code was issued by the /oauth/authorize/ endpoint.

      The option is only available when the Client type is Public.

    Client ID

    Enter a client ID. A generated value is provided by default.

    Client secret

    Enter a client secret. A generated value is provided by default. You can configure the length of the automatically generated value under Authentication > OAuth Service > General.

    This field is only available when the Client type is Confidential.

    Policy

    Select a policy. OAuth policies are configured in Authentication > OAuth Service > Policies. See Policies.

    Access token expiry

    Enter the length of time for which OAuth access tokens issued by this application are valid. The default is 36000 seconds (10 hours). Access tokens do not expire if the value is set to 0.

    Redirect URIs

    Enter the allowed uniform resource identifier (URI) that the OAuth service is authorized to redirect end-users to after authentication. Multiple entries can be separated by spaces. Redirecting to https URLs is strongly recommended.

    This field is only available when the Authorization grant type is Authorization code or Authorization code with PKCE.

    Refresh token expiry

    The amount of time in days/weeks/months the refresh token issued is valid upon authorization (default = 1 day).

    Note: The refresh token never expires if the expiry period is configured as 0.

    Note: FortiAuthenticator does not issue a new OAuth token using an expired refresh token.

    Relying Party Scopes

    Add scopes for the relying party. See Scopes.

    Claims

    Add claims for the relying party. See Claims.

    This field is only available when the Authorization grant type is Authorization code or Authorization code with PKCE.

  4. Select Save to create the new relying party.

Claims

You can configure relying parties to return claims about the authenticated end-user. Claims can be configured for relying parties using OIDC where the Authorization grant type is Authorization code.

To configure claims:
  1. Create or edit an OAuth relying party with Authorization grant types set to Authorization code.
  2. Under Claims, click Add Claim.
  3. Configure the claim:
    Scope

    Select the claim scope.

    Name

    Enter the claim name.

    User attribute

    Select the user attribute from the following list:

    • Username
    • First name
    • Last name
    • Email
    • Group
    • IAM account name
    • IAM account alias
    • IAM username

    Custom fields configured in Authentication > User Account Policies > Custom User Fields are available here.

  4. Click Save to save the relying party or click Add Claim to create another claim before saving your changes.