Remote authentication: OAuth2
OAuth2 can be used for user authentication in FortiPortal.
Configuring the OAuth2 server
On your OAuth2 server, set Authorized redirect URL to https://<FPC_address>/fpc/v1/api/account/oauth.
Configuring FortiPortal
When you configure Authentication Access as Remote in System > Settings > Authentication, the remote server is set to FortiAuthenticator by default, and the system displays additional settings to configure.
To configure FortiPortal:
- Go to System > Settings > Authentication.
- Configure the settings as follows:
| Field | Required | Description |
|---|---|---|
| Authentication Access | N | Set to Remote. |
|  | N | Enable or disable two-factor authentication (2FA). FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported. For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered. Email information is mandatory for 2FA users. If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification. |
| Remote Server | Y | Select OAuth2 as the remote server type. |
| Client ID | Y | Enter the client ID of your FortiPortal as set in your OAuth2 server configuration. |
| Client Secret | Y | Enter the client secret key. |
| Discovery URL | Y | Enter the discovery URL of the authentication server. |
| Scopes | Y | Enter the scopes to be granted to remote OAuth2 users. |
| User ID Attribute | Y | Enter the attribute in the response that contains the user ID. |
| Site Attribute | N | Enter the attribute parameter name that specifies which sites the customer user can access. Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization. |
| Role Attribute | N | Enter the attribute in the response that contains the user role. |
| Tenant ID Attribute | N | Enter the value as set in your IdP configuration. If set, this value is used to match the user with an organization. |
| SSL Certificate Check | N | Enable to validate the OAuth2 server SSL certificate. |
| OAuth2 Logout URL | N | Enter the logout URL for the OAuth2 server. |
| Domains | N | Select the domains to be used for administration access. |
| View/Change OAuth Roles |  | See OAuth2 roles. |
- Click Save.
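The settings above (the redirect URL registered on the OAuth2 server, the discovery URL, scopes, logout URL and the User ID / Role / Site / Tenant ID attributes) are easy to get subtly wrong, and a mismatch usually surfaces only as a failed login. The following Python script is an added example, not FortiPortal's or Fortinet's code: it runs the pre-flight checks a practitioner would want before saving the configuration, using a constructed discovery document and a constructed set of user claims. The FortiPortal host name, the IdP URLs and the claim names (preferred_username, fpc_role, fpc_sites, tenant) are assumptions standing in for whatever your own IdP emits. The tenant fallback mirrors the table's note that, when no Tenant Identification Attribute is set and the user name is an email, the domain part identifies the tenant.

```python
"""Pre-flight checks for FortiPortal OAuth2 remote authentication settings.

Added example, not FortiPortal's own code. All URLs, host names and
claim names below are constructed sample data / assumptions.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Constructed sample: what a discovery URL typically returns (assumed IdP).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
  "end_session_endpoint": "https://idp.example.com/oauth2/logout",
  "scopes_supported": ["openid", "profile", "email"]
}""")

# Constructed sample: the response FortiPortal would see for one user.
# Claim names are assumptions; your IdP may use different ones.
SAMPLE_CLAIMS = {
    "sub": "a1b2c3",
    "email": "alice@acme-corp.example",
    "preferred_username": "alice@acme-corp.example",
    "fpc_role": "Customer User",
    "fpc_sites": ["HQ", "Branch-1"],
}

FPC_ADDRESS = "fpc.example.net"  # assumed FortiPortal address
# Redirect URL format from the page: https://<FPC_address>/fpc/v1/api/account/oauth
EXPECTED_REDIRECT = f"https://{FPC_ADDRESS}/fpc/v1/api/account/oauth"


def check_redirect_url(registered: str) -> list[str]:
    """OAuth2 servers match redirect URLs exactly, so flag any drift."""
    problems = []
    if registered != EXPECTED_REDIRECT:
        problems.append(f"redirect URL mismatch: {registered!r} != {EXPECTED_REDIRECT!r}")
    if urlparse(registered).scheme != "https":
        problems.append("redirect URL must use https")
    return problems


def check_discovery(doc: dict, scopes: list[str], logout_url: str | None) -> list[str]:
    """Verify the discovery document covers the scopes and logout URL entered."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    unsupported = sorted(set(scopes) - set(doc.get("scopes_supported", [])))
    if unsupported:
        problems.append(f"scopes not advertised by IdP: {unsupported}")
    if logout_url and logout_url != doc.get("end_session_endpoint"):
        problems.append("OAuth2 Logout URL differs from IdP end_session_endpoint")
    return problems


def resolve_user(claims: dict, user_id_attr: str, role_attr: str | None = None,
                 site_attr: str | None = None, tenant_attr: str | None = None,
                 two_factor: bool = False) -> dict:
    """Apply the attribute settings from the table to one response."""
    if user_id_attr not in claims:
        raise KeyError(f"User ID Attribute {user_id_attr!r} not present in response")
    user_id = claims[user_id_attr]
    # 2FA users must have email information.
    if two_factor and not claims.get("email"):
        raise ValueError("2FA is enabled but the response carries no email")
    # Empty Site Attribute: user gets all sites owned by the organization.
    sites = claims.get(site_attr) if site_attr else "ALL_ORG_SITES"
    role = claims.get(role_attr) if role_attr else None
    if tenant_attr:
        tenant = claims.get(tenant_attr)
    elif "@" in str(user_id):
        tenant = str(user_id).rsplit("@", 1)[1]  # domain part of the email
    else:
        tenant = None
    return {"user_id": user_id, "role": role, "sites": sites, "tenant": tenant}


if __name__ == "__main__":
    print(check_redirect_url("https://fpc.example.net/fpc/v1/api/account/oauth"))
    print(check_discovery(SAMPLE_DISCOVERY, ["openid", "email"], None))
    print(resolve_user(SAMPLE_CLAIMS, "preferred_username", "fpc_role", "fpc_sites"))
```

In practice you would replace SAMPLE_DISCOVERY with the JSON fetched from your Discovery URL (over a certificate-validated connection, matching the SSL Certificate Check setting) and SAMPLE_CLAIMS with a real userinfo or ID-token response for a test account; the checks then tell you, before any user tries to log in, whether the attribute names you typed into FortiPortal actually exist in what the IdP sends.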