Administration Guide

Policies

OAuth policy configuration is available under Authentication > OAuth > Policies.

You can configure policies to be used in OAuth and OpenID Connect authentication to relying parties when the authorization grant type is Authorization code. See Relying Party.

To configure an OAuth policy:
  1. Go to Authentication > OAuth Service > Policies, and click Create New.
    The OAuth Service wizard opens.
  2. Configure the OAuth policy:

    Policy type
      Select the name and login portal.

      Name: Enter a name for the policy.
      Description: Optionally, provide a description of the policy.
      URL: The URL for the OAuth authorization. Authorization URLs use the following default format:

        https://[FAC IP/FQDN]/api/v1/oauth/authorize/

      Portal: Select the portal to use with the policy. See Portals.

    Identity sources
      Select the identity sources.

      Username format: Select one of the following three username input formats:

      • username@realm
      • realm\username
      • realm/username

      Use default realm when user-provided realm is different from all configured realms: When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms: Add realms to which the client will be associated.

      • Select a realm from the dropdown menu in the Realm column.
      • Select whether or not to allow local users to override remote users for the selected realm.
      • Edit the group filter as needed to filter users based on the groups they are in.
      • If necessary, add more realms to the list.
      • Select the realm that will be the default realm for this client.

    Authentication Factors
      Select the authentication factors.

      Authentication type: Select one of the following:

      • Mandatory password and OTP: Two-factor authentication is required for every user.
      • Every configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account; otherwise, one-factor authentication is allowed.
      • Password-only: Authenticate users through password verification only. User accounts for which password authentication is disabled cannot be authenticated.
      • OTP-only: Authenticate users through token verification only. User accounts for which token authentication is disabled cannot be authenticated.

      Adaptive Authentication: Enable this option if you would like certain users to bypass OTP validation, as long as they belong to a trusted subnet.

      Select All trusted subnets to add all the available trusted subnets.

      You can specify the trusted subnets by selecting Specify trusted subnets. This opens a window where you can choose from a list of available trusted subnets.

      Adaptive Authentication is available only for the following authentication types:

      • Mandatory password and OTP
      • Every configured password and OTP factors

      FIDO authentication (effective once a token has been registered): Enable FIDO authentication.

      When the FIDO authentication toggle is enabled, you can choose to use either FIDO token only or Password and FIDO token for authentication.

      Advanced options: Click to view a list of advanced options available when configuring authentication factors, including:

      • Allow FortiToken Mobile push notifications.
      • Resolve user geolocation from their IP address.
      • Reject usernames containing uppercase letters.
  3. Select Save and exit to create the new policy.
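The following is an added illustrative model, not FortiAuthenticator's own code or API, of how the identity-source and authentication-factor settings above interact: the three username formats, the default-realm fallback for unknown realms, the four authentication types, and the OTP bypass that Adaptive Authentication grants to clients in a trusted subnet. The `OAuthPolicy` class, the `account` dictionary shape and all sample realms and subnets are constructed for the example.

```python
# Illustrative model of how an OAuth policy's identity-source and authentication-factor
# settings combine (added example; not FortiAuthenticator's own code or API).
import ipaddress
from dataclasses import dataclass, field

FORMATS = {"username@realm": ("@", "realm_last"),    # username format -> separator,
           "realm\\username": ("\\", "realm_first"),  # and which side holds the realm
           "realm/username": ("/", "realm_first")}

@dataclass
class OAuthPolicy:                       # constructed shape, not a FortiAuthenticator object
    username_format: str                 # one of the keys in FORMATS
    realms: list                         # realms added to the policy
    default_realm: str                   # realm marked as default
    use_default_for_unknown_realm: bool  # "Use default realm when user-provided realm ..."
    auth_type: str                       # one of the four authentication types
    trusted_subnets: list = field(default_factory=list)  # Adaptive Authentication CIDRs

def split_login(policy, login):
    """Resolve (username, realm) from a login string under the policy's username format."""
    sep, order = FORMATS[policy.username_format]
    if sep not in login:                       # no realm supplied: use the default realm
        return login, policy.default_realm
    if order == "realm_last":
        user, realm = login.rsplit(sep, 1)
    else:
        realm, user = login.split(sep, 1)
    if realm in policy.realms:
        return user, realm
    if policy.use_default_for_unknown_realm:   # option enabled: unknown realm -> default
        return user, policy.default_realm
    raise ValueError(f"realm {realm!r} is not configured on this policy")

def required_factors(policy, account, client_ip):
    """Factors demanded for `account` (constructed dict with 'password_enabled' and
    'otp_enabled' flags) logging in from `client_ip`; raises if it cannot authenticate."""
    single = {"Password-only": ("password", "password_enabled"),
              "OTP-only": ("otp", "otp_enabled")}
    if policy.auth_type in single:             # one-factor types: account must allow it
        factor, flag = single[policy.auth_type]
        if not account[flag]:
            raise PermissionError(f"{factor} authentication is disabled for this account")
        return {factor}
    if policy.auth_type == "Mandatory password and OTP" and not account["otp_enabled"]:
        raise PermissionError("two-factor is mandatory but no OTP method is enabled")
    factors = {"password"} | ({"otp"} if account["otp_enabled"] else set())
    # Adaptive Authentication (password+OTP types only): trusted-subnet clients skip OTP.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(s, strict=False) for s in policy.trusted_subnets):
        factors.discard("otp")
    return factors
```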