Administration Guide

Remote authentication: OAuth2

OAuth2 can be used for user authentication in FortiPortal.

Configuring the OAuth2 server

On your OAuth2 server, set Authorized redirect URL to https://<FPC_address>/fpc/v1/api/account/oauth.

Configuring FortiPortal

When you configure Authentication Access as Remote in System > Settings > Authentication, the remote server is set to FortiAuthenticator by default, and the system displays additional settings to configure.

To configure FortiPortal:
  1. Go to System > Settings > Authentication.

  2. Configure the settings as follows:

    | Field | Required | Description |
    |---|---|---|
    | Authentication Access | N | Set to Remote. |
    | Enable Two-factor Authentication | N | Enable or disable two-factor authentication (2FA). FortiPortal only supports using the FortiToken Mobile application as the 2FA method. SMS and email are not supported. For 2FA, a FortiToken license needs to be applied and registered in the same account where the FortiPortal license is registered. Email information is mandatory for 2FA users. If the user name is the email and no Tenant Identification Attribute is set, the domain part of the email can be used for tenant identification. See Two-factor authentication in FortiPortal example. |
    | Remote Server | Y | Select OAuth2 as the remote server type. |
    | Client ID | Y | Enter the client ID of your FortiPortal as set in your OAuth2 server configuration. |
    | Client Secret | Y | Enter the client secret key. |
    | Discovery URL | Y | Enter the discovery URL of the authentication server. |
    | Scopes | Y | Enter the scopes to be granted to remote OAuth2 users. |
    | User ID Attribute | Y | Enter the attribute in the response that contains the user ID. |
    | Site Attribute | N | Enter the attribute parameter name that specifies which sites the customer user can access. Note: If the Site Attribute is empty, the customer user is assigned all the sites owned by the organization. |
    | Role Attribute | N | Enter the attribute in the response that contains the user role. |
    | Tenant Identification Attribute | N | Enter the value as set in your IdP configuration. If set, this value is used to match the user with an organization. |
    | Domains | N | Select the domains to be used for administration access. |
    | View/Change OAuth Roles | | See OAuth2 roles. |

  3. Click Save.
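As an added illustration (not FortiPortal's code, and independent of how FortiPortal implements these settings), the following Python models how the Discovery URL, Scopes and the four attribute fields above are applied to an IdP response, including the empty Site Attribute and email-domain tenant rules from the table; the claim names, discovery document and configuration values are constructed.

```python
"""Model of how the OAuth2 settings in the table above map an IdP response onto a
FortiPortal user. Added illustration, not FortiPortal code: the discovery
document, claims and attribute names are constructed samples."""
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_discovery(doc, scopes):
    """Return problems found in an OIDC discovery document relative to the
    configured Scopes (empty list means the document looks usable)."""
    problems = [f"missing {k}" for k in REQUIRED_ENDPOINTS if k not in doc]
    for k in REQUIRED_ENDPOINTS:
        if k in doc and urlparse(doc[k]).scheme != "https":
            problems.append(f"{k} is not https")
    unsupported = set(scopes) - set(doc.get("scopes_supported", scopes))
    problems += [f"scope {s} not advertised" for s in sorted(unsupported)]
    return problems


def map_user(claims, cfg):
    """Apply the User ID / Role / Site / Tenant Identification attribute settings
    (cfg) to the claims returned by the IdP. An empty Site Attribute yields
    sites=None (all sites of the organization); without a Tenant Identification
    Attribute the domain part of an email user name identifies the tenant."""
    user_id = claims.get(cfg["user_id_attr"])
    if not user_id:
        raise ValueError("response lacks the configured User ID Attribute")
    role = claims.get(cfg["role_attr"]) if cfg.get("role_attr") else None
    sites = claims.get(cfg["site_attr"]) if cfg.get("site_attr") else None
    if cfg.get("tenant_attr"):
        tenant = claims.get(cfg["tenant_attr"])
    elif "@" in user_id:
        tenant = user_id.rsplit("@", 1)[1].lower()
    else:
        tenant = None
    return {"user_id": user_id, "role": role, "sites": sites, "tenant": tenant}


# Constructed sample inputs, not taken from a real IdP or FortiPortal instance.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
}
SAMPLE_CLAIMS = {"email": "alice@tenant-a.example", "fp_role": "CustomerAdmin",
                 "fp_sites": ["HQ", "Branch-1"]}
SAMPLE_CFG = {"user_id_attr": "email", "role_attr": "fp_role",
              "site_attr": "", "tenant_attr": ""}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, ["openid", "email"]))
    print(map_user(SAMPLE_CLAIMS, SAMPLE_CFG))
```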
