Authentication in FortiConnect with GSuite


FortiConnect can be configured to authenticate GSuite users that access the network. This document focuses on the configuration required to enable the integration of FortiConnect and GSuite.

NOTE: This document is based on FortiConnect 16.9.5 release.

To add the GSuite authentication server, navigate to Network Access Policy > Authentication Policy in the FortiConnect Administrative Console and configure the connection settings for GSuite authentication. The parameters highlighted in the image require configuration in the Google Developer Console and the GSuite Administrative Console.

Configuring GSuite

Configure the parameters described in this section prior to configuring the GSuite Authentication policy in the FortiConnect Administrative Console.

Creating a project

  1. Log in to the Google API dashboard (https://console.developers.google.com) and click on your domain name to create a new project.
  2. Enter a unique Project Name and browse to your domain as the Location.
  3. In the dashboard, select Enable APIs and Services, search for Google+ API and Admin SDK, and enable them.

Creating a web application account

Creating a web application account generates the Google API Client ID and Google API Client Secret to be configured in the FortiConnect Administrative Console.

  1. In the Google API dashboard, select Credentials > Create Credentials > OAuth client ID; select the Application type as Web application.
  2. Enter a unique Name for the web application and the Authorized redirect URIs, in the format https://<fqdn-fct>/portal/?command=googleAuth; for example, https://example.fortinet.com/portal/?command=googleAuth. You can configure multiple redirect URLs.
  3. Click Create.


Once the web application is created, the Client ID and Client secret are generated; populate these in the Google API Client ID and Google API Client Secret fields respectively on the FortiConnect Administrative Console.

Creating a service account

Creating a service account generates the Google Service Account JSON key to be configured in the FortiConnect Administrative Console.

In the Google API dashboard, select Credentials > Create Credentials > Service account key; then select New service account.

  1. Enter a unique Service account name and select a Role that grants the required access.
  2. Select JSON as the Key type.
  3. Click Create. The private key (JSON file) is downloaded to your computer.


Open the JSON file and copy its contents into the Google Service Account JSON Key field in the FortiConnect Administrative Console.


Once created, ensure that the service account is enabled for G Suite Domain-wide Delegation (IAM & Admin > Service Accounts > Actions > Edit). With delegation enabled, the holder of the JSON key can act on behalf of any user in the domain within the authorized scopes, so store the key as a privileged secret.


Select OAuth consent screen and update the required fields to populate the consent screen that is displayed to users when they are asked to grant access to their private data.

API client access

Log in to the Google GSuite Administrative console (https://admin.google.com) to register the web application and other API clients with Google; this enables access to data in Google services.

  1. Select Security > Advanced Settings > Authentication > Manage API client access.
  2. Enter the Client Name and the API scopes (access permissions) from the list below. You can specify multiple comma-separated API scopes.
    • View group subscriptions on your domain
      https://www.googleapis.com/auth/admin.directory.group.member.readonly
    • View groups on your domain
      https://www.googleapis.com/auth/admin.directory.group.readonly
    • View users on your domain
      https://www.googleapis.com/auth/admin.directory.user.readonly


  3. Click Authorize.
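A pre-flight check for the three values this procedure produces, written here as an added example (not Fortinet's or Google's code): it validates the pasted service account JSON key, compares the comma-separated scopes entered under Manage API client access with the three read-only scopes listed above, and checks an Authorized redirect URI against the https://<fqdn-fct>/portal/?command=googleAuth format from the web application step. The sample key is constructed with placeholder values.

```python
import json
from urllib.parse import parse_qs, urlsplit

# The three read-only Directory API scopes authorized under "Manage API client access".
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
})
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")

# Constructed sample key with placeholder values (not a real key), for a stand-alone run.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project", "client_id": "000000000000",
    "client_email": "fct@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

def check_service_account_key(raw_json: str) -> list:
    # Returns the problems found in the pasted key; an empty list means it looks usable.
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    return problems

def check_scopes(authorized: str) -> list:
    # Compares the comma-separated scopes typed into the admin console with the required
    # set; anything beyond the three read-only scopes exceeds what FortiConnect needs.
    given = {s.strip() for s in authorized.split(",") if s.strip()}
    problems = [f"missing scope: {s}" for s in sorted(REQUIRED_SCOPES - given)]
    problems += [f"scope exceeds least privilege: {s}" for s in sorted(given - REQUIRED_SCOPES)]
    return problems

def check_redirect_uri(uri: str, fqdn: str) -> list:
    # Validates one Authorized redirect URI against https://<fqdn-fct>/portal/?command=googleAuth.
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("redirect URI must use https")
    if parts.hostname != fqdn.lower():
        problems.append(f"host {parts.hostname!r} does not match FortiConnect FQDN {fqdn!r}")
    if parts.path != "/portal/":
        problems.append(f"path {parts.path!r} must be '/portal/'")
    if parse_qs(parts.query).get("command") != ["googleAuth"]:
        problems.append("query string must be command=googleAuth")
    return problems
```

Run each checker on the values before pasting them into the FortiConnect console; any non-empty list names the field to correct.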

Configuring FortiConnect

After configuring GSuite, update the FortiConnect Administrative Console to complete the configuration of the GSuite authentication server in FortiConnect.

Note: The google.com root certificate and the intermediate PKI certificates (the certificates used by the Google server) must be added to the FortiConnect console (SSL settings > Trusted CA Certificates).


  • Google API Client ID and Google API Client Secret – See section Creating a web application account.
  • Google Service Account JSON key – See section Creating a service account.
  • GSuite Admin username – The GSuite login user name (with admin rights).
  • Realm – The GSuite domain, for example, fctqa.com.
  • Attribute Mappings – The rules/attribute mappings required for the server.
  • Certificate Authorities (optional) – Select a previously configured certificate authority to provision certificates for GSuite users.