Add files via upload

MobileID-Strong-Authentication · Feb 22, 2023 · 80f7a44 · 80f7a44
1 parent 24ecdfa
commit 80f7a44
Showing 1 changed file with 40 additions and 45 deletions.
diff --git a/samples/production-v1.2-noRedis.env.sample b/samples/production-v1.2-noRedis.env.sample
@@ -269,48 +269,43 @@ CustomerConfigs__0__FortigateBehaviour__FailAuthIfGroupUnknown=false
 # CustomerConfigs__2__*
 # etc.
 
-********************************************************************************************
-OPTIONAL: FortigateBehaviour
-********************************************************************************************
-
-... 
-"FortigateBehaviour": {
-  "VendorSpecificAttributeTriggerValue": "root",
-  "UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))",
-  "FortinetLdapUserGroupMap": [
-    {
-      "ForitnetGroupName": "gu-rad_msrl_sslvpn1",
-      "LdapGroupDn": "ldap-group-dn-admin"
-    },
-    {
-      "ForitnetGroupName": "gu-rad_msrl_sslvpn2",
-      "LdapGroupDn": "ldap-group-dn-user"
-    }
-  ],
-  "FortinetAccessProfile": "none",
-  "DefaultFortinetGroupName": "no-group-found",
-  "FailAuthIfGroupUnknown": false
-}
-...
-
-The FortigateBehaviour's JSON section in the above example is OPTIONAL.
-- Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet
-- Procedure with activated Fortigate behaviour:
-  - After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config)
-  - Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken!
-  - The following cases are then distinguished in the radius response:
-    - Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
-      => Fortinet-Vdom-Name = "root" (taken from Access-Request)
-      => Fortinet-Group-Name = {{ matching Fortigate group }}
-      => Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }} 
-    - Fortigate group not found:
-      -> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
-      -> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
-         => Fortinet-Vdom-Name = "root" (taken from Access-Request)
-         => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
-         => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}" 
-
-Additional Infos:
-- https://www.rfc-editor.org/rfc/rfc2865#section-5.26
-- Possible query to get all user groups: (&(objectCategory=group){0})
-- https://www.fortinetguru.com/2016/06/authentication-servers/4/
+############################################################################################
+# OPTIONAL: FortigateBehaviour
+############################################################################################
+# 
+# ... 
+# "FortigateBehaviour": {
+#   "VendorSpecificAttributeTriggerValue": "root",
+#   "UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))",
+#   "FortinetLdapUserGroupMap": [
+#     {
+#       "ForitnetGroupName": "gu-rad_msrl_sslvpn1",
+#       "LdapGroupDn": "ldap-group-dn-admin"
+#     },
+#     {
+#       "ForitnetGroupName": "gu-rad_msrl_sslvpn2",
+#       "LdapGroupDn": "ldap-group-dn-user"
+#     }
+#   ],
+#   "FortinetAccessProfile": "none",
+#   "DefaultFortinetGroupName": "no-group-found",
+#   "FailAuthIfGroupUnknown": false
+# }
+# ...
+
+# The FortigateBehaviour's JSON section in the above example is OPTIONAL.
+# - Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet
+# - Procedure with activated Fortigate behaviour:
+#   - After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config)
+#   - Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken!
+#   - The following cases are then distinguished in the radius response:
+#     - Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
+#       => Fortinet-Vdom-Name = "root" (taken from Access-Request)
+#       => Fortinet-Group-Name = {{ matching Fortigate group }}
+#       => Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }} 
+#     - Fortigate group not found:
+#       -> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
+#       -> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
+#          => Fortinet-Vdom-Name = "root" (taken from Access-Request)
+#          => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
+#          => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"