fmgd_authentication_scheme – Configure Authentication Schemes.

Added in version 1.1.0.

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters; the placeholder values need to be adjusted to your data sources before use.

  • Tested with FortiManager v7.x.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible-core>=2.16.0

FortiManager Version Compatibility

Supported Version Ranges: v7.4.8 -> v7.4.10, v7.6.4 -> latest

Parameters

  • access_token - The token to access FortiManager without using a username and password. type: str required: false
  • bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
  • enable_log - Enable/Disable logging for the task. type: bool required: false default: False
  • forticloud_access_token - Access token of FortiCloud managed API users; this option is available with FortiManager later than 6.4.0. type: str required: false
  • proposed_method - The overridden method for the underlying JSON RPC request. type: str required: false choices: set, update, add
  • rc_succeeded - The list of rc codes with which the conditions to succeed will be overridden. type: list required: false
  • rc_failed - The list of rc codes with which the conditions to fail will be overridden. type: list required: false
  • state - The directive to create, update or delete an object. type: str required: true choices: present, absent
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release the workspace lock. type: integer required: false default: 300
  • device - The device parameter in the requested URL. type: str required: true
  • vdom - The vdom parameter in the requested URL. type: str required: true
  • authentication_scheme - Configure Authentication Schemes. type: dict
    • domain_controller (Alias name: domain-controller) Domain controller setting. type: list
    • fsso_agent_for_ntlm (Alias name: fsso-agent-for-ntlm) FSSO agent to use for NTLM authentication. type: list
    • fsso_guest (Alias name: fsso-guest) Enable/disable user fsso-guest authentication (default = disable). type: str choices: [disable, enable]
    • kerberos_keytab (Alias name: kerberos-keytab) Kerberos keytab setting. type: list
    • method Authentication methods (default = basic). type: list choices: [ntlm, basic, digest, form, negotiate, fsso, rsso, ssh-publickey, saml, cert, x-auth-user, saml-sp, ztna-relay, oidc, entra-sso]
    • name Authentication scheme name. type: str
    • negotiate_ntlm (Alias name: negotiate-ntlm) Enable/disable negotiate authentication for NTLM (default = disable). type: str choices: [disable, enable]
    • require_tfa (Alias name: require-tfa) Enable/disable two-factor authentication (default = disable). type: str choices: [disable, enable]
    • saml_server (Alias name: saml-server) SAML configuration. type: list
    • saml_timeout (Alias name: saml-timeout) SAML authentication timeout in seconds. type: int
    • search_all_ldap_databases (Alias name: search-all-ldap-databases) Search all LDAP databases. type: str choices: [disable, enable]
    • ssh_ca (Alias name: ssh-ca) SSH CA name. type: list
    • user_cert (Alias name: user-cert) Enable/disable authentication with user certificate (default = disable). type: str choices: [disable, enable]
    • user_database (Alias name: user-database) Authentication server to contain user information; local (default) or 123 (for ldap). type: list
    • ems_device_owner (Alias name: ems-device-owner) EMS device owner. type: str choices: [disable, enable]
    • saml_idp_portal (Alias name: saml-idp-portal) External SAML IdP authentication portal URL. type: str
    • digest_algo (Alias name: digest-algo) Digest authentication algorithms. type: list choices: [md5, sha-256]
    • oidc_server (Alias name: oidc-server) OIDC server. type: list
    • oidc_timeout (Alias name: oidc-timeout) OIDC timeout. type: int
    • group_attr_type (Alias name: group-attr-type) Group attribute type used to match SCIM groups (default = display-name). type: str choices: [display-name, external-id]
    • digest_rfc2069 (Alias name: digest-rfc2069) Enable/disable support for the deprecated RFC 2069 digest client (no cnonce field, default = disable). type: str choices: [disable, enable]
    • external_idp (Alias name: external-idp) External identity provider configuration. type: list
    • auth_user_header (Alias name: auth-user-header) Auth user header. type: str
    • captcha Captcha. type: str choices: [disable, enable]
    • captcha_secret_key (Alias name: captcha-secret-key) Captcha secret key. type: str
    • captcha_site_key (Alias name: captcha-site-key) Captcha site key. type: str
    • captcha_vendor (Alias name: captcha-vendor) Captcha vendor. type: str choices: [google-recaptcha-v2-checkbox, google-recaptcha-v2-invisible, google-recaptcha-v3, cloudflare-turnstile]
    • cert_http_header (Alias name: cert-http-header) Enable/disable authentication with user certificate in the client-cert HTTP header (default = disable). type: str choices: [disable, enable]

Notes

  • Running in workspace locking mode is supported by this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control the lock.

  • To create or update an object, use state: present directive.

  • To delete an object, use the state: absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Authentication Schemes.
      fortinet.fmgdevice.fmgd_authentication_scheme:
        # bypass_validation: false
        # workspace_locking_adom: <global or your adom name>
        # workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        state: present # <value in [present, absent]>
        authentication_scheme:
          name: "your value" # Required variable, string
          # domain_controller: <list or string>
          # fsso_agent_for_ntlm: <list or string>
          # fsso_guest: <value in [disable, enable]>
          # kerberos_keytab: <list or string>
          # method:
          #   - "ntlm"
          #   - "basic"
          #   - "digest"
          #   - "form"
          #   - "negotiate"
          #   - "fsso"
          #   - "rsso"
          #   - "ssh-publickey"
          #   - "saml"
          #   - "cert"
          #   - "x-auth-user"
          #   - "saml-sp"
          #   - "ztna-relay"
          #   - "oidc"
          #   - "entra-sso"
          # negotiate_ntlm: <value in [disable, enable]>
          # require_tfa: <value in [disable, enable]>
          # saml_server: <list or string>
          # saml_timeout: <integer>
          # search_all_ldap_databases: <value in [disable, enable]>
          # ssh_ca: <list or string>
          # user_cert: <value in [disable, enable]>
          # user_database: <list or string>
          # ems_device_owner: <value in [disable, enable]>
          # saml_idp_portal: <string>
          # digest_algo:
          #   - "md5"
          #   - "sha-256"
          # oidc_server: <list or string>
          # oidc_timeout: <integer>
          # group_attr_type: <value in [display-name, external-id]>
          # digest_rfc2069: <value in [disable, enable]>
          # external_idp: <list or string>
          # auth_user_header: <string>
          # captcha: <value in [disable, enable]>
          # captcha_secret_key: <string>
          # captcha_site_key: <string>
          # captcha_vendor: <value in [google-recaptcha-v2-checkbox, google-recaptcha-v2-invisible, google-recaptcha-v3, ...]>
          # cert_http_header: <value in [disable, enable]>
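A concrete playbook, added here as an illustration rather than taken from the collection's own documentation, that creates a form-based scheme with two-factor authentication required, checks the module's return values, and then removes the scheme. The inventory group, device name, VDOM and scheme name are constructed placeholders; every module parameter is one listed above.

```yaml
- name: Manage a hardened authentication scheme (added example; names are constructed)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the scheme (state present)
      fortinet.fmgdevice.fmgd_authentication_scheme:
        workspace_locking_adom: root         # hold the workspace lock while editing
        workspace_locking_timeout: 300
        device: "fgt-branch-01"              # constructed device name
        vdom: "root"                         # constructed VDOM name
        state: present
        authentication_scheme:
          name: "corp-form-mfa"              # constructed scheme name
          method:
            - "form"
          require_tfa: "enable"              # a second factor is mandatory
          user_database:
            - "local"
      register: scheme_result

    - name: Stop the play if the API reported an error
      ansible.builtin.assert:
        that:
          - scheme_result.rc == 0
          - scheme_result.meta.response_code == 0
        fail_msg: "FortiManager returned {{ scheme_result.meta.response_message }}"

    - name: Remove the scheme when it is no longer needed (state absent)
      fortinet.fmgdevice.fmgd_authentication_scheme:
        device: "fgt-branch-01"
        vdom: "root"
        state: absent
        authentication_scheme:
          name: "corp-form-mfa"
```

The assert task uses the rc and meta.response_code fields documented under Return Values, so a non-zero API status aborts the play before the removal step runs.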

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • meta - The result of the request. returned: always type: dict
    • request_url - The full URL requested. returned: always type: str sample: /sys/login/user
    • response_code - The status of the API request. returned: always type: int sample: 0
    • response_data - The data body of the API response. returned: optional type: list or dict
    • response_message - The descriptive message of the API response. returned: always type: str sample: OK
    • system_information - The information of the target system. returned: always type: dict
  • rc - The status of the request. returned: always type: int sample: 0
  • version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter is not supported by the current FortiManager version type: list

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)