kiri
Staff
Article Id 327225
Description This article describes how to configure Nextcloud and FortiAuthenticator for OpenID Connect (OIDC) authentication.
Scope FortiTrust Identity and FortiAuthenticator v6.5, v6.6.
Solution

This has been tested with the following versions:

  • FortiTrust Identity 6.6.1.
  • Nextcloud Hub 8 (29.0.3).
  • OpenID Connect user backend v5.0.3.


FortiAuthenticator:

See this section of the documentation for info about OIDC limitations with FortiAuthenticator.


  1. Create/import users, and add them to some group.
  2. Define a realm with the user base.
  3. Define a portal with the realm.
  4. Define a policy with the portal.
  5. Define scopes and claims.
  6. Start defining a relying party, copy the Redirect URI from step 8, and Save.

    https://<NEXTCLOUDFQDN>/apps/user_oidc/code
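Before wiring the relying party to Nextcloud it is worth checking two things the steps above depend on: that the discovery document the Nextcloud app will consume is complete (issuer, endpoints, JWKS, the scopes defined in step 5) and served over HTTPS, and that the Redirect URI typed into the relying party is a byte-for-byte match of the one Nextcloud sends, because the IdP must reject anything else. The script below is an added example and not code from the article, Fortinet or Nextcloud; the discovery JSON is constructed for illustration and the host names are placeholders. In a real check, fetch the document from the discovery endpoint given in the Nextcloud steps and pass its body to `check_discovery`.

```python
"""Sanity-check an OIDC discovery document and a relying-party redirect URI.

Added example, not Fortinet's or Nextcloud's code. SAMPLE_DISCOVERY is a
CONSTRUCTED stand-in for the JSON served at
https://<FACFQDN>/api/v1/oauth/.well-known/oauth-authorization-server/
"""
import json
from urllib.parse import urlsplit

# Constructed sample: field names are the standard RFC 8414 / OIDC Discovery
# ones, the values are placeholders for a FortiAuthenticator named fac.example.test.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://fac.example.test/api/v1/oauth",
    "authorization_endpoint": "https://fac.example.test/api/v1/oauth/authorize/",
    "token_endpoint": "https://fac.example.test/api/v1/oauth/token/",
    "jwks_uri": "https://fac.example.test/api/v1/oauth/jwks/",
    "userinfo_endpoint": "https://fac.example.test/api/v1/oauth/userinfo/",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "name", "email", "groups"],
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json, scopes_needed):
    """Return a list of problems; an empty list means the document is usable."""
    doc = json.loads(doc_json)
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing {field}")
        elif urlsplit(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
    issuer_host = urlsplit(doc.get("issuer", "")).netloc
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field in doc and urlsplit(doc[field]).netloc != issuer_host:
            problems.append(f"{field} host differs from issuer host")
    missing = sorted(set(scopes_needed) - set(doc.get("scopes_supported", [])))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(missing))
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("server advertises unsigned ID tokens (alg none)")
    return problems


def expected_redirect_uri(nextcloud_fqdn):
    """The callback the Nextcloud user_oidc app registers (from the article)."""
    return f"https://{nextcloud_fqdn}/apps/user_oidc/code"


def redirect_uri_problems(configured, nextcloud_fqdn):
    """Compare the Redirect URI entered in the relying party with the one
    Nextcloud will send. The IdP has to match it exactly, so any deviation
    here shows up later as a rejected authorization request."""
    expected = expected_redirect_uri(nextcloud_fqdn)
    c, e = urlsplit(configured), urlsplit(expected)
    problems = []
    if c.scheme != "https":
        problems.append("scheme must be https")
    if c.netloc.lower() != e.netloc.lower():
        problems.append(f"host {c.netloc!r} != {e.netloc!r}")
    if c.path != e.path:
        problems.append(f"path {c.path!r} != {e.path!r} (watch trailing slashes)")
    if c.query or c.fragment:
        problems.append("query or fragment not allowed in the redirect URI")
    if not problems and configured != expected:
        problems.append("not an exact match")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, ["openid", "profile", "email", "groups"]))
    print(redirect_uri_problems("http://cloud.example.test/apps/user_oidc/code/",
                                "cloud.example.test"))
```

The host comparison between the endpoints and the issuer catches a discovery document that points the client at a different server than the one it trusts, and the `alg none` check flags an IdP configuration under which ID tokens would not be signed at all.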


Nextcloud:

  7. Install the OpenID Connect user backend app.
  8. Register a new provider.
  9. Copy the Client ID and Client secret from step 6.
  10. Set the discovery endpoint to: https://<FACFQDN>/api/v1/oauth/.well-known/oauth-authorization-server/

See the documentation.

  11. Under Authentication and Access control Settings, disable Use unique user id and enable Use group provisioning.

  12. Match the scopes and claims from step 5, then Submit. Log out and test the OIDC login.
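The scopes and claims matched here are what the Nextcloud app reads out of the ID token after it has verified the token's signature against the IdP's JWKS. The example below is added here and is not code from the article, Fortinet or Nextcloud: it shows the claim checks a relying party must perform on the decoded payload (issuer, audience, expiry, nonce) and then models how the user id and group list are derived from the claims when Use unique user id is disabled and Use group provisioning is enabled. The claim values are constructed, and the Nextcloud-side behaviour (a readable username from `sub` versus an opaque hashed id) is a simplified model of the app, stated as an assumption rather than its exact code.

```python
"""Validate ID token claims and derive the Nextcloud account from them.

Added example, not the article's or the projects' code. Signature
verification against jwks_uri is assumed to have happened already; the
claims below are CONSTRUCTED and the Nextcloud provisioning logic is a
simplified model of the user_oidc settings discussed in the article.
"""
import hashlib
import time

# Constructed ID token payload, shaped like the claims a FortiAuthenticator
# relying party returns once scopes and claims are matched on both sides.
SAMPLE_CLAIMS = {
    "iss": "https://fac.example.test/api/v1/oauth",
    "aud": "nextcloud-client-id",   # the Client ID copied from the relying party
    "sub": "testuser",
    "iat": 1721664871,              # constructed epoch seconds
    "exp": 1721665171,              # iat + 5 minutes (constructed)
    "nonce": "n-0S6_WzA2Mj",        # constructed, must equal the one Nextcloud sent
    "name": "Test User",
    "email": "testuser@example.test",
    "groups": ["nextcloud-users", "admins-fac"],
}


def validate_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now=None):
    """Return a list of problems; empty means the payload may be trusted.
    These are the payload checks from OIDC Core section 3.1.3.7."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("token not issued for this client (aud)")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


def nextcloud_account(claims, provider_id, use_unique_user_id):
    """Derive the Nextcloud user id and the groups to provision.

    Assumed model: with Use unique user id enabled the app builds an opaque
    id from the provider and the subject (sha256 here); with it disabled, as
    in the article, the raw subject becomes the Nextcloud username, which is
    readable but can collide with a local account of the same name. The group
    list comes from the groups claim matched in the settings."""
    sub = claims["sub"]
    if use_unique_user_id:
        uid = hashlib.sha256(f"{provider_id}_{sub}".encode()).hexdigest()
    else:
        uid = sub
    groups = claims.get("groups", [])
    if isinstance(groups, str):
        groups = [g for g in groups.split(",") if g]  # some IdPs send a CSV string
    return {
        "uid": uid,
        "displayname": claims.get("name", sub),
        "email": claims.get("email"),
        "groups": sorted(set(groups)),
    }


if __name__ == "__main__":
    issuer, client = "https://fac.example.test/api/v1/oauth", "nextcloud-client-id"
    print(validate_id_token_claims(SAMPLE_CLAIMS, issuer, client, "n-0S6_WzA2Mj", now=1721664900))
    print(nextcloud_account(SAMPLE_CLAIMS, "fac", use_unique_user_id=False))
```

The nonce check is what ties the ID token to the login attempt the browser started; the expiry and audience checks stop a token minted for another client, or an old one, from being accepted. Because group provisioning replaces the user's Nextcloud group membership with the claim contents, the group names on the FortiAuthenticator side should be reviewed before enabling it.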

  13. Select the OIDC login button at the bottom of the page.
  14. Enter the credentials in the FortiAuthenticator login dialog box and select Authorize.
  15. The account is provisioned on Nextcloud, along with the groups the user is a member of, and the user is logged in.
  16. FortiAuthenticator login event:

Log Record Detail
ID 7129
Timestamp Mon Jul 22 16:14:31 2024
Level information
Action
Status
Source IP
Message Successful OAuth login
User testuser
Log Type
Type Id 20000
Name Authentication OK
Sub Category Authentication
Category Event
Description Authentication successful (general)