5.7 Social Authentication

Access Manager supports authentication through external OAuth providers such as Facebook, Google+, Twitter, LinkedIn, and so on.

Social authentication simplifies the login experience for users and does not require maintaining large user stores. Businesses, universities, and government entities can leverage social identity providers to share the selected identity information for authentication via OAuth tokens. Login with social identities is convenient for users, which improves customer satisfaction and increases registration levels.

You can configure this authentication through the SocialAuthClass. Access Manager supports the following social providers:

  • Facebook

  • Google+

  • LinkedIn

  • Twitter

  • Yahoo

  • Hotmail

  • Salesforce

  • AOL

  • Foursquare

  • Myspace

  • Instagram

  • Mendeley

  • Yammer

  • GitHub

  • Itsme


For information about configuring supported social authentication providers for API Keys and API Secrets, see Configuring Supported Social Authentication Providers for API Keys and API Secrets.

5.7.1 Why and When to Use Social Authentication

You can consider authentication through external OAuth providers in the following scenarios:

  • Allow external users to access a secure resource

    For example, you may want your customers and partners to access https://forums.novell.com. Creating and managing external users is a hassle for you and the user.

    Users will be allowed to sign in with their Facebook or Yahoo ID. Social authentication providers give Access Manager a set of logged-in user’s attributes. Therefore, you will get the users’ data without maintaining it. Access Manager can use this user data and perform the required actions based on that.

  • Apply policies to restrict users' access to a protected resource

    When you select the Identify User Locally option, the users’ social details are mapped to the local user. You can apply authorization policies based on the users’ attributes.

    For example, if Joe is a Facebook user, you can match the attributes of Joe in the local user store based on a rule and apply an authorization policy to access a protected resource. You want to apply policies on an incoming user. For example, your enterprise user 'Bob' has logged into https://forums.novell.com/ with a social identity. You may want to identify that 'Bob' is your local user and provide him with forum moderator privileges. The Identify User Locally option lets you map a social user to your local user and apply appropriate policies.

  • Simplify user login

    You may want to keep the user in your user stores and make the registration process easy for the users. Social authentication saves the user from remembering another identity. Users can log in with their social identity, and Auto Provision User maps the specified attribute of the incoming user to an existing user in the local user store. If the attribute matches, the user is provisioned; otherwise, the user is prompted for local user authentication.

  • Personalized web content in business to consumer scenarios

    Organizations want to provide personalized services and information to individuals. The common approach of creating individual identities for users is costly for the organization and inconvenient for the user. Social authentication allows users to log in with their preferred form of identity. This simplifies the login experience for customers, increases the registration levels, and lowers IT costs.

  • Step up authentication

    You want to prompt for additional authentication when users try to access sensitive information. Access Manager provides options to configure multiple contracts for protected resources. When users access these resources, Access Manager prompts them to authenticate with a second-factor method, such as their corporate identity or an OTP.

5.7.2 Prerequisites for Social Authentication

  • Access Manager is configured with the social authentication providers.

  • API keys and API secrets are available for establishing federation between Access Manager and the social provider.

5.7.3 Configuring the Social Authentication Class

  1. Click Devices > Identity Servers > Edit > Local > Classes.

  2. Select New and specify a name for the class. For example, Social authenticator.

  3. Select Social Auth Class in the Java class list.

  4. Click Next.

  5. Click Add under Social Auth Providers to specify the authentication provider details.

    Field

    Description

    Auth Provider

    Select the authentication provider from the list. For example, Facebook. Select Other to specify your own providers. Only the predefined providers have been verified for compatibility with Access Manager.

    Server Domain

    This field is applicable only for Itsme.

    The server domain ID and the port number are pre-populated with the default value. For example, idp.prd.itsme.services:443. This value states that the server is the production environment of Itsme.

    Grant EndPoint

    This field is applicable only for Itsme.

    Specify the Authorization endpoint URL of Itsme. The default value is /v2/authorization.

    Token EndPoint

    This field is applicable only for Itsme.

    Specify the Token endpoint URL of Itsme. The default value is /v2/token.

    User Info EndPoint

    This field is applicable only for Itsme.

    Specify the User Info endpoint URL of Itsme. The default value is /v2/userinfo.

    Provider Name

    If you have selected Other in Auth Provider, specify the provider name. This name is case-sensitive. The social auth class does not work if this value is not identical to the name specified in the social authentication library.

    For example, the provider name for GitHub is api.github.com in the social authentication library. So, Provider Name for GitHub must be api.github.com.

    Implementation Class

    (Optional) If you have selected Other in Auth Provider, specify a back-end class to authenticate with this provider if this provider is not supported.

    Consumer Key

    Specify the API key that you received when you registered Access Manager with the social authentication provider.

    If you have selected Itsme in Auth Provider, specify the Project Code of Itsme.

    Consumer Secret

    Specify the secret that you received when you registered Access Manager with the social authentication provider.

    If you have selected Itsme in Auth Provider, specify the Service Provider Code of Itsme.

    Public JWK URL

    This field is applicable only for Itsme. Specify the URL that contains the public JWK keys of Itsme. The default value is /v2/jwkSet.

    (Optional) After adding a Social Auth Provider, you can edit its details by selecting the Provider Name. This capability is available for all Social Auth Providers except for any provider configured using Other Auth Provider.

  6. (Optional) Configure the User Identification settings if you need to perform actions on the logged-in user. By default, user authentication is done without mapping the social provider user to a local user.

    • Identify User Locally: Select this option to map the incoming user to an existing user in your user store. You can apply an authorization policy for these incoming users to provide access control. Configure the following parameters:

      Field

      Description

      Social Attribute

      Select an attribute that provides a unique user identity. For example, Email. The user email ID provided in a social website is mapped to the user’s local LDAP attribute in Local Attribute.

      User mapping is done if the value of Local Attribute is equal to the value of Social Attribute.

      Provisioning does not occur in the following scenarios:

      • If Facebook or Google+ is the service provider and you select DisplayName in Social User Attribute. These providers do not have the DisplayName attribute.

      • If Twitter is the service provider and you select Email in Social User Attribute.

      Custom Attribute

      Select Other in Social Attribute to enable this option. This option allows you to add any of the attributes provided by Itsme. For more information about the attributes, see Itsme OIDC Documentation.

      NOTE: This field is applicable only for Itsme.

      Local Attribute

      Select an attribute. For example, LDAP Attribute:mail [LDAP Attribute Profile]. The incoming configured attribute from the social website is mapped to the user’s local LDAP attribute.

      IMPORTANT: When you configure more than one social authentication provider, the Local User LDAP attribute must be a multi-valued attribute. This is required to store the social attributes corresponding to each social provider.

      User Identifier

      Select this option adjacent to Local Attribute that you want to use in identifying users during social authentication. For example, if you select LDAP Attribute:mail [LDAP Attribute Profile], the incoming configured social attribute from the social website is mapped to a user’s local LDAP Attribute:mail [LDAP Attribute Profile] when the user logs in for the first time. The user identifier is used to identify the user for all subsequent logins.

      IMPORTANT: If you select a Local User Attribute as User Identifier and if its respective Social Attribute is not provided by the social provider, the user will not be authenticated. For example, Twitter does not provide email, so you should not select email as User Identifier.

    • Auto Provision User: Select this option to map an incoming user-specified attribute to an existing user in the local user store. A user is provisioned when the incoming attribute matches the local attribute. If the attributes do not match, the user needs to perform local user authentication. After authentication, the user attribute is mapped and stored. The following are two ways to auto provision a user:

      Field

      Description

      SSPR

      Select this option to provision users by using details from Self Service Password Reset. This option is available after you enable Self Service Password Reset. See Configuring Self Service Password Reset Server Details in Identity Server.

      User Input

      Select this option to prompt a user to provide the information for provisioning.

      NOTE: Auto Provision User is supported for Itsme in Access Manager 5.0 Service Pack 3 and later releases.

  7. Click + (Add Mapping) to add other social attributes.

  8. Click OK > Finish.

  9. Continue with creating a contract and a method for this class.

    For configuration information, see Section 5.1.3, Configuring Authentication Methods and Section 5.1.4, Configuring Authentication Contracts.

IMPORTANT:

  • With the latest Facebook API, the user's email address is no longer shared by default. For social authentication with Facebook in Access Manager, configure the following properties in the social authentication method:

    graph.facebook.com.custom_permissions = email

  • When you configure a Facebook application for integrating Access Manager with Facebook, ensure that you deselect the Require App Secret advanced setting. For more information about integrating Access Manager with Facebook, see Integrating Access Manager with Facebook.

  • For Itsme, the supported attributes are:

    • UniqueID

    • FamilyName

    • FullName

    • Email

    • EmailVerified

    • PhoneNumber

    • PhoneNumberVerified

5.7.4 How Social Authentication Works With Access Manager

To complete social authentication, Identity Server maps the social attribute value in the token to the local user attribute value. The local attribute must be set in the following format:

<socialprovidername>:<social attribute value>

For example, consider that the social authentication class properties are set as follows:

  • Identify User Locally: Selected

  • Local User LDAP attribute: Ldap Attribute:mail

  • Social User Attribute: Email

  • Auto Provision User: Selected

  • Social Auth Provider: Facebook

As the Auto Provision User setting is enabled, after authentication in Facebook, the user is asked for a one-time local login. During this process, this user's mail attribute is updated with the social attribute value as facebook:<social-email-address>. Subsequent logins from the same user are seamless, and the user is identified automatically.

If the Auto Provision User setting is disabled, Access Manager verifies that the local user LDAP attribute mail value is facebook:<social-email-address> for the authentication to succeed.

IMPORTANT: The attribute value is set with the provider's name.
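How the Identify User Locally and Auto Provision User settings from Section 5.7.3 resolve a login against the <socialprovidername>:<social attribute value> mapping described above, as an added Python model that is not Access Manager code. The in-memory user store, user names and e-mail addresses are constructed sample data; lowercasing provider names other than Facebook for the prefix is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    uid: str
    # Multi-valued LDAP attributes, e.g. {"mail": ["alice@example.com"]}
    attrs: dict = field(default_factory=dict)


class UserStore:
    """Minimal in-memory stand-in for the local LDAP user store (constructed)."""
    def __init__(self, users, multi_valued=("mail",)):
        self.users = {u.uid: u for u in users}
        self.multi_valued = set(multi_valued)

    def find_by_attr(self, attr, value):
        for user in self.users.values():
            if value in user.attrs.get(attr, []):
                return user
        return None

    def add_value(self, uid, attr, value):
        values = self.users[uid].attrs.setdefault(attr, [])
        if attr in self.multi_valued:
            if value not in values:
                values.append(value)
        else:
            # A single-valued attribute holds one mapping only, so a second
            # provider overwrites the first: why the page requires multi-valued.
            values[:] = [value]


def mapped_value(provider, social_value):
    """Stored format: <socialprovidername>:<social attribute value>. The page
    shows 'facebook' for Facebook; lowercasing other names is an assumption."""
    return f"{provider.lower()}:{social_value}"


def identify_user(store, provider, token_attrs, social_attr="Email",
                  local_attr="mail", auto_provision=False, local_login_uid=None):
    """Resolve one social login and return (status, uid). token_attrs are the
    attributes in the provider's token; local_login_uid is the result of the
    one-time local login that Auto Provision User prompts for (None = not yet)."""
    if social_attr not in token_attrs:
        # Provider did not return the configured Social Attribute (e.g. Twitter
        # has no Email), so the user is not authenticated.
        return ("rejected", None)
    value = mapped_value(provider, token_attrs[social_attr])
    user = store.find_by_attr(local_attr, value)
    if user is not None:
        return ("identified", user.uid)
    if not auto_provision:
        # Identify User Locally alone: the mapping must already exist locally.
        return ("rejected", None)
    if local_login_uid is None:
        return ("local_login_required", None)
    store.add_value(local_login_uid, local_attr, value)
    return ("provisioned", local_login_uid)


def demo():
    store = UserStore([LocalUser("alice", {"mail": ["alice@example.com"]})])
    fb = {"Email": "alice@example.com", "FullName": "Alice"}  # constructed token
    steps = [identify_user(store, "Facebook", fb, auto_provision=True),
             identify_user(store, "Facebook", fb, auto_provision=True,
                           local_login_uid="alice"),
             identify_user(store, "Facebook", fb),
             identify_user(store, "Twitter", {"ScreenName": "alice_t"})]
    return steps, store.users["alice"].attrs["mail"]
```

The first Facebook login requires the one-time local login, the second stores facebook:alice@example.com in the multi-valued mail attribute, the third is identified without a prompt, and the Twitter login is rejected because the token carries no Email.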

5.7.5 Adding Images for Social Authentication Providers

  1. Click Devices > Identity Servers > Shared Settings > Authentication Card Images > New.

  2. Specify the following details:

    Field

    Action

    Name

    Specify a name for the image.

    Description

    Specify the purpose of the image.

    File

    Click Browse, locate the image file, and click Open.

    Locale

    Select the language for the card or select All Locales if the card can be used with all languages.

  3. Click OK.

  4. If you did not select All Locales, continue with Creating an Image Set.

  5. Add all the required images and click Close.

    After configuring Identity Server with required social authentication provider images, the login page displays these images. You can select an image and access the social providers you have added when you access the Identity Server URL.

For information about adding images, see Adding Authentication Card Images.

5.7.6 Changing the Default Icons of Social Authentication Providers

  1. Open the socialauth_icons.jsp file. This file lists all supported providers and their corresponding public URL locations.

    For information about how to open and modify a file, see Modifying Configurations.

  2. To change the icon of a particular provider, go to the icon variable name of that provider and replace the existing URL location with the required URL location.

    You can change the other icons defined in the JSP file in the same way.

5.7.7 Configuring Supported Social Authentication Providers for API Keys and API Secrets

Access Manager requires API Keys and API Secrets from the supported social authentication providers to integrate with these providers. Follow the steps to configure the supported applications and to get keys from the social authentication providers. You can integrate with Facebook, LinkedIn, Twitter, and Google+. For other providers, see Configuring the Social Authentication Class.

Integrating Access Manager with Facebook

IMPORTANT: The information in the following sections might change and might not match the social networking provider's interface when you create an application. The following information is for reference only and can vary based on the provider's configuration page.

Perform the following steps to generate the API Key and API Secret with Facebook:

  1. Create a Facebook application for community.

    1. Log in to Facebook and access the Application page.

    2. Click Add a New App.

    3. Select Website as the platform.

    4. Click Skip and Create App ID.

    5. Specify the following details on the Create a New App ID screen:

      • Display Name: Specify a name for the web application.

      • Contact Email: Specify the email address.

      • Category: Select a category from the list.

    6. Click Create App ID.

    7. Solve the Captcha and click Submit.

    8. Click Facebook Login > Get Started.

      • Valid OAuth redirect URIs: Specify the identity provider redirect URI. For example: https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp.

      • Deauthorise Callback URL: Specify the identity provider URI. For example: https://<IDP URL>:<Port Number>/nidp/app.

    9. Click Save Changes.

    10. Navigate to the Dashboard page.

    11. Click Show to display App Secret.

    12. Copy the values of App ID and App Secret. You will need these values when you configure Facebook with Access Manager.

    13. Click Settings. In the Basic tab, review the details.

    14. Click Advanced and review the details.

      NOTE: Ensure that Require App Secret is not selected.

    15. Click App Review, enable Make DemoApp public, then select Confirm to make this application and all its live features available. By default, NO is selected.

    16. Navigate to the Dashboard page.

      The application status changes to Green and is online.

  2. Configure the Facebook application settings in Access Manager. Use the App ID and App Secret to configure Facebook as a social authentication provider.

Integrating Access Manager with LinkedIn

IMPORTANT: The information in the following sections might change and might not match the social networking provider's interface when you create an application. The following information is for reference only and can vary based on the provider's configuration page.

Perform the following steps to generate the API Key and API Secret for LinkedIn:

  1. Create a LinkedIn application.

    1. Log in to LinkedIn and access the Application page.

    2. Click Create Application.

    3. Select the existing Company Name from the list or create a new Company Name.

    4. Specify the following details on the Create a New Application screen:

      • Company Name: Specify the name of the company.

      • Name: Specify the name of the application.

      • Description: Specify a description of the application.

      • Application Logo: Upload an image for the application.

      • Application Use: Select a category from the list.

      • Website URL: Specify a URL or identity provider URL.

      • Business Email: Specify your business email address.

      • Business Phone: Specify your business phone number.

      • Accept the agreement, then click Submit.

    5. Copy the values of Client ID and Client Secret. These values are required when you configure the LinkedIn provider with Access Manager.

  2. Configure the LinkedIn application settings in Access Manager. Access Manager uses the App ID and App Secret to configure LinkedIn.

Integrating Access Manager with Twitter

IMPORTANT: The information in the following sections might change and might not match the social networking provider's interface when you create an application. The following information is for reference only and can vary based on the provider's configuration page.

Perform the following steps to generate the API Key and API Secret for Twitter.

  1. Create a Twitter application.

    1. Log in to Twitter and access the Application page.

    2. Click Create New App.

    3. Specify the following details on the Create an Application page:

      • Name: Specify a name for the web application.

      • Description: Specify a description for the web application.

      • Website: Specify the application URL.

      • Callback URL: Specify the identity provider redirect URI. For example, https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp

    4. Accept the license and click Create your Twitter Application.

      The App name, description, consumer key, and the callback URL are displayed.

    5. Go to the Keys and Access Tokens tab and make a note of the Consumer Key and Consumer Secret.

      You will need these values when you configure Twitter as a service provider with Access Manager.

    6. Click Create my access token to authorize the application to access accounts.

  2. Configure the Twitter application settings in Access Manager. Access Manager uses the App ID and App Secret to configure Twitter.

Integrating Access Manager with Google+

IMPORTANT: The information in the following sections might change and might not match the social networking provider's interface when you create an application. The following information is for reference only and can vary based on the provider's configuration page.

Perform the following steps to generate the API Key and API Secret for Google+.

  1. Create a Google+ application.

    1. Log in to Google and access the Application page.

    2. Click Credentials and create a project.

    3. In APIs Credentials, click Create credentials, and select OAuth client ID.

    4. Click Configure consent screen to set a product name on the consent screen.

    5. Specify a product name and click Save.

      The remaining fields are optional. The Email address is auto-populated.

    6. In Create client ID page, specify the following:

      Field

      Description

      Application Type

      Select Web application.

      Name

      Specify a name for the web application.

      Authorized JavaScript origins

      This is an optional field.

      Authorized redirect URIs

      Specify the identity provider redirect URI. For example,

      https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp

    7. Copy the OAuth client ID and secret. These values are required when you configure Google+ with Access Manager.

  2. Configure the Google+ application settings in Access Manager. Access Manager uses the App ID and App Secret to configure Google+.

Integrating Access Manager with Itsme

(Available in Access Manager 5.0 Service Pack 2 and later.)

IMPORTANT: The information in the following sections might change and might not match the social networking provider's interface when you create an application. The following information is for reference only and can vary based on the provider's configuration page.

To integrate Access Manager with Itsme, contact Itsme and register Access Manager as a client in Itsme. For more information about the process, see the Itsme OIDC Documentation.

You must provide the following details to Itsme to complete the registration:

  • JWKS URL of Access Manager

    https://<idp server>:<port>/nidp/rest/v1/jwks

  • Redirect URI

    https://<idp server>:<port>/nidp/jsp/socialauth_return.jsp

You will get the Project Code and the Service Code from Itsme. These values are used while configuring Access Manager. For more information about integrating Access Manager with Itsme, see Section 5.7.3, Configuring the Social Authentication Class.
