5.7.3 Configuring the Social Authentication Class

  1. Click Devices > Identity Servers > Edit > Local > Classes.

  2. Select New and specify a name for the class. For example, Social authenticator.

  3. Select Social Auth Class in the Java class list.

  4. Click Next.

  5. Click Add under Social Auth Providers to specify the authentication provider details.

    Auth Provider
      Select the authentication provider from the list, for example Facebook. Select Other to specify your own provider. Only the predefined providers have been verified for compatibility with Access Manager.

    Server Domain
      This field is applicable only for Itsme.

      The server domain and port number are prepopulated with the default value, for example idp.prd.itsme.services:443. This value indicates the Itsme production environment.

    Grant EndPoint
      This field is applicable only for Itsme.

      Specify the path of the Itsme authorization endpoint. The default value is /v2/authorization.

    Token EndPoint
      This field is applicable only for Itsme.

      Specify the path of the Itsme token endpoint. The default value is /v2/token.

    User Info EndPoint
      This field is applicable only for Itsme.

      Specify the path of the Itsme UserInfo endpoint. The default value is /v2/userinfo.

    Provider Name
      If you selected Other in Auth Provider, specify the provider name. This name is case-sensitive; the social auth class does not work unless this value is identical to the name used in the social authentication library.

      For example, the social authentication library names GitHub api.github.com, so Provider Name for GitHub must be api.github.com.

    Implementation Class
      (Optional) If you selected Other in Auth Provider, specify the back-end class that authenticates with this provider when the social authentication library has no built-in support for it.

    Consumer Key
      Specify the API key that you received when you registered Access Manager with the social authentication provider.

      If you selected Itsme in Auth Provider, specify the Itsme Project Code.

    Consumer Secret
      Specify the secret that you received when you registered Access Manager with the social authentication provider.

      If you selected Itsme in Auth Provider, specify the Itsme Service Provider Code.

    Public JWK URL
      This field is applicable only for Itsme. Specify the path of the endpoint that serves the Itsme public JWK set, which is used to verify the signatures on the tokens Itsme issues. The default value is /v2/jwkSet.

    (Optional) After adding a Social Auth Provider, you can edit its details by selecting its Provider Name. This is not available for providers configured with Other in Auth Provider.

  6. (Optional) Configure the User Identification settings if you need to perform actions on the logged-in user. By default, user authentication is done without mapping the social provider user to a local user.

    • Identify User Locally: Select this option to map the incoming user to an existing user in your user store. You can then apply an authorization policy to these users for access control. Configure the following parameters:

      Social Attribute
        Select an attribute that provides a unique user identity, for example Email. The value the social provider sends for this attribute is mapped to the local LDAP attribute selected in Local Attribute.

        The user is mapped when the value of Local Attribute equals the value of Social Attribute.

        Provisioning does not occur in the following cases:

        • Facebook or Google+ is the provider and you select DisplayName in Social Attribute. These providers do not have a DisplayName attribute.

        • Twitter is the provider and you select Email in Social Attribute. Twitter does not provide an email address.

      Custom Attribute
        Select Other in Social Attribute to enable this option. It lets you add any attribute that Itsme provides. For the list of attributes, see the Itsme OIDC documentation.

        NOTE: This field is applicable only for Itsme.

      Local Attribute
        Select an attribute, for example LDAP Attribute:mail [LDAP Attribute Profile]. The configured incoming attribute from the social provider is mapped to this local LDAP attribute.

        IMPORTANT: When you configure more than one social authentication provider, the local LDAP attribute must be multi-valued so that it can store the social attribute value from each provider.

      User Identifier
        Select this option next to the Local Attribute that identifies users during social authentication. For example, if you select LDAP Attribute:mail [LDAP Attribute Profile], the incoming social attribute is mapped to the user's local mail attribute on the first login, and that identifier is used to find the user on all subsequent logins.

        IMPORTANT: If the social provider does not supply the Social Attribute paired with the Local Attribute you select as User Identifier, the user is not authenticated. For example, Twitter does not provide an email address, so do not select mail as the User Identifier for Twitter.

    • Auto Provision User: Select this option to map an incoming attribute to an existing user in the local user store. The user is provisioned when the incoming attribute matches the local attribute. If the attributes do not match, the user must first authenticate locally; after that authentication, the social attribute is mapped and stored on the local user, so later logins match without the local step. A user can be auto-provisioned in two ways:

      SSPR
        Select this option to provision users by using details from Self Service Password Reset. This option is available only after you enable Self Service Password Reset. See Configuring Self Service Password Reset Server Details in Identity Server.

      User Input
        Select this option to prompt the user for the information needed for provisioning.

      NOTE: Auto Provision User is supported for Itsme in Access Manager 5.0 Service Pack 3 and later releases.

  7. Click + (Add Mapping) to add other social attributes.

  8. Click OK > Finish.

  9. Continue with creating a contract and a method for this class.

    For configuration information, see Section 5.1.3, Configuring Authentication Methods and Section 5.1.4, Configuring Authentication Contracts.
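The way the User Identifier, the attribute mappings and Auto Provision User of step 6 interact is easier to see in code. The following is an added Python model of that logic, not Access Manager code: the user store, the two mapping rules, the incoming claim sets and the local_auth callback are constructed assumptions. It shows why the local attribute must be multi-valued when more than one provider is configured, and why selecting mail as the User Identifier refuses a Twitter login that carries no email.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    social_attribute: str          # attribute from the provider, e.g. "Email"
    local_attribute: str           # local LDAP attribute, e.g. "mail"
    user_identifier: bool = False  # the single rule used to find the user


class SocialAuthError(Exception):
    """Login refused: the provider did not send the User Identifier attribute."""


# Constructed local user store: DN -> {attribute: [values]}. Each local
# attribute is multi-valued so that one value per social provider fits.
USER_STORE = {
    "cn=alice,ou=users,o=example": {
        "mail": ["alice@example.com"],
        "displayName": ["Alice Example"],
    },
}

# Constructed mapping: Email -> mail is the User Identifier; DisplayName ->
# displayName is a second mapping added with + (Add Mapping).
RULES = (
    MappingRule("Email", "mail", user_identifier=True),
    MappingRule("DisplayName", "displayName"),
)


def fresh_store():
    """Deep copy of USER_STORE so each login scenario starts clean."""
    return {dn: {k: list(v) for k, v in attrs.items()}
            for dn, attrs in USER_STORE.items()}


def identifier_rule(rules):
    ident = [r for r in rules if r.user_identifier]
    if len(ident) != 1:
        raise ValueError("exactly one mapping must be marked User Identifier")
    return ident[0]


def find_local_user(claims, rules, store):
    """Return the DN whose identifier attribute holds the incoming social
    value, or None when no local user matches."""
    rule = identifier_rule(rules)
    value = claims.get(rule.social_attribute)
    if value is None:
        # Twitter sends no Email: an Email identifier cannot be evaluated.
        raise SocialAuthError(f"provider did not supply {rule.social_attribute}")
    for dn, attrs in store.items():
        if value in attrs.get(rule.local_attribute, []):
            return dn
    return None


def store_social_attributes(dn, claims, rules, store):
    """Map every configured social attribute onto the local user, appending
    to the multi-valued attribute so values from other providers survive."""
    attrs = store[dn]
    for rule in rules:
        value = claims.get(rule.social_attribute)
        if value is None:
            continue  # provider lacks this attribute: skip it, do not fail
        values = attrs.setdefault(rule.local_attribute, [])
        if value not in values:
            values.append(value)
    return attrs


def social_login(claims, rules, store, local_auth=None):
    """Identify User Locally combined with Auto Provision User.

    Returns ("identified", dn) when the identifier matches a local user and
    ("refused", None) when the provider omitted the identifier attribute.
    Otherwise the user must authenticate locally: local_auth() returns the
    DN the user proved with local credentials (User Input or SSPR), the
    social attributes are stored on that user, and later logins match by
    identifier alone.
    """
    try:
        dn = find_local_user(claims, rules, store)
    except SocialAuthError:
        return ("refused", None)
    if dn is not None:
        return ("identified", dn)
    if local_auth is None:
        return ("local_auth_required", None)
    dn = local_auth()
    store_social_attributes(dn, claims, rules, store)
    return ("provisioned", dn)


if __name__ == "__main__":
    store = fresh_store()
    print(social_login({"Email": "alice@example.com"}, RULES, store))
    print(social_login({"DisplayName": "alice_tw"}, RULES, store))  # no Email
```

After a provisioning login from a second provider, alice's mail attribute holds two values; had it been single-valued, the second provider's value would have overwritten the first and the original provider's logins would stop matching.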

IMPORTANT:

  • With the latest Facebook API, the user's email address is no longer shared by default. For social authentication with Facebook in Access Manager, configure the following property in the social authentication method so that the email permission is requested:

    graph.facebook.com.custom_permissions = email

  • When you configure a Facebook application for integrating Access Manager with Facebook, ensure that you deselect the Require App Secret advanced setting. For more information about integrating Access Manager with Facebook, see Integrating Access Manager with Facebook.

  • For Itsme, the supported attributes are:

    • UniqueID

    • FamilyName

    • FullName

    • Email

    • EmailVerified

    • PhoneNumber

    • PhoneNumberVerified