5.6.3 Configuring the Social Authentication Class

  1. Click Devices > Identity Servers > Edit > Local > Classes.

  2. Select New and specify a name for the class. For example, Social authenticator.

  3. Select Social Auth Class in the Java class list.

  4. Click Next.

  5. Click Add under Social Auth Providers to specify the authentication provider details.

    Field

    Description

    Auth Provider

    Select the authentication provider from the list. For example, Facebook. Select Other to specify your own providers. Only the predefined providers have been verified for compatibility with Access Manager.

    Server Domain

    This field is applicable only for Itsme.

    The server domain ID and the port number are populated based on the default value. For example, idp.prd.itsme.services:443. This value states that the server is the production environment of Itsme.

    Grant EndPoint

    This field is applicable only for Itsme.

    Specify the Authorization endpoint URL of Itsme. The default value is /v2/authorization.

    Token EndPoint

    This field is applicable only for Itsme.

    Specify the Token endpoint URL of Itsme. The default value is /v2/token.

    User Info EndPoint

    This field is applicable only for Itsme.

    Specify the User Info endpoint URL of Itsme. The default value is /v2/userinfo.

    Provider Name

    If you have selected Other in Auth Provider, specify the provider name. This name is case-sensitive. The social auth class does not work if this value is not identical to the name specified in the social authentication library.

    For example, the provider name for GitHub is api.github.com in the social authentication library. So, Provider Name for GitHub must be api.github.com.

    Implementation Class

    (Optional) If you have selected Other in Auth Provider, specify a back-end class to authenticate with this provider if this provider is not supported.

    Consumer Key

    Specify the API key that you received when you registered Access Manager with the social authentication provider.

    If you have selected Itsme in Auth Provider, specify the Project Code of Itsme.

    Consumer Secret

    Specify the secret that you received when you registered Access Manager with the social authentication provider.

    If you have selected Itsme in Auth Provider, specify the Service Provider Code of Itsme.

    Public JWK URL

    This field is applicable only for Itsme. Specify the URL that contains the public JWK keys of Itsme. The default value is /v2/jwkSet.

    (Optional) After adding a Social Auth Provider, you can edit its details by selecting the Provider Name. This capability is available for all Social Auth Providers except for any provider configured using Other Auth Provider.

  6. (Optional) Configure the User Identification settings if you need to perform actions on the logged-in user. By default, user authentication is done without mapping the social provider user to a local user.

    • Identify User Locally: Select this option to map the incoming user to an existing user in your user store. You can apply an authorization policy for these incoming users to provide access control. Configure the following parameters:

      Field

      Description

      Social Attribute

      Select an attribute that provides a unique user identity. For example, Email. The user email ID provided in a social website is mapped to the user’s local LDAP attribute in Local Attribute.

      User mapping is done if the value of Local Attribute is equal to the value of Social Attribute.

      Provisioning does not occur in the following scenarios:

      • If Facebook or Google+ is the service provider and you select DisplayName in Social User Attribute. These providers do not have the DisplayName attribute.

      • If Twitter is the service provider and you select Email in Social User Attribute.

      Local Attribute

      Select an attribute. For example, LDAP Attribute:mail [LDAP Attribute Profile]. The incoming configured attribute from the social website is mapped to the user’s local LDAP attribute.

      IMPORTANT:When you configure more than one social authentication providers, the Local User LDAP attribute must be a multi-valued attribute. This is required to store the social attributes corresponding to each social provider.

      User Identifier

      Select this option adjacent to Local Attribute that you want to use in identifying users during social authentication. For example, if you select LDAP Attribute:mail [LDAP Attribute Profile], the incoming configured social attribute from the social website is mapped to a user’s local LDAP Attribute:mail [LDAP Attribute Profile] when the user logs in for the first time. The user identifier is used to identify the user for all subsequent logins.

      IMPORTANT:If you select a Local User Attribute as User Identifier and if its respective Social Attribute is not provided by the social provider, the user will not be authenticated. For example, Twitter does not provide email, so you should not select email as User Identifier.

      NOTE:When configuring Itsme as the social auth provider, consider the following points:

      • The user must be added to the LDAP repository if Identify User Locally is selected.

      • The Email or PhoneNumber attribute must be added and it must be the same as provided to Itsme.

    • Auto Provision User Using: Select this option to map an incoming user-specified attribute to an existing user in the local user store. A user is provisioned when the incoming attribute matches with the local attribute. If attributes do not match, the user needs to perform the local user authentication. After authentication, the user attribute is mapped and stored. The following are two ways to auto provision a user:

      Field

      Description

      SSPR

      Select this option to provision users by using details from Self Service Password Reset. This option is available after you enable Self Service Password Reset. See Configuring Self Service Password Reset Server Details in Identity Server.

      User Input

      Select this option to prompt a user to provide the information for provisioning.

      NOTE:Auto Provision User is not supported for Itsme.

  7. Click + (Add Mapping) to add other social attributes.

  8. Click OK > Finish.

  9. Continue with creating a contract and a method for this class.

    For configuration information, see Section 5.1.3, Configuring Authentication Methods and Section 5.1.4, Configuring Authentication Contracts.

IMPORTANT:

  • With the latest Facebook API, the user's email address is no longer shared by default. For social authentication with Facebook in Access Manager, configure the following properties in the social authentication method:

    graph.facebook.com.custom_permissions = email

  • When you configure a Facebook application for integrating Access Manager with Facebook, ensure that you deselect the Require App Secret advanced setting. For more information about integrating Access Manager with Facebook, see Integrating Access Manager with Facebook.