5.4 Social Authentication

Access Manager can be configured to support authentication through external OAuth providers like Facebook, Google+, Twitter, LinkedIn, and so on. Social authentication simplifies login for end users and does not require maintaining large user stores. This authentication is configured using the SocialAuthClass. Login with social identities is convenient for users, improves customer satisfaction and increases registration levels. For more information on how to configure the supported social authentication providers for API Keys and API Secrets, see Section 5.4.6, Configuring Supported Social Authentication Providers for API Keys and API Secrets.

Social login allows businesses, universities and government entities to leverage social identity providers to share selected identity information for authentication via OAuth tokens. This information can then be used to provide protected online services ranging from customer-focused applications and university sites to state and local services and more.

5.4.1 Use Case

Authentication through external OAuth providers can be useful in the following scenarios:

  • Allow external users to access a secure resource

    For example, you may want your customers and partners to access https://forums.novell.com. Creating and managing these external users is a hassle for you and the user. Social Authentication helps in this scenario.

    Users are allowed to sign in with their Facebook or Yahoo ID. The social authentication provider gives Access Manager a set of the logged-in user’s attributes, so you get user data without maintaining it. Access Manager can use this user data and perform actions based on it if required.

  • Apply policies to restrict users to access a protected resource

    If the Identify User Locally option is selected, the social provider user is mapped to a local user and you can execute authorization policies based on the user attributes. For example, if Joe is a Facebook user, you can match Joe's attributes against the local user store based on a rule and execute an authorization policy that controls access to a protected resource. This lets you apply policies to an incoming user. For example, your enterprise user 'Bob' has logged in to https://forums.novell.com/ with a social identity. You may want to identify that 'Bob' is your local user and provide him with forum moderator privileges. The Identify User Locally option lets you map a social user to your local user and apply the appropriate policies.

  • Simplify user login: You may want to keep the user in your user stores but still make the registration process easy for the users. Social authentication saves the user from remembering another identity. The user can log in with their social identity, while the Auto Provision User option maps the specified attribute of the incoming user to an existing user in the local user store. If the attribute matches, the user is provisioned; otherwise the user is prompted for local user authentication.

  • Personalized web content in B2C scenarios: Organizations want to make services and information available in a manner that is personalized to the individual. The common approach of creating individual identities for users is costly for the organization and inconvenient for the user. Social login allows users to log in with their preferred form of identity. This simplifies the login experience for customers while increasing registration levels and lowering IT costs.

  • Step-up authentication: While you as an administrator want to improve user registration through social identities, you also want to ensure that second-factor authentication is employed when users access sensitive information. Access Manager provides options to configure multiple contracts for protected resources, and as users access these resources they can be prompted to log in with a second factor such as their corporate identity or an OTP.

5.4.2 Prerequisite

You must have registered Access Manager with the social authentication providers and must have the API keys and API secrets for establishing federation between Access Manager and the provider, for example Facebook.

5.4.3 Configuring SocialAuthClass

Use Administration Console to define a new Social Authenticator class, method and contract for the Identity Server cluster. Social authentication providers such as Facebook, Google+, LinkedIn, and Twitter are supported.

  1. Log in to Administration Console.

  2. Click Devices > Identity Servers > Edit > Local > Classes. Select New to add a new class.

  3. Specify a name to identify the class. For example, Social authenticator.

  4. Select SocialAuthClass from the Java Class drop-down list. Click Next.

  5. Configure the User Identification settings if you need to perform actions on the logged-in user. This is optional. By default, user authentication is done without mapping the social provider user to a local user.

    • Identify User Locally: Select this option to map the incoming user to an existing user in your user store. You can apply an authorization policy for these incoming users to provide access control. The following two parameters specify how to perform the user mapping:

      • Local User LDAP Attribute: Select an attribute from the drop-down list, for example LDAP Attribute:mail [LDAP Attribute Profile]. The configured incoming attribute from the social website is mapped to the local user’s LDAP attribute.

        NOTE: If more than one social authentication provider is configured, the Local User LDAP attribute must be a multi-valued attribute. This is required to store the social attribute value corresponding to each social provider.

      • Social User Attribute: Select an attribute that provides a unique user identity, for example Email. The user email provided by the social website is mapped to the specified local user’s LDAP attribute.

        User mapping is done if the value of Local User Attribute is equal to the value of Social User Attribute.

        NOTE: Provisioning will not occur in the following scenarios:

        • If you use Facebook or Google+ as your authentication provider, do not select DisplayName as the Social User Attribute, as these providers do not have the DisplayName attribute.

        • If the Social User Attribute is the email attribute and the provider is Twitter.

    • Auto Provision User: If you enable this option, the specified attribute of the incoming user is mapped to an existing user in the local user store. If the attribute matches, the user is provisioned; otherwise the user is prompted for local user authentication. After authentication, the user attribute is mapped and stored.

  6. Click Add under Social Auth Providers to provide the authentication provider details.

    • Auth Provider: Select the authentication provider from the drop-down list, for example Facebook. You can select one of the predefined providers or select Other to specify your own provider. Note that only the predefined providers have been verified for compatibility with Access Manager. If you select Other, you must provide the following two additional items:

      • Provider Name: Specify the name of the provider. Other provider names can be specified under the Others option. The other provider name can be Yahoo, Hotmail, SalesForce, AOL, FourSquare, MySpace, Instagram, Mendeley or Yammer. The name of the social authentication provider is case-sensitive and must match exactly as listed; otherwise the social authentication class will not work.

      • (Optional) Implementation Class: Specify a back-end class that can authenticate with a provider that is not in the list above. This is needed only for such a custom provider.

    • Consumer Key: Specify the API key that you received when you registered Access Manager with the Social authentication provider.

    • Consumer Secret: Specify the secret that you received when you registered Access Manager with the Social authentication provider.

  7. Click OK and Finish.

  8. Continue with creating a contract and method for this class.

    NOTE: With the latest Facebook API, the user's email address is no longer shared by default. For social authentication with Facebook in Access Manager, configure the following property in the Social Auth method:

    graph.facebook.com.custom_permissions = email

    For configuration information, see Section 5.1.3, Configuring Authentication Methods and Section 5.1.4, Configuring Authentication Contracts.

How Social Authentication Works With Access Manager

To complete social authentication, Identity Server maps the social attribute value in the token to the local user attribute value. The local attribute must be set in the following format for the matching to succeed:

<socialprovidername>:<social attribute value>

For example, consider that the social authentication class properties are set as follows:

  • Identify User Locally: Enabled

  • Local User LDAP attribute: Ldap Attribute:mail

  • Social User Attribute: Email

  • Auto Provision User: Enabled

  • Social Auth Provider: Facebook

As the Auto Provision User setting is enabled, after authentication in Facebook the user is asked for a one-time local login. During this process, the user's mail attribute is updated with the social attribute value as facebook:<social-email-address>. Subsequent logins from the same user are seamless and the user is identified automatically.

If the Auto Provision User setting is disabled, for the authentication to succeed Access Manager checks whether the local user's LDAP attribute mail has the value facebook:<social-email-address>.

NOTE: The attribute value is prefixed with the provider's name.
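The following added example is not Access Manager code; it is a small model of the mapping rule described above (and of the Identify User Locally / Auto Provision User options in step 5 of Section 5.4.3). The class and function names, the sample user store and the lower-case provider prefix (taken from the page's facebook:<social-email-address> example) are all assumptions made for illustration; the stored format <socialprovidername>:<social attribute value> is the page's own. It shows why the local attribute must be multi-valued when several providers are configured, why a bare e-mail value never matches a social login, and how a one-time local login persists the prefixed value so later logins are identified without a prompt.

```python
# Added example (not Access Manager code): model of the SocialAuthClass
# user-mapping rule. Names and sample data are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class LocalUser:
    uid: str
    # Multi-valued local LDAP attribute (here: mail). With several social
    # providers configured it holds one "<provider>:<value>" entry per
    # provider, which is why the page requires a multi-valued attribute.
    mail: List[str] = field(default_factory=list)


def social_key(provider: str, social_value: str) -> str:
    """Value stored in the local attribute:
    <socialprovidername>:<social attribute value>.
    The page's example stores "facebook:..." in lower case, so the prefix is
    lower-cased here (assumption about casing, not a documented rule)."""
    return f"{provider.lower()}:{social_value}"


def identify_user_locally(store: List[LocalUser], provider: str,
                          social_value: str) -> Optional[LocalUser]:
    """Identify User Locally: exact match of the prefixed key against any
    value of the local attribute. A bare e-mail value never matches."""
    key = social_key(provider, social_value)
    return next((u for u in store if key in u.mail), None)


def authenticate(store: List[LocalUser], provider: str, social_value: str,
                 identify_locally: bool = True, auto_provision: bool = False,
                 local_login: Optional[Callable[[], Optional[str]]] = None
                 ) -> Tuple[str, Optional[LocalUser]]:
    """Outcome once the social provider has returned the social attribute.

    Returns (outcome, user); outcome is one of "authenticated" (no local
    mapping configured), "identified", "provisioned", "local-login-required"
    or "rejected". local_login simulates the one-time local authentication
    prompt and returns the authenticated uid, or None if it fails."""
    if not identify_locally:
        # Default behaviour: authenticate without mapping to a local user.
        return "authenticated", None
    user = identify_user_locally(store, provider, social_value)
    if user is not None:
        return "identified", user
    if not auto_provision:
        # No matching "<provider>:<value>" entry and no provisioning: fail.
        return "rejected", None
    if local_login is None:
        return "local-login-required", None
    uid = local_login()
    matched = next((u for u in store if u.uid == uid), None)
    if matched is None:
        return "rejected", None
    # One-time local login succeeded: persist the prefixed social value so
    # later logins from this provider are identified without a prompt.
    matched.mail.append(social_key(provider, social_value))
    return "provisioned", matched


def sample_user_store() -> List[LocalUser]:
    """Constructed sample store: joe is already linked to two providers,
    bob only has a plain mail value."""
    return [
        LocalUser("joe", ["joe@example.com",
                          "facebook:joe@example.com",
                          "google+:joe@example.com"]),
        LocalUser("bob", ["bob@example.com"]),
    ]


if __name__ == "__main__":
    store = sample_user_store()
    print(authenticate(store, "Facebook", "joe@example.com")[0])
    print(authenticate(store, "Facebook", "bob@example.com")[0])
    print(authenticate(store, "Twitter", "joe@example.com",
                       auto_provision=True, local_login=lambda: "joe")[0])
    print(store[0].mail)
```

Running the block identifies joe from Facebook or Google+, rejects bob's Facebook login because his attribute holds only the unprefixed address, and, with Auto Provision User enabled, links joe's Twitter identity after the simulated local login so the next Twitter login is identified directly.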

5.4.4 Adding Images for Social Authentication Providers

You can add images for social authentication providers such as Facebook, LinkedIn, Twitter, Google+ and so on. For more information about adding images, see Section 3.5.5, Adding Authentication Card Images.

  1. Click Devices > Identity Servers > Shared Settings > Authentication Card Images.

  2. Click New.

  3. Fill in the following fields.

    Name: Specify a name for the image.

    Description: Describe the image and its purpose.

    File: Click Browse, locate the image file, then click Open.

    Locale: From the drop-down menu, select the language for the card or select All Locales if the card can be used with all languages.

  4. Click OK.

  5. If you did not specify All Locales for the Locale, continue with Section 3.5.6, Creating an Image Set.

  6. Add all the required images and click Close.

    After configuring Identity Server with the required social authentication provider images, the login page displays those images. When you access the Identity Server URL, you can select an image to authenticate with the corresponding social provider you have added.

5.4.5 Changing the Social Authentication Icons

The following procedure allows you to change the default icons of social authentication providers.

  1. Open the socialauth_icons.jsp file located at /opt/novell/nids/lib/webapp/jsp/. It lists all the supported providers and their corresponding public URL locations.

  2. To change the icon of a particular provider, go to the icon variable of that provider and replace the existing URL location with the required URL location.

    You can similarly change for other icons defined in the jsp file.

  3. Restart Identity Server after changing the jsp file.

5.4.6 Configuring Supported Social Authentication Providers for API Keys and API Secrets

Access Manager requires API Keys and API Secrets from the supported social authentication providers to integrate with these providers. Follow the steps to configure the supported applications and to get keys from the social authentication providers. You can integrate with Facebook, LinkedIn, Twitter, and Google+. For other providers, see Configuring SocialAuthClass.

NOTE: The procedures documented below may not match the Social Networking Providers’ interface when you create an application. If there are any changes, follow the wizard accordingly. The procedure below is for reference purposes and can vary based on the provider's configuration page.

Integrating Access Manager with Facebook

The following procedure enables you to generate API Key and API Secret with Facebook.

  1. Create a Facebook application for community.

    1. Log in to Facebook to access the Application page.

    2. From the top right corner, click Add a New App.

    3. Select the platform Website.

    4. Click Skip and Create App ID.

    5. Fill in the following fields in the Create a New App ID screen:

      • Display Name: Specify a name for web application.

      • Contact Email: Specify the Email Address.

      • Category: Select a category from the drop-down list.

    6. Click Create App ID.

    7. On the Security Check page, type the displayed Captcha text in the Text in the box field, then click Submit.

      The product setup page appears.

    8. Click Facebook Login > Get Started.

      • Valid OAuth redirect URIs: Specify the IDP redirect URI. For example: https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp.

      • Deauthorise Callback URL: Specify the IDP URI. For example: https://<IDP URL>:<Port Number>/nidp/app.

    9. Click Save Changes.

    10. Navigate to the Dashboard page.

      The Dashboard page displays App Name, App ID and App Secret (hidden).

    11. Click Show to display the App Secret.

    12. Copy the values of App ID and App Secret parameters. You will need these values when you configure Facebook with Access Manager.

    13. Click Settings on the left. In the Basic tab, review the details.

    14. Click Advanced tab and review the details.

    15. Click App Review, enable Make DemoApp public, then select Confirm to make this application and all its live features available. By default, it is selected as No.

    16. Navigate to the Dashboard page

      The application status changes to Green and is online.

  2. Configure the Facebook application Configuration Setting in Access Manager. The App ID and App Secret are used by Access Manager to configure Facebook.

Integrating Access Manager with LinkedIn

The following procedure enables you to generate API Key and API Secret with LinkedIn.

  1. Create a LinkedIn application.

    1. Log in to LinkedIn to access the application page.

    2. Click Create Application.

    3. Select the existing Company Name from drop-down or create a new Company Name.

    4. Fill in the following fields in the Create a New Application screen:

      • Company Name: Specify the name of the company.

      • Name: Specify the name of the application.

      • Description: Specify a description of the application.

      • Application Logo: Upload an image for the application.

      • Application Use: Select a category from the drop-down list.

      • Website URL: Specify a URL or nidp URL.

      • Business Email: Specify your business email address.

      • Business Phone: Specify your business phone number.

      • Accept the agreement, then click Submit.

    5. Copy the value of Client ID and Client Secret parameters. These values will be required when you configure LinkedIn providers with Access Manager.

  2. Configure the LinkedIn application Configuration Setting in Access Manager. The App ID and App Secret are used by Access Manager to configure LinkedIn.

Integrating Access Manager with Twitter

The following procedure enables you to generate API Key and API Secret with Twitter.

  1. Create a Twitter application.

    1. Log in to Twitter to access the Application page.

    2. From the drop-down box on the right, click Create New App.

    3. Fill in the following fields in the Create an Application page:

      • Name : Specify a name for web application.

      • Description: Specify a description for web application.

      • Website: Specify the application url.

      • Callback URL: Specify IDP redirect URI. For example: https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp

    4. Accept licence and click Create your Twitter Application.

      The App name, description, consumer key, and the callback URL are displayed.

    5. Go to Keys and Access Tokens tab and make a note of the Consumer Key and Consumer Secret.

      You will need these values when you configure Twitter with Access Manager.

    6. Click Create my access token to authorize application to access account.

  2. Configure the Twitter application Configuration Setting in Access Manager. Access Manager uses the App ID and App Secret to configure Twitter.

Integrating Access Manager with Google+

The following procedure enables you to generate API Key and API Secret with Google+.

  1. Create a Google+ application.

    1. Log in to Google to access the Application.

    2. Click Credentials on the left, then create a project with a Project name.

    3. In the APIs Credentials popup, click Create credentials, then select OAuth client ID.

    4. Click Configure consent screen to set a product name on the consent screen.

    5. Specify a product name and click Save.

      The remaining fields are optional. The Email address is auto-populated.

    6. In Create client ID page, specify the following:

      • Application type: Select Web application as the Application type.

      • Name: Specify a name for web application.

      • Authorized JavaScript origins: This is an Optional field.

      • Authorized redirect URIs: Specify IDP redirect URI. For example: https://<IDP URL>:<Port Number>/nidp/jsp/socialauth_return.jsp.

    7. Copy the OAuth client ID and secret.

      These values are required when you configure Google+ with Access Manager.

  2. Configure the Google+ application Configuration Setting in Access Manager. Access Manager uses the App ID and App Secret to configure Google+.