10.8 Configuring Social Authentication Contracts

You can configure a social authentication contract to allow users to log in using their social login information.

Perform the following steps to create a social authentication contract:

  1. Perform the following steps to create a social authentication class:

    1. Log in to Administration Console of Access Manager.

    2. Click Devices > Identity Servers > Edit > Local > Classes. Select New to add a new class.

    3. Specify a name for the class.

    4. Select Social Auth Class from the Java Class list and click Next.

    5. Select the Identify User Locally, Auto Provision User Using and SSPR options to automatically provision a social user to a local user using Self Service Password Reset.

    6. Select the following Social Attributes and their equivalent Local Attributes:

      Social Attribute         Local Attribute
      Email                    Ldap Attribute:mail [Ldap Attribute Profile]
      FirstNamePlusLastName    Ldap Attribute:cn [Ldap Attribute Profile]
                               (In case of Active Directory, select LdapAttribute:sAMAccountName [LdapAttribute Profile])
      UniqueId                 Ldap Attribute:carLicense [Ldap Attribute Profile]

      IMPORTANT: Select only those social attributes that are provided by the social providers. In addition, each social attribute must be mapped to the correct type of local attribute. For example, provisioning will not occur in the following scenarios:

      • If you use Facebook or Google+ as your authentication provider and select DisplayName as Social User Attribute, because these providers do not have the DisplayName attribute.

      • If you use Twitter as your authentication provider and select Email as Social User Attribute, because Twitter does not provide email.

      • If more than one social authentication provider is configured and the Local Attribute is a single-valued attribute. Here, the Local User LDAP attribute must be a multi-valued attribute to store the social attributes corresponding to each social provider.

    7. Select the User Identifier option adjacent to the mapping that will be used to identify the user.

    For more information about how to create and configure a social authentication class, see Section 5.4.3, Configuring the Social Authentication Class.

  2. Create a method in Identity Server. When you configure this method, select the social authentication class created in the previous step from the Class list.

    For more information about how to create and configure a method, see Section 5.1.3, Configuring Authentication Methods.

  3. Create a contract in Identity Server. When you configure this contract, add the method created in the previous step from Available methods to Methods. Also, make sure that you select the Satisfiable by a contract of equal or higher level option so that this contract is satisfied by the device registration contract that you will create in Section 10.9, Configuring Device Registration Contract.

    For more information about how to create and configure a contract, see Section 5.1.4, Configuring Authentication Contracts.

  4. If the user store is eDirectory, configure a passwordFetch method pointing to that directory and add the passwordFetch method to this contract.

IMPORTANT: If the user store is eDirectory, configure the passwordFetch class in each social contract to enable SSO for users to the following pages:

  • The Profile page in Self Service Password Reset

  • The Enrollment page in Advanced Authentication

If the user store is not eDirectory, users cannot view these pages.
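
The multi-valued requirement in the IMPORTANT note of step 6 can be checked against the user store's schema before the class is configured. The following is an added example, not part of the Access Manager documentation: it parses attributeTypes definitions in RFC 4512 syntax (where the absence of SINGLE-VALUE means multi-valued) and flags mappings whose local attribute is single-valued when more than one provider is configured. The function names and the sample schema lines are constructed for illustration.

```python
import re

# Constructed sample: attributeTypes values in RFC 4512 syntax, as a directory's
# subschema entry would return them. Replace with your user store's real schema.
SAMPLE_SCHEMA = [
    "( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )",
    "( 2.16.840.1.113730.3.1.1 NAME 'carLicense' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
]

def parse_attribute_type(definition):
    """Return (lowercased names, is_single_valued) for one attributeTypes value."""
    # Drop quoted DESC text so a description mentioning SINGLE-VALUE cannot mislead.
    body = re.sub(r"\bDESC\s+'[^']*'", "", definition)
    m = re.search(r"\bNAME\s+(?:\(([^)]*)\)|('[^']*'))", body)
    if not m:
        return [], False
    quoted = m.group(1) or m.group(2) or ""
    names = [n.lower() for n in re.findall(r"'([^']*)'", quoted)]
    return names, re.search(r"\bSINGLE-VALUE\b", body) is not None

def single_valued_index(schema):
    """Map every attribute name and alias to True if it is SINGLE-VALUE."""
    index = {}
    for definition in schema:
        names, single = parse_attribute_type(definition)
        for name in names:
            index[name] = single
    return index

def check_mappings(mappings, providers, schema):
    """mappings: {social attribute: local LDAP attribute}. Returns findings."""
    index = single_valued_index(schema)
    findings = []
    for social, local in mappings.items():
        key = local.lower()  # LDAP attribute names are case-insensitive
        if key not in index:
            findings.append(f"{social} -> {local}: not found in schema")
        elif index[key] and len(providers) > 1:
            findings.append(
                f"{social} -> {local}: SINGLE-VALUE with {len(providers)} providers")
    return findings

if __name__ == "__main__":
    mapping = {"Email": "mail", "UniqueId": "carLicense",
               "FirstNamePlusLastName": "sAMAccountName"}
    for finding in check_mappings(mapping, ["Facebook", "Twitter"], SAMPLE_SCHEMA):
        print(finding)
```

An empty result means every mapped local attribute exists in the supplied schema and none is single-valued while several providers are configured.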