- Enabled
Specifies whether the provider is enabled.
Required: Yes.
- Auth ID Key
Specifies the attribute the social identity provider uses to identify an authenticated individual. For example, id, sub, and user_id.
Required: Yes.
- Client ID
Specifies the client_id parameter as described in section 2.2 of The OAuth 2.0 Authorization Framework specification.
Required: Yes.
- Client Secret
Specifies the client_secret parameter as described in section 2.3 of The OAuth 2.0 Authorization Framework specification.
Required: No.
- Authentication Endpoint URL
Specifies the URL to the social provider's endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework. For example, https://accounts.google.com/oauth2/v2/auth.
Required: Yes.
- Access Token Endpoint URL
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework specification. For example, https://www.googleapis.com/oauth2/v4/token.
Required: Yes.
- User Profile Service URL
Specifies the user profile URL that returns profile information. For example, https://www.googleapis.com/oauth2/v3/userinfo.
This URL should return JSON objects in its response.
Required: No.
- Token Introspection Endpoint URL
Specifies the URL to the endpoint handling access token validation, as described in the OAuth 2.0 Token Introspection specification. For example, https://oauth2.googleapis.com/tokeninfo.
Required: No.
- Redirect URL
Specifies the URL the identity provider will redirect the user to after authenticating, as described in Section 3.1.2 of The OAuth 2.0 Authorization Framework specification.
This URL is usually a page or path in AM; for example, https://platform.example.com:8443/am, and it is also registered in the identity provider's service.
You can also use a custom URI scheme as the redirect, if you are using an app built with the ForgeRock SDKs for Android or iOS. For example, com.example.sdkapp:redirect_uri_path or frauth://com.forgerock.ios.sdkapp.
Tip
When using the FORM_POST Response Mode, you must specify the form_post endpoint in the redirection URL. See Response Mode for more information.
Required: Yes.
- Redirect after form post URL
Specifies the URL of a custom login page or application. AM will send processed form post data related to social login authentication to that URL as the value of the form_post_entry query parameter.
To continue the authentication journey, the custom login page is responsible for making a call to the AM /json/authenticate endpoint with the authentication ID (authID) and the processed form data (form_post_entry).
Configure this property when the following is true:
The FORM_POST Response Mode is configured.
Your users log in to AM using custom login pages, such as apps using the ForgeRock SDKs, instead of the AM UI.
Required: No.
- Scope Delimiter
Specifies the delimiter used to separate scope values. For example, a blank space ( ), or a comma character (,).
Most providers use a blank space.
Required: Yes.
- OAuth Scopes
Specifies the list of scopes to request from the provider.
The scopes that the provider returns depends on the permissions that the resource owner, such as the end user, grants to the client application.
For example, Google exposes its supported scopes in their OAuth 2.0 Scopes for Google APIs documentation.
Required: Yes.
- Client Authentication Method
Specifies how the client should authenticate to the provider. Possible values are:
Some of the authentication methods require additional configuration:
Obtain a list of supported signing algorithms from the provider's .well-known endpoint, and decide which one you will use.
In the Private Key JWT Signing Algorithm field, enter the signing algorithm that AM will use to sign the JWT. For example, RSA256.
This field may already be configured if the client is sending request objects.
Create a signing secret, and map it to the am.services.oauth2.oidc.rp.jwt.authenticity.signing secret ID in an AM secret store.
The secret ID may already have secrets mapped to it if the client is sending signed request objects to the provider, or if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's /oauth2/connect/rp/jwk_uri endpoint, which exposes the client's public keys.
(Optional) Change the value in the Private Key JWT Expiration Time (seconds) field, if needed. It has a sensible value preconfigured, but you may need to tune it for your provider.
Follow the steps in How Do I Configure JWT Authentication With Signed JWTs? to configure AM to sign authentication JWTs.
Now you are ready to configure AM to encrypted authentication JWTs.
Obtain a list of supported encryption algorithms and methods from the provider's .well-known endpoint, and decide which one you will use.
In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting request objects.
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting request objects.
In the JWKS URI Endpoint field, configure the URI containing the provider's public JWK set.
Obtain the URI from the provider's .well-known endpoint, or their documentation.
AM will use the JWK URI to fetch the provider's public encryption key.
(Optional) Perform one of the following steps depending on the encryption method you configured:
If you chose Direct AES Encryption method, select NONE in the JWT Signing Algorithm field. Signing is redundant with this encryption method.
If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How Do I Configure JWT Authentication With Signed JWTs?.
Obtain a certificate for AM to use as a client. This certificate must be signed by a certificate authority (CA).
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
Make the certificate available to AM configuring it in an AM secret store, and map its alias to the am.services.oauth2.mtls.client.authentication secret ID.
For example, you can create a PKCS12 keystore secret store.
For more information, see Configuring Secret Stores.
Even though the identity provider should trust the CA certificate automatically, the client certificate will appear in the /oauth2/connect/rp/jwk_uri endpoint.
Obtain a self-signed certificate that AM will use as a client.
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
Make the certificate available to AM configuring it in an AM secret store, and map its alias to the am.services.oauth2.mtls.client.authentication secret ID.
For example, you can create a PKCS12 keystore secret store.
For more information, see Configuring Secret Stores.
To trust the self-signed certificate, the social identity provider must be able to access its public key and certificate. Social identity providers may have different ways of accessing public keys; for example, you may be able to configure the public JWK directly in the provider, or you may be able to provide AM's /oauth2/connect/rp/jwk_uri endpoint, which exposes it.
Refer to your social identity provider documentation for more information.
Required: Yes.
- PKCE Method
Specifies the PKCE transformation method AM uses when making requests to the provider's authorization endpoint, as specified in Section 4.2 of the Proof Key for Code Exchange by OAuth Public Clients specification.
Select NONE to disable PKCE transformations.
Required: No.
- Request Parameter JWT Option
(OpenID Connect providers only) Specifies whether AM should provide a request object JWT to the provider. Possible values are:
NONE. AM does not send a request object to the provider.
REFERENCE. The request object JWT is stored in AM's CTS token store, and AM exposes a unique identifier for it using the oauth2/request_uri endpoint for the realm. The URL to the endpoint and the JWT's unique identifier are passed to the provider in the request_uri parameter of the request.
Ensure that the provider can reach the endpoint.
An example of the URL is https://platform.example.com:8443/am/realms/root/realms/myRealm/oauth2/request_uri/requestobjectID
Note
When integrating with itsme, ensure that the base URL of AM contains the 443 port. For example, https://platform.example.com:443/am.
To do this, configure the reverse proxy or load balancer to expose the port, or the Base URL Source Service:
In the AM console, go to Realms > Realm Name > Services.
Add a Base URL Source service if one is not already configured, or select it to change its properties:
VALUE. AM appends the JWT as the value of the request parameter of the request.
In the Request Parameter JWT Option field, select either VALUE or REFERENCE.
Refer to your identity provider's documentation for more information.
Obtain a list of supported signing algorithms from the provider's .well-known endpoint, and decide which one you will use.
In the JWT Signing Algorithm field, select the signing algorithm that AM will use to sign the request object. For example, RS256.
This field may already be configured if the client is using JWT client authentication.
Create a signing secret that uses the algorithm you selected previously, and map it to theam.services.oauth2.oidc.rp.jwt.authenticity.signing secret ID in an AM secret store.
The secret ID may already have secrets mapped to it if the client is using JWT client authentication, or if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's /oauth2/connect/rp/jwk_uri endpoint, which exposes the client's public keys.
Follow the steps in How Do I Configure the Client to Send Signed Request Objects? to configure AM to send signed request objects.
Now you are ready to configure AM to send encrypted request objects.
Enable Encrypt Request Parameter JWT.
Obtain a list of supported encryption algorithms and methods from the provider's .well-known endpoint, and decide which one you will use.
In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting authentication JTWs.
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting authentication JWTs.
In the JWKS URI Endpoint field, configure the URI containing the provider's public JWK set.
Obtain the URI from the provider's .well-known endpoint.
AM will use the JWK URI to fetch the provider's public encryption key.
(Optional) Perform one of the following steps depending on the encryption method you configured:
If you chose Direct AES Encryption method, select NONE in the JWT Signing Algorithm field. Signing is redundant with this encryption method.
If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How Do I Configure the Client to Send Signed Request Objects?.
- Encrypt Request Parameter JWT
Specifies whether the request parameter must be encrypted when Request Parameter JWT Option is set to REFERENCE or VALUE.
- ACR Values
(OpenID Connect providers only) Specifies a space-separated list, in order of preference, of the client's acr values.
Required: No.
- Well Known Endpoint
(OpenID Connect providers only) Specifies the URL for retrieving information about the provider, such as endpoints, and public keys. For example, https://accounts.google.com/.well-known/openid-configuration.
Required: Yes.
- Request Object Audience
(OpenID Connect providers only) Specifies the intended audience (aud) of the request object when the Request Parameter JWT Option field is set to VALUE or REFERENCE.
When not configured, the value of the Issuer field will be used as the audience of the request object.
- OP Encrypts ID Tokens
(OpenID Connect providers only) Specifies whether the provider encrypts ID Tokens.
Obtain a list of supported ID token encryption algorithms from the provider's .well-known endpoint, and decide which one the client will use.
Create a suitable secret for the algorithm that you chose, and map it to the am.services.oauth2.oidc.rp.idtoken.encryption secret ID in an AM secret store.
The secret ID may already have secrets mapped if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's /oauth2/connect/rp/jwk_uri endpoint, which exposes the client's public keys.
Required: No.
- Issuer
(OpenID Connect providers only) Specifies the issuer of ID Tokens. Must exactly match the value returned in the ID token.
Obtain the issuer value from the provider's .well-known endpoint.
Required: Yes.
- Enable Native Nonce
(OpenID Connect providers only) When enabled, the provider native SDK must include a nonce claim in the ID token. The value of the claim must be the value of the nonce claim sent in the Authentication Request.
Required: No.
- User Info Response Format
(OpenID Connect providers only) Specifies the format in which the provider's userinfo endpoint returns data. Possible values are:
JSON. The provider's userinfo endpoint returns a JSON.
SIGNED_JWT. The provider's userinfo endpoint returns a signed JWT.
SIGNED_THEN_ENCRYPTED_JWT. The provider's userinfo endpoint returns a signed, then encrypted JWT.
Some of the options require additional configuration:
In the JWKS URI Endpoint field, configure the URL containing the provider's public JWK set. Obtain it from the provider's .well-known endpoint, or their documentation.
AM will use this URL to fetch the provider's public signing key.
Follow the steps in How Do I Configure the Client to Receive Signed userinfo JWTs? to configure AM to receive signed JWTs.
Now you are ready to configure AM to receive encrypted JWTs.
Obtain a list of supported ID token encryption algorithms from the provider's .well-known endpoint, and decide which one the client will use.
Create a suitable secret for the algorithm that you chose, and map it to the am.services.oauth2.oidc.rp.idtoken.encryption secret ID in an AM secret store.
The secret ID may already have secrets mapped if another client in the realm is already using it, or if the provider encrypts ID tokens.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's /oauth2/connect/rp/jwk_uri endpoint, which exposes the client's public keys.
- JWKS URI Endpoint
Specifies the URI that contains the public keys of the identity provider. AM will use these keys to verify signatures, or to encrypt objects.
Configure this field when:
Client Authentication Method is set to ENCRYPTED_PRIVATE_KEY_JWT.
Encrypt Request Parameter JWT is enabled.
User Info Response Format is set to SIGNED_JWT or SIGNED_THEN_ENCRYPTED_JWT.
Required: No.
- JWT Signing Algorithm
Specifies the signing algorithm supported by the provider that AM use to sign the following:
Obtain a list of the supported algorithms from the provider's .well-known endpoint.
Select NONE if the client will encrypt the JWT with the Direct AES Encryption method, because the signature will be redundant.
Required: No.
- JWT Encryption Algorithm
Specifies the encryption algorithm supported by the provider that AM should use to encrypt the following:
If set to NONE, AM will not encrypt the JWTs.
Obtain a list of the supported algorithms from the provider's .well-known endpoint.
Configure the algorithms exposed in this field using the AM advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist.
To configure advanced server properties in the AM Admin UI for all AM instances, go to Configure > Server Defaults > Advanced.
To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.
If the property you want to add or edit is not already configured, add it with its value, then click on the plus () button.
If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.
Save your changes.
Required: No.
- JWT Encryption Method
Specifies the encryption algorithm supported by the provider that AM should use to encrypt the following:
Use in conjunction with JWT Encryption Algorithm.
Obtain a list of the supported methods from the provider's .well-known endpoint.
Required: No.
- Private Key JWT Expiration Time (seconds)
Specifies the amount of time, in seconds, that AM will cache the client authentication JWT before creating a new one.
Caching the JWT avoids creating a new one for every client authentication. However, it may also become invalid if the provider changes it configuration.
Required: No.
- Response Mode
(OpenID Connect providers only) Specify the way the provider will return ID tokens to AM. Possible values are:
DEFAULT. The provider returns the ID token as query parameters, as explained in the OpenID Connect Core 1.0 incorporating errata set 1 specification.
Most preconfigured providers use the DEFAULT response mode.
FORM_POST. The provider returns the ID token by submitting an HTML form using the HTTP POST method, as explained in the OAuth 2.0 Form Post Response Mode specification.
When using this response mode, add the /oauth2/client/form_post/ClientConfigName URI to the Redirect URL, where ClientConfigName is the name of the social identity provider client that you are configuring. For example, https://platform.example.com:8443/am/oauth2/client/form_post/myAppleClient.
By default, the form_post endpoint processes the post data, encrypts it, and redirects with it back to the authentication tree to resume authentication.
However, environments using custom login pages need to configure the Redirect after form post URL property to redirect back to the custom login pages.
Important
The /oauth2/client/form_post does not require authentication. Protect it from denial of service (DoS) attacks by limiting the rate at which it can take connections in your load balancer or proxy.
Moreover, if you configured AM with AES Key Wrap encryption, ensure that you configure the org.forgerock.openam.encryption.useextractandexpand property.
For more information, see Preparing AES Key Wrap Encryption.
Required: Yes.
- UI Config Properties
Specifies a map of properties defined and consumed in the UI. The map affects how the identity provider's logo will show on the login page.
buttonImage: A relative path to an image in the End User UI.
buttonCustomStyle: Any custom CSS you wish to apply to the button outside of normal End User UI styling.
buttonClass: Adds the specified class to the identity provider button, for any additional styling you want to apply.
buttonCustomStyleHover: Adds custom styling when the cursor is hovering over the button.
buttonDisplayName: The name of the identity provider, which will be included either on the button or in the button's alt attribute, depending on styling.
iconFontColor: Specifies the color of the icon. You can use methods supported in CSS (such as white, or #ffffff).
iconClass: Adds the specified class to the identity provider icon, for any additional styling you want to apply.
iconBackground: The color for the background of the icon. You can use methods supported in CSS (such as white, or #ffffff).
Required: Yes.
- Transform Script
Specifies a script to convert the provider's raw profile object into a normalized object. An authentication tree will later convert the object again into attributes the AM can use.
AM provides scripts for the preconfigured identity providers; they are ready to use, and suitable for most use cases.
To write a script in Groovy or Javascript for an identity provider, go to Realms > Realm Name > Scripts, and use the provided scripts as a reference.
The following is the default Groovy transformation script for Google:
import static org.forgerock.json.JsonValue.field
import static org.forgerock.json.JsonValue.json
import static org.forgerock.json.JsonValue.object
return json(object(
field("id", rawProfile.sub),
field("displayName", rawProfile.name),
field("givenName", rawProfile.given_name),
field("familyName", rawProfile.family_name),
field("photoUrl", rawProfile.picture),
field("email", rawProfile.email),
field("username", rawProfile.email),
field("locale", rawProfile.locale))) The script returns a JSON object with all the mapped objects.
Each field is a map with the following format: ("platformAttributeName", rawProfile.providerAttributeName).
For example, id) is the platform attribute name, while rawProfile.sub is the field received from the provider.
Note that some field names are the same (email and rawProfile.email, for example). These fields still need to be mapped, so they are included in the returned JSON object.
Important
The social authentication nodes expect every attribute to have a value. In other words, the attributes returned by the identity provider cannot be empty, or null. If any of the attributes is empty or null, the social authentication tree journey will end with an error.
For example, if a user tries to log in using Google as the identity provider, but they did not configure a surname in their account, Google will return null as the value of the familyName for the identity, and social authentication will fail.
Ensure that all the users have their social profiles configured correctly, or modify the transformation scripts so that they not collect attributes that may be empty.
Required: Yes.
Social Authentication
AM supports delegated authentication through third-party identity providers, such as Facebook and Google. This lets users log in to AM using their social provider credentials.
AM 7 introduced a new social authentication implementation to work with ForgeRock Identity Platform, which is now supported for standalone AM deployments since 7.1.
This new implementation is recommended and documented in this page, and older implementations are deprecated.
To configure the deprecated social authentication implementations, see Social Authentication in the ForgeRock Access Management 7.0 Authentication and Single Sign-On Guide.
Tip
This page shows you how to configure social authentication in a standalone AM deployment. To configure social authentication in the ForgeRock Identity Platform, see the ForgeRock Identity Platform Self-Service Guide.
The high-level steps to configure social authentication are:
"Configure Social Identity Providers"
"Configure a Basic Social Registration Tree"
Configure Social Identity Providers
AM supports social identity providers that are OAuth 2.0 or OpenID Connect 1.0-compliant, and comes preconfigured with support for a number of social providers:
[a] To integrate with itsme, you must obtain an Organization Validation (OV) certificate and configure it in the container where AM runs, or in the reverse proxy offloading SSL.
If you need support for a social identity provider that is not preconfigured, you can manually add new providers, as long as they have a solution implemented using either OAuth 2.0, or OpenID Connect.
Register a service in the identity provider, and keep their documentation within reach. You will use it through this procedure.
Registering in a provider comprises creating a client ID and adding the redirection URL to AM at the very least.
The redirection URL is a path in AM that the identity provider will redirect the user to after a successful authentication. For example,
https://platform.example.com:8443/am.Depending on the social identity provider and on your environment, you may need to make changes to the redirection URI later.
Configure the same redirection URL in the identity provider service and in the AM client.
Some providers require that you enable a specific API in their service:
Enable the
GMail APIin the Google Cloud Platform.You must have access to the Apple Development Program (Enterprise program is not eligible), and you must enable
Sign In With Applein Apple Developer.In the AM console, go to Realms > Realm Name > Services.
Check if the
Social Identity Provider Serviceappears in the list of services configured for the realm.If it does not, add it: Click on Add a Service, and select
Social Identity Provider Servicefrom the drop-down list.The service's Configuration page appears.
Ensure that the Enabled switch is on.
Go to the Secondary Configurations tab.
AM includes scripts and configurations for several common identity providers.
In the Add a Secondary Configuration drop-down list, select the required identity provider.
If you do not see the required provider, select one of the following to add a custom identity provider client:
Client Configuration for providers that implement the OAuth2 specification
Client Configuration for providers that implement the OpenID Connect specification
The new identity provider configuration page appears.
Provide the client's required configuration details, such as the Client ID, Client Secret (for confidential clients), the Scope Delimiter (usually an empty space), and the Redirect URL
The redirection URL is a path in AM that the identity provider will redirect the user to after a successful authentication. For example,
https://platform.example.com:8443/am.Depending on the social identity provider and on your environment, you may need to make changes to the redirection URI later.
Configure the same redirection URL in the identity provider service and in the AM client.
Do not worry if you are missing some of the details; you will be able to edit the configuration later, after saving the client profile for the first time.
Save your changes to access all the configuration fields for the client.
Provide the client's advanced configuration details, and edit any required configuration details if needed.
Refer to the provider's documentation.
Providers must specify their integration needs in their documentation, as well as their API endpoints.
For example, providers usually have different scopes that you can configure depending on your service's needs.
Financial-grade providers usually also require additional security-related configuration, such as
acrvalues, PKCE-related settings, and more.Keep their documentation close while configuring the client profile.
Visit the provider's
.well-knownendpoint.OAuth 2.0/OpenID Connect-compliant providers will display much of the information you need to configure the identity provider client in their
.well-knownendpoint. For example, the endpoint should expose their endpoint URLs, and the signing and encryption algorithms they support.AM is preconfigured for your convenience, but you must make sure the settings for the provider have not changed. Some of the most important preconfigured fields are:
The provider's URLs. For example, Authentication Endpoint URL, Access Token Endpoint URL, and User Profile Service URL.
The OAuth Scopes field.
The configuration in the UI Config Properties section.
The script selected in the Transform Script drop-down list.
Scripts named after identity providers are suitable for most use cases. However, if you need to view or edit the scripts, go to Realms > Realm Name > Scripts.
Note
Some features require choosing algorithms from those supported by the provider, as well as creating secrets. Consider the following points before configuring the client:
Several capabilities in the identity provider client share the same secret IDs. For example, signing request objects and signing client authentication JWTs.
Every identity provider client in a realm shares the same secrets.
Therefore, ensure that you configure features requiring secrets in a way that they are compatible across clients in the same realm.
For more information, see the page about the "/oauth2/connect/rp/jwk_uri" endpoint.
Expand the following link for tips on how to configure the client:
Specifies whether the provider is enabled.
Required: Yes.
Specifies the attribute the social identity provider uses to identify an authenticated individual. For example,
id,sub, anduser_id.Required: Yes.
Specifies the
client_idparameter as described in section 2.2 of The OAuth 2.0 Authorization Framework specification.Required: Yes.
Specifies the
client_secretparameter as described in section 2.3 of The OAuth 2.0 Authorization Framework specification.Required: No.
Specifies the URL to the social provider's endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework. For example,
https://accounts.google.com/oauth2/v2/auth.Required: Yes.
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework specification. For example,
https://www.googleapis.com/oauth2/v4/token.Required: Yes.
Specifies the user profile URL that returns profile information. For example,
https://www.googleapis.com/oauth2/v3/userinfo.This URL should return JSON objects in its response.
Required: No.
Specifies the URL to the endpoint handling access token validation, as described in the OAuth 2.0 Token Introspection specification. For example,
https://oauth2.googleapis.com/tokeninfo.Required: No.
Specifies the URL the identity provider will redirect the user to after authenticating, as described in Section 3.1.2 of The OAuth 2.0 Authorization Framework specification.
This URL is usually a page or path in AM; for example,
https://platform.example.com:8443/am, and it is also registered in the identity provider's service.You can also use a custom URI scheme as the redirect, if you are using an app built with the ForgeRock SDKs for Android or iOS. For example,
com.example.sdkapp:redirect_uri_pathorfrauth://com.forgerock.ios.sdkapp.Tip
When using the
FORM_POSTResponse Mode, you must specify theform_postendpoint in the redirection URL. See Response Mode for more information.Required: Yes.
Specifies the URL of a custom login page or application. AM will send processed form post data related to social login authentication to that URL as the value of the
form_post_entryquery parameter.To continue the authentication journey, the custom login page is responsible for making a call to the AM
/json/authenticateendpoint with the authentication ID (authID) and the processed form data (form_post_entry).Configure this property when the following is true:
The
FORM_POSTResponse Mode is configured.Your users log in to AM using custom login pages, such as apps using the ForgeRock SDKs, instead of the AM UI.
Required: No.
Specifies the delimiter used to separate scope values. For example, a blank space ( ), or a comma character (,).
Most providers use a blank space.
Required: Yes.
Specifies the list of scopes to request from the provider.
The scopes that the provider returns depends on the permissions that the resource owner, such as the end user, grants to the client application.
For example, Google exposes its supported scopes in their OAuth 2.0 Scopes for Google APIs documentation.
Required: Yes.
Specifies how the client should authenticate to the provider. Possible values are:
CLIENT_SECRET_POST.The client sends the client ID and the secret in theclient_IDand theclient_secretparameters in the body of the request.CLIENT_SECRET_BASIC. The client sends the client ID and the secret in a basic authorization header with the base64-encoded value of client_id:client_secret.PRIVATE_KEY_JWT. The client sends its credentials to the provider in a signed JWT as specified in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.ENCRYPTED_PRIVATE_KEY_JWT.The client sends its credentials to the provider in a signed, then encrypted JWT as specified in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.TLS_CLIENT_AUTH. The client presents a X.509 certificate that uses public key infrastructure (PKI), as specified in version 12 of the OAuth 2.0 Mutual TLS (mTLS) Client Authentication and Certificate Bound Access Tokens draft.SELF_SIGNED_TLS_CLIENT_AUTH. The client presents a X.509 self-signed certificate, as specified in version 12 of the OAuth 2.0 Mutual TLS (mTLS) Client Authentication and Certificate Bound Access Tokens draft.Some of the authentication methods require additional configuration:
Obtain a list of supported signing algorithms from the provider's
.well-knownendpoint, and decide which one you will use.In the Private Key JWT Signing Algorithm field, enter the signing algorithm that AM will use to sign the JWT. For example,
RSA256.This field may already be configured if the client is sending request objects.
Create a signing secret, and map it to the
am.services.oauth2.oidc.rp.jwt.authenticity.signingsecret ID in an AM secret store.The secret ID may already have secrets mapped to it if the client is sending signed request objects to the provider, or if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client's public keys.(Optional) Change the value in the Private Key JWT Expiration Time (seconds) field, if needed. It has a sensible value preconfigured, but you may need to tune it for your provider.
Follow the steps in How Do I Configure JWT Authentication With Signed JWTs? to configure AM to sign authentication JWTs.
Now you are ready to configure AM to encrypted authentication JWTs.
Obtain a list of supported encryption algorithms and methods from the provider's
.well-knownendpoint, and decide which one you will use.In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting request objects.
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting request objects.
In the JWKS URI Endpoint field, configure the URI containing the provider's public JWK set.
Obtain the URI from the provider's
.well-knownendpoint, or their documentation.AM will use the JWK URI to fetch the provider's public encryption key.
(Optional) Perform one of the following steps depending on the encryption method you configured:
If you chose Direct AES Encryption method, select
NONEin the JWT Signing Algorithm field. Signing is redundant with this encryption method.If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How Do I Configure JWT Authentication With Signed JWTs?.
Obtain a certificate for AM to use as a client. This certificate must be signed by a certificate authority (CA).
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
Make the certificate available to AM configuring it in an AM secret store, and map its alias to the
am.services.oauth2.mtls.client.authenticationsecret ID.For example, you can create a
PKCS12keystore secret store.For more information, see Configuring Secret Stores.
Even though the identity provider should trust the CA certificate automatically, the client certificate will appear in the /oauth2/connect/rp/jwk_uri endpoint.
Obtain a self-signed certificate that AM will use as a client.
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
Make the certificate available to AM configuring it in an AM secret store, and map its alias to the
am.services.oauth2.mtls.client.authenticationsecret ID.For example, you can create a
PKCS12keystore secret store.For more information, see Configuring Secret Stores.
To trust the self-signed certificate, the social identity provider must be able to access its public key and certificate. Social identity providers may have different ways of accessing public keys; for example, you may be able to configure the public JWK directly in the provider, or you may be able to provide AM's /oauth2/connect/rp/jwk_uri endpoint, which exposes it.
Refer to your social identity provider documentation for more information.
Required: Yes.
Specifies the PKCE transformation method AM uses when making requests to the provider's authorization endpoint, as specified in Section 4.2 of the Proof Key for Code Exchange by OAuth Public Clients specification.
Select
NONEto disable PKCE transformations.Required: No.
(OpenID Connect providers only) Specifies whether AM should provide a request object JWT to the provider. Possible values are:
NONE. AM does not send a request object to the provider.REFERENCE. The request object JWT is stored in AM's CTS token store, and AM exposes a unique identifier for it using theoauth2/request_uriendpoint for the realm. The URL to the endpoint and the JWT's unique identifier are passed to the provider in therequest_uriparameter of the request.Ensure that the provider can reach the endpoint.
An example of the URL is
https://platform.example.com:8443/am/realms/root/realms/myRealm/oauth2/request_uri/requestobjectIDNote
When integrating with itsme, ensure that the base URL of AM contains the
443port. For example,https://platform.example.com:443/am.To do this, configure the reverse proxy or load balancer to expose the port, or the Base URL Source Service:
In the AM console, go to Realms > Realm Name > Services.
Add a Base URL Source service if one is not already configured, or select it to change its properties:
VALUE. AM appends the JWT as the value of therequestparameter of the request.In the Request Parameter JWT Option field, select either
VALUEorREFERENCE.Refer to your identity provider's documentation for more information.
Obtain a list of supported signing algorithms from the provider's
.well-knownendpoint, and decide which one you will use.In the JWT Signing Algorithm field, select the signing algorithm that AM will use to sign the request object. For example,
RS256.This field may already be configured if the client is using JWT client authentication.
Create a signing secret that uses the algorithm you selected previously, and map it to the
am.services.oauth2.oidc.rp.jwt.authenticity.signingsecret ID in an AM secret store.The secret ID may already have secrets mapped to it if the client is using JWT client authentication, or if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client's public keys.Follow the steps in How Do I Configure the Client to Send Signed Request Objects? to configure AM to send signed request objects.
Now you are ready to configure AM to send encrypted request objects.
Enable Encrypt Request Parameter JWT.
Obtain a list of supported encryption algorithms and methods from the provider's
.well-knownendpoint, and decide which one you will use.In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting authentication JTWs.
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting authentication JWTs.
In the JWKS URI Endpoint field, configure the URI containing the provider's public JWK set.
Obtain the URI from the provider's
.well-knownendpoint.AM will use the JWK URI to fetch the provider's public encryption key.
(Optional) Perform one of the following steps depending on the encryption method you configured:
If you chose Direct AES Encryption method, select
NONEin the JWT Signing Algorithm field. Signing is redundant with this encryption method.If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How Do I Configure the Client to Send Signed Request Objects?.
Specifies whether the request parameter must be encrypted when Request Parameter JWT Option is set to
REFERENCEorVALUE.(OpenID Connect providers only) Specifies a space-separated list, in order of preference, of the client's
acrvalues.Required: No.
(OpenID Connect providers only) Specifies the URL for retrieving information about the provider, such as endpoints, and public keys. For example,
https://accounts.google.com/.well-known/openid-configuration.Required: Yes.
(OpenID Connect providers only) Specifies the intended audience (
aud) of the request object when the Request Parameter JWT Option field is set toVALUEorREFERENCE.When not configured, the value of the Issuer field will be used as the audience of the request object.
(OpenID Connect providers only) Specifies whether the provider encrypts ID Tokens.
Obtain a list of supported ID token encryption algorithms from the provider's
.well-knownendpoint, and decide which one the client will use.Create a suitable secret for the algorithm that you chose, and map it to the
am.services.oauth2.oidc.rp.idtoken.encryptionsecret ID in an AM secret store.The secret ID may already have secrets mapped if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client's public keys.Required: No.
(OpenID Connect providers only) Specifies the issuer of ID Tokens. Must exactly match the value returned in the ID token.
Obtain the
issuervalue from the provider's.well-knownendpoint.Required: Yes.
(OpenID Connect providers only) When enabled, the provider native SDK must include a
nonceclaim in the ID token. The value of the claim must be the value of thenonceclaim sent in the Authentication Request.Required: No.
(OpenID Connect providers only) Specifies the format in which the provider's
userinfoendpoint returns data. Possible values are:JSON. The provider'suserinfoendpoint returns a JSON.SIGNED_JWT. The provider'suserinfoendpoint returns a signed JWT.SIGNED_THEN_ENCRYPTED_JWT. The provider'suserinfoendpoint returns a signed, then encrypted JWT.Some of the options require additional configuration:
In the JWKS URI Endpoint field, configure the URL containing the provider's public JWK set. Obtain it from the provider's
.well-knownendpoint, or their documentation.AM will use this URL to fetch the provider's public signing key.
Follow the steps in How Do I Configure the Client to Receive Signed userinfo JWTs? to configure AM to receive signed JWTs.
Now you are ready to configure AM to receive encrypted JWTs.
Obtain a list of supported ID token encryption algorithms from the provider's
.well-knownendpoint, and decide which one the client will use.Create a suitable secret for the algorithm that you chose, and map it to the
am.services.oauth2.oidc.rp.idtoken.encryptionsecret ID in an AM secret store.The secret ID may already have secrets mapped if another client in the realm is already using it, or if the provider encrypts ID tokens.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
Provide a JWK with the public key to the identity provider. Refer to the their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider's service configuration, or you could configure the realm's
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client's public keys.Specifies the URI that contains the public keys of the identity provider. AM will use these keys to verify signatures, or to encrypt objects.
Configure this field when:
Client Authentication Method is set to
ENCRYPTED_PRIVATE_KEY_JWT.Encrypt Request Parameter JWT is enabled.
User Info Response Format is set to
SIGNED_JWTorSIGNED_THEN_ENCRYPTED_JWT.Required: No.
Specifies the signing algorithm supported by the provider that AM use to sign the following:
Client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT.(OpenID Connect providers only) Request JWTs when Request Parameter JWT Option is set to
VALUEorREFERENCE.Obtain a list of the supported algorithms from the provider's
.well-knownendpoint.Select
NONEif the client will encrypt the JWT with the Direct AES Encryption method, because the signature will be redundant.Required: No.
Specifies the encryption algorithm supported by the provider that AM should use to encrypt the following:
Client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT.(OpenID Connect providers only) Request JWTs when Request Parameter JWT Option is set to
VALUEorREFERENCE.If set to
NONE, AM will not encrypt the JWTs.Obtain a list of the supported algorithms from the provider's
.well-knownendpoint.Configure the algorithms exposed in this field using the AM advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist.
To configure advanced server properties in the AM Admin UI for all AM instances, go to Configure > Server Defaults > Advanced.
To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.
If the property you want to add or edit is not already configured, add it with its value, then click on the plus () button.
If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.
Save your changes.
Required: No.
Specifies the encryption algorithm supported by the provider that AM should use to encrypt the following:
Client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT.(OpenID Connect providers only) Request JWTs when Request Parameter JWT Option is set to
VALUEorREFERENCE.Use in conjunction with
JWT Encryption Algorithm.Obtain a list of the supported methods from the provider's
.well-knownendpoint.Required: No.
Specifies the amount of time, in seconds, that AM will cache the client authentication JWT before creating a new one.
Caching the JWT avoids creating a new one for every client authentication. However, it may also become invalid if the provider changes it configuration.
Required: No.
(OpenID Connect providers only) Specify the way the provider will return ID tokens to AM. Possible values are:
DEFAULT. The provider returns the ID token as query parameters, as explained in the OpenID Connect Core 1.0 incorporating errata set 1 specification.Most preconfigured providers use the
DEFAULTresponse mode.FORM_POST. The provider returns the ID token by submitting an HTML form using the HTTP POST method, as explained in the OAuth 2.0 Form Post Response Mode specification.When using this response mode, add the
/oauth2/client/form_post/ClientConfigNameURI to the Redirect URL, where ClientConfigName is the name of the social identity provider client that you are configuring. For example,https://platform.example.com:8443/am/oauth2/client/form_post/myAppleClient.By default, the
form_postendpoint processes the post data, encrypts it, and redirects with it back to the authentication tree to resume authentication.However, environments using custom login pages need to configure the Redirect after form post URL property to redirect back to the custom login pages.
Important
The
/oauth2/client/form_postdoes not require authentication. Protect it from denial of service (DoS) attacks by limiting the rate at which it can take connections in your load balancer or proxy.Moreover, if you configured AM with AES Key Wrap encryption, ensure that you configure the
org.forgerock.openam.encryption.useextractandexpandproperty.For more information, see Preparing AES Key Wrap Encryption.
Required: Yes.
Specifies a map of properties defined and consumed in the UI. The map affects how the identity provider's logo will show on the login page.
buttonImage: A relative path to an image in the End User UI.buttonCustomStyle: Any custom CSS you wish to apply to the button outside of normal End User UI styling.buttonClass: Adds the specified class to the identity provider button, for any additional styling you want to apply.buttonCustomStyleHover: Adds custom styling when the cursor is hovering over the button.buttonDisplayName: The name of the identity provider, which will be included either on the button or in the button'saltattribute, depending on styling.iconFontColor: Specifies the color of the icon. You can use methods supported in CSS (such aswhite, or#ffffff).iconClass: Adds the specified class to the identity provider icon, for any additional styling you want to apply.iconBackground: The color for the background of the icon. You can use methods supported in CSS (such aswhite, or#ffffff).Required: Yes.
Specifies a script to convert the provider's raw profile object into a normalized object. An authentication tree will later convert the object again into attributes the AM can use.
AM provides scripts for the preconfigured identity providers; they are ready to use, and suitable for most use cases.
To write a script in Groovy or Javascript for an identity provider, go to Realms > Realm Name > Scripts, and use the provided scripts as a reference.
The following is the default Groovy transformation script for Google:
import static org.forgerock.json.JsonValue.field import static org.forgerock.json.JsonValue.json import static org.forgerock.json.JsonValue.object return json(object( field("id", rawProfile.sub), field("displayName", rawProfile.name), field("givenName", rawProfile.given_name), field("familyName", rawProfile.family_name), field("photoUrl", rawProfile.picture), field("email", rawProfile.email), field("username", rawProfile.email), field("locale", rawProfile.locale)))The script returns a JSON object with all the mapped objects.
Each field is a map with the following format:
("platformAttributeName", rawProfile.providerAttributeName).For example,
id) is the platform attribute name, whilerawProfile.subis the field received from the provider.Note that some field names are the same (
emailandrawProfile.email, for example). These fields still need to be mapped, so they are included in the returned JSON object.Important
The social authentication nodes expect every attribute to have a value. In other words, the attributes returned by the identity provider cannot be empty, or
null. If any of the attributes is empty ornull, the social authentication tree journey will end with an error.For example, if a user tries to log in using Google as the identity provider, but they did not configure a surname in their account, Google will return
nullas the value of thefamilyNamefor the identity, and social authentication will fail.Ensure that all the users have their social profiles configured correctly, or modify the transformation scripts so that they not collect attributes that may be empty.
Required: Yes.
Save your changes.
You are ready now to "Configure a Basic Social Registration Tree".
Tip
To let AM contact Internet services through a proxy, see Configuring AM for Outbound Communication.
You can control the behavior of the connection factory that AM uses as a client of the social identity providers:
The following advanced server properties control different aspects of the connection factory:
org.forgerock.openam.httpclienthandler.system.clients.connection.timeoutorg.forgerock.openam.httpclienthandler.system.clients.max.connectionsorg.forgerock.openam.httpclienthandler.system.clients.pool.ttlorg.forgerock.openam.httpclienthandler.system.clients.response.timeoutorg.forgerock.openam.httpclienthandler.system.clients.retry.failed.requests.enabledorg.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabledThey have sensible defaults configured, but if you need to change them, see Advanced Properties.
Configure a Basic Social Registration Tree
There are two nodes associated with Identity Providers:
The "Select Identity Provider Node" prompts the user to select a social identity provider to register or log in with, or (optionally) continue on with a local registration or login flow. When a provider is selected, the flow continues on to the Social Provider Handler node.
The "Social Provider Handler Node" is used in combination with the Select Identity Provider node. It communicates with the selected provider and then collects the information provided after the user has authorized the service. It then takes that information and runs a transformation script to prepare it.
AM includes a transformation script called Normalized Profile to Identity, which this node uses to transform the identity object gathered from the identity provider into a user profile in AM's identity store.
The node then queries the identity store available for the realm to see if the user already exists. If the user exists, they are logged in. If the user does not exist, the user will need to be created.
Perform the following steps to configure the tree:
In the AM console, go to Realms > Realm Name > Authentication > Trees, and create a new tree.
Decide whether users can log in with their AM credentials, and add the relevant nodes to the tree:
Social authentication trees allowing local authentication might look like the following:
Social authentication trees enforcing social authentication login might look like the following:
To configure either option, use the Include local authentication switch in the "Select Identity Provider Node".
To support both local and social authentication in the same page, you must use the "Page Node" as shown in the example.
Configure the "Social Provider Handler Node":
In the Transformation Script field, configure
Normalized Profile to Identity. This script will transform the normalized identity provider's profile object into the appropriate user profile attributes of the realm's identity store.If you are not using DS as the identity store, or if you added customized fields to it, you may need to modify the script.
Find the script in Realms > Realm Name > Scripts.
In Client Type, select
BROWSERwhen using the AM UI, or the ForgeRock SDK for JavaScript.