Social Authentication

AM supports delegated authentication through third-party identity providers, such as Facebook, Google, and VKontakte. The following table summarizes the social authentication providers and standards that AM 7 supports:

Provider/StandardAuthentication Node?Authentication Module?
OpenID Connect 1.0 Yes Yes
OAuth 2.0 Yes Yes
Facebook Yes Yes [a]
Google Yes Yes [a]
InstagramNo Yes
Microsoft Yes [b] Yes [c]
VKontakteNo Yes
WeChatNo Yes
WeChat MobileNo Yes

[a] Configure a Social Auth OpenID authentication module.

[b] Configure an OAuth 2.0 authentication node.

[c] Configure a Social Auth OAuth2 authentication module.

Configuring Social Authentication

Configuring social authentication is a tree-step process:

  1. Obtain a client ID and client secret from the social provider, as well as their implementation details.

    Some modules and nodes are pre-configured for specific providers because of their implementation of OAuth 2.0/OpenId Connect, while you need the details for other providers, as shown in the preceding table.

    To obtain a Client ID and Client Secret, register an application with the third party provider. For example:

    Facebook

    Facebook App Quickstart

    Google

    Google Developers Console

    Note

    You must enable the Google+ API in order to authenticate with Google. To enable the Google+ API, login to the Google Developers Console, select your project, navigate to APIs and auth > APIs, and then set the status of the Google+ API to ON.

    VKontakte

    VKontakte Developers - My apps

    If you need to use the generic OAuth 2.0 or OpenID Connect modules, you need at least, the following details from your provider:

    • Does it need an OAuth 2.0 or an OpenID Connect client?

    • What is the URL of their authentication endpoint?

    • What is the URL of their access token endpoint?

    • What is the URL of their user profile service?

    • Which scopes you need to request from them?

  2. Configure a chain or tree that contains the module or node relevant for your social provider. See the preceding table for links to more information about each of them.

    For general information about configuring modules and chains, and nodes and trees, see "Authentication Modules and Chains" and "Authentication Nodes and Trees".

    Optionally, you can also integrate social authentication modules with IDM. See "To Integrate Social Authentication with Identity Management".

  3. Configure the Social Authentication Implementation service to add social provider logos to the login page, if required. For example:

    Login screen with social authentication logos.

    See "Configuring the Social Authentication Implementations Service".

Note

To allow AM to contact internet services through a proxy, see "Settings for Configuring a JVM Proxy".

To Integrate Social Authentication with Identity Management

After configuring the relevant node or module, perform the following additional steps to configure AM to work with an IDM deployment:

  1. (Optional) (Google only) Navigate to the configuration of the node or module:

    • Go to Realms > Realm Name > Authentication > Modules, and click on the name of the module. For example, GoogleSocialAuthentication.

    • Go to Realms > Realm Name > Authentication > Trees, and click on the name of the tree that has the social node. For example, GoogleSocialTree.

    Modify the configuration of the node or module as follows:

    1. Add sub=iplanet-am-user-alias-list to the Account Mapper Configuration property.

      The iplanet-am-user-alias-list property defines one or more aliases for mapping a user's multiple profiles.

    2. Add org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|iplanet-am-user-alias-list|google- to the Attribute Mapper property.

    3. Add org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|iplanet-am-user-alias-list|google- to the Attribute Mapper property.

  2. (Optional) (Google only) Navigate to the configuration of the node or module:

    • Go to Realms > Realm Name > Authentication > Modules, and click on the name of the module. For example, GoogleSocialAuthentication.

    • Go to Realms > Realm Name > Authentication > Trees, and click on the name of the tree that has the social node. For example, GoogleSocialTree.

  3. (Optional) (Facebook only) Navigate to the configuration of the node or module:

    • Realms > Realm Name > Authentication > Modules, and click on the name of the module For example, FacebookSocialAuthentication.

    • Go to Realms > Realm Name > Authentication > Trees, and click on the name of the tree that has the social node. For example, FacebookSocialTree.

    Modify the configuration of the node or module as follows:

    1. Add id=iplanet-am-user-alias-list to the Account Mapper Configuration property.

      The iplanet-am-user-alias-list property defines one or more aliases for mapping a user's multiple profiles.

    2. Add org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|iplanet-am-user-alias-list|facebook- to the Attribute Mapper property.

  4. Enable the Create account if it does not exist property.

  5. Save your changes.


Configuring the Social Authentication Implementations Service

You can add logos to the login page to allow users to authenticate using configured social authentication providers.

To Configure the Social Authentication Implementations Service

Perform the following steps to add a logo for the authentication provider to the AM login screen:

  1. Go to Realms > Realm Name > Services, and perform one of the following actions:

    • If the Social Authentication Implementations Service exists, click on it.

    • If the Social Authentication Implementations Service does not exist, add it as a service.

    The social authentication implementations page appears.

  2. In the Display Names section, enter a Map Key, enter the text to display as ALT text on the logo in the Corresponding Map Value field, and then click Add.

    For example, add Facebook as the key, and Authenticate with Facebook as the text.

    Note

    AM uses the value in the Map Key fields throughout the configuration to tie the various implementation settings to each other. The value is case-sensitive.

  3. In the Authentication Chains section, re-enter the Map Key used in the previous step, and click Add.

    Now, select the relevant authentication tree or chain from the drop-down list.

  4. In the Icons section, re-enter the Map Key used in the previous steps, enter the path to a logo image to be used on the login screen in the Corresponding Map Value list, and then click Add.

  5. In the Enabled Implementations field, re-enter the Map Key used in the previous steps.

    Tip

    Removing a Map Key from the Enabled Implementations list removes the associated logo from the login screen. There is no need to delete the Display Name, Authentication Chain or Icon configuration to remove the logo from the login screen.

  6. Review your configuration, and save your changes.

    Configuring the Social Authentication Implementations service
    Configuring the Social Authentication Implementations service.

    An icon now appears on the AM login screen, allowing users to authenticate with the third party authentication provider.

Read a different version of :