LinkedIn Social Identity Provider

Set Up a LinkedIn App

Before you start, you will need a LinkedIn account. You can use a personal LinkedIn account for testing, but you should ultimately use an organizational account to avoid problems if individuals leave your organization.

To set up a LinkedIn app:

Log in to LinkedIn and navigate to LinkedIn Developers -> MyApps.
Select Create app and enter the following information:
- App name. Enter any unique name that is fewer than 50 characters.
- Company. The company name that will be associated with this application.
- Privacy policy URL. An optional URL that displays your company's Privacy Policy.
- Business email. The business email address that is associated with this application.
- App logo. The logo that is displayed to users when they authenticate with this app.
Select the products that should be integrated into the app.
Accept LinkedIn's legal terms.
Select Verify to associate the app with your company, then follow the verification approval process.
After you have approved the app, select it under My Apps, then select the Auth tab.
Take note of the Client ID and Client Secret—you will need them in the next procedure.
The app should have the following Permissions:
- r_emailaddress
- r_liteprofile
- w_member_social
Under OAuth 2.0 settings, select Add redirect URL and enter the FQDN and port number of your IDM instance. For example, http://openidm.example.com:8080/

Note

For LinkedIn's procedure, see their documentation on Authenticating with OAuth 2.0.

Configure a LinkedIn Social Identity Provider

To configure a LinkedIn social identity provider, log in to the Admin UI and navigate to Configure > Social ID Providers.
Enable the LinkedIn social identity provider.
Make sure that the Redirect URI on this screen matches the OAuth 2.0 Redirect URL that you entered in "Set Up a LinkedIn App".
Copy the Client ID and Client Secret that you obtained in "Set Up a LinkedIn App".
(Optional) Change any of the Advanced Options listed in "LinkedIn Social Identity Provider Configuration Details".
Select Save.

When you enable a LinkedIn social identity provider, IDM generates the corresponding identityProvider-linkedIn.json file in your project's conf/ subdirectory.

When you review that file, you should see information beyond what you see in the Admin UI. The first part of the file includes the name of the provider, endpoints, as well as the clientId and encrypted clientSecret.

{
    "provider" : "linkedIn",
    "authorizationEndpoint" : "https://www.linkedin.com/oauth/v2/authorization",
    "tokenEndpoint" : "https://www.linkedin.com/oauth/v2/accessToken",
    "userInfoEndpoint" : "https://api.linkedin.com/v2/me?projection=(id,firstName,lastName,profilePicture(displayImage~:playableStreams))",
    "emailAddressEndpoint" : "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))",
    "clientId" : "77l9udb8qmqihq",
    "clientSecret" : {
        "$crypto" : {
            "type" : "x-simple-encryption",
            "value" : {
                "cipher" : "AES/CBC/PKCS5Padding",
                "stableId" : "openidm-sym-default",
                "salt" : "2cmC36Ds++6xAtRhlvNOEw==",
                "data" : "TJ7VOHjJI0VWWedTKX4agviqc3H3Un5RDVAWyB2u64g=",
                "keySize" : 16,
                "purpose" : "idm.config.encryption",
                "iv" : "QbGAUSuOMrCh1i8F0fWGyA==",
                "mac" : "rUFVcSJ5+s+LZL6YFB3rFQ=="
            }
        }
    },
    "scope" : [
        "r_liteprofile",
        "r_emailaddress"
    ],
...

You should also see UI settings related to the social identity provider icon (badge) and the sign-in button, described in "Social Identity Provider Button and Badge Properties".

The file includes schema information, indicating the properties of each social identity account that will be collected by IDM, and the order in which these properties appear in the Admin UI. When you have registered a user with a LinkedIn social identity, you can verify these properties by selecting Manage > LinkedIn, then selecting the user.

Further down in the file, the propertyMap maps user information between the source (social identity provider) and the target (IDM).

For more information about the properties in this file, see "LinkedIn Social Identity Provider Configuration Details".

Configure User Registration With LinkedIn

After you have configured the LinkedIn social identity provider, activate it by enabling User Registration:

Select Configure > User Registration > Enable.
On the Social tab, enable Social Registration. For more information about user self-service features, see "Self-Service End User UI".

Note

When you enable social registration, you are allowing users to register in IDM through all active social identity providers.

LinkedIn Social Identity Provider Configuration Details

You can set up the LinkedIn social identity provider through the Admin UI or in a conf/identityProvider-linkedIn.json file. IDM generates the identityProvider-linkedIn.json file when you configure and enable this social identity provider in the Admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the Admin UI LinkedIn Provider pop-up window, along with associated information in the identityProvider-linkedIn.json file:

LinkedIn Social Identity Provider Configuration Properties

Property (UI)	Property (JSON file)	Description
Client ID	`clientId`	The client identifier for your LinkedIn Application
Client Secret	`clientSecret`	Used with the Client ID to access the applicable LinkedIn API
Scope	`scope`	An array of strings that allows access to user data; see LinkedIn's documentation on Lite Profile Fields.
Authorization Endpoint	`authorizationEndpoint`	Per RFC 6749, "used to interact with the resource owner and obtain an authorization grant". For LinkedIn's implementation, see their documentation on Authenticating with OAuth 2.0.
Token Endpoint	`tokenEndpoint`	Endpoint that receives a one-time authorization code, and returns an access token. For LinkedIn's implementation, see their documentation on Authenticating with OAuth 2.0.
User Info Endpoint	`userInfoEndpoint`	Endpoint that transmits scope-related fields through LinkedIn's API.
Email Address Endpoint	`emailAddressEndpoint`	API that must be called to retrieve the email address of the user.
Well-Known Endpoint	`wellKnownEndpoint`	Not used for LinkedIn
Not in the Admin UI	`name`	Name of the social identity provider
Not in the Admin UI	`type`	Authentication module
Not in the Admin UI	`authenticationId`	Authentication identifier, as returned from the User Info Endpoint for each social identity provider
Not in the Admin UI	`propertyMap`	Mapping between LinkedIn and IDM

For information on social identity provider buttons and badges, see "Social Identity Provider Button and Badge Properties".