LinkedIn Social Identity Provider
Set Up a LinkedIn App
Before you start, you will need a LinkedIn account. You can use a personal LinkedIn account for testing, but you should ultimately use an organizational account to avoid problems if individuals leave your organization.
To set up a LinkedIn app:
Log in to LinkedIn and navigate to LinkedIn Developers -> MyApps.
Select Create app and enter the following information:
App name. Enter any unique name that is fewer than 50 characters.
Company. The company name that will be associated with this application.
Privacy policy URL. An optional URL that displays your company's Privacy Policy.
Business email. The business email address that is associated with this application.
App logo. The logo that is displayed to users when they authenticate with this app.
Select the products that should be integrated into the app.
Accept LinkedIn's legal terms.
Select Verify to associate the app with your company, then follow the verification approval process.
After you have approved the app, select it under My Apps, then select the Auth tab.
Take note of the
Client ID
andClient Secret
—you will need them in the next procedure.The app should have the following Permissions:
r_emailaddress
r_liteprofile
w_member_social
Under OAuth 2.0 settings, select Add redirect URL and enter the FQDN and port number of your IDM instance. For example,
http://openidm.example.com:8080/
Note
For LinkedIn's procedure, see their documentation on Authenticating with OAuth 2.0.
Configure a LinkedIn Social Identity Provider
To configure a LinkedIn social identity provider, log in to the Admin UI and navigate to Configure > Social ID Providers.
Enable the LinkedIn social identity provider.
Make sure that the Redirect URI on this screen matches the OAuth 2.0 Redirect URL that you entered in "Set Up a LinkedIn App".
Copy the
Client ID
andClient Secret
that you obtained in "Set Up a LinkedIn App".(Optional) Change any of the
Advanced Options
listed in "LinkedIn Social Identity Provider Configuration Details".Select Save.
When you enable a LinkedIn social identity provider, IDM generates the corresponding identityProvider-linkedIn.json
file in your project's conf/
subdirectory.
When you review that file, you should see information beyond what you see in the Admin UI. The first part of the file includes the name of the provider, endpoints, as well as the clientId
and encrypted clientSecret
.
{ "provider" : "linkedIn", "authorizationEndpoint" : "https://www.linkedin.com/oauth/v2/authorization", "tokenEndpoint" : "https://www.linkedin.com/oauth/v2/accessToken", "userInfoEndpoint" : "https://api.linkedin.com/v2/me?projection=(id,firstName,lastName,profilePicture(displayImage~:playableStreams))", "emailAddressEndpoint" : "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))", "clientId" : "77l9udb8qmqihq", "clientSecret" : { "$crypto" : { "type" : "x-simple-encryption", "value" : { "cipher" : "AES/CBC/PKCS5Padding", "stableId" : "openidm-sym-default", "salt" : "2cmC36Ds++6xAtRhlvNOEw==", "data" : "TJ7VOHjJI0VWWedTKX4agviqc3H3Un5RDVAWyB2u64g=", "keySize" : 16, "purpose" : "idm.config.encryption", "iv" : "QbGAUSuOMrCh1i8F0fWGyA==", "mac" : "rUFVcSJ5+s+LZL6YFB3rFQ==" } } }, "scope" : [ "r_liteprofile", "r_emailaddress" ], ...
You should also see UI settings related to the social identity provider icon (badge) and the sign-in button, described in "Social Identity Provider Button and Badge Properties".
The file includes schema
information, indicating the properties of each social identity account that will be collected by IDM, and the order in which these properties appear in the Admin UI. When you have registered a user with a LinkedIn social identity, you can verify these properties by selecting Manage > LinkedIn, then selecting the user.
Further down in the file, the propertyMap
maps user information between the source
(social identity provider) and the target
(IDM).
For more information about the properties in this file, see "LinkedIn Social Identity Provider Configuration Details".
Configure User Registration With LinkedIn
After you have configured the LinkedIn social identity provider, activate it by enabling User Registration:
Select Configure > User Registration > Enable.
On the Social tab, enable Social Registration. For more information about user self-service features, see "Self-Service End User UI".
Note
When you enable social registration, you are allowing users to register in IDM through all active social identity providers.
LinkedIn Social Identity Provider Configuration Details
You can set up the LinkedIn social identity provider through the Admin UI or in a conf/identityProvider-linkedIn.json
file. IDM generates the identityProvider-linkedIn.json
file when you configure and enable this social identity provider in the Admin UI. Alternatively, you can create the file manually.
The following table includes the information shown in the Admin UI LinkedIn Provider pop-up window, along with associated information in the identityProvider-linkedIn.json
file:
Property (UI) | Property (JSON file) | Description |
---|---|---|
Client ID | clientId | The client identifier for your LinkedIn Application |
Client Secret | clientSecret | Used with the Client ID to access the applicable LinkedIn API |
Scope | scope | An array of strings that allows access to user data; see LinkedIn's documentation on Lite Profile Fields. |
Authorization Endpoint | authorizationEndpoint | Per RFC 6749, "used to interact with the resource owner and obtain an authorization grant". For LinkedIn's implementation, see their documentation on Authenticating with OAuth 2.0. |
Token Endpoint | tokenEndpoint | Endpoint that receives a one-time authorization code, and returns an access token. For LinkedIn's implementation, see their documentation on Authenticating with OAuth 2.0. |
User Info Endpoint | userInfoEndpoint | Endpoint that transmits scope-related fields through LinkedIn's API. |
Email Address Endpoint | emailAddressEndpoint | API that must be called to retrieve the email address of the user. |
Well-Known Endpoint | wellKnownEndpoint | Not used for LinkedIn |
Not in the Admin UI | name | Name of the social identity provider |
Not in the Admin UI | type | Authentication module |
Not in the Admin UI | authenticationId | Authentication identifier, as returned from the User Info Endpoint for each social identity provider |
Not in the Admin UI | propertyMap | Mapping between LinkedIn and IDM |
For information on social identity provider buttons and badges, see "Social Identity Provider Button and Badge Properties".