IDM 7.3.0

LinkedIn social identity provider

Social authentication is deprecated and will be removed in a future release of IDM. For more information, refer to Deprecation.

Set up a LinkedIn app

Before you start, you will need a LinkedIn account. You can use a personal LinkedIn account for testing, but you should use an organizational account to avoid problems if individuals leave your organization.

To set up a LinkedIn app:

  1. Log in to LinkedIn, and navigate to LinkedIn Developers → MyApps.

  2. Select Create app, and enter the following information:

    • App name—Any unique name fewer than 50 characters.

    • Company—The company name associated with this application.

    • Privacy policy URL—An optional URL that displays a privacy policy.

    • Business email—The business email address that is associated with this application.

    • App logo—The logo that is displayed to users when they authenticate with this app.

  3. Select the products that should be integrated into the app.

  4. Accept LinkedIn’s legal terms.

  5. Select Verify to associate the app with your company, then follow the verification approval process.

  6. After you have approved the app, select it under My Apps, then select the Auth tab.

  7. Take note of the Client ID and Client Secret—you will need them in the next procedure.

  8. The app should have the following Permissions:

    • r_emailaddress

    • r_liteprofile

    • w_member_social

  9. Under OAuth 2.0 settings, select Add redirect URL and enter the FQDN and port number of your IDM instance. For example, http://openidm.example.com:8080/

For LinkedIn’s procedure, refer to their documentation on Authenticating with OAuth 2.0.

Configure a LinkedIn social identity provider

To configure a LinkedIn social identity provider using the admin UI:

  1. From the navigation bar, click Configure > Social ID Providers.

  2. On the Social Identity Providers page, enable LinkedIn.

  3. In the LinkedIn Provider window, enter applicable values in the fields, and click Save. For a complete list of fields, refer to LinkedIn Social Identity Provider Configuration Details.

After you save the social identity provider configuration, IDM generates a conf/identityProvider-linkedIn.json file:

{
    "provider" : "linkedIn",
    "authorizationEndpoint" : "https://www.linkedin.com/oauth/v2/authorization",
    "tokenEndpoint" : "https://www.linkedin.com/oauth/v2/accessToken",
    "userInfoEndpoint" : "https://api.linkedin.com/v2/me?projection=(id,firstName,lastName,profilePicture(displayImage~:playableStreams))",
    "emailAddressEndpoint" : "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))",
    "clientId" : "77l9udb8qmqihq",
    "clientSecret" : {
        "$crypto" : {
            "type" : "x-simple-encryption",
            "value" : {
                "cipher" : "AES/CBC/PKCS5Padding",
                "stableId" : "openidm-sym-default",
                "salt" : "2cmC36Ds++6xAtRhlvNOEw==",
                "data" : "TJ7VOHjJI0VWWedTKX4agviqc3H3Un5RDVAWyB2u64g=",
                "keySize" : 16,
                "purpose" : "idm.config.encryption",
                "iv" : "QbGAUSuOMrCh1i8F0fWGyA==",
                "mac" : "rUFVcSJ5+s+LZL6YFB3rFQ=="
            }
        }
    },
    "scope" : [
        "r_liteprofile",
        "r_emailaddress"
    ],
...

The file includes schema information, indicating the properties of each social identity account that will be collected by IDM, and the order in which these properties appear in the admin UI. When you have registered a user with a LinkedIn social identity, you can verify these properties by selecting Manage > LinkedIn, then selecting the user.

Further down in the file, the propertyMap maps user information between the source (social identity provider) and the target (IDM).

For more information about the properties in this file, refer to LinkedIn Social Identity Provider Configuration Details.

Configure user registration with LinkedIn

To configure LinkedIn social user registration using the admin UI:

  1. From the navigation bar, click Configure > User Registration, and click the Social tab.

  2. Enable Social Registration.

    For more information, refer to Self-service end user UI.

When you enable social registration, you are allowing users to register in IDM through all active social identity providers.

LinkedIn social identity provider configuration details

You can set up the LinkedIn social identity provider through the admin UI or in a conf/identityProvider-linkedIn.json file. IDM generates the identityProvider-linkedIn.json file when you configure and enable this social identity provider in the admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the admin UI LinkedIn Provider pop-up window, along with associated information in the identityProvider-linkedIn.json file:

LinkedIn social identity provider configuration properties
Property (UI) Property (JSON file) Description

Client ID

clientId

The client identifier for your LinkedIn Application

Client Secret

clientSecret

Used with the Client ID to access the applicable LinkedIn API

Scope

scope

An array of strings that allows access to user data; refer to LinkedIn’s documentation on Lite Profile Fields.

Authorization Endpoint

authorizationEndpoint

As per RFC 6749, "used to interact with the resource owner and obtain an authorization grant". For LinkedIn’s implementation, refer to their documentation on Authenticating with OAuth 2.0.

Token Endpoint

tokenEndpoint

Endpoint that receives a one-time authorization code, and returns an access token. For LinkedIn’s implementation, refer to their documentation on Authenticating with OAuth 2.0.

User Info Endpoint

userInfoEndpoint

Endpoint that transmits scope-related fields through LinkedIn’s API.

Email Address Endpoint

emailAddressEndpoint

API that must be called to retrieve the email address of the user.

Well-Known Endpoint

wellKnownEndpoint

Not used for LinkedIn

Not in the admin UI

name

Name of the social identity provider

Not in the admin UI

type

Authentication module

Not in the admin UI

authenticationId

Authentication identifier, as returned from the User Info Endpoint for each social identity provider

Not in the admin UI

propertyMap

Mapping between LinkedIn and IDM

For information on social identity provider buttons and badges, refer to Social identity provider button and badge properties.

Copyright © 2010-2023 ForgeRock, all rights reserved.