How to Integrate NetIQ Access Manager with external OAuth Providers

0 Likes
over 8 years ago

Introduction



Many organizations need or desire to implement authentication through external OAuth providers like Gmail, Hotmail, Yahoo, Twitter, Facebook, LinkedIn, Salesforce, Foursquare, MySpace, Yammer.

Several applications and portals use external authentication, now you too can use this feature for your NAM authentication.


How it works?
http://code.google.com/p/socialauth/

  1. You get the API keys from providers like Facebook, Google and Yahoo. For this, you need to have a public domain on which you plan to deploy the application. It is important to note that your application can only run on the domain which you provided while getting the keys (Having public domain is mandatory for some oauth providers, because they validate the domain ownership). If you want to run it locally, please see the steps here. Follow the link below to know how to get API keys.
    http://code.google.com/p/socialauth/wiki/GettingStarted in the "Prerequisites" section.
    29854-1

  • You make a request for authentication by using SocialAuth library. The library redirects the user to Facebook, Yahoo or other provider’s website where they enter the credentials.

  • The provider redirects the user back to your application with a token appended. Now you call the SocialAuth library and pass it this request token.

  • Now you can call SocialAuth library to get information about the user, and contacts from the provider.
    29854-2




Setup Details



NetIQ Access Manager Identity Server setup details.




  1. Download the zip file and extract. OAuthConsumer_customAuthClass_v0.1.zip

  • Copy the dist/oauthconsumer.jar file, which has custom authentication class and dependent library jar files to folder to your NAM 3.2.x Identity Server(s) /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

  • Copy the commons-httpclient.jar, commons-io-1.4.jar, commons-lang-2.1.jar, json-200080701.jar, openid4java.jar, socialauth.jar files in extractedfolder/lib to IDP /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.

  • Copy the jsp folder files to IDP, /opt/novell/nam/idp/webapps/nidp/jsp

  • Copy socialauth folder in images folder to /opt/novell/nam/idp/webapps/nidp/images/

  • Copy oauth_consumer.properties file to /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/

  • Make sure all new files have file permissions as novlwww:novlwww and restart IDP

  • To configure OAuth authentication, in the Administration Console, click Devices > Identity Servers > Edit > Local > Classes

  • Click New then fill in the following fields

    Display name: OAuthConsumerCls

    Java class: Select Other

    Java class path: com.netiq.custom.OAuthAuthenticatorClass


    29854-3


  • Click Next then configure the following properties: Click New and add the following:

    1. If user needs to be identified locally add this property, if not ignore. After the user authenticates at the OAuth/OpenID provider, Access Manager can associate a username from the user store with the OpenID user. With this association, Access Manager can use the policies defined for the username to enforce access to protected resources

      com.novell.nidp.authentication.local.openid.mapUser=true

  • If above property is set to true, NAM identifies user locally, the following property is needed to identify user locally.

    com.novell.nidp.authentication.local.openid.ldapAttrName=givenName


  • If auto provision need to be done, if user not exist locally. The following property needs to be set. External provider user properties will be used like facebook, gmail user profile.

    com.novell.nidp.authentication.local.openid.autoProvision=true


    29854-4




  • Click finish.

  • Your NAM authentication class is now defined. Next, define a NAM Identity Server Method using the custom OAuth consumer class, Click on Methods

  • Click on New

  • Fill in the following fields:

    Display name: OAuthConsumerMethod

    Class: select previously created class

    Identifies User: leave it selected

    User stores: You can select from the list of all the user stores you have set up and move it left.


    29854-5


  • Click finish.

  • Your NAM authentication Class and Method are complete. The last Identity Server configuration task is to create a contract. Click on Contracts and click new

  • Fill in the following fields:

    Display name: OAuthConsumerContract



    URI: Specifies a value that uniquely identifies the contract from all other contracts

    Methods and Available Methods: Specifies the authentication method to use for the contract. Select created method and move it to left.


    29854-6



  • Click Next

  • Configure a card for the contract, select Image fill Text for tool tip

  • Click Finish and then Ok

  • Update IDP Server



Testing the configuration:



  1. Get key from OAuth provider by registering and providing call back/return/success URL

  • Here showing for facebook


  • Login with facebook credentials, register as a developer.

  • Follow developer registration wizard until Application screen is displayed

  • Click on "Create New App"

  • Enter details like app name (some name) etc. and click the "continue" button.
    29854-7


  • Note down the AppID and AppSecret displayed for this Application - found under the Basic App Settings field shown below

  • Click on website with facebook login

  • Disable sandbox mode and Enter OAuth Call back url http(s)://yourdomain(:port)/nidp/jsp/socialauth_return.jsp
    29854-8



  • Save Changes

  • Summary page might look like this:
    29854-9




  • Update /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/oauth_consumer.properties

    Example for facebook key as AppID and secret as AppSecret values (noted at step 'h' above or go to https://developers.facebook.com/apps and note down App ID/API Key and click on Show for App Secret):


    #facebook

    graph.facebook.com.consumer_key = 1234557890

    graph.facebook.com.consumer_secret = 07fdef……….



    For additional information about above properties, please refer to http://code.google.com/p/socialauth/wiki/SampleProperties or sample properties in downloaded zip file.




  • Restart IDP with command "/etc/init.d/novell-idp restart"

  • Access NetIQ Identity Server page http(s)://<<idp server >>:<<port>>/nidp or protected resource.

    29854-10


  • Select the card (contract) of OAuth consumer.

  • OAuth provider list displayed, select OAuth provider to be used for authentication, In This example click on Facebook.
    29854-11



  • Browser takes to OAuth provider site Facebook, provide credentials and submit.

    29788-12

  • Authorization prompt from OAuth provider shows, allow NAM as consumer to OAuth provider.
    29854-13


  • Authentication success: shows you are authenticated and OAuth provider authenticated user name will be shown on the right upper corner.
    29854-14




References:

  1. Wiki: http://code.google.com/p/socialauth/w/list






Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended