How to Integrate NetIQ Access Manager with external OAuth Providers


Introduction



Many organizations need or want to authenticate users through external OAuth providers such as Gmail, Hotmail, Yahoo, Twitter, Facebook, LinkedIn, Salesforce, Foursquare, MySpace and Yammer.

Many applications and portals already use external authentication; with the steps below you can use the same approach for your NAM authentication.


How it works
http://code.google.com/p/socialauth/

  1. Get API keys from providers such as Facebook, Google and Yahoo. For this you need a public domain on which you plan to deploy the application; the application can only run on the domain you provided when obtaining the keys (a public domain is mandatory for some OAuth providers, because they validate domain ownership). If you want to run it locally, please see the steps here. How to obtain the API keys is described in the "Prerequisites" section of http://code.google.com/p/socialauth/wiki/GettingStarted.

  2. Request authentication through the SocialAuth library. The library redirects the user to the Facebook, Yahoo or other provider's website, where they enter their credentials.

  3. The provider redirects the user back to your application with a token appended. Call the SocialAuth library and pass it this request token.

  4. Call the SocialAuth library again to retrieve information about the user, and the user's contacts, from the provider.




Setup Details



NetIQ Access Manager Identity Server setup details.




  1. Download and extract the zip file OAuthConsumer_customAuthClass_v0.1.zip.

  2. Copy the dist/oauthconsumer.jar file, which contains the custom authentication class, and its dependent library jar files to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib on your NAM 3.2.x Identity Server(s).

  3. Copy the commons-httpclient.jar, commons-io-1.4.jar, commons-lang-2.1.jar, json-200080701.jar, openid4java.jar and socialauth.jar files from extractedfolder/lib to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib on the IDP.

  4. Copy the files in the jsp folder to /opt/novell/nam/idp/webapps/nidp/jsp on the IDP.

  5. Copy the socialauth folder from the images folder to /opt/novell/nam/idp/webapps/nidp/images/.

  6. Copy the oauth_consumer.properties file to /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/.

  7. Make sure all new files are owned by novlwww:novlwww, then restart the IDP.

  8. To configure OAuth authentication, in the Administration Console click Devices > Identity Servers > Edit > Local > Classes.

  9. Click New, then fill in the following fields:

    Display name: OAuthConsumerCls

    Java class: Select Other

    Java class path: com.netiq.custom.OAuthAuthenticatorClass




  10. Click Next, then click New and add the following properties:

    1. If the user needs to be identified locally, add this property; otherwise ignore it. After the user authenticates at the OAuth/OpenID provider, Access Manager can associate a username from the user store with the OpenID user. With this association, Access Manager can use the policies defined for that username to enforce access to protected resources.

      com.novell.nidp.authentication.local.openid.mapUser=true

    2. If the above property is set to true, NAM identifies the user locally, and the following property specifies the LDAP attribute used to identify the user.

      com.novell.nidp.authentication.local.openid.ldapAttrName=givenName

    3. If the user does not exist locally and should be auto-provisioned, set the following property. The user's profile attributes from the external provider (Facebook, Gmail, etc.) will be used.

      com.novell.nidp.authentication.local.openid.autoProvision=true




  11. Click Finish.

  12. Your NAM authentication class is now defined. Next, define a NAM Identity Server method that uses the custom OAuth consumer class: click Methods.

  13. Click New.

  14. Fill in the following fields:

    Display name: OAuthConsumerMethod

    Class: select previously created class

    Identifies User: leave it selected

    User stores: select from the list of all the user stores you have set up and move the chosen store to the left.


  15. Click Finish.

  16. Your NAM authentication class and method are complete. The last Identity Server configuration task is to create a contract. Click Contracts and click New.

  17. Fill in the following fields:

    Display name: OAuthConsumerContract



    URI: Specifies a value that uniquely identifies the contract from all other contracts.

    Methods and Available Methods: Specifies the authentication method to use for the contract. Select the created method and move it to the left.



  18. Click Next.

  19. Configure a card for the contract: select an image and fill in the text for the tooltip.

  20. Click Finish and then OK.

  21. Update the IDP server.
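The request flow from "How it works" and the user-mapping properties of step 10, as an added Java example that is not the class shipped in oauthconsumer.jar: it calls the SocialAuth library API (org.brickred.socialauth) against the page's oauth_consumer.properties file and socialauth_return.jsp callback. The host idp.example.com, the session attribute name, and the sn/mail mappings beyond the page's givenName are assumptions.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.brickred.socialauth.AuthProvider;
import org.brickred.socialauth.Profile;
import org.brickred.socialauth.SocialAuthConfig;
import org.brickred.socialauth.SocialAuthManager;
import org.brickred.socialauth.util.SocialAuthUtil;

// Illustrative consumer-side flow; not the class shipped in oauthconsumer.jar.
public class OAuthConsumerFlow {
    // Callback registered with the provider (the page's socialauth_return.jsp path; host is assumed).
    static final String RETURN_URL = "https://idp.example.com/nidp/jsp/socialauth_return.jsp";

    // Step 2: load keys/secrets from oauth_consumer.properties (found on the classpath, i.e.
    // WEB-INF/classes), build the provider redirect and park the manager in the session.
    public static String startLogin(HttpSession session, String providerId) throws Exception {
        SocialAuthConfig config = SocialAuthConfig.getDefault();
        config.load();                                  // default file name: oauth_consumer.properties
        SocialAuthManager manager = new SocialAuthManager();
        manager.setSocialAuthConfig(config);
        session.setAttribute("socialauth.manager", manager);
        return manager.getAuthenticationUrl(providerId, RETURN_URL);
    }

    // Steps 3-4: the provider redirects back to RETURN_URL with a token appended; the library
    // verifies that token with the provider and fetches the user's profile.
    public static Profile finishLogin(HttpServletRequest request) throws Exception {
        HttpSession session = request.getSession(false);
        Object pending = session == null ? null : session.getAttribute("socialauth.manager");
        if (pending == null) throw new IllegalStateException("callback without a login started in this session");
        session.removeAttribute("socialauth.manager"); // one callback per started login
        Map<String, String> params = SocialAuthUtil.getRequestParametersMap(request);
        AuthProvider provider = ((SocialAuthManager) pending).connect(params);
        return provider.getUserProfile();
    }

    // Local identification (mapUser=true): the profile field compared with the LDAP attribute named by
    // ldapAttrName. The user-store lookup must match exactly one entry; givenName is rarely unique, mail usually is.
    public static String mappingValue(Profile profile, String ldapAttrName) {
        switch (ldapAttrName) {
            case "givenName": return profile.getFirstName();
            case "sn":        return profile.getLastName();
            case "mail":      return profile.getEmail();
            default: throw new IllegalArgumentException("no profile field mapped to " + ldapAttrName);
        }
    }
}
```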



Testing the configuration:



  1. Get a key from the OAuth provider by registering and providing the callback/return/success URL.

  2. The steps below show this for Facebook.

  3. Access https://developers.facebook.com/apps/ (for more information, see reference 4).

  4. Log in with your Facebook credentials and register as a developer.

  5. Follow the developer registration wizard until the Application screen is displayed.

  6. Click "Create New App".

  7. Enter details such as the app name and click the "Continue" button.


  8. Note down the App ID and App Secret displayed for this application, found under Basic App Settings.

  9. Click "Website with Facebook Login".

  10. Disable sandbox mode and enter the OAuth callback URL http(s)://yourdomain(:port)/nidp/jsp/socialauth_return.jsp



  11. Save the changes.

  12. The summary page shows the application you registered.




  13. Update /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/oauth_consumer.properties.

    Example for Facebook, with the App ID as the key and the App Secret as the secret (noted at step 8 above; or go to https://developers.facebook.com/apps, note down the App ID/API Key and click Show for the App Secret):

    #facebook
    graph.facebook.com.consumer_key = 1234557890
    graph.facebook.com.consumer_secret = 07fdef……….

    For additional information about the above properties, refer to http://code.google.com/p/socialauth/wiki/SampleProperties or the sample properties in the downloaded zip file.




  14. Restart the IDP with the command "/etc/init.d/novell-idp restart".

  15. Access the NetIQ Identity Server page http(s)://<<idp server >>:<<port>>/nidp or a protected resource.


  16. Select the OAuth consumer card (contract).

  17. The OAuth provider list is displayed; select the provider to authenticate with. In this example, click Facebook.

  18. The browser is redirected to the OAuth provider site (Facebook); enter your credentials and submit.

  19. The OAuth provider shows an authorization prompt; allow NAM as a consumer of the OAuth provider.

  20. Authentication success: the page shows that you are authenticated, and the user name authenticated by the OAuth provider is shown in the upper right corner.




References:

  1. Wiki: http://code.google.com/p/socialauth/w/list

  2. Project URL: http://code.google.com/p/socialauth/

  3. Facebook API key registration: https://developers.facebook.com/apps/

  4. Facebook application registration: https://developers.facebook.com/docs/web/tutorials/scrumptious/register-facebook-application/

  5. Google+ API key registration: https://code.google.com/apis/console/

  6. Twitter, LinkedIn, Hotmail, Yahoo, Yammer, Salesforce, MySpace, Foursquare and Mendeley: http://code.google.com/p/socialauth/w/list

Comments
This feature has been added to Access Manager 4.0sp1:
https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/b1ac07ic.html
The new socialauth requires a Google+ account, while it seems that the above method worked even with just a Gmail account. Is it possible to integrate Gmail auth with the recent version of the product?
Thanks
Version history: revision 3 of 3, last updated 2020-01-31 22:06 by Micro Focus Contributor.