Many OpenAM deployments are consumer-facing, with organizations looking to deliver a great service to their existing and new customers. Earlier, we talked about how self-service registration in OpenAM 12 makes it easy for new customers to sign up, but even a simple web form is too much trouble for some people (myself included).
So the arrival of Social Authentication in OpenAM 12 is warmly welcomed. This means that administrators can quickly roll out support for social identities, from the likes of Google, Facebook and Microsoft, and customers or users get a great new way to sign in by simply clicking on the social Identity Provider (IDP) logo.
No more registration forms, just easy and rapid access to your OpenAM protected service.
Here’s how it works:
- The administrator registers the OpenAM server deployment as a Client App with the social IDP;
- The administrator configures OpenAM using the Client App ID details newly created at the IDP;
- That’s it! Users can now log in using their Google/Facebook/Microsoft credentials.
(In this example we’ll use Google but the same basic procedure is used with all the IDPs.)
Firstly, I go to my Social IDP registration page. At the time of writing these are:
- Google – https://console.developers.google.com
- Facebook – https://developers.facebook.com/quickstarts/?platform=web
- Microsoft – Follow the procedure described at http://msdn.microsoft.com/en-us/library/dn659750.aspx
(1) Create a Project:
(1a) For Google, we also need to enable the Google+ API:
(2) In a separate browser window, go to the Administration Console of OpenAM, go to the Common Tasks pane and click on the appropriate IDP, Google in our case:
(3) Copy the pre-filled Redirect URL from OpenAM:
(4) Now return to the Google developer console browser window and create a new Client ID:
(7) On clicking Create, OpenAM uses this information to automatically configure:
- An OAuth2/OpenID Connect authentication module;
- An authentication chain containing this authentication module;
- A social service which can be queried by the OpenAM user interface or other REST clients to get information about the configured social authentication providers.
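A pre-flight check for steps (3) and (4), as an added example that is not part of the original post or of OpenAM: it compares the Redirect URL copied from OpenAM with the redirect URIs registered for the Client ID at the IDP and reports why they would not match. The function names and URLs are constructed for illustration, and exact-string matching at the IDP is an assumption.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PARTS = ("scheme", "host", "port", "path", "query")

# Constructed sample values, not OpenAM's real Redirect URL.
OPENAM_URL = "https://openam.example.com/openam/callback"
REGISTERED_OK = ["https://openam.example.com/openam/callback"]
REGISTERED_BAD = [
    "https://openam.example.com/openam/callback/",   # trailing slash
    "http://openam.example.com/openam/callback",     # wrong scheme
]

def _parts(url):
    """Split a URL into the components that must agree on both sides."""
    p = urlsplit(url)
    values = (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path, p.query)
    return dict(zip(PARTS, values))

def check_redirect_url(openam_url, idp_registered):
    """Return a list of findings; an empty list means the pair is consistent."""
    mine = _parts(openam_url)
    if not mine["host"]:
        return ["redirect URL has no host"]
    findings = []
    if mine["scheme"] != "https" and mine["host"] not in LOOPBACK:
        findings.append("redirect URL is not HTTPS")
    if urlsplit(openam_url).fragment:
        findings.append("redirect URL contains a fragment")
    findings += [f"wildcard in registered URI: {r}" for r in idp_registered if "*" in r]
    # Assumption: the IDP compares redirect URIs as exact strings.
    if openam_url not in idp_registered:
        diffs = []
        for reg in idp_registered:
            theirs = _parts(reg)
            changed = [k for k in PARTS if mine[k] != theirs[k]]
            diffs.append(f"{reg} differs in {', '.join(changed) or 'case or fragment'}")
        findings.append("no exact match registered at the IDP: " + "; ".join(diffs or ["none registered"]))
    return findings

if __name__ == "__main__":
    for label, registered in (("ok", REGISTERED_OK), ("bad", REGISTERED_BAD)):
        print(label, check_redirect_url(OPENAM_URL, registered))
```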
Now we’ll look at the user experience…
(2) When the user clicks on this logo, she is redirected to the social authentication page:
(3) The first time the user does this a consent page is displayed:
(4) On accepting this, the user is logged in to OpenAM:
OpenAM can optionally create new accounts based on data gleaned from the social IDP so that services using OpenAM can identify and provide a rich experience to returning social users.
Social Authentication in OpenAM 12 takes only a few minutes for administrators to configure.
For sites looking to make life as easy as possible for new customers or users, Social Authentication is a great option.