OpenAM 12 and Social Authentication

Many OpenAM deployments are consumer-facing where organizations are looking to deliver a great service to their existing, and new, customers. Earlier, we talked about how self-service registration in OpenAM 12 makes it easy for new customers to sign up, but even a simple web form is too much trouble for some people (myself included).

So the arrival of Social Authentication in OpenAM 12 is warmly welcomed. This means that administrators can quickly roll out support for social identities, from the likes of Google, Facebook and Microsoft, and customers or users get a great new way to sign in by simply clicking on the social Identity Provider (IDP) logo.
No more registration forms, just easy and rapid access to your OpenAM protected service.

Here’s how it works:

Overview

The OpenAM administrator needs a developer account with the relevant IDP, and then simply:
  1. Registers the OpenAM server deployment as a Client App with the Social IDP;
  2. Configures OpenAM with the Client App ID details that the IDP issued;
  3. That’s it! Users can now log in using their Google/Facebook/Microsoft credentials.

Configuration

(In this example we’ll use Google but the same basic procedure is used with all the IDPs.)
Firstly, I go to my Social IDP registration page. At the time of writing these are:

…and create a project or app.
With Google it goes like this:

(1) Create a Project:

(1a) For Google, we also need to enable the Google+ API (Google has since retired the Google+ API; current Google OAuth 2.0 clients obtain the user profile from the OpenID Connect userinfo endpoint instead):

(2) In a separate browser window, open the OpenAM Administration Console, go to the Common Tasks pane and click on the appropriate IDP, Google in our case:

(3) Copy the pre-filled Redirect URL from OpenAM:

(4) Now return to the Google developer console browser window and create a new Client ID:


(5) Paste the previously copied Redirect URL to associate it with this Client ID. The IDP will only send authorization responses to a URL that matches this registered value exactly (scheme, host, port and path), so it must reflect how browsers actually reach the OpenAM deployment:

(6) Now copy the Google Client ID and Secret and paste them back into OpenAM. The Client Secret is a credential for your OpenAM deployment: it is only ever used server-side, so keep it out of version control and tickets and regenerate it at the IDP if it is exposed:

(7) On clicking Create, OpenAM uses this information to automatically configure:

  1. An OAuth2/OpenID Connect authentication module;
  2. An authentication chain containing this authentication module;
  3. A social service which can be queried by the OpenAM user interface or other REST clients to get information about the configured social authentication providers.

User Experience

Now we’ll look at the user experience…

(1) When the login page is reached, the new OpenAM 12 XUI (a JavaScript client) queries the REST endpoint of the social authentication service to discover which providers are configured. The response includes a logo for each provider, which is displayed as part of the login dialog:

(2) When the user clicks on this logo, she is redirected to the social authentication page:

(3) The first time the user does this a consent page is displayed:

(4) On accepting this, the user is logged in to OpenAM:

OpenAM can optionally create new accounts from the profile data it receives from the social IDP, so that services using OpenAM can identify returning social users and give them a richer experience.
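What happens between the click on the logo in step (2) and the login in step (4) is a standard OAuth 2.0 / OpenID Connect authorization code flow, and it is also why the Redirect URL and Client Secret in the configuration section matter. The following is an added example of the relying-party side of that flow; it is not OpenAM's own code and was not part of the original post. The Google authorization endpoint is real, but the OpenAM hostname, the callback path, the Client ID and the Client Secret are constructed placeholders (OpenAM's actual redirect path differs).

```python
"""Relying-party (RP) side of the OAuth 2.0 / OpenID Connect authorization code
flow that OpenAM runs against a social IDP. Added example, not OpenAM's code:
the hostnames, paths, client ID and secret below are constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint; everything else below is a placeholder.
AUTHZ_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"      # constructed
CLIENT_SECRET = "constructed-secret-never-sent-to-the-browser"      # constructed
# The URL copied from OpenAM in step (3) and registered with the IDP in step (5).
REGISTERED_REDIRECT_URI = "https://openam.example.com:8443/openam/social/callback"


def build_authorization_request(client_id, redirect_uri, scopes):
    """URL the browser is sent to when the user clicks the IDP logo, plus the
    per-login state and nonce the RP must store to validate the callback."""
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session (CSRF defence)
    nonce = secrets.token_urlsafe(32)  # echoed in the ID token so it cannot be replayed
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return {"url": AUTHZ_ENDPOINT + "?" + urlencode(params), "state": state, "nonce": nonce}


def redirect_uri_is_registered(candidate, registered):
    """The check the IDP applies to redirect_uri in the request: an exact string
    match, so a trailing slash, http://, another port or a subpath is refused."""
    return candidate == registered


def handle_callback(callback_url, pending):
    """Validate the IDP's redirect back to the RP and return the authorization
    code. `pending` is the dict build_authorization_request returned for this login."""
    parsed = urlparse(callback_url)
    landed_on = parsed.scheme + "://" + parsed.netloc + parsed.path
    if landed_on != REGISTERED_REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:  # e.g. access_denied when the user declines consent
        raise ValueError("IDP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def callback_accepted(callback_url, pending):
    """True if handle_callback would accept the callback, False otherwise."""
    try:
        handle_callback(callback_url, pending)
        return True
    except ValueError:
        return False


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Form body the RP's server side POSTs to the IDP token endpoint over TLS.
    The client secret from step (6) is used only here, server to server."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must repeat the exact registered value
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    pending = build_authorization_request(CLIENT_ID, REGISTERED_REDIRECT_URI, ["openid", "email", "profile"])
    print("redirect browser to:", pending["url"])
    # Constructed callback, shaped like the one the IDP issues after consent.
    callback = REGISTERED_REDIRECT_URI + "?code=4%2Fconstructed-code&state=" + pending["state"]
    code = handle_callback(callback, pending)
    print("token request body:", build_token_request(code, CLIENT_ID, CLIENT_SECRET, REGISTERED_REDIRECT_URI))
```

The two checks worth noticing are the ones an administrator influences through the console steps above: the IDP refuses any redirect_uri that is not byte-for-byte the registered one, which is why a copy-paste of the Redirect URL with a different port or a trailing slash fails, and the Client Secret appears only in the server-to-server token request, never in the URL the browser is redirected to.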

Summary

Social Authentication in OpenAM 12 takes only a few minutes for administrators to configure.
For sites looking to make life as easy as possible for new customers or users, Social Authentication is a great option.

– FB

This blog post by the Access Management product manager was first published @ thefatblokesings.blogspot.com, included here with permission.

3 Comments


  1. nisha_mehta 4 years ago

    In my project, there is a requirement to integrate LinkedIn with OpenAM 11. Is this integration possible? If yes, can you share a link or provide some pointers?
    Thanks in Advance.

  2. Rogerio Rondini 4 years ago

    Hi Nisha,

    If you plan to use LinkedIn as Google and Facebook in the above example, you need to look into the LinkedIn documentation to get the OAuth End Points and steps to create application.

    I found the following URL which has step-by-step to do it. From the OpenAM side, you need to follow the same steps as above, just using LinkedIn instead of Google.

    https://developer.linkedin.com/docs/oauth2

  3. nisha_mehta 4 years ago

    Thank you Rogerio Rondini for the quick response.

©2019 ForgeRock