Just in Time Provisioning in OpenAM 13.0.0 Using Social Login


This topic has 12 replies, 2 voices, and was last updated 5 years, 6 months ago by usowmyas.

  • #9713
     usowmyas
    Participant

    Hi, this is a very good video: “Just in Time Provisioning in OpenAM Using Social Login” on YouTube. Can we have the same video for OpenAM 13.0.0?

    • This topic was modified 5 years, 6 months ago by Peter Major.
    #9714
     usowmyas
    Participant

    @rajeshr, hi, this is a very good video: “Just in Time Provisioning in OpenAM Using Social Login” on YouTube. Can we have the same video for OpenAM 13.0.0?

    I’m trying a similar setup by modifying the Authentication tab of the new Realm that I created, but it does not work. The page is redirected to the Facebook login; once logged in, it fails to create a new user in the LDAP directory and errors out with “resource not available”.

    #9716
     Rajesh R
    Participant

    @usowmyas Thank you for your kind and encouraging comment on the Video log. Someone had raised a similar question earlier on this forum, and the following configuration that I posted as a reply (a working configuration of Facebook Authentication in OpenAM 13) seemed to work. Please give it a try and let us know:

    –snip–
    Client Id: 9****3**19****8
    Access Token Endpoint URL: https://graph.facebook.com/oauth/access_token
    User Profile Service URL: https://graph.facebook.com/v2.5/me?fields=email
    Scope: public_profile,email
    Proxy URL: http://idp.mydomain.com:8080/openam/oauth2c/OAuthProxy.jsp
    Account Mapper: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|email|facebook-
    Account Mapper Configuration: email=mail
    Attribute Mapper: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|email|facebook-
    Email attribute in OAuth2 Response: <Empty>
    Create account if it does not exist: <Unchecked>
    Prompt for password setting and activation code: <Unchecked>
    OAuth 2.0 Provider logout service: <Empty>
    Logout options: Prompt
    Mail Server Gateway implementation class: org.forgerock.openam.authentication.modules.oauth2.DefaultEmailGatewayImpl
    SMTP host: localhost
    SMTP port: 25
    SMTP User Name: <empty>
    SMTP User Password: <empty>
    SMTP SSL Enabled: <unchecked>
    Authentication Level: 0
    OpenID Connect validation configuration type: client_secret
    Name of OpenID Connect ID Token Issuer : <empty>
    Anonymous User: anonymous
    OpenID Connect validation configuration value: <empty>
    Client Secret : ***********************
    Authentication Endpoint URL : https://www.facebook.com/dialog/oauth
    OAuth2 Access Token Profile Service Parameter name: access_token
    Account Provider: org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
    Attribute Mapper Configuration: email=mail
    Save attributes in the session: <checked>
    Map to anonymous user: <unchecked>
    SMTP From address: [email protected]
    –snip–

    #9718
     usowmyas
    Participant

    Not sure how to apply this configuration. Can I have the steps for applying this configuration?

    Or a similar video?

    #9719
     Rajesh R
    Participant

    @usowmyas What was posted earlier are the values of the Social Authentication configuration in OpenAM. Create a new Authentication Module Instance in OpenAM 13 for Social Authentication and key in the values as mentioned there. Some of them are populated by default. At the next best opportunity, I can try making a video log and post it.

    #9720
     usowmyas
    Participant

    @rajeshr, I’m not quite sure how to apply this configuration. Can I have the steps for applying this configuration?

    Or a similar video?

    #9721
     usowmyas
    Participant

    @rajeshr, ok … got it … setting up now, will let you know shortly.

    #9722
     usowmyas
    Participant

    @rajeshr, “Create account if it does not exist: <Unchecked>”: this should be checked, as we need to create an account if it does not exist. Looks like something is missing here.

    #9723
     Rajesh R
    Participant

    @usowmyas Yes, if you want to create a new account in OpenAM during Social Authentication, you should check it. In my configuration, I did not opt to create an account, so left it unchecked.

    #9725
     usowmyas
    Participant

    @rajeshr, able to log in, but seeing the below error:

    App Not Setup: This app is still in development mode, and you don’t have access to it. Switch to a registered test user or ask an app admin for permissions.

    Also, are the below three configurations correct?

    Account Mapper: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|email|facebook-
    Account Mapper Configuration: email=mail
    Attribute Mapper: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper|email|facebook-

    They end abruptly with a “-”, and in the previous awesome video you included all of “first_name=givenName, id=uid, name=cn, email=mail, last_name=sn” instead of just “email=mail”.

    #9726
     usowmyas
    Participant

    Added “first_name=givenName, id=uid, name=cn, email=mail, last_name=sn” to Account Mapper Configuration; the same issue still persists.
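
The mapping strings discussed above (Rajesh’s “email=mail” with a profile URL of https://graph.facebook.com/v2.5/me?fields=email, and the fuller “first_name=givenName, id=uid, name=cn, email=mail, last_name=sn”) are what a just-in-time provisioner uses to turn the provider’s JSON profile into an LDAP entry. The following is an added example, not OpenAM’s own mapper code, showing that transformation end to end: it parses the mapping, applies it to a constructed Facebook-style /me response, renders the inetOrgPerson entry, and reports which mapped source fields a given profile URL never requests. Assumptions: the sample profile, the base DN ou=people,dc=example,dc=com, and the value-prefix behaviour (modelled on the “JsonAttributeMapper|email|facebook-” setting, here applied to the id so the uid cannot collide with a local account) are the example’s own; the profile endpoint is assumed to return only the fields named in its fields= parameter plus id.

```python
"""
JIT-provisioning attribute mapping, as an added illustration (not OpenAM's code).

Parses a mapper configuration of the form used on this page
("first_name=givenName , id=uid , name=cn , email=mail , last_name=sn"),
applies it to a Facebook-style /me JSON response, and renders the LDAP
entry a just-in-time provisioner would add. The value-prefix behaviour is
an assumption modelled on the "JsonAttributeMapper|email|facebook-" setting.
"""
import base64
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample data; not captured from a real Facebook account.
SAMPLE_PROFILE = {
    "id": "10203040506070809",
    "name": "Jane Example",
    "first_name": "Jane",
    "last_name": "Example",
    "email": "jane@example.com",
}
FULL_MAPPING = "first_name=givenName , id=uid , name=cn , email=mail , last_name=sn"
EMAIL_ONLY_URL = "https://graph.facebook.com/v2.5/me?fields=email"
REQUIRED_BY_INETORGPERSON = ("cn", "sn")  # MUST attributes of the person object class


def parse_mapping(config: str) -> Dict[str, str]:
    """'jsonKey=ldapAttr , jsonKey=ldapAttr' -> {jsonKey: ldapAttr}; whitespace is tolerated."""
    mapping: Dict[str, str] = {}
    for entry in config.split(","):
        entry = entry.strip()
        if not entry:
            continue
        src, sep, dst = entry.partition("=")
        if not sep or not src.strip() or not dst.strip():
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[src.strip()] = dst.strip()
    return mapping


def map_profile(profile: dict, mapping: Dict[str, str],
                prefix: str = "", prefixed: str = "*") -> Dict[str, List[str]]:
    """Return {ldapAttr: [values]} for the JSON keys present in `profile`.

    `prefixed` names the JSON keys (comma-separated, or "*" for all) whose values get
    `prefix` prepended, so a provider id such as 10203040506070809 becomes
    uid=facebook-10203040506070809 and cannot collide with a local account (assumed semantics).
    """
    targets = None if prefixed.strip() == "*" else {k.strip() for k in prefixed.split(",") if k.strip()}
    attrs: Dict[str, List[str]] = {}
    for src, dst in mapping.items():
        value = profile.get(src)
        if value is None or value == "" or not isinstance(value, (str, int, float)):
            continue  # absent (e.g. not requested via ?fields=) or not a scalar: nothing to map
        text = str(value)
        if prefix and (targets is None or src in targets):
            text = prefix + text
        attrs.setdefault(dst, []).append(text)
    return attrs


def unrequested_fields(profile_url: str, mapping: Dict[str, str]) -> List[str]:
    """JSON keys the mapping expects but the profile URL's fields= parameter never asks for."""
    query = parse_qs(urlparse(profile_url).query)
    requested = {f.strip() for f in query.get("fields", [""])[0].split(",") if f.strip()}
    requested.add("id")  # assumed: the node id comes back whether or not it is listed in fields=
    return sorted(set(mapping) - requested)


def provisioning_problems(attrs: Dict[str, List[str]]) -> List[str]:
    """Attributes without which the directory will refuse to create the entry."""
    missing = [] if "uid" in attrs else ["uid"]
    missing += [a for a in REQUIRED_BY_INETORGPERSON if a not in attrs]
    return missing


def _ldif_line(attr: str, value: str) -> str:
    """RFC 2849: values that are not SAFE-STRINGs are base64-encoded after '::'."""
    unsafe = value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_ldif(attrs: Dict[str, List[str]], base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Render the inetOrgPerson entry a JIT provisioner would add (base_dn is assumed;
    the uid is used as RDN without DN escaping, fine for the ids shown here)."""
    problems = provisioning_problems(attrs)
    if problems:
        raise ValueError(f"cannot provision: missing {problems} (check the mapping and ?fields=)")
    lines = [f"dn: uid={attrs['uid'][0]},{base_dn}", "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson"]
    for attr in sorted(attrs):
        lines.extend(_ldif_line(attr, v) for v in attrs[attr])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mapping = parse_mapping(FULL_MAPPING)
    print(build_ldif(map_profile(SAMPLE_PROFILE, mapping, prefix="facebook-", prefixed="id")))
    # With the email-only profile URL, first_name/last_name/name are never requested, so the
    # response carries only id and email and the resulting entry has no cn/sn:
    print("not requested:", unrequested_fields(EMAIL_ONLY_URL, mapping))
    print("problems:", provisioning_problems(map_profile({"id": "1", "email": "a@example.com"}, mapping)))
```

Run it as a script to see the full entry for the constructed profile, followed by the two checks a practitioner wants before enabling “Create account if it does not exist”: which source fields the profile URL does not request, and which required attributes the entry would therefore lack. The “unsafe value” branch matters for real names with non-ASCII characters, which must be base64-encoded in LDIF.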

    #9732
     usowmyas
    Participant

    @rajeshr, what should the policy configuration be?

    “Specify the subject conditions to which the policy applies”: apart from Authenticated Users, should we add any other rules here?

    #9746
     usowmyas
    Participant

    @rajeshr, hi, we are able to get the authentication and policy agent authorization flow working.

    The validateGoto action succeeds in the authorization for the protected URL with a 200 status code, but the URL fails to load with a 403 access denied error. However, if the same URL is listed in ‘Not Enforced URI Processing’ under ‘Application’ of the agent configuration in OpenAM, the protected URL does load in the browser.


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
