Nowadays most people have multiple internet accounts, each with its own
credentials, so we often struggle to remember which user and password were
used for a given website. Web administrators have also realised that many
users refuse to register on their sites because they do not want to go through
the process of entering all the required data and having yet another credential
to remember.
To avoid this problem, web applications started to be integrated with
social media APIs. This way, the registration process is easier and login takes
just a couple of clicks, making the site more attractive to users.
In the case of Oracle WebCenter Portal, authentication is usually managed
by Oracle Access Manager (OAM), and this product can be integrated with social
login. In this post I am going to focus on the integration with Google
authentication.
When I started this integration with my colleague Sara Manzanero, we found
this post and this one explaining the process, which seemed quite
straightforward. However, they were written when Google used the OpenID
protocol, and now it is using the OAuth 2.0 protocol; also, some steps were
missing.
1. Configuring Web Server
The web server needs to be configured for the roots "oic_rest" and
"oic_rp". The following fragment is an example for OHS (both Location blocks
need SetHandler weblogic-handler so that the WebLogic plug-in proxies them to
OAM):
# Social Login
<Location /oic_rest>
    SetHandler weblogic-handler
    WeblogicCluster <ip1>:<oam1_port>,<ip2>:<oam2_port>
    Satisfy any
    Allow from all
</Location>
<Location /oic_rp>
    SetHandler weblogic-handler
    WeblogicCluster <ip1>:<oam1_port>,<ip2>:<oam2_port>
    Satisfy any
    Allow from all
</Location>
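A quick way to catch an incomplete fragment like the one above before restarting OHS is to lint the two Location blocks. The following script is an added example for this post, not Oracle tooling and not code from the original article: it assumes that each of /oic_rest and /oic_rp must carry both "SetHandler weblogic-handler" and a "WeblogicCluster" directive. The configuration text embedded in it is constructed (placeholder hosts), and its /oic_rp block deliberately omits SetHandler so the check has something to report.

```python
"""Lint an OHS configuration fragment for the OAM Social Login roots.

Added example; not Oracle tooling and not code from the original post.
Assumption: each of the two <Location> blocks (/oic_rest, /oic_rp) must
contain "SetHandler weblogic-handler" and a "WeblogicCluster" directive.
"""
import re

REQUIRED_ROOTS = ("/oic_rest", "/oic_rp")
# Directive name -> expected value (None: any non-empty value is accepted).
REQUIRED_DIRECTIVES = {"SetHandler": "weblogic-handler", "WeblogicCluster": None}

# <Location /path> ... </Location>; Apache/OHS directives are case-insensitive.
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def parse_locations(config_text):
    """Return {path: {directive_lowercase: value}} for every <Location> block."""
    blocks = {}
    for match in LOCATION_RE.finditer(config_text):
        path, body = match.group(1), match.group(2)
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks


def lint_social_login_roots(config_text):
    """Return a list of findings; an empty list means both roots are complete."""
    findings = []
    blocks = parse_locations(config_text)
    for root in REQUIRED_ROOTS:
        if root not in blocks:
            findings.append(f"{root}: missing <Location> block")
            continue
        directives = blocks[root]
        for name, expected in REQUIRED_DIRECTIVES.items():
            value = directives.get(name.lower())
            if not value:
                findings.append(f"{root}: missing {name}")
            elif expected is not None and value.lower() != expected:
                findings.append(f"{root}: {name} is '{value}', expected '{expected}'")
    return findings


# Constructed sample with placeholder hosts; /oic_rp lacks SetHandler on purpose.
SAMPLE_CONFIG = """\
# Social Login
<Location /oic_rest>
    SetHandler weblogic-handler
    WeblogicCluster oam1.example.invalid:14100,oam2.example.invalid:14100
    Satisfy any
    Allow from all
</Location>
<Location /oic_rp>
    WeblogicCluster oam1.example.invalid:14100,oam2.example.invalid:14100
    Satisfy any
    Allow from all
</Location>
"""

if __name__ == "__main__":
    for finding in lint_social_login_roots(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the real httpd.conf or mod_wl_ohs.conf text instead of SAMPLE_CONFIG; an empty result means both roots declare the handler and the cluster, which is the precondition for the /oic_rp/return redirect in section 5 to reach OAM at all.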
2. Enabling Mobile and Social
In order to enable social login in OAM, perform the following actions:
1. Log in to the OAM console.
2. Navigate to Configuration -> Available Services.
3. Enable the "Identity Federation" and "Mobile and Social" services.
3. Creating User Identity Store
1. In the OAM console, navigate to User Identity Stores.
2. Create a new IDS Repository with the connection data to the client identity store (LDAP, AD, ...).
3. Create an IDS Profile pointing to the IDS Repository created in the previous step.
4. Set the new profile as the Default Store and save changes.
4. Editing Mobile Services
1. Navigate to Mobile and Social > Mobile Services.
2. Edit UserProfile in the Service Providers table.
3. Set the Identity Directory Service to the one created in the previous section.
5. Creating Google Project
A Google project must be created using our own account:
1. Log in to the Google developer console.
2. Create a new project.
3. Once created, navigate to Credentials and create a new client ID.
4. Set your website URL and, for "Redirect URIs", specify this:
http://<host>:<ohs_port>/oic_rp/return
5. Eventually, the Client ID and secret will be displayed for this project.
6. Copy those values for later use.
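The "Redirect URIs" entry in step 4 is the value the identity provider compares, as an exact string, against the redirect_uri in every authorization request, and the /oic_rp/return endpoint that receives the callback is where OAM must tie the response back to the browser session. The script below is an added example, not code from this post, from OAM or from Google; it simulates both sides in-process with constructed values (the client id, the authorization endpoint and the portal host are placeholders; /oic_rp/return is the path registered above) so you can see why a request that reaches the same server by IP address instead of the registered host name is refused, and how a state value protects the callback.

```python
"""OAuth 2.0 redirect-URI registration and callback state check, simulated.

Added example; not code from the post, from OAM or from Google. All hosts,
endpoints and client ids below are constructed placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration: the single URI the post tells you to register.
REGISTERED_REDIRECT_URIS = frozenset({"http://portal.example.invalid:7777/oic_rp/return"})
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/authorize"  # placeholder


def redirect_uri_allowed(candidate):
    """Exact string comparison, as RFC 6749 section 3.1.2.3 requires when the
    full redirect URI was registered: no prefix or host-only matching."""
    return candidate in REGISTERED_REDIRECT_URIS


def build_authorization_request(client_id, redirect_uri, scope):
    """Relying-party side: compose the authorization URL plus the random state
    the session must remember until the callback arrives."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def authorization_server_decision(request_url):
    """Authorization-server side: 'ok', or the standard error it would raise."""
    query = parse_qs(urlsplit(request_url).query)
    redirect_uri = query.get("redirect_uri", [""])[0]
    if not redirect_uri_allowed(redirect_uri):
        return "redirect_uri_mismatch"
    return "ok"


def handle_callback(callback_url, expected_state):
    """Relying-party side (/oic_rp/return): return (code, status). The code is
    released only when the state matches the one stored for this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        return None, "provider error: " + query["error"][0]
    received_state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means a forged or replayed callback.
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        return None, "state mismatch"
    code = query.get("code", [""])[0]
    if not code:
        return None, "missing code"
    return code, "ok"


if __name__ == "__main__":
    good_uri = "http://portal.example.invalid:7777/oic_rp/return"
    url, state = build_authorization_request("client-id-placeholder", good_uri, "openid email")
    print("registered host name:", authorization_server_decision(url))
    # Same server and path, but reached by IP address: not registered, so refused.
    ip_url, _ = build_authorization_request("client-id-placeholder",
                                            "http://10.0.0.5:7777/oic_rp/return", "openid email")
    print("same server by IP:", authorization_server_decision(ip_url))
    print(handle_callback(good_uri + "?code=abc123&state=" + state, state))
    print(handle_callback(good_uri + "?code=abc123&state=forged", state))
```

The practical consequence for this setup is that the host and port in the registered URI must be exactly what the browser uses to reach OHS, and that the Challenge URL of section 9 and the registered redirect URI should name the same host.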
6. Editing Internet Identity Provider
1. Back in the OAM console, navigate to Social Identity.
2. In the Internet Identity Providers section, edit Google.
IMPORTANT: In order to use the Google Identity Provider with OAuth 2.0, the following patch must be applied:
Or simply upgrade OAM to 11.1.2.2.4 with BP04:
After patching, the providers must be updated with the WLST instruction msUpgrade().
3. Paste the Client ID and secret from your Google project (section 5) into the Consumer Key and Consumer Secret fields.
4. Save changes.
7. Configuring User Identity Store
1. Navigate to the User Identity Store screen and edit the IDS Profile created in section 3.
2. In the Entity Attributes tab, there is a table with the mappings of the identity store.
3. Ensure the attributes needed are defined and properly mapped, such as cn, userPassword or mail.
4. Click on the Entities tab and edit the attribute values; they should be provided by the identity store (LDAP, AD) administrator team.
5. Save changes.
NOTE: If the following error is displayed when saving changes, check that all the attributes have Name, Field and Description.
8. Editing Application Profile
1. Navigate to the Social Identity screen and edit the application profile that is being used.
2. Set the attribute values according to your needs. It is important to set the UserID Attribute to the Entity Attribute that will be checked when users log in with Google (previous section). For Shared Secret, choose a password of your choice; it must not be left empty.
3. Create the Application User Attributes needed for the login and map them to the registration names. The A-Team has a good post explaining this process.
4. In the last section of the page, select Google and define the mappings between the identity provider (Google) and the application.
5. Save changes.
9. Updating Authentication Scheme
1. Navigate to Authentication Schemes and select OICScheme.
2. Set the Challenge URL to the /oic_rp/login.jsp path, including host and port. Also include the parameter MatchLDAPAttribute, set to the attribute that uniquely identifies users in the identity store, as configured in section 7.
3. Save changes.
10. Configuring Application Domain
1. Finally, navigate to Application Domains and select the one that is being used (OAMApplication), or create a new one if it is a new installation.
NOTE: The name of the application domain must match the name of the Application Profile (section 8).
2. Click on the Authentication Policies tab.
3. Click on the Protected Resource Policy and set the Authentication Scheme to OICScheme.
4. Save changes; the configuration is finished.
Checking Google Login
Once all the configuration steps have been implemented, it is time to test the functionality.
1. Enter the URL of a protected resource of your application and the following screen will be displayed.
2. Click on the Google icon; you will have to log in with Google (if you are not already logged in) and confirm that the application can access your Google account.
3. The registration page will be loaded with some of the fields already filled in from your Google account.
NOTE: The above screen is the default one, taken from the documentation; the displayed attributes do not correspond to the configuration described in this post.
4. After filling in all the required information, click Register and the user should be created in the identity store.
5. The next time I want to access the application, I would simply click the Google link on the login page and I will be logged in directly.
In a future post I will explain how to use customised WebCenter Portal pages for registration and login.
References
SR 3-10408828701 : OAM Integration with Facebook
Invalid OAuth access token value
Hi Javier,
Great post. Tried all the steps you mentioned in this post but I am not able to bypass to the login screen. I am getting the below error: "No application found with the given applicationID param value".
All my applications are deployed in the intranet and all servers have internet access, but they only respond if we give the IP address (the host name needs to be present in the hosts file to access the server with the host name).
I need to do this integration ASAP. Any help on this is much appreciated.
My OAM and OID versions:
OAM 11.1.2.3
OID: 11.1.1.7
Thanks
Hi Chava,
I have not faced that issue before, but I would check the OAM application names, as written in section 7:
"NOTE: The name of the application domain must match the name of the Application Profile (section 8)."
Hope this helps
Javier
Thanks Javier. I have named them both the same. When I checked the OAM managed server log files I find this error:
[APP: oam_server#11.1.2.0.0] Could not find shared secret.[[
java.lang.NullPointerException
at java.lang.String.<init>(String.java:168)
at oracle.security.idaas.rp.security.SAEUtil.getSAEToken(SAEUtil.java:91)
at oracle.security.idaas.rp.common.IDPListUtil.getAppIDPUrlList(IDPListUtil.java:89)
at jsp_servlet.__login._jspService(__login.java:322)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
Hi Javier,
Have you tried the same with PS3? Can you shed some light on how differently PS3 will achieve that, as OAM PS3 has all components integrated? Also, is it possible to log in to the OAM Console via Facebook/Google?
Hi Mukul,
Thanks for your comment. I am afraid I have not tried with PS3; certification with that version should be checked in the Oracle matrix. Regarding the integration of OAM console login with social login, I do not think it would be possible.
Regards
Javier
Hi Chava, it seems that the Shared Secret in your Application Profile is not defined. By default it comes empty; you have to enter anything you want there.
Javier, I have everything configured as you said (also, I compared it to several blogs I analyzed). Everything is fine according to all the posts I found.
Almost everything appears to be working. I go to the protected resource, then I am presented the SI screen, I select Google and go to Google Login. After that, the allow screen. Then the registration screen. After that, I fall into the OAM Error Screen. The user appears in my OUD, so the last step is made successfully, and if I try again the registration screen is not shown again.
The log appears to be fine, except the last 2 lines:
This is all I have; I have Social Identity at debug level 32.
If you have any idea, it would be very appreciated.
Hi,
Is there a way to revoke the access token during logout from OAM?
Hi Giannis, I do not know any way to achieve that. Thanks