This post provides detailed steps for creating a
Java application that allows users to log in with their social credentials
(Facebook, Twitter, Google, Yahoo, LinkedIn).
Prerequisites
OAM Installed and configured to authenticate users in OID.
OAM and Social features enabled.
If using OAuth, the shared secret has been configured and your app registered with the OAuth provider.
Java App
Deploy the war
Deploy the custom war to WebLogic.
Here are some examples of important calls:
login-oic.jsp
-Create the RPClient
-Build the Login links
-Save the TAP Token and TAPSubmitURL parameters in the session for retrieval in oic_submit.jsp
oic_submit.jsp
-Create the RPClient
-Get the saeToken from the request, validate it, then extract the mail value.
-Extract the TAPToken and TAPSubmitURL from the session
-Create the DAPToken from tap_token.
-Build a new DAPToken with mail attribute as userID.
-Encrypt and encode token
-Send redirect to tapSubmitURL
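The oic_submit.jsp steps above written out as an added Java example (not code from the original post or from Oracle's OIC client library), showing where the trust boundaries sit: the SAE token is validated before its mail value is used, the TAP state comes only from the session and is consumed once, and the redirect goes only to the stored tapSubmitURL. RPClient, SaeToken and DapToken are assumed stand-ins for the real client classes, whose names and signatures are not on this page, and the session attribute names and redirect parameter name are assumptions as well.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Hypothetical stand-ins for the OIC client classes; names and signatures are assumptions, not Oracle's API.
interface RPClient {
    SaeToken validateSaeToken(String encoded) throws SecurityException; // rejects bad signature / expired token
    DapToken createDapToken(String tapToken);
    String encryptAndEncode(DapToken token);
}
interface SaeToken { String getAttribute(String name); }
interface DapToken { void setUserId(String userId); }
public class OicSubmitHandler {
    private final RPClient client;
    public OicSubmitHandler(RPClient client) { this.client = client; }

    public void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The TAP token and submit URL were stored by login-oic.jsp in this session (attribute
        // names assumed); a request arriving without that state did not start the flow here.
        HttpSession session = req.getSession(false);
        String tapToken = session == null ? null : (String) session.getAttribute("TAPToken");
        String tapSubmitUrl = session == null ? null : (String) session.getAttribute("TAPSubmitURL");
        if (tapToken == null || tapSubmitUrl == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no pending TAP login in this session");
            return;
        }
        // Validate the shared-secret protected SAE token before trusting any attribute inside it.
        String saeToken = req.getParameter("saeToken");
        String mail = null;
        try {
            if (saeToken != null) mail = client.validateSaeToken(saeToken).getAttribute("mail");
        } catch (SecurityException e) { /* falls through to the rejection below */ }
        if (mail == null || mail.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid SAE token");
            return;
        }
        // TAP state is single-use: drop it so a replayed submit cannot reuse this token.
        session.removeAttribute("TAPToken");
        session.removeAttribute("TAPSubmitURL");
        DapToken dap = client.createDapToken(tapToken);
        dap.setUserId(mail); // OAM resolves this against the OID user whose uid equals the mail value
        String encoded = client.encryptAndEncode(dap);
        // Redirect only to the server-issued submit URL held in the session, never to one from the request.
        // The query parameter name is an assumption; use whatever the TAP partner registration expects.
        resp.sendRedirect(tapSubmitUrl + "?TAPResponse=" + URLEncoder.encode(encoded, StandardCharsets.UTF_8.name()));
    }
}
```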
Copy the OicClient.properties file
This properties file must exist outside of the war in a
location accessible by the Managed Server, e.g.:
/home/oracle/oic_test/OicClient.properties
rp.server.hosturl=http://iamdemo.mycompany.com:14100
rp.server.idp.service=/oic_rp/rest/identityproviders
rp.server.init.service=/oic_rp/RPInitServlet
rp.server.connection.timeout=60000
rp.server.connection.sae.sharedsecret=
rp.server.connection.sae.cryptotype=symmetric
rp.server.connection.sae.keystrength=128
rp.server.connection.sae.algorithm=AES
Set up the Java Arguments
Restart the Managed Server once this change has been made.
OAM Configuration
Create Authentication Scheme
Be sure to select a unique Name and TAPPartnerId.
Create Custom Authentication Policy
Protect a resource with this policy and use the
Authentication Scheme created above.
Register 3rd Party TAP Provider
Connect to the AdminServer using WLST
> $ORACLE_HOME/common/bin/wlst.sh
> connect()
>
> registerThirdPartyTAPPartner(partnerName='CustomRPPartner',keystoreLocation='/u01/app/oracle11gr2/admin/OAMDomain/TAP/TAPKeyStore/customoictapkeystore.jks',password='abcd1234',tapTokenVersion='v2.1',tapScheme='CustomOICScheme',tapRedirectUrl='http://iamdemo.mycompany.com:14300/custom-oic/login-oic.jsp')
The partnerName must match the TAPPartnerId used in the
Authentication Scheme you created.
The keystoreLocation is a new keystore.
The tapScheme is the Name used above when creating the
Authentication Scheme.
The tapRedirectUrl must be a valid path to the login-oic.jsp
page of the custom-oic.war as deployed on WebLogic Server.
Create Application Profile
Create an Application Profile called CustomOIC that uses the DefaultServiceProviderInterface and has Disable Browser Popup selected.
Set the Return URL to /custom-oic/oic_submit.jsp
Validation
To validate, go to http://sso.mycompany.com/custom-oic/sso.jsp
(this is the resource you protected with the new Authentication
Policy).
You should then be redirected to /custom-oic/login-oic.jsp
(the tapRedirectUrl used in the register wlst command).
Click on the Facebook link to perform login with Facebook.
For OAM to authenticate the user successfully, OID must contain
a user whose uid equals the mail attribute returned by Facebook.
If successful, you'll be redirected to your
custom-oic/sso.jsp resource and see an OAM_REMOTE_USER HTTP Parameter. The app
can then use this parameter to identify the authenticated user and allow use of the app.
Hi Seth
Where are you getting the custom OIC war from?