Configure OpenID authentication


Google and Yahoo use OpenID. Facebook uses OAuth.

With the enable-identityprovider-tai task, we can choose between the following configurations:

To configure the appropriate identity providers for the business requirements:

  1. Set the system time to match the local time.

  2. To configure Facebook, register the WebSphere Portal server instances as Facebook applications.

    You must register two applications. One application is the protected path: /wps/myportal. One application is the public, unprotected path: /wps/portal.

    After registering, Facebook provides you with an application ID and an application secret. Use this information when running the enable-identityprovider-tai task.

    Your Facebook application has a private and public URL. The private URL is...

      http://myserver:myport/wps/myportal/

    The public URL is...

      http://myserver:myport/wps/portal/

  3. On the primary node, run the enable-identityprovider-tai task:

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh enable-identityprovider-tai -DWasUserId=username -DWasPassword=foo

    If you rerun the enable-identityprovider-tai task, the task sets new properties and does not preserve the old configuration data. To keep the existing data, add the new values to the existing values before rerunning the task.

    Add the following parameters to customize the task for your business requirements:

      -Didp.providerlist

      Set the value to facebook,openid to configure both options. Set the value to facebook to configure Facebook only. Set the value to openid to configure only identity providers that use the OpenID specifications. If you leave this field blank, the default value is facebook.

      -Dfacebook_apps

      We can use Facebook to perform authentication (app), self enrollment (pub), or both (app,pub). The default is app. Set the value to one of the following values:

        app Configure authentication only.
        pub Configure self enrollment only.
        app,pub Configure both authentication and self enrollment.

      -Dfacebook_app_id

      For Facebook authentication, set the value to yourprivatefacebookappid, which you received when you registered the Portal server as a private Facebook application. This value is for the private URL.

      -Dfacebook_app_secret

      For Facebook authentication, set the value to yourprivatefacebookappsecret, which you received when you registered the Portal server as a private Facebook application. This value is for the private URL.

      -Dfacebook_app_site

      For Facebook authentication, set the value to http://myserver:myport/wps/myportal/. This value is the URL for the private WebSphere Portal server that Facebook uses after a successful authentication. A protected area requires authentication to access and is not available to an anonymous user.

      -Dfacebook_pub_id

      If we are configuring Facebook for self enrollment, set the value to yourpublicfacebookappid, which you received when you registered the Portal server as a Facebook application. This value is for the public URL.

      -Dfacebook_pub_secret

      If we are configuring Facebook for self enrollment, set the value to yourpublicfacebookappsecret, which you received when you registered the Portal server as a Facebook application. This value is for the public URL.

      -Dfacebook_pub_site

      If we are configuring Facebook for self enrollment, set the value to http://myserver:myport/wps/portal/. This value is the URL for the public WebSphere Portal server that Facebook uses after a successful authentication. A public area does not require authentication to access and is available to an anonymous user.

      -Dopenid.servicenames

      If we are configuring identity providers that use the OpenID specifications, enter a comma-separated list of the identity providers you want configured; for example: Google,Yahoo,myOpenID.

      -Dopenid.servicenames.endpoints

      If we are configuring identity providers that use the OpenID specifications, enter a comma-separated list of OpenID endpoints (access addresses). These endpoints are for the identity providers in the openid.servicenames parameter.

      For example, type https://www.google.com/accounts/o8/id,https://me.yahoo.com/,http://myopenid.com/. There must be a one-to-one correspondence between the openid.servicenames and the openid.servicenames.endpoints parameters. If you entered three identity providers in the openid.servicenames parameter, you must enter three endpoints in the openid.servicenames.endpoints parameter and in the same sequence.

      -Dprovider.openid.nonce_valid_time

      If we are configuring identity providers that use the OpenID specifications, enter the number of seconds that an OpenID nonce remains valid, so that a captured response cannot be reused in a replay attack. If this parameter is not set, we might see nonce errors in the SystemOut.log file.
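    The one-to-one rule for openid.servicenames and openid.servicenames.endpoints is easy to break when the lists get long. The following shell script is an added example (not from the IBM documentation) that counts both lists, refuses a mismatch or an empty entry, and prints the resulting ConfigEngine command as a dry run; the username/foo credentials are the page's placeholders.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: check that the
# -Dopenid.servicenames and -Dopenid.servicenames.endpoints lists line
# up one-to-one, then print the enable-identityprovider-tai command
# that would be run from WP_PROFILE/ConfigEngine (dry run only).
# "username"/"foo" are the placeholder credentials used on the page.

# count_items LIST -> number of comma-separated entries; fails on an empty entry
count_items() {
    _n=0
    _old_ifs=$IFS; IFS=','
    for _item in $1; do
        [ -n "$_item" ] || { IFS=$_old_ifs; return 1; }
        _n=$((_n + 1))
    done
    IFS=$_old_ifs
    echo "$_n"
}

# check_openid_lists NAMES ENDPOINTS -> 0 if both lists have the same,
# non-zero number of entries (the task requires a one-to-one match)
check_openid_lists() {
    _names=$(count_items "$1") || return 1
    _eps=$(count_items "$2") || return 1
    [ "$_names" -gt 0 ] || { echo "openid.servicenames is empty" >&2; return 1; }
    [ "$_names" -eq "$_eps" ] || {
        echo "$_names service names but $_eps endpoints" >&2; return 1
    }
    return 0
}

# build_task_cmd NAMES ENDPOINTS NONCE_SECONDS -> echoes the ConfigEngine line
build_task_cmd() {
    check_openid_lists "$1" "$2" || return 1
    echo "./ConfigEngine.sh enable-identityprovider-tai" \
         "-DWasUserId=username -DWasPassword=foo" \
         "-Didp.providerlist=openid" \
         "-Dopenid.servicenames=$1" \
         "-Dopenid.servicenames.endpoints=$2" \
         "-Dprovider.openid.nonce_valid_time=$3"
}

# Constructed input, taken from the page's example provider list.
NAMES='Google,Yahoo,myOpenID'
ENDPOINTS='https://www.google.com/accounts/o8/id,https://me.yahoo.com/,http://myopenid.com/'
if cmd=$(build_task_cmd "$NAMES" "$ENDPOINTS" 300); then
    echo "cd WP_PROFILE/ConfigEngine && $cmd"
fi
```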

  4. Required: To configure the Profile Management and Login portlets:

    Cluster note: Complete these steps on one node in the cluster.

    1. Log on to WebSphere Portal as the administrator and go to...

        Administration | Portlet Management | Portlets

    2. Locate the Login portlet and click the Configure portlet icon.

    3. Configure the Login portlet with the following parameters:

      During authentication, WebSphere Portal server retrieves attributes from the Identity Provider. Custom parameters, such as language preferences, are not automatically retrieved. You must add these parameters to Portal. If the parameter does not exist, enter the parameter name in New Preference and the parameter value in New value. Then click Add to add the new parameter to the Login portlet.

        show_idp_option

        Set this required parameter to true to show the identity provider authentication feature on the portlet.

        show_idp_max

        Set this required parameter to the maximum number of identity providers that are shown on the portlet. You define the list of providers when you run the enable-identityprovider-tai task. If we defined five identity providers and want two to show on the portlet, set this parameter to 2. On the portlet, two identity providers are shown. Click More to show the complete list of identity providers.

        show_idp_freeform_field

        Set this required parameter to true to use the full OpenID string and not restrict it to certain known services. This option shows a free-form field on the portlet. If set, users can enter any OpenID identifier.

        providername.image

        providername represents the case-sensitive name of the identity provider.

        For example, you would create the Google.image parameter. Set this optional parameter to define an image for the configured identity provider buttons. We can define whether a text button or an image is shown. Enter the URL of the identity provider image.

    4. Click OK to save your changes.

    5. Locate the Profile Management portlet and click the Configure portlet icon.

    6. Configure the Profile Management portlet with the following parameters:

      If the parameter does not exist, enter the parameter name in the New Preference field and the parameter value in the New value field. Then click Add to add the new parameter to the Profile Management portlet.

        show_idp_option

        Set this required parameter to true to show the identity provider authentication feature on the portlet.

        show_idp_max

        Set this required parameter to the maximum number of identity providers that are shown on the portlet. You define the list of providers when you run the enable-identityprovider-tai task. If we defined five identity providers and want two to show on the portlet, set this parameter to 2. On the portlet, two identity providers are shown. Click More to show the complete list of identity providers.

        show_idp_freeform_field

        Set this required parameter to true to use the full OpenID string and not restrict it to certain known services. This option shows a free-form field on the portlet. If set, users can enter any OpenID identifier.

        providername.image

        providername represents the case-sensitive name of the identity provider.

        For example, you would create the Google.image parameter. Set this optional parameter to define an image for the configured identity provider buttons. We can define whether a text button or an image is shown. Enter the URL of the identity provider image.

        providername.required

        providername represents the case-sensitive name of the identity provider service name.

        For example, you would create the Google.required parameter. Set this optional parameter to define the attribute mappings you want required between the identity provider and the Profile Management portlet. Enter a semicolon-separated list of attribute mapping pairs that are combined with a vertical bar (|); for example, attributename|openidattribute. Create a parameter for each supported identity provider; for example: Google.required, aol.required, and myOpenID.required. Check the schema documentation of each identity provider for the supported attributes. Some mapping examples include:

        • Google, all in one line:

          ibm-primaryEmail|http://axschema.org/contact/email;preferredLanguage|http://axschema.org/pref/language;givenName|http://axschema.org/namePerson/first;sn|http://axschema.org/namePerson/last

        • myOpenID with protocol openid.sreg, all in one line:

          ibm-primaryEmail|email;uid|nickname;preferredLanguage|language

        • Facebook, all in one line:

          ibm-primaryEmail|email;givenName|first_name;sn|last_name;uid|id;preferredLanguage|locale

        providername.optional

        providername represents the case-sensitive name of the identity provider.

        For example, you would create the Google.optional parameter. Set this parameter to define the attribute mappings you want optional between the identity provider and the Profile Management portlet. Enter a semicolon-separated list of attribute mapping pairs that are combined with a vertical bar (|). We can create a parameter for each supported identity provider; for example: Google.optional, aol.optional, and myOpenID.optional. Check the schema documentation of each identity provider for the supported attributes. Some mapping examples include:

        • Google, all in one line:

          ibm-primaryEmail|http://axschema.org/contact/email;preferredLanguage|http://axschema.org/pref/language;givenName|http://axschema.org/namePerson/first;sn|http://axschema.org/namePerson/last

        • myOpenID with protocol openid.sreg, all in one line:

          ibm-primaryEmail|email;uid|nickname;preferredLanguage|language

        • Facebook, all in one line:

          ibm-primaryEmail|email;givenName|first_name;sn|last_name;uid|id;preferredLanguage|locale

        providername.protocol

        providername represents the case-sensitive name of the identity provider. Set this required parameter to define the Identity Provider Attribute Exchange protocol. Simple Registration (SREG) and Attribute Exchange (AX) are supported. The supported values for the parameters are openid.sreg for SREG or openid.ax for AX. Create a parameter for each supported identity provider service name; for example: Google.protocol, aol.protocol, and myOpenID.protocol.

        facebook.required

        Set this required parameter to define required attribute mappings between Facebook and the Profile Management portlet. Enter a semicolon-separated list of attribute mapping pairs that are combined with a vertical bar (|), all in one line; the general form is:

          attributename|facebookattribute;attribute2|facebookattribute2

        A concrete mapping, all in one line:

          uid|id;ibm-primaryEmail|email;givenName|first_name;sn|last_name;preferredLanguage|locale

    7. Click OK to save your changes.
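    A mapping string that has the wrong shape for its protocol (an AX type URI where SREG expects a field name, a pair without a vertical bar, an empty side) is only noticed at login time. As an added example (not from the IBM documentation), this shell script checks a required/optional mapping string against the provider's protocol before it is pasted into the portlet; the rule that AX mappings use type URIs while SREG and Facebook mappings use plain field names is inferred from the page's examples, and the facebook label is the script's own, not a providername.protocol value.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: validate a
# providername.required / providername.optional / facebook.required
# mapping string before pasting it into the Profile Management portlet.
# Mapping form from the page: portalattr|idpattr;portalattr2|idpattr2
# (everything on one line). That AX mappings name a type URI and
# SREG/Facebook mappings name a plain field is inferred from the page's
# examples; "facebook" is this script's own label, not a protocol value.

# check_pair PROTOCOL PAIR -> 0 if "portalattr|idpattr" fits the protocol
check_pair() {
    case $2 in
        *'|'*'|'*|'|'*|*'|') return 1 ;;   # two bars, or an empty side
        *'|'*) ;;                           # exactly one bar: fine
        *) return 1 ;;                      # no bar at all
    esac
    _idp=${2#*|}                            # identity-provider side of the pair
    case $1 in
        openid.ax)                          # AX: attribute type URIs
            case $_idp in http://*|https://*) return 0 ;; esac ;;
        openid.sreg|facebook)               # SREG/Facebook: plain field names
            case $_idp in http://*|https://*) ;; *) return 0 ;; esac ;;
    esac
    return 1
}

# check_mapping PROTOCOL MAPPING -> 0 if every ;-separated pair is valid
check_mapping() {
    _old_ifs=$IFS; IFS=';'
    for _pair in $2; do
        check_pair "$1" "$_pair" || {
            IFS=$_old_ifs; echo "bad $1 mapping pair: $_pair" >&2; return 1
        }
    done
    IFS=$_old_ifs
    return 0
}

# Constructed from the page's Google (AX) example, joined onto one line.
GOOGLE_REQUIRED='ibm-primaryEmail|http://axschema.org/contact/email;preferredLanguage|http://axschema.org/pref/language;givenName|http://axschema.org/namePerson/first;sn|http://axschema.org/namePerson/last'
check_mapping openid.ax "$GOOGLE_REQUIRED" && echo "Google.required mapping is well formed"
```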

  5. Verify the following .jar files have been copied to the WAS_HOME\lib\ext directory:

    Cluster note: Complete this step on each node in the cluster.

    • PORTAL_HOME\prereqs.infra\prereq.commons.httpclient\lib\ext\commons-codec-1.3.jar

    • PORTAL_HOME\prereqs.infra\prereq.commons.httpclient\lib\ext\commons-httpclient-3.0.1.jar

  6. Required: Add SSL certificates for the configured identity providers; some providers require multiple certificates:

    If an identity provider uses multiple server endpoints that require different SSL certificates, we might receive error message EJPAK0062E.

    Cluster note: In a clustered environment, complete these steps only on the dmgr.

    Farm note: In a farm environment, complete these steps on each server in the farm.

    1. Log on to the WAS admin console and go to...

        Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | Outbound | hostname | nodes | node_name | servers | WebSphere_Portal server | Related Items | Key stores and certificates

    2. Click NodeDefaultTrustStore.

      For clusters choose CellDefaultTrustStore instead of NodeDefaultTrustStore.

    3. Under Additional Properties, click Signer certificates.

    4. Click Retrieve from port.

    5. Enter the following information and then click Retrieve signer information:

        Host

        Enter the endpoint for the identity provider without specifying the protocol, for example, http:// or https://. Type www.google.com for Google or graph.facebook.com for Facebook.

        Port

        Enter the port number for the identity provider, for example, type 443.

        Alias

        Enter the certificate alias name, which is specified in the SSL configuration; for example type graph.facebook.com_cert for Facebook.

    6. Verify the Retrieved signer information and then click Apply.

    7. Click Save.

    8. If you receive error message EJPAK0062E, we might be missing a certificate. Open the SystemOut.log file and search for CWPKI0022E: SSL HANDSHAKE FAILURE. If this error message is present, import the certificate where the domainname is part of the SubjectDN.

  7. Required: Stop and restart the WebSphere_Portal server:

    Cluster note: Recycle the server or cluster instance.

    1. Change to the following directory:

        WP_PROFILE/bin

    2. To stop the WebSphere_Portal server, where WebSphere_Portal is the name of the WebSphere Portal server:

        ./stopServer.sh WebSphere_Portal -username wpadmin -password foo

    3. To start the WebSphere_Portal server, where WebSphere_Portal is the name of the WebSphere Portal server:

        ./startServer.sh WebSphere_Portal

  8. Required: Complete the following steps in a clustered environment to configure the OpenidObjCache cache instance:

    1. Log on to the WAS admin console and go to...

        Resources | Cache instances | Object cache instances | OpenidObjCache

    2. Under the Consistency settings section, set the following values:

      • Select the Enable cache replication check box.

      • Select Both Push and Pull for the Replication type.

    3. Click OK.

    4. Click Save.

    5. Stop and restart the cluster servers to propagate the changes.

  9. Optional: Depending on the security settings for the identity providers, modify attributes for your identity provider trust association. To modify the trust association:

    Cluster note: Complete these steps on one node in the cluster.

    1. Log on to the WAS admin console and go to...

    2. Add or modify properties to change the default behavior; for example, we can add or modify the following properties:

        bindattribute

        This property stores the user profile attribute that contains the identity provider user ID. The default is labeledURI.

        loginattribute

        Define the attribute that is retrieved from the repository and uniquely identifies the user. The default is uid.

New users can register a new WebSphere Portal profile with a valid identity provider specified in labeledURI. Existing users can update their profile with a valid identity provider specified in labeledURI. To support the profile update, a writable user repository must exist. They can then log on to WebSphere Portal using the alternate login field. They are redirected to the identity provider login page.

