50.3 Defining Social Identity Providers

A Social Identity Provider configuration object holds the details that Mobile and Social needs to authenticate users against an external Identity Provider such as Google, Facebook, Twitter, and the like: the protocol, the Provider's endpoints, the credentials issued to the Mobile and Social server, and the mapping of returned user attributes to local attribute names.

Once created, you should not need to modify Social Identity Provider settings very often. The following sections provide information regarding creating, modifying and deleting Social Identity Providers.

50.3.1 Creating a Social Identity Provider

Social Identity Providers can also be created using the WebLogic Scripting Tool.

See Mobile and Social Commands in WebLogic Scripting Tool Command Reference for Identity and Access Management.

  1. Access the Manage Social Identity page as described in Opening the Manage Social Identity Page.
  2. Click Create in the Social Identity Provider panel in the home area.

    The Create New Social Identity Provider configuration page displays.

  3. Enter values for the Social Identity Provider properties.
    • Name - Type a unique name for this Social Identity Provider.

    • Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    • Social Identity Provider Protocol - Select the Identity Provider Protocol from the drop down menu.

      • OpenID

      • OAuth

      • Custom

      Select Custom to configure a custom Identity Provider. Your choice here will change the displayed Protocol Attributes and User Attributes Returned panels to reflect properties more specific to the authentication protocol being used by the Social Identity Provider - either OpenID or OAuth.

    • Implementation Class - Based on the Social Identity Provider Protocol selection, the appropriate provider-specific implementation of the oracle.security.idaas.rp.spi.IdentityProvider Java interface will be populated in this field. (If Custom, enter the corresponding implementation class that should interact with the Identity Provider.) The Mobile and Social server will use this information to communicate with this Social Identity Provider.

  4. Enter values for the Protocol Attributes properties based on the protocol being used by the Social Identity Provider previously selected: OpenID (Table 50-1) or OAuth (Table 50-2). (If Custom, add all values required by the custom Provider and related to the authentication protocol used.)
    • Provide values required by the Identity Provider implementing the OpenID protocol as specified in Table 50-1.

      Table 50-1 OpenID Protocol Attributes

      Yadis Endpoint
        Values: Must be an absolute HTTP or HTTPS URL.
        Notes: Type the published URL that accepts OpenID authentication protocol messages for this Identity Provider. Mobile and Social uses this URL to make user authentication requests. Prefer an HTTPS URL where the Provider publishes one: discovery over plain HTTP can be tampered with on the network path, and it determines where users are sent to authenticate.

      Hashing Algorithm
        Values:
          • SHA256 - the HMAC-SHA256 association type (256-bit MAC key)
          • SHA1 - the HMAC-SHA1 association type (160-bit MAC key)
          • None
        Notes: Choose a signature algorithm. Mobile and Social uses this value internally to configure the Session Type and Association Type properties for communicating with the Identity Provider. Prefer SHA256 where the Identity Provider supports it; SHA1 is the weaker of the two.

      Authentication Policy
        Values: Yes or No.
        Notes: Choose Yes to request that an authentication policy be applied by the OpenID Provider when authenticating a user. Otherwise, choose No. Usage of PAPE (Provider Authentication Policy Extension) allows web developers to request other modifications to the flow, such as asking that the Identity Provider re-prompt the User for their password.

      Authentication Policy Maximum Age
        Values: A number of seconds greater than or equal to zero. Specify 0 to force a password re-prompt.
        Notes: Type the maximum length of time in seconds that a User who has not actively authenticated can use a login session before being required to authenticate using the requested authentication policy (sent to the Provider as the PAPE max_auth_age parameter). Use this parameter to ensure that the login session of the user at the Identity Provider is recent.

      Preferred Authentication Policies
        Values: Zero or more URIs separated by a space.
        Notes: Type the URIs of the authentication policies that the Identity Provider should satisfy when authenticating the user. PAPE treats these as preferences: the Provider reports in its response which policies it actually applied, so the response must be checked rather than assumed. For example:

      http://schemas.openid.net/pape/policies/2007/06/phishing-resistant

      http://schemas.openid.net/pape/policies/2007/06/multi-factor

    • Provide values required by the Identity Provider implementing the OAuth protocol as specified in Table 50-2.

      Table 50-2 OAuth Protocol Attributes

      Authorization URL
        Value: The Identity Provider's published OAuth authorization URL. If an Identity Provider changes a published OAuth URL, update this value to match.
        Notes: Mobile and Social directs the User to this URL after the Identity Provider returns the request token (see Request Token URL). The Identity Provider verifies the User's identity, and the User grants the Identity Provider permission to release the User's protected information to the Mobile and Social server.

      Access Token URL
        Value: Type the Identity Provider's published access token URL.
        Notes: Mobile and Social uses this URL to request an access token from the Identity Provider after the User authorizes the request token (using the Authorization URL).

      Request Token URL
        Value: Type the Identity Provider's published Request Token URL. (Not applicable to Facebook.)
        Notes: Mobile and Social uses this URL to obtain a request token from the Identity Provider. After the Identity Provider grants the request token, the Mobile and Social server directs the User to the Identity Provider's Authorization URL. (The term temporary credentials supplants the terms request token and request secret in RFC 5849, The OAuth 1.0 Protocol.) Providers that implement OAuth 2.0, such as Facebook, have no request token step; the User is sent directly to the Authorization URL.

      Profile URL
        Value: Type the Identity Provider's published Profile URL.
        Notes: Mobile and Social uses this URL to request User attributes based on an OAuth access token.

      Consumer Key
        Value: Type the value that the Mobile and Social server should use to identify itself to the Identity Provider.
        Notes: See Generating the Consumer Key and Consumer Secret for OAuth Providers for information about requesting a Consumer Key from the Identity Provider.

      Consumer Secret
        Value: Type the secret that the Mobile and Social server should use to establish ownership of the Consumer Key.
        Notes: See Generating the Consumer Key and Consumer Secret for OAuth Providers for information about requesting a Consumer Secret from the Identity Provider. Treat this value as a credential: anyone holding the Consumer Key and Consumer Secret can present themselves to the Identity Provider as the Mobile and Social server.

      Server Time Sync
        Value: If the Mobile and Social server and a remote Identity Provider are not time synchronized, type the number of minutes of skew to add to the current server time when sending requests to the remote Provider. This field accepts both positive and negative integers.
        Notes: Typically LinkedIn requires synchronized server time values. Not applicable for Facebook or Twitter. OAuth 1.0 requests carry a timestamp that the Provider compares with its own clock, so a Provider that enforces a timestamp window rejects otherwise correctly signed requests from a server whose clock is too far off. Correcting the server's clock (for example with NTP) is preferable to compensating for it here.

  5. Add values to the User Attributes Returned panel based on the Social Identity Provider Protocol previously selected: OpenID, OAuth or Custom.
    • OpenID: In the Attribute Name column type the local application attribute name that should be assigned to the attribute returned by the Identity Provider. In the Attribute Schema Name column, type the OpenID Attribute Exchange type URI that identifies the attribute at the Identity Provider (for example, http://axschema.org/contact/email). If you add attributes in the Attribute Name column that the Identity Provider does not support, those attributes will not be available in Mobile and Social. Table 50-3 and Table 50-4 list the user attributes supported by Google and Yahoo.

      Table 50-3 User Attributes Returned By Google

      Attribute   Attribute Schema Name (must be set to)      Description
      country     http://axschema.org/contact/country/home    Requests the user's home country.
      email       http://axschema.org/contact/email           Requests the user's Gmail address.
      firstname   http://axschema.org/namePerson/first        Requests the user's first name.
      language    http://axschema.org/pref/language           Requests the user's preferred language.
      lastname    http://axschema.org/namePerson/last         Requests the user's last name.

      Table 50-4 User Attributes Returned By Yahoo

      Attribute   Attribute Schema Name (must be set to)      Description
      gender      http://axschema.org/person/gender           Requests the user's gender.
      email       http://axschema.org/contact/email           Requests the user's e-mail address.
      fullname    http://axschema.org/namePerson              Requests the user's full name.
      language    http://axschema.org/pref/language           Requests the user's preferred language.
      nickname    http://axschema.org/namePerson/friendly     Requests the user's preferred name.
      timezone    http://axschema.org/pref/timezone           Requests the user's preferred time zone.

    • OAuth: Specify the User Attributes that the OAuth Identity Provider should return. In the Attribute Name column type the local application attribute name that corresponds to the attribute name returned by the Identity Provider. In the Attribute Schema Name column, type the Identity Provider attribute name. For OAuth Providers, Attribute Name values and Attribute Schema Name values are usually the same.

      Note:

      LinkedIn does not return an e-mail address or an unencrypted login ID when it returns User Identity attributes to Mobile and Social. Please note this limitation when using Identity attributes from LinkedIn to pre-populate the registration form for Users.

      Table 50-5 and Table 50-6 list the user attributes supported by Foursquare and Windows Live.

      Table 50-5 User Profile Attributes Returned By Foursquare

      Attribute        Description
      id               Requests the user's ID.
      firstname        Requests the user's first name.
      lastname         Requests the user's last name.
      contact.email    Requests the user's email address.
      homecity         Requests the user's home city.
      gender           Requests the user's gender.
      photo            Requests the user's photo.

      Table 50-6 User Profile Attributes Returned By Windows Live

      Attribute        Description
      id               Requests the user's ID.
      first_name       Requests the user's first name.
      last_name        Requests the user's last name.
      name             Requests the user's name.
      link             Requests the user's profile link.
      email.preferred  Requests the user's preferred e-mail address.
      gender           Requests the user's gender.
      locale           Requests the user's locale.
      updated_time     Requests the time the user's profile was last updated.

    • Custom: In the Attribute Name column type the local application attribute name that should be assigned to the attribute returned by the Custom Identity Provider. In the Attribute Schema Name column, type the attribute name or schema URI under which the Custom Identity Provider returns that attribute.

  6. Click Create to create the Social Identity Provider configuration object.
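The following example, added here and not Oracle's or the Mobile and Social server's own code, shows what the Table 50-1 settings and the OpenID attribute mapping of step 5 become on the wire for an OpenID 2.0 Provider: the checkid_setup request carries the maximum age and the space-separated policy list as PAPE parameters and the Attribute Schema Name URIs as an Attribute Exchange fetch_request, and the positive assertion is checked against the configured maximum age and policies before the returned attributes are mapped back to the local Attribute Names. The endpoint, the return_to and realm URLs, the configuration values and the sample response are constructed; verification of the assertion's signature is assumed to have happened already.

```python
"""OpenID 2.0 request and response handling behind Table 50-1 (PAPE) and the
OpenID attribute mapping of step 5 (Attribute Exchange). Added example, not
Oracle's code; all endpoints, URLs and values are constructed."""
import calendar
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
AX_NS = "http://openid.net/srv/ax/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Assumed Social Identity Provider configuration (constructed, modelled on Table 50-1 / 50-3).
CONFIG = {
    "op_endpoint": "https://openid.example.com/auth",   # endpoint found through the Yadis Endpoint
    "auth_policy": True,                                # Authentication Policy = Yes
    "max_auth_age": 300,                                # Authentication Policy Maximum Age, seconds
    "preferred_auth_policies": [
        "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
    ],
    # User Attributes Returned: local Attribute Name -> Attribute Schema Name (Table 50-3)
    "attributes": {
        "email": "http://axschema.org/contact/email",
        "firstname": "http://axschema.org/namePerson/first",
        "lastname": "http://axschema.org/namePerson/last",
    },
}

# Constructed positive assertion, reduced to the fields the checks below look at.
# lastname was requested but is deliberately absent: an attribute the OP does not return.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2024-01-01T12:00:00Z",
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.ax.type.firstname": "http://axschema.org/namePerson/first",
    "openid.ax.value.firstname": "Alice",
}


def build_checkid_setup(config, return_to, realm):
    """Query parameters of a checkid_setup request carrying the PAPE and AX extensions."""
    p = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    if config["auth_policy"]:
        p["openid.ns.pape"] = PAPE_NS
        p["openid.pape.max_auth_age"] = str(config["max_auth_age"])
        # space-separated policy URIs, exactly the format Table 50-1 asks for
        p["openid.pape.preferred_auth_policies"] = " ".join(config["preferred_auth_policies"])
    if config["attributes"]:
        p["openid.ns.ax"] = AX_NS
        p["openid.ax.mode"] = "fetch_request"
        for alias, type_uri in config["attributes"].items():
            p[f"openid.ax.type.{alias}"] = type_uri
        p["openid.ax.required"] = ",".join(config["attributes"])
    return p


def parse_auth_time(value):
    """PAPE auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ; return epoch seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def validate_pape(config, response, now=None):
    """Enforce the requested policy on a positive assertion. Returns (ok, reason).
    The assertion's signature is assumed to be verified already; the PAPE fields are
    only trustworthy because that signature covers them."""
    if not config["auth_policy"]:
        return True, "no policy requested"
    now = time.time() if now is None else now
    auth_time = response.get("openid.pape.auth_time")
    if auth_time is None:
        return False, "auth_time missing"   # an OP must return it when max_auth_age was requested
    if now - parse_auth_time(auth_time) > config["max_auth_age"]:
        return False, "authentication older than max_auth_age"
    satisfied = set(response.get("openid.pape.auth_policies", "").split())
    missing = set(config["preferred_auth_policies"]) - satisfied
    if missing:
        return False, "policies not satisfied: " + " ".join(sorted(missing))
    return True, "ok"


def map_ax_attributes(config, response):
    """Translate a fetch_response into local Attribute Names; unsupported ones are left out."""
    # The OP may use its own aliases, so key on the schema URI rather than on the alias we sent.
    type_to_alias = {v: k[len("openid.ax.type."):]
                     for k, v in response.items() if k.startswith("openid.ax.type.")}
    out = {}
    for local_name, type_uri in config["attributes"].items():
        alias = type_to_alias.get(type_uri)
        if alias is not None and f"openid.ax.value.{alias}" in response:
            out[local_name] = response[f"openid.ax.value.{alias}"]
    return out
```

The parameters from build_checkid_setup are URL-encoded onto the Yadis-discovered endpoint to redirect the user; on the way back, validate_pape is the step that makes the Authentication Policy settings mean something, because a Provider that ignored max_auth_age or applied a different policy is only caught by checking auth_time and auth_policies in the signed response.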

50.3.2 Editing or Deleting a Social Identity Provider

You can edit or delete a Social Identity Provider.

Select the Provider in the panel and click Edit or Delete on the panel's tool bar. See Creating a Social Identity Provider for attribute descriptions.

50.3.3 Generating the Consumer Key and Consumer Secret for OAuth Providers

The following sections describe how to generate the Consumer Key and Consumer Secret for the Social Identity Providers that support the OAuth protocol. Each Provider also asks for the callback or redirect URL of the Mobile and Social server. Register it as an https URL where the Provider allows it, because the Provider sends the authorization code or OAuth verifier back to that URL, and make sure the registered value matches the URL the server actually uses, since Providers reject mismatched callbacks.

Note:

The steps in this section are accurate as of the date that this documentation was published. The steps required to create a Consumer Key and Consumer Secret using the Facebook, Twitter, and LinkedIn web sites are subject to change at any time.

50.3.3.1 Generating a Consumer Key and Consumer Secret for Facebook

You can generate a Consumer Key and Consumer Secret for Facebook.

To generate:

  1. Open the following URL in a web browser:
  2. Click Create New App.
  3. Complete the Create New App form.

    Facebook creates the application and assigns it a unique App ID and App Secret.

  4. Complete the information in the Basic Info section.

    In the Select how your application integrates with Facebook section, select Website with Facebook Login.

  5. In the Site URL field, provide the URL where the Mobile and Social Server can be reached. For example:

    http://OAM-Hosted-Machine:Port/

  6. Click Save Changes.
  7. From the Mobile and Social Console, open the "Social Identity Providers" > "Facebook" configuration page as described in section Editing or Deleting a Social Identity Provider.
  8. Paste the App ID in the Consumer Key field and paste the App Secret in the Consumer Secret field.

    Click Apply to save your changes.

50.3.3.2 Generating a Consumer Key and Consumer Secret for Twitter

You can generate a Consumer Key and Consumer Secret for Twitter.

To generate:

  1. Open the following URL in a web browser:
  2. Complete the Create an application form.

    In the Callback URL field provide the URL where the Mobile and Social Server can be reached. For example:

    http://OAM-Hosted-Machine:Port/oic_rp/return

    Twitter creates the application and assigns it a unique Consumer key and Consumer secret.

  3. (Optional) Configure your Twitter application as needed and save your changes.
  4. From the Mobile and Social Console, open the "Social Identity Providers" > "Twitter" configuration page as described in section Editing or Deleting a Social Identity Provider.
  5. Paste the Consumer Key in the Consumer Key field and paste the Consumer Secret in the Consumer Secret field.

    Click Apply to save your changes.

50.3.3.3 Generating a Consumer Key and Consumer Secret for LinkedIn

You can generate a Consumer Key and Consumer Secret for LinkedIn.

To generate:

  1. Open the following URL in a web browser:
  2. Complete the Add New Application form.

    In the OAuth User Agreement section, add the URL in the OAuth Redirect URL field where the Mobile and Social Server can be reached. For example:

    http://OAM-Hosted-Machine:Managed_Server_Port/

  3. Click Add Application.

    LinkedIn creates the application and assigns it a unique API Key and Secret Key.

  4. From the Mobile and Social Console, open the "Social Identity Providers" > "LinkedIn" configuration page as described in section Editing or Deleting a Social Identity Provider.
  5. Paste the API Key in the Consumer Key field and paste the Secret Key in the Consumer Secret field.

    Click Apply to save your changes.

50.3.3.4 Generating a Consumer Key and Consumer Secret for Foursquare

You can generate a Consumer Key and Consumer Secret for Foursquare.

To generate:

  1. Open the following URL in a web browser:
  2. Fill in the application name and website URL.
  3. Enter the URL where the Mobile and Social Server can be reached in the Callback URL field.

    For example:

    http://OAM-Hosted-Machine:Port/

  4. Save your changes.

    From the screen that is displayed, copy the 'Client ID' and 'Client secret' codes.

  5. From the Mobile and Social Console, open the "Social Identity Providers" > "Foursquare" configuration page as described in section Editing or Deleting a Social Identity Provider.
  6. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field and click Apply to save your changes.

50.3.3.5 Generating a Consumer Key and Consumer Secret for Windows Live

You can generate a Consumer Key and Consumer Secret for Windows Live.

To generate:

  1. Open the following URL in a web browser:
  2. Sign in with your Windows Live ID and password.
  3. Click Create Application.
  4. Fill in the application name.
  5. Read and accept the terms of use.

    From the screen that is displayed, copy the 'Client ID' and 'Client secret' codes.

  6. From the Mobile and Social Console, open the "Social Identity Providers" > "Windows Live" configuration page as described in section Editing or Deleting a Social Identity Provider.
  7. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field and click Apply to save your changes.

50.3.3.6 Generating a Consumer Key and Consumer Secret for Google

You can generate a Consumer Key and Consumer Secret for Google.

To generate:

  1. Open the following URL in a web browser:
  2. Under APIs & auth (on the left side) click Credentials.
  3. Under OAuth click Create new Client ID.

    The Create Client ID form opens.

  4. Complete and submit the form.

    The new Client ID and secret are added.

  5. From the Mobile and Social Console, open the "Social Identity Providers" > "Google" configuration page as described in section Editing or Deleting a Social Identity Provider.
  6. Paste the Client ID in the Consumer Key field and the Client Secret in the Consumer Secret field.

    Click Apply to save your changes.
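As an added example (written for this page, not Oracle's code), the block below shows how the Table 50-2 values are used once the Consumer Key and Consumer Secret from the steps above are in place: an OAuth 1.0a request-token call is signed with HMAC-SHA1 over the RFC 5849 signature base string, the Server Time Sync skew is applied to oauth_timestamp, and a provider-side check shows why an unsynchronized clock makes an otherwise valid signature fail. The Request Token URL, Consumer Key, Consumer Secret, callback URL and nonce are constructed values.

```python
"""OAuth 1.0a signing with the Consumer Key / Consumer Secret and the Server Time Sync
skew from Table 50-2. Added example, not Oracle's code; PROVIDER holds constructed values."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, urlsplit

# Assumed Social Identity Provider configuration (constructed).
PROVIDER = {
    "request_token_url": "https://api.example-idp.com/oauth/request_token",
    "consumer_key": "demo-consumer-key",
    "consumer_secret": "demo-consumer-secret",
    "server_time_sync": -10,   # minutes added to our clock before sending; here our clock runs 10 min fast
}


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as they are."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & base URL & normalized parameters, each percent-encoded (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"  # no explicit default port assumed
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(norm)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Key is consumer secret & token secret; the token secret is empty for a request-token call."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth_timestamp(provider, now=None):
    """Our clock plus the configured skew, as the integer seconds OAuth 1.0 expects."""
    now = time.time() if now is None else now
    return int(now + provider["server_time_sync"] * 60)


def sign_request_token_call(provider, callback, nonce, now=None):
    """Parameters, including oauth_signature, for POST <Request Token URL>."""
    params = [
        ("oauth_callback", callback),
        ("oauth_consumer_key", provider["consumer_key"]),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(oauth_timestamp(provider, now))),
        ("oauth_version", "1.0"),
    ]
    base = signature_base_string("POST", provider["request_token_url"], params)
    return dict(params, oauth_signature=hmac_sha1_signature(base, provider["consumer_secret"]))


def authorization_header(signed):
    """The Authorization: OAuth header form of the signed parameters."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))


def provider_accepts(signed, url, consumer_secret, provider_now, window=300):
    """What the Provider does on receipt: re-sign and compare, then enforce a timestamp window."""
    params = [(k, v) for k, v in signed.items() if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string("POST", url, params), consumer_secret)
    if not hmac.compare_digest(expected, signed["oauth_signature"]):
        return False, "bad signature"
    if abs(int(signed["oauth_timestamp"]) - provider_now) > window:
        return False, "timestamp outside window"
    return True, "ok"
```

Because the timestamp is part of the signed parameters, changing the Server Time Sync value changes the signature as well as the timestamp; the Provider's rejection is therefore on its time window, not on the cryptography, which is why the symptom of clock skew is a failed request-token call with a valid Consumer Key and Consumer Secret.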

50.3.4 Troubleshooting Facebook Social Identity Providers

This section documents known configuration issues that affect the Facebook Social Identity Provider.

50.3.4.1 Configuring WebLogic Server for Facebook Compatibility

You can configure WebLogic Server from the WebLogic Console to support Facebook. Be aware that setting the Host Name Verifier to None turns off host name checking for every outbound SSL connection the Managed Server makes, not only connections to Facebook, so a certificate issued to any host name is accepted. Treat this as a workaround; on WebLogic Server 10.3.6 and later, use the wildcard-aware host name verifier described in Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility instead.

To configure:

  1. Open the WebLogic Console.

    http://host:port/console

  2. Choose Domain > Environment > Servers > Managed Server.
  3. Click the SSL tab, then click Advanced.
  4. Click Lock and Edit configuration.
  5. Change the Host Name Verifier to None.
  6. Restart the Managed Server.

If Host Name Verifier is not set to None, the following error may display when trying to access a protected resource if Facebook is the Identity Provider:

Exception in processRequest method: oracle.security.idaas.rp.RPException:
oracle.security.idaas.rp.RPException: Request failed:

50.3.4.2 Configuring WebLogic Server 10.3.5 and Older for Facebook Compatibility

Facebook's SSL certificate contains *.facebook.com as a wildcard host identifier. WebLogic Server versions 10.3.5 and older have a problem verifying host names that contain wildcards that can lead to communication failures between Facebook and installations of Oracle Access Management Mobile and Social deployed on WebLogic Server.

The following workarounds are available:

  • If using WebLogic Server versions 10.3.5 or older, follow these steps:

    1. In the administration console, choose servers > oam_server_where_Mobile_and_Social_is_deployed > SSL > Advanced.

    2. Change Hostname Verifier to NONE.

  • This WebLogic Server bug has been fixed in version 10.3.6 as follows: a custom host name verifier, SSLWLSWildcardHostnameVerifier, was implemented. It is derived from the default host name verifier, so it supports everything the default verifier does, including Subject Alternative Names (SANs), and additionally accepts wildcard names. You must configure your WebLogic Server to use this custom host name verifier if support for wildcard certificates is required during the SSL handshake. One option is to set the following WebLogic property on the Managed Server:

    -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
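To make the trade-off concrete, here is an added example (Python, not WebLogic's or Oracle's code) of the host name check that a wildcard-aware verifier performs against a certificate's dNSName entries, next to what setting Host Name Verifier to None amounts to. The certificate names are constructed; in real use they come from the peer certificate after chain validation, which this check does not replace.

```python
"""Wildcard-aware host name matching, the check a verifier performs after the certificate
chain has been validated. Added example, not WebLogic code; the names below are constructed."""
import ipaddress


def san_dns_names(peercert):
    """Pull the dNSName entries out of the dict shape that ssl.getpeercert() returns."""
    return [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, cert_dns_names):
    """RFC 6125-style matching: case-insensitive, a wildcard only as the whole leftmost
    label, never over a top-level domain, and never against an IP address literal."""
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False   # "10.0.0.5" must not match "*.0.0.5"; IP literals need iPAddress SANs
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in cert_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue   # "*.facebook.com" covers exactly one label, so a.b.facebook.com is out
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host_labels[1:]:
            return True   # wildcard must leave at least two literal labels, so "*.com" is refused
    return False


def no_verification(hostname, cert_dns_names):
    """Equivalent of Host Name Verifier = None: every certificate satisfies every host name."""
    return True


def peer_is_acceptable(hostname, peercert, verifier=hostname_matches):
    """Decision a client makes for one connection given the (already chain-validated) certificate."""
    return verifier(hostname, san_dns_names(peercert))
```

With the wildcard-aware check, a certificate for *.facebook.com still satisfies www.facebook.com while anything outside that one label level is refused; with the None verifier the same call accepts a certificate issued to an unrelated host, which is the exposure the workaround in the previous section accepts.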