Introduction

...

1. Start the configuration by creating a new site. Give a name to the site. E.g. 'Online web shop'.

   Image Modified

   
   

2. Create a new application

   Image Modified

   
   

3. Name it e.g. 'OAuth Application' or after the application, select Application type as 'OAuth 2.0' and check the 'Enable' check box. Click 'OK'

   Image Modified

   
   

4. Upload the redirect_uris information into Application Metadata from a file in a following format. The redirect URL should be given by application development

   Image Modified

   
   

   Code Block
   language xml
   { "redirect_uris": [ "https://client.example.com/response" ] }

   This JSON can either be uploaded from a file or copy and pasted into the activation window.

   Image Modified

   More than one redirect_uri can be given, for example if the same application is hosted at different domains. In the following example Authorization Requests will be allowed to a range of different address with or without https on a range of port numbers.

   Code Block
   language xml
   { "redirect_uris":[ "https://localhost/authorised.html","https://localhost:8080/authorised.html","http://localhost/authorised.html", "http://localhost:8080/authorised.html","http://localhost/test/authorised.html","http://localhost:8080/test/authorised.html", "https://localhost/test/authorised.html","https://localhost:8080/test/authorised.html" ] }

    Once you have entered the redirect_uris information, click OK and then press on Activate. A new client_id and client_secret is generated and activated. Save this file and give it to the application development team configuring the Relying Party.You can also set the human readable client name into the metadata, when this is used instead of default service URL in the login screen. This is set by inserting the client_name in to the metadata. By default system uses this based on the locale setting, if this is not found, then it uses the default, without locale. If client_name is not found then the URL is used. ´Same logic goes with application logo that can be set in metadata. By default the system uses the image based on the locale setting, and then the default one without locale if it exists. Note that application logo usage is set in the properties file.

   Code Block
   language xml
   { "redirect_uris": [ "https://client.example.com/response" ], "client_name":"oauth-testiagent","client_name#fi":"oauth-testiagent-suomeksi", ", "logo_uri":"http://hifkfotboll.fi/wp-content/uploads/2015/02/NetLogo.png", "logo_uri#fi":"http://img-b.foreca.net/i/l/foreca_logo_small.gif" }

   
   

5. Click ‘Update’ to save the configuration

   Image Modified

   
   

6. Go to the ‘Authorization policies’ tab now, and create a new policy e.g. ‘Online web shop AP’. Go to ‘Attributes’ tab to add attributes

   Image Modified

   
   

7. The following attributes can be added to the Application’s Authorization Policy

   Image Modified

   
   

   Info

   The Authorization Policy defines which attributes are available to a relying party in the id_token and the userinfo endpoint. Because some attributes may be multi-valued, each attribute value is sent by default as a JSON array. If it is known that there is only one permitted attribute, set the attribute name in the “Single Value Attributes” sections of the Authorization tab. The format of the data will change in this case to a string. More information related to attributes can be found from Manage authorization policies - SSO Where possible, it is recommended to follow common specifications in attribute names. OpenID Connect defines specific attribute values at http://openid.net/specs/openid-connect-core-1_0.html#Claims .

   
   

8. [OPTIONAL] Defining single value attributes

   Image Modified

   
   

9. Select the Application to use this authorization policy

   Image Modified

   
   

10. Enable the authentication method for the application by checking adding it in Site Methods. Press the ‘Add Method...’ -button

    Image Added

    
    Then check the check box and click ‘OK’

    Image Added

    
    

    
    Then check the check box in Allowed Methods and press the ‘Update’ -button below

    Image Modified

    
    

11. Allow eIDMUser group to use this application and click ‘OK’

    Image Modified

    
    

Now the Application is configured to use OAuth 2.0.

...

The information that an application developer needs are:

Compatibility flags

The following compatibility flags are supported for OAuth 2.0 applications.

Finnish Trust Network specific configurations

Trusted OAuth 2.0 and OpenID Connect applications in Finnish Trust Network (FTN) can provide their friendly name to be shown in the login UI and sent as the display name for Authentication Methods by setting Configuration String AllowFtnSpname as true. To do this in the Management UI, add AllowFtnSpname=true to the last line in Configuration String.