Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user ubisebastian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

...

  1. Start the configuration by creating a new site. Give a name to the site. E.g. 'Online web shop'.


  2. Create a new application


  3. Name it e.g. 'OAuth Application' or after the application, select Application type as 'OAuth 2.0' and check the 'Enable' check box. Click 'OK'


  4. Upload the redirect_uris information into Application Metadata from a file in a following format. The redirect URL should be given by application development


    Code Block
    languagexml
    {
     "redirect_uris": [ "https://client.example.com/response" ]
}

    This JSON can either be uploaded from a file or copy and pasted into the activation window.

    More than one redirect_uri can be given, for example if the same application is hosted at different domains. In the following example Authorization Requests will be allowed to a range of different address with or without https on a range of port numbers.

    Code Block
    languagexml
    {
"redirect_uris":[
"https://localhost/authorised.html","https://localhost:8080/authorised.html","http://localhost/authorised.html",
"http://localhost:8080/authorised.html","http://localhost/test/authorised.html","http://localhost:8080/test/authorised.html",
"https://localhost/test/authorised.html","https://localhost:8080/test/authorised.html"
]
}

     Once you have entered the redirect_uris information, click OK and then press on Activate. A new client_id and client_secret is generated and activated. Save this file and give it to the application development team configuring the Relying Party.You can also set the human readable client name into the metadata, when this is used instead of default service URL in the login screen. This is set by inserting the client_name in to the metadata. By default system uses this based on the locale setting, if this is not found, then it uses the default, without locale. If client_name is not found then the URL is used. ´Same logic goes with application logo that can be set in metadata. By default the system uses the image based on the locale setting, and then the default one without locale if it exists. Note that application logo usage is set in the properties file.

    Code Block
    languagexml
    {
"redirect_uris": [ "https://client.example.com/response" ], 
"client_name":"oauth-testiagent","client_name#fi":"oauth-testiagent-suomeksi", ",                              
"logo_uri":"http://hifkfotboll.fi/wp-content/uploads/2015/02/NetLogo.png",
"logo_uri#fi":"http://img-b.foreca.net/i/l/foreca_logo_small.gif"
}


  5. Click ‘Update’ to save the configuration


  6. Go to the ‘Authorization policies’ tab now, and create a new policy e.g. ‘Online web shop AP’. Go to ‘Attributes’ tab to add attributes


  7. The following attributes can be added to the Application’s Authorization Policy



    Info

    The Authorization Policy defines which attributes are available to a relying party in the id_token and the userinfo endpoint.

    Because some attributes may be multi-valued, each attribute value is sent by default as a JSON array. If it is known that there is only one permitted attribute, set the attribute name in the “Single Value Attributes” sections of the Authorization tab. The format of the data will change in this case to a string.

    More information related to attributes can be found from Manage authorization policies - SSO

    Where possible, it is recommended to follow common specifications in attribute names. OpenID Connect defines specific attribute values at http://openid.net/specs/openid-connect-core-1_0.html#Claims .


  8. [OPTIONAL] Defining single value attributes


  9. Select the Application to use this authorization policy


  10. Enable the authentication method for the application by adding it in Site Methods. Press the ‘Add Method...’ -button


    Then check the check box Select the method you want to add to the site and click ‘OK’



    Then check the check box Allow password.2 for the application in Allowed Methods and press click the ‘Update’ -button below


  11. Allow eIDMUser group to use this application and click ‘OK’


...

client_id

Contained in file generated when Activate is pressed

secret

Contained in file generated when Activate is pressed

https://sso.example.com/uas/oauth2/metadata.json

This publically available URL returns all of the required OAuth2 endpoints in JSON format.

Compatibility flags

The following compatibility flags are supported for OAuth 2.0 applications.

...