OAuth 2.0 authentication method installation - SSO
This chapter goes through the necessary steps to configure authentication to Ubisecure SSO by OAuth 2.0.
Preliminary Steps
Before OAuth 2.0 authentication is possible, it is typically necessary to:
- Register for a developer account and created a client at the service offering OAuth 2.0 authentication or authorization
- Obtain the following from the third-party service
- Client ID and client secret associated with the client account/integration
- OAuth 2.0 Authorization Endpoint URL
- OAuth 2.0 Access Token Endpoint URL
- UserInfo Endpoint URL
UserInfo Endpoint is an OAuth 2.0 protected resource server, which return information about the authorizing user. The data returned by a UserInfo Endpoint must be in JSON format. The UserInfo Endpoint is mandatory.
Obtaining client credentials is out of scope for this guide. Usually it involves registering a new application in the developer console of the service provider, such as:
- https://developers.facebook.com/ for Facebook
- https://vk.com/dev for VKontakte
- https://console.developers.google.com/ for Google
- https://developer.github.com/apps/building-integrations/setting-up-and-registering-oauth-apps/ for Github
For convenience, on this page a list of Endpoint URLs and settings is provided. Note that Ubisecure has no control over the lifetimes of these URLs and we can only hope that service providers will notify in good time if changes happen.
Configuring the Authentication Method
- Log on to SSO Management with administration privileges
- Navigate to Home → Global Method Settings
- Click New Method…
Enter Title, Name and choose OAuth 2.0 as Method Type, the field Method Class will then be automatically filled:
Select OAuth 2.0 tab and fill in client credentials obtained from service provider, endpoint URLs and other settings
You can refer to table in Appendix A: General Parameters for Selected OAuth 2.0 Service Providers for service provider specific parameters, but it may be necessary to double-check from service provider's knowledge base for most current (or best choice of) endpoint URLs
Method Parameters
Redirect URI:
The URI where SSO expects service provider to redirect the user agent after successful authorization. Service providers usually require this to be registered on the client account or refuse to do the redirection.
Client ID:
The identifier of the OAuth 2.0 client. This value is provided by OAuth 2.0 service provider.
Client Secret:
A shared secret used to authenticate Client to OAuth 2.0 service provider.
Authorization Endpoint URL:
URL of the Authorization Server's Authorization Endpoint.
Scope:
A whitespace delimited list of scopes, which denote the types of attributes to request from UserInfo Endpoint. These are defined by OAuth 2.0 service provider.
Token Endpoint URL:
URL of the Authorization Server's Token Endpoint
Userinfo Endpoint URL:
URL of the UserInfo Endpoint, which is an OAuth 2.0 protected resource server returning information of the authorizing user in JSON format.
Configuration String:
Provides possibility to define extra parameters for service providers which do not conform expected standards. The extra parameters currently supported are:
- userinfoEndpointAccessTokenParameter → The name of GET request parameter, which is used for passing the access token to the UserInfo Endpoint.