<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure Google Social Login for ELM
%DKGRAY% Authors: Main.ShradhaSrivastav <br> Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.x %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

---++ Configure Google Social Login for ELM

Any application that uses OpenID Connect to access Google APIs must have authorization credentials that identify the application to Google's OIDC provider. The following steps explain how to create credentials for your project. Your applications can then use the credentials to access the APIs that you have enabled for that project.

---+++ Create authorization credentials

   1. Go to the [[https://console.developers.google.com/apis/credentials][Credentials page]].
   1. Click Configure Consent Screen, select External and click Create. <br> <img src="%ATTACHURLPATH%/1.png" alt="1.png" width="500" height="400" /> %BR%
   1. Click Create credentials > OAuth client ID. <br> <img src="%ATTACHURLPATH%/2.png" alt="2.png" width="600" height="400" /> %BR%
   1. Select the Web application application type. <br> <img src="%ATTACHURLPATH%/3.png" alt="3.png" width="500" height="450" /> %BR%
   1. Name your OIDC client and click Create.
   1. The redirect URL points to the ID of your configured oidcLogin element and has the following format:
<verbatim>
https://liberty_host:SSL_port/ibm/api/social-login/redirect/oidclogin_id
</verbatim>
<img src="%ATTACHURLPATH%/5.png" alt="5.png" width="500" height="650" /> %BR%
   1. After configuration is complete, take note of the client ID that was created. You will need the client ID to complete the next steps. <br> <img src="%ATTACHURLPATH%/7.png" alt="7.png" width="500" height="450" /> %BR%
   1. Go to the OAuth consent screen and, in the Test users section, add the users who will log in to the application. (Each user must exist in the ELM user repository with the same user ID.) <br> <img src="%ATTACHURLPATH%/8.png" alt="8.png" width="500" height="200" /> %BR%

---+++ Import Google Certificates

   * Open google.com in Firefox.
   * Click the padlock icon in the address bar, then Connection Secure, then More Information. <br> <img src="%ATTACHURLPATH%/googlecert.png" alt="googlecert.png" width="500" height="100" /> %BR%
   * Click View Certificate. <br> <img src="%ATTACHURLPATH%/viewcerts.png" alt="viewcerts.png" width="500" height="200" /> %BR%
   * Download the certificate chain. <br> <img src="%ATTACHURLPATH%/dwnldcerts.png" alt="dwnldcerts.png" width="500" height="500" /> %BR%
   * Import the downloaded certificate into the JAS truststore. Use a key management tool such as iKeyman or the Java keytool utility to add the certificate to the JAS truststore file. <br> <img src="%ATTACHURLPATH%/importcerts.png" alt="importcerts.png" width="500" height="300" /> %BR%

---+++ Configure Social Login in JAS to Redirect to Google Login

You can configure a Liberty server so that users can authenticate to websites that are hosted on the Liberty server by logging in with their social media accounts. For JAS to connect to a different OIDC server, we define our own social login configuration based on the OAuth 2.0 or !OpenID Connect 1.0 standards. In Liberty, social login is enabled by the socialLogin-1.0 feature. The following instructions configure Social Login for a third-party OIDC server.

   * Open the =[JAS_HOME]\wlp\usr\servers\jazzop\server.xml= configuration file and add the socialLogin-1.0, ssl-1.0 and appSecurity-2.0 features.
<verbatim>
<featureManager>
    <feature>socialLogin-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
    ...
</featureManager>
</verbatim>
   * Add the =oidcLogin= element and configure the connection to your OIDC provider.
   * Define the OIDC server endpoints in the =authorizationEndpoint=, =tokenEndpoint=, =jwksUri= and =issuer= attributes. <br> The Liberty server first redirects the user to the authorization endpoint to authenticate the user and obtain the OAuth authorization code. Then it invokes the token endpoint to exchange the OAuth authorization code for an OAuth token.
   * The endpoint data required in the configuration can be obtained from the discovery endpoint URL of the OIDC provider. <br> Taking the Google OIDC provider as an example, the discovery endpoint URL is =https://accounts.google.com/.well-known/openid-configuration=
   * The configuration populated with data from the discovery endpoint is shown below. Add it to =[JAS_HOME]\wlp\usr\servers\jazzop\appConfig.xml= after the =oauthProvider= section.
<verbatim>
<oidcLogin id="myoidcserver" displayName="OIDC Login"
    clientId="[my_client_Id]"
    clientSecret="[my_client_password]"
    authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
    tokenEndpoint="https://www.googleapis.com/oauth2/v4/token"
    jwksUri="https://www.googleapis.com/oauth2/v3/certs"
    issuer="https://accounts.google.com"
    scope="openid profile email"
    userNameAttribute="email"
    mapToUserRegistry="true" >
</oidcLogin>
</verbatim>
   * The =clientId= and =clientSecret= are generated by your OIDC provider (see Create authorization credentials above).
   * The redirect URL points to the ID of your configured oidcLogin element and has the following format:
<verbatim>
https://liberty_host:SSL_port/ibm/api/social-login/redirect/oidclogin_id
</verbatim>
   * For example, the redirect URL for the oidcLogin configuration example above has the following format:
<verbatim>
https://[JAS_HOST]:[Port]/ibm/api/social-login/redirect/myoidcserver
</verbatim>

Note: because the Google OIDC provider uses the user's email address as the user ID, update the configuration in JAS and JTS to use =mail= as the user ID instead of the =sAMAccountName= default for Microsoft Active Directory.
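The following added example (not part of this wiki page or the Liberty product) shows how the =oidcLogin= element above can be generated from the provider's discovery document instead of being typed by hand, and how the redirect URL is derived from the element ID. The discovery document is a constructed sample carrying the endpoint values shown on this page; a live copy is what the discovery endpoint URL returns.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the provider's discovery document, reduced to the
# fields the oidcLogin element needs (a live copy is served at
# https://accounts.google.com/.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
})

# Discovery keys mapped to the oidcLogin attributes used on this page.
ENDPOINT_MAP = {
    "authorization_endpoint": "authorizationEndpoint",
    "token_endpoint": "tokenEndpoint",
    "jwks_uri": "jwksUri",
    "issuer": "issuer",
}

def redirect_url(liberty_host, ssl_port, oidclogin_id):
    """Redirect URL to register with the provider for one oidcLogin element."""
    return f"https://{liberty_host}:{ssl_port}/ibm/api/social-login/redirect/{oidclogin_id}"

def oidclogin_from_discovery(discovery_json, element_id, client_id,
                             client_secret, expected_issuer):
    """Build the <oidcLogin> element from a discovery document.

    Rejects documents missing an endpoint, whose issuer differs from the one
    we expect, or that advertise a non-HTTPS endpoint. The XML serializer
    also escapes the client secret (e.g. '&' or '"'), which hand-edited
    appConfig.xml files often get wrong.
    """
    doc = json.loads(discovery_json)
    missing = [k for k in ENDPOINT_MAP if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} != expected {expected_issuer!r}")
    for key in ENDPOINT_MAP:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")
    attrs = {"id": element_id, "displayName": "OIDC Login",
             "clientId": client_id, "clientSecret": client_secret}
    attrs.update((attr, doc[key]) for key, attr in ENDPOINT_MAP.items())
    attrs.update(scope="openid profile email", userNameAttribute="email",
                 mapToUserRegistry="true")
    return ET.tostring(ET.Element("oidcLogin", attrs), encoding="unicode")
```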
To configure JAS login with the email address, update =ldapUserRegistry.xml= located in =[JAS_HOME]\wlp\usr\servers\jazzop= and modify it to match your environment. Examples follow.

*Microsoft Active Directory*
<verbatim>
<server>
    <ldapRegistry ldapType="Microsoft Active Directory"
        baseDN="CN=Users,DC=test,DC=com"
        bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com"
        bindPassword="********"
        host="ldapserver" id="ldapserver:389" ignoreCase="true"
        port="389" realm="ldapserver:389" recursiveSearch="true"
        sslEnabled="false">
        <activedFilters
            userFilter="(&(mail=%v)(objectcategory=user))"
            groupFilter="(&(cn=%v)(objectcategory=group))"
            userIdMap="*:mail"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member" >
        </activedFilters>
    </ldapRegistry>
</server>
</verbatim>

*ApacheDS*
<verbatim>
<server>
    <ldapRegistry ldapType="Custom"
        baseDN="dc=example,dc=com"
        host="localhost" id="localhostexample:10389" ignoreCase="true"
        port="10389" realm="localhostexample:10389" recursiveSearch="true"
        sslEnabled="false">
        <customFilters
            groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&(mail=%v)(objectclass=inetOrgPerson))"
            userIdMap="*:mail" >
        </customFilters>
    </ldapRegistry>
</server>
</verbatim>

Update the following parameters in the JTS =teamserver.properties= file to use the mail address as the user ID:
<verbatim>
com.ibm.team.repository.ldap.userAttributesMapping=userId\=mail,name\=cn,emailAddress\=mail
com.ibm.team.repository.ldap.findUsersByUserIdQuery=mail\=?1
</verbatim>

---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]]
---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
<sticky></div></sticky>
History: r4 - 2024-03-14 - 05:34:29 - ShradhaSrivastav