

Copy and Modify the OAuth Provider Configuration File

An OAuth provider configuration file (oauthproviders.xml) is installed with the Policy Server. The provider configuration file contains configuration details of each provider and the protected application. If the file does not include the correct settings, authentication fails.

Information about the file:

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Go to the following location:
    siteminder_home/config/properties
    
    siteminder_home

    Specifies the Policy Server installation path.

  3. Copy the oauthproviders.xml file and name the copy to reflect the tenant.

    Note: You do not need to create a separate oauthproviders.xml file per OAuth provider. Settings per provider are indicated within the file. You only need a separate oauthproviders.xml file per tenant.

    Examples:

  4. Open the file copy.
  5. Review the file and determine if the necessary OAuth provider settings are available. To add a provider, complete the following steps:
    1. Copy an existing OAuth provider node and all of its child nodes. All provider nodes are included within the following root node:
      <OAuthProvider>
      </OAuthProvider>
      
    2. Add the new OAuth provider node and all of its child nodes under the following root node:
      <TrustedOAuthProviders>
      </TrustedOAuthProviders>
      
  6. Configure the settings for each provider. Update values for the following settings:
    OAuth providername

    Identifies the OAuth provider for this node. Enter the name of the provider.

    Note: Use lower-case when entering a provider name.

    AuthorizationURL

    Provides the authorization server endpoint URL for this provider. This URL must generate an authorization token after successful authentication of a user.

    Google example: https://accounts.google.com/o/oauth2/auth

    Facebook example: https://www.facebook.com/dialog/oauth

    AccessTokenURL

    Provides an access token endpoint URL. A user can query for an access token by exchanging the authorization code along with the application configuration details.

    Google example: https://accounts.google.com/o/oauth2/token

    Facebook example: https://graph.facebook.com/oauth/access_token

  7. Configure the settings for each registered application. Application nodes and all child nodes exist under the root node:
    <Application>
    </Application>
    

    Update values for the following settings:

    Application appname

    Identifies the configuration for the OAuth registered application and the user authentication configuration. The end user must provide this identifier in the FCC page to use the configuration for the OAuth authentication.

    Examples: googleapp, facebookapp

    ApplicationURL

    Specifies the registered application URL. Update the value of this setting with the same application redirect URL you entered during the application registration. Enter the URL using the following format:

    https://cloudminder_host/siteminderagent/forms/oauthcb.fcc?SMQUERYDATA=Sample

    Example: https://cloud.ca.com/siteminderagent/forms/oauthcb.fcc?SMQUERYDATA=Sample

    Important! If the SecureURLs parameter for the CAM-AgentObj object is set to "No", instead enter the ApplicationURL as follows:

    http://cloudminder_host/siteminderagent/forms/oauthcb.fcc

    By default, the SecureURLs parameter is set to "Yes" during SiteMinder Policy Server installation. You can check the value of the SecureURLs parameter in the CSP Console. Log in to the CSP Console, then click Infrastructure, Agent, Agent Configuration Objects. Select CAM-AgentObj and click Edit. Page forward to the SecureURLs parameter.

    ClientID

    Contains the identifier of the registered client application at the OAuth server. Update the value of this setting with the generated client ID. The authorization server provides this value when the application is successfully registered.

    Secret

    Indicates the secret associated with the ClientID. Update the value of this setting with the secret associated with the ClientID. The authorization server provides this value when the application is successfully registered.

    PROVIDERLINK

    Links the application with a provider. Specify the providername value of a defined provider. This application uses the provider configuration while performing OAuth authentication.

    Examples: google, facebook

    Scope

    Specifies the required type of permission the application is requesting from the user. For example, if the scope value is https://www.googleapis.com/auth/userinfo.profile, the application can gain read-only access to basic user profile information.

    This scope value is passed in the authorization token request. The client can use the code to access resource URLs, which are specified in the UserInfoURL attribute. An administrator can specify a single value or multiple space-separated values for this attribute.

    UserInfoURL

    Designates a single URL or multiple space-separated URLs from which user information can be queried with the generated access token. The URL represents the resource that the client is trying to access.

    UserAttribute

    Specifies a user attribute. Update this value with the user-identifying claim from the OAuth user information. The value of this attribute is used to disambiguate the user. For Google or Facebook, set the user attribute to "email".

  8. Save and close the file.
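    A small check that a practitioner can run over the tenant copy before restarting anything, added here as an example and not part of the product or its documentation. The element layout (providername and appname as attributes, the remaining settings as child elements) and the sample file are assumptions and constructed data; the check verifies the rules above: lower-case provider names, https provider endpoints, every application setting present, PROVIDERLINK matching a defined providername, and an ApplicationURL whose scheme agrees with the SecureURLs parameter.

```python
# Added check for a tenant copy of oauthproviders.xml (not part of the product).
# Assumption: providername/appname are attributes and the other settings are
# child elements; adjust the tag names if your installed file differs.
import xml.etree.ElementTree as ET

# Constructed sample with two deliberate mistakes; ClientID/Secret are placeholders.
SAMPLE_XML = """<TrustedOAuthProviders>
  <OAuthProvider providername="google">
    <AuthorizationURL>https://accounts.google.com/o/oauth2/auth</AuthorizationURL>
    <AccessTokenURL>https://accounts.google.com/o/oauth2/token</AccessTokenURL>
  </OAuthProvider>
  <Application appname="googleapp">
    <ApplicationURL>http://cloud.example.com/siteminderagent/forms/oauthcb.fcc?SMQUERYDATA=Sample</ApplicationURL>
    <ClientID>CLIENT_ID_PLACEHOLDER</ClientID>
    <Secret>SECRET_PLACEHOLDER</Secret>
    <PROVIDERLINK>Google</PROVIDERLINK>
    <Scope>https://www.googleapis.com/auth/userinfo.profile</Scope>
    <UserInfoURL>https://provider.example.com/userinfo</UserInfoURL>
    <UserAttribute>email</UserAttribute>
  </Application>
</TrustedOAuthProviders>"""

def check_oauth_providers(xml_text, secure_urls=True):
    """Return a list of findings (empty means the file passes these checks).
    secure_urls mirrors the SecureURLs parameter of the CAM-AgentObj object."""
    root = ET.fromstring(xml_text)
    findings, providers = [], set()
    for prov in root.iter("OAuthProvider"):
        name = prov.get("providername", "")
        providers.add(name)
        if name != name.lower():
            findings.append(f"provider '{name}': providername must be lower-case")
        for tag in ("AuthorizationURL", "AccessTokenURL"):
            if not (prov.findtext(tag) or "").startswith("https://"):
                findings.append(f"provider '{name}': {tag} missing or not https")
    scheme = "https://" if secure_urls else "http://"
    for app in root.iter("Application"):
        app_name = app.get("appname", "")
        for tag in ("ClientID", "Secret", "Scope", "UserInfoURL", "UserAttribute"):
            if not (app.findtext(tag) or "").strip():
                findings.append(f"application '{app_name}': {tag} is empty")
        link = app.findtext("PROVIDERLINK") or ""
        if link not in providers:  # must equal a providername exactly (lower-case)
            findings.append(f"application '{app_name}': PROVIDERLINK '{link}' matches no providername")
        url = app.findtext("ApplicationURL") or ""
        if not url.startswith(scheme) or "/siteminderagent/forms/oauthcb.fcc" not in url:
            findings.append(f"application '{app_name}': ApplicationURL must use {scheme} and the oauthcb.fcc path")
    return findings
```

With SecureURLs set to "No" the same sample file yields only the PROVIDERLINK finding, since the http ApplicationURL is then the expected form.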