

Configure the SMPS Environment: Authenticate Users Using an OAuth Authorization Server

To configure the SMPS environment, you must authenticate users using an OAuth authorization server. To do this, configure single sign-on between the federation system and the OAuth authorization server.

The federation system provides default support for the following OAuth authorization servers:

The following process describes how the federation system processes a user request to access a federated resource:

  1. The federation system redirects the user request to the OAuth authorization server specified in the user request.
  2. The OAuth authorization server authenticates the user and sends an authentication response with claims about the user to the federation system.
  3. The federation system verifies the authentication response, completes the authentication process, and authorizes the user to access the federated resource.

The following flowchart describes how you can authenticate users using an OAuth authorization server:

Configure the federation system to let users sign on using their OAuth authorization server credentials.

This section contains the following topics:

Verify the Prerequisites

Create a Local OAuth Client Entity

Create or Modify the Remote Entity of an Authorization Server

Create an OAuth Partnership for Single Sign-On

Migrate an OAuth Authentication Scheme Set-up to OAuth Partnership

Verify the Prerequisites

Before you configure a partnership for single sign-on between the federation system and an OAuth authorization server, perform the following steps:

Create a Local OAuth Client Entity

Create a local OAuth client entity for the partnership between the federation system and an OAuth authorization server.

Follow these steps:

  1. Navigate to Federation, Entities, and click Create Entity.
  2. Choose Local in Entity Location.
  3. Select OAuth Client from New Entity Type.
  4. Select the OAuth version, and click Next.
  5. Enter the required values, and click Next.
  6. Confirm the entered values and click Finish.

    The Redirect URL is constructed. Use this URL to initiate an OAuth transaction.

Create or Modify the Remote Entity of an Authorization Server

The system provides remote entities for each of the following OAuth authorization servers that are supported by default:

Each remote entity is pre-configured with the known values of that authorization server. You can modify the values to suit your federation environment, or create a remote entity for any other OAuth authorization server.

Follow these steps:

  1. Perform one of the following tasks:

    Create a new remote entity:

    a. Navigate to Federation, Entities, Create Entity.

    b. Select Remote as Entity Location, and select OAuth Authz Server as the New Entity Type.

    c. Click Next.

    d. Enter the values and click Next.

    Modify the pre-populated values of a remote entity:

    a. Navigate to Federation, Entities, and search for the entity that you want to modify.

    b. Click the Actions option of the entity, and click Modify.

    c. Click Next to go to the Configure Entity tab.

    d. Modify the values and click Next.

  2. Confirm the changes and click Finish.

Create an OAuth Partnership for Single Sign-On

To let the federation system retrieve user information from the authorization server, create an OAuth partnership between the OAuth authorization server as the asserting party and the federation system as the relying party.

Follow these steps:

  1. Navigate to Federation, Partnerships and click Create Partnership.
  2. Select the OAuth Client - Authz Server partnership type.
  3. Configure the partnership information.
  4. Confirm the values and click Finish.

An OAuth partnership is configured to let users sign on to a federated resource using their OAuth authorization server credentials.

When the federation system receives a user request in the following format, the request is processed per the partnership configuration:

https://baseURL_of_the_partnership/affwebservices/public/oauthtokenconsumer?AuthzServerID=authorization_server_id

Or

https://baseURL_of_the_partnership/affwebservices/public/oauthtokenconsumer/disambiguation_id?AuthzServerID=<authorization_server_id>

The federation system is configured to implement the social sign-on feature.

Note: The Authorization URL constructed above should be configured as part of the External Authentication Scheme created for the tenant. You must then map it to an application in the CA CloudMinder tenant portal.

Migrate an OAuth Authentication Scheme Set-up to OAuth Partnership

If you configured an OAuth authentication scheme in your environment to authenticate users using an OAuth provider, you can migrate your authentication scheme set-up to a federation partnership.

Follow these steps:

  1. Create a partnership between the OAuth client and the OAuth authorization server.
  2. Perform one of the following steps:

Configure the Management Console Environment

This topic shows you how to configure the attributes of the “openformatcookie” that the user provisioning service uses to provision new users.

Follow these steps:

  1. Log in to the Manage console.
  2. Click Environments.
  3. Click the Tenant name.
  4. Click Advanced Settings, Miscellaneous.
  5. Add the five properties shown in the following table, and then save the configuration.

Property | Value | Description
openformat.cookie.domain | ca.com | Enter the domain name with which the cookie needs to be created.
openformat.cookie.zone | SM |
openformat.cookie.name | DEFAULT |
openformat.cookie.encryption.password | Firewall | Password used in the User Provisioning section of the partnership.
openformat.cookie.encryptiontype | AES256/CBC/PKCS5Padding | Encryption algorithm used to generate the above password. Supported values: AES128/CBC/PKCS5Padding, AES192/CBC/PKCS5Padding, AES256/CBC/PKCS5Padding, 3DES_EDE/CBC/PKCS5Padding
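The following Go program is an added illustration of how the five properties above fit together; it is not CA code and does not reproduce the product's actual cookie format. It maps each supported openformat.cookie.encryptiontype value to the matching block cipher and key length, derives a key from openformat.cookie.encryption.password, encrypts a constructed provisioning payload in CBC mode with PKCS5 padding, and shows the consumer side decrypting it. The key derivation (SHA-256 truncation), the base64(IV || ciphertext) layout, the sample payload, and the function names are all assumptions made for this example; the only values taken from the page are the property names, the example values, and the four algorithm strings.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// cookieConfig holds the five Advanced Settings properties from the table above.
type cookieConfig struct {
	Domain, Zone, Name, Password, EncryptionType string
}

const samplePayload = "uid=jdoe&mail=jdoe@example.com&role=user" // constructed sample; the real cookie layout is not on this page

// cipherSpecs maps each documented encryptiontype value to a cipher constructor and key length (hypothetical mapping).
var cipherSpecs = map[string]struct {
	newCipher func([]byte) (cipher.Block, error)
	keyLen    int
}{
	"AES128/CBC/PKCS5Padding":   {aes.NewCipher, 16},
	"AES192/CBC/PKCS5Padding":   {aes.NewCipher, 24},
	"AES256/CBC/PKCS5Padding":   {aes.NewCipher, 32},
	"3DES_EDE/CBC/PKCS5Padding": {des.NewTripleDESCipher, 24},
}

// newBlock resolves the configured algorithm; ASSUMPTION: SHA-256 truncation stands in for the product's undocumented key derivation.
func newBlock(cfg cookieConfig) (cipher.Block, error) {
	spec, ok := cipherSpecs[cfg.EncryptionType]
	if !ok {
		return nil, fmt.Errorf("unsupported openformat.cookie.encryptiontype %q", cfg.EncryptionType)
	}
	sum := sha256.Sum256([]byte(cfg.Password))
	return spec.newCipher(sum[:spec.keyLen])
}

func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > bs || len(b)%bs != 0 || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// encryptCookie produces the cookie value as base64(IV || CBC ciphertext); the IV-prefix layout is an assumption.
func encryptCookie(cfg cookieConfig, payload string) (string, error) {
	block, err := newBlock(cfg)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs5Pad([]byte(payload), bs)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// decryptCookie is the consumer side: a mismatched password or algorithm yields an error or garbage, not the payload.
func decryptCookie(cfg cookieConfig, encoded string) (string, error) {
	block, err := newBlock(cfg)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(raw) < 2*bs || len(raw)%bs != 0 {
		return "", errors.New("cookie value is too short or not block aligned")
	}
	pt := make([]byte, len(raw)-bs)
	cipher.NewCBCDecrypter(block, raw[:bs]).CryptBlocks(pt, raw[bs:])
	unpadded, err := pkcs5Unpad(pt, bs)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

func buildSetCookie(cfg cookieConfig, value string) string {
	return fmt.Sprintf("%s=%s; Domain=%s; Path=/; Secure; HttpOnly", cfg.Name, value, cfg.Domain)
}
```

The practical check this models: the password and encryption type configured here must match what the User Provisioning section of the partnership uses, because a cookie encrypted under one password or algorithm cannot be read under another, and a consumer that receives such a cookie sees either a padding error or unusable bytes rather than the user attributes.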