

Configure the Tenant Environment

This section contains the following topics:

Create a CHS Application and Map the SSO Authentication Method

Enable OAUTH Self Registration

Enable the Self Registration Check Box

Create a CHS Application and Map the SSO Authentication Method

This topic shows you how to create a credential handling service (CHS) application and how to map the social sign-on authentication method to it.

Follow these steps:

  1. Log in to the Tenant Console as CSP Administrator.
  2. Navigate to Applications, Modify Application.
  3. Search for the desired application.
  4. Select your <tenant_name>, and then click Select.
  5. Click Add, and then select the desired application.
  6. Click Submit.
  7. Navigate to Applications, Authentication Methods, Modify Authentication Scheme.
  8. Select the Authentication Method of the application that you want to modify.
  9. Select the Enabled check box.
  10. From the Authentication Method Scheme drop-down list, select your application.
  11. Update the Authentication URL to one of the following forms:

    https://<baseURL_of_the_partnership>/affwebservices/public/oauthtokenconsumer?AuthzServerID=<authorization_server_id>

    Or, with a disambiguation ID:

    https://<baseURL_of_the_partnership>/affwebservices/public/oauthtokenconsumer/<disambiguation id>?AuthzServerID=<authorization_server_id>

Enable OAUTH Self Registration

Enable Self Registration for your application's OAUTH authentication.

Follow these steps:

  1. Under the Tenant domain of your application's OAUTH Realm, create a new Rule, such as OAuth_<Your Application Name>_SelfReg.
  2. Create a new Response (OAuth_SelfReg_Response) under the Tenant domain.

    Note: Skip this step if a SelfReg Response was already created for another OAUTH Self Registration.

  3. Add the new Rule and Response to the Tenant domain policy.

Enable the Self Registration Check Box

Log in to the Tenant Console and select the Self Registration check box for the OAUTH Authentication Method.

Follow these steps:

  1. Log in to the Tenant Console.
  2. Navigate to Applications, Authentication Methods, Modify Authentication Method.
  3. Select your Authentication Method.
  4. Make sure that the "Enabled for Self Registration" check box is selected.

Important! When a user is authenticated from a social sign-on page such as Facebook, the cspadmin must protect the Credential Handling Service (CHS) application with a Forms authentication scheme.

Specifically, if CloudMinder is acting as an OAuth Authorization Server hub and a user is authenticated from a social sign-on page, so that the SMSESSION is passed to Layer7 (L7) for validation, protect the resource with Forms authentication using the following format:

/chs/redirect/<tenant name>/<CHS App name used in L7>/

For example:

/chs/redirect/layer7/Layer7IDP
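The Authentication URL from step 11 of the CHS procedure above and the CHS resource path in the preceding note are plain strings that are easy to get subtly wrong: a stray space pasted into the path, http instead of https, a missing or duplicated AuthzServerID, or a slash inside an application name. The following Python is an added example, not CloudMinder or Layer7 product code: it checks a candidate Authentication URL against the two forms shown in the procedure and builds the Forms-protected resource path from its two segments. The host sso.example.com, the AuthzServerID values, and the tenant and application names used in it are constructed placeholders.

```python
"""Configuration sanity checks for the two string-valued settings in this topic:
the OAuth token-consumer Authentication URL and the CHS resource that must be
protected with Forms authentication.

Added example, not CA CloudMinder / Layer7 product code: it only inspects the
strings an administrator types into the Tenant Console. Host names, IDs and
tenant/application names used below are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The two Authentication URL path forms given in the procedure, with the
# <disambiguation id> segment optional.
_CONSUMER_PATH = re.compile(
    r"^/affwebservices/public/oauthtokenconsumer(?:/(?P<disambiguation>[^/]+))?/?$"
)


def check_auth_url(url, expected_authz_server_id=None):
    """Parse an Authentication URL and list anything that would stop the
    token consumer from being reached correctly.

    Returns a dict with 'base_url', 'disambiguation_id', 'authz_server_id'
    and 'problems' (a list of strings; empty means the URL passed every check).
    """
    problems = []
    if any(c.isspace() for c in url):
        problems.append("URL contains whitespace (usually a copy/paste error)")
    parts = urlsplit(url)
    if parts.scheme != "https":
        # The token consumer receives the OAuth response; never allow plain http.
        problems.append("scheme is %r, must be https" % parts.scheme)
    if not parts.netloc:
        problems.append("no host in URL")
    match = _CONSUMER_PATH.match(parts.path)
    if match is None:
        problems.append(
            "path %r is not /affwebservices/public/oauthtokenconsumer"
            "[/<disambiguation id>]" % parts.path
        )
    ids = parse_qs(parts.query, keep_blank_values=True).get("AuthzServerID", [])
    authz_id = ids[0] if len(ids) == 1 else None
    if not authz_id:
        problems.append("exactly one non-empty AuthzServerID query parameter is required")
    elif expected_authz_server_id is not None and authz_id != expected_authz_server_id:
        problems.append(
            "AuthzServerID %r does not match the expected %r"
            % (authz_id, expected_authz_server_id)
        )
    return {
        "base_url": "%s://%s" % (parts.scheme, parts.netloc) if parts.netloc else None,
        "disambiguation_id": match.group("disambiguation") if match else None,
        "authz_server_id": authz_id,
        "problems": problems,
    }


def chs_forms_resource(tenant_name, chs_app_name):
    """Build the resource to protect with a Forms authentication scheme,
    /chs/redirect/<tenant name>/<CHS App name used in L7>, from its two parts.

    Rejects empty segments and segments containing '/' so that a stray slash in
    an application name cannot widen or shift the protected path.
    """
    for segment in (tenant_name, chs_app_name):
        if not segment or "/" in segment or segment != segment.strip():
            raise ValueError("invalid path segment %r" % (segment,))
    return "/chs/redirect/%s/%s" % (tenant_name, chs_app_name)


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    for candidate in (
        "https://sso.example.com/affwebservices/public/oauthtokenconsumer?AuthzServerID=42",
        "https://sso.example.com/affwebservices/public/oauthtokenconsumer/fb?AuthzServerID=42",
        "http://sso.example.com/affwebservices/public/oauthtokenconsumer?AuthzServerID=42",
        "https://sso.example.com/affwebservices/public/ oauthtokenconsumer?AuthzServerID=42",
    ):
        result = check_auth_url(candidate, expected_authz_server_id="42")
        print("OK " if not result["problems"] else "BAD", candidate, result["problems"])
    print(chs_forms_resource("layer7", "Layer7IDP"))
```

Run it against the exact string you intend to paste into the Authentication URL field; an empty problems list means the URL has the right scheme, path form and a single AuthzServerID, which covers the mistakes that otherwise only surface as a failed redirect after social sign-on.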

Troubleshooting Social Sign-on Configuration

SSO Successful but Unable to Find a User

If SSO is successful but the user cannot be found, check that the field in "User ID Attribute Name" maps to the user ID lookup on the OAuth client side.

Certificate-Related Exceptions Communicating with External Social IdP

If you see certificate-related exceptions when communicating with an external social IdP, make sure that you have performed the following:

Issues Passing Application Attributes After Successful SSO

If you have issues passing application attributes after a successful SSO, refer to the Application Attribute Definitions settings in the Partnership.

SSO Fails with Social IdP

If SSO fails with the social IdP, review the log files: