Thursday, 30 May 2013

Implementing coarse-grained authorization along with Identity Federation in OpenAM

PingFederate – Identity Provider

OpenAM – Service Provider with coarse-grained authorization capability

  • Create an SP connection in PingFederate to OpenAM, and register PingFederate as a remote identity provider in the OpenAM Circle of Trust
  • Create two users in the PingFederate data store (Active Directory in this example)
  • Use pseudonym identity mapping between the IdP and the SP
  • Create two local user accounts in OpenAM, dummy and dummy2, and set the mail attribute on each
  • Install the agentapp sample application provided with OpenAM
  • Create an access policy in OpenAM with a condition on the user's mail address
  • Initiate IdP-initiated SSO from PingFederate with the target resource set to the web application protected by OpenAM (agentapp in this example)
  • Enter the credentials of the two AD users created above and validate the authorization check
  • For the initial SSO request, OpenAM re-authenticates the user locally in order to link the remote (pseudonym) user to the local user profile
          Note: cookies can be used to verify that SSO is in effect for subsequent requests
  • Verify the pseudonym user identifier mentioned above in the OpenAM Federation.log file


Sunday, 5 May 2013

Federation establishment with PingFederate IdP and OpenAM SP


  • Create a hosted SP in OpenAM and check "Use Name ID as User ID" in the Account Mapper
  • Configure the Identity Provider role in PingFederate
  • Export the SP metadata from OpenAM using ssoadm.jsp and use it to create an SP connection in PingFederate
  • Export the IdP metadata from PingFederate and use it to create a remote identity provider in OpenAM
  • Verify that the SP and IdP are both in the Circle of Trust, initiate IdP-initiated SSO from PingFederate, and verify the SAML assertion in the OpenAM Federation.log file
     Note: the Name ID sent by the IdP (PingFederate) must match the local account's user ID. With this setting the IdP decides which local account the user lands in, so only an IdP trusted to assert your user IDs should be mapped this way
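The pseudonym mapping and mail-based policy check of the 30 May post above and the "Use Name ID as User ID" account mapping of this post are all operations on the received assertion. The following is an added example, written for this page and not taken from either post, and it is not OpenAM's own account mapper or policy engine. It parses a constructed SAML 2.0 assertion, reads the Name ID and its Format, maps it to a local account either directly or through a stored pseudonym link, and then evaluates a coarse-grained policy on the local profile's mail attribute. The local user table, pseudonym link, allowed domain and sample assertions are all assumptions; signature, audience and validity checks are deliberately omitted and must be done first in any real SP.

```python
# Added example, not code from the original posts and not OpenAM's own
# account mapper or policy engine. It shows what an SP does with a received
# SAML 2.0 assertion: read the Name ID and its Format, map it to a local
# account (either "Use Name ID as User ID" or a stored pseudonym link), then
# evaluate a coarse-grained policy on the local profile's mail attribute.
# Signature, audience and validity checks are left out; a real SP must verify
# the assertion signature before trusting anything below.
import xml.etree.ElementTree as ET  # use defusedxml for assertions from untrusted parties

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the OpenAM local user store (uid -> profile).
LOCAL_USERS = {
    "dummy": {"mail": "dummy@example.com"},
    "dummy2": {"mail": "dummy2@partner.example"},
}
# Constructed stand-in for the account links OpenAM stores after the user
# authenticates locally on the first pseudonym SSO (persistent NameID -> uid).
PSEUDONYM_LINKS = {"b4f1c3e9-a7d2-4e2a-9c3f-0e1d2c3b4a59": "dummy2"}


def parse_assertion(xml_text):
    """Return the Name ID, its Format and the asserted attributes."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format", FMT_UNSPECIFIED),
        "attributes": attrs,
    }


def map_to_local_user(parsed, use_name_id_as_user_id=True):
    """Account mapping. A persistent (pseudonym) Name ID is opaque and only
    usable through a stored link; None means OpenAM would have to authenticate
    the user locally and create that link. Any other format is taken as the
    local uid when "Use Name ID as User ID" is checked and must match exactly."""
    nid = parsed["name_id"]
    if parsed["format"] == FMT_PERSISTENT:
        return PSEUDONYM_LINKS.get(nid)
    if use_name_id_as_user_id and nid in LOCAL_USERS:
        return nid
    return None


def mail_policy_allows(uid, allowed_domain):
    """Coarse-grained policy: the *local* profile's mail must be in allowed_domain.
    The asserted mail attribute is not consulted; the policy is on OpenAM's data."""
    profile = LOCAL_USERS.get(uid)
    if profile is None or "@" not in profile.get("mail", ""):
        return False
    return profile["mail"].rsplit("@", 1)[1].lower() == allowed_domain.lower()


def authorize(xml_text, allowed_domain="example.com", use_name_id_as_user_id=True):
    """Returns (local uid or None, allowed)."""
    parsed = parse_assertion(xml_text)
    uid = map_to_local_user(parsed, use_name_id_as_user_id)
    return uid, (uid is not None and mail_policy_allows(uid, allowed_domain))


# Constructed assertions (signature omitted) of the shape seen in Federation.log.
def sample_assertion(name_id, fmt):
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0"
    IssueInstant="2013-05-30T10:00:00Z">
  <saml:Issuer>pingfederate.example.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>{name_id}@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


PSEUDONYM_SSO = sample_assertion("b4f1c3e9-a7d2-4e2a-9c3f-0e1d2c3b4a59", FMT_PERSISTENT)
DIRECT_SSO = sample_assertion("dummy", FMT_UNSPECIFIED)

if __name__ == "__main__":
    print(authorize(PSEUDONYM_SSO))                                    # ('dummy2', False)
    print(authorize(PSEUDONYM_SSO, allowed_domain="partner.example"))  # ('dummy2', True)
    print(authorize(DIRECT_SSO))                                       # ('dummy', True)
```

The two mapping paths fail differently: an unknown pseudonym is the normal first-visit case and is where OpenAM prompts for local login to create the link, whereas an unknown Name ID under "Use Name ID as User ID" is simply rejected, which is why that setting needs the IdP to be trusted with your user ID namespace.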

Friday, 12 April 2013

Establishing federation using Facebook Identity in PingFederate

A Facebook identity can be used for user authentication and web application access in an SSO environment. This post describes the steps involved in using a Facebook user identity to access a web application protected by PingFederate, within the same domain.
  • Register PingFederate as a Facebook application on the Facebook Developer Apps page
  • Create a Facebook IdP adapter and enter the App ID, App Secret and Site URL (all three required). Enter the other optional information if needed
  • Create an OpenToken adapter on the PingFederate SP side
  • Create an adapter-to-adapter mapping from the Facebook IdP adapter to the SP OpenToken adapter
  • After authentication, the user is prompted by Facebook to authorize sharing of their profile information with the application; allow it
  • User attributes are fetched from Facebook and passed to the target application. This can be verified in the server log
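What the Facebook IdP adapter does on the wire is an OAuth 2.0 authorization-code login against Facebook, with the Site URL registered above bounding where Facebook may send the user back. The following is an added example written for this page; it is not the post's code and not PingFederate's adapter. It walks the client side of that login offline: building the authorization redirect with a per-login state value, validating the callback (including the state check that stops login CSRF), preparing the server-side code-for-token exchange, and turning the profile response into attributes for the target application. The endpoint URLs are the Facebook ones as assumed here, and the app ID, secret, Site URL, callback query strings and profile JSON are constructed.

```python
# Added example, not the post's or PingFederate's code: the client side of the
# OAuth 2.0 authorization-code login that a Facebook IdP adapter performs.
# Endpoint URLs are assumed (check the Graph API version you actually use);
# app id, secret, Site URL, callbacks and profile JSON are constructed.
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

FB_AUTHORIZE = "https://www.facebook.com/dialog/oauth"        # assumed
FB_TOKEN = "https://graph.facebook.com/oauth/access_token"    # assumed
FB_PROFILE = "https://graph.facebook.com/me"                  # assumed


def redirect_allowed(site_url, redirect_uri):
    """Local check mirroring the Site URL registration: the callback must have
    the registered scheme and host and live under the registered path.
    Constructed rule; Facebook applies its own validation server-side."""
    s, r = urlsplit(site_url), urlsplit(redirect_uri)
    return (s.scheme, s.netloc) == (r.scheme, r.netloc) and r.path.startswith(s.path or "/")


def build_authorize_url(app_id, redirect_uri, state, scope=("email",)):
    """Step 1: send the browser to Facebook. `state` is a per-login random value
    the SP keeps in the user's session; it is what defeats login CSRF."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(scope),
        "state": state,
    }
    return FB_AUTHORIZE + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: Facebook redirects back. Reject error responses, a missing or
    mismatching state (constant-time compare) and a missing code."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise PermissionError(q.get("error_description", q["error"])[0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible login CSRF, discard the callback")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(app_id, app_secret, redirect_uri, code):
    """Step 3: the server-to-server exchange of the code for an access token.
    redirect_uri must be identical to the one used in step 1."""
    return FB_TOKEN, {
        "client_id": app_id,
        "client_secret": app_secret,   # the App Secret never goes to the browser
        "redirect_uri": redirect_uri,
        "code": code,
    }


def attributes_from_profile(profile_json, required=("id", "email")):
    """Step 4: turn the Graph API profile response into the attributes passed
    on to the target application (attribute names here are assumptions)."""
    data = json.loads(profile_json)
    missing = [k for k in required if not data.get(k)]
    if missing:
        raise ValueError("profile lacks required fields: %s" % ", ".join(missing))
    return {"subject": data["id"], "mail": data["email"], "displayName": data.get("name", "")}


if __name__ == "__main__":
    # Constructed walk-through with fixed values.
    app_id, site = "123456789012345", "https://sso.example.com/"
    cb = "https://sso.example.com/fb/callback"
    assert redirect_allowed(site, cb)
    state = secrets.token_urlsafe(24)
    print(build_authorize_url(app_id, cb, state))
    code = parse_callback(f"{cb}?code=AQDconstructed&state={state}", state)
    print(token_request(app_id, "app-secret-constructed", cb, code))
    print(attributes_from_profile('{"id": "10001", "name": "Dummy User", "email": "dummy@example.com"}'))
```

The "within the same domain" requirement of the post is what `redirect_allowed` encodes: the callback that receives the code must sit under the registered Site URL, otherwise the code could be delivered to a host the attacker controls.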