In this post we are going to walk through setting up Mobile & Social so we can log in to a protected page using a Google account.

My starting point is a fresh install of OAM R2 PS2 (11.1.2.2). I also have OHS installed (11.1.1.7) with an 11g Webgate. For my Identity Store, I have a fresh instance of OUD, also 11.1.2.2.

The first thing I like to do is set up my web server. To keep things clean I’m going to move my default document root to $MW_HOME/wwwroot, and in there I will create two directories:

  • $MW_HOME/wwwroot/public
  • $MW_HOME/wwwroot/protected

In both I will have an index.html file that simply tells you where you are.

To verify we are good to go, we first try the public page, which should load straight away with no login prompt.

Then we try the protected page, which should prompt for login first (the webgate redirects the browser to the OAM login page before serving the content).
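As an added example (not part of the original post), the Python script below creates the two document roots and then performs the check described above without following redirects: the public page must come back as a plain 200, while the protected page must come back as a redirect to the OAM login. The base URL http://demo.idm.guru:7777 is the one used later in this post; the docroot path is whatever you pass in (a temporary directory if you pass nothing).

```python
"""Create the public/protected docroot layout and verify the webgate behaviour.

Added example, not code from the original post. The default base URL
(http://demo.idm.guru:7777) is the one the post uses; everything else is
generic.
"""
import os
import tempfile
import urllib.error
import urllib.request

# Constructed content for the two index pages: they only say where you are.
PAGES = {
    "public": "<html><body><h1>Public page</h1></body></html>\n",
    "protected": "<html><body><h1>Protected page</h1></body></html>\n",
}


def write_docroot(root=None):
    """Create <root>/public/index.html and <root>/protected/index.html.

    Returns the list of files written. With no root given, a fresh temporary
    directory is used so the function can be tried without touching $MW_HOME.
    """
    root = root or tempfile.mkdtemp(prefix="wwwroot-")
    written = []
    for name, body in PAGES.items():
        directory = os.path.join(root, name)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, "index.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        written.append(path)
    return written


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects: we want to see the 302 itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url):
    """Return (status, Location header) for url without following redirects.

    A connection failure is reported as (None, None) rather than an exception.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")
    except urllib.error.URLError:  # DNS failure, connection refused, ...
        return None, None


def classify(status, location):
    """Interpret what the webgate did with the request.

    'public'     -> served directly (200, no redirect)
    'protected'  -> redirected (to the OAM login page)
    'unexpected' -> anything else (error page, down, misconfigured)
    """
    if status == 200 and not location:
        return "public"
    if status in (301, 302, 303, 307) and location:
        return "protected"
    return "unexpected"


def verify_layout(base_url):
    """Check both pages; returns {path: (passed, status, location)}."""
    results = {}
    for path, expected in (("/public/", "public"), ("/protected/", "protected")):
        status, location = fetch_status(base_url.rstrip("/") + path)
        results[path] = (classify(status, location) == expected, status, location)
    return results


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "http://demo.idm.guru:7777"
    for path, (ok, status, location) in verify_layout(base).items():
        print(f"{path}: {'OK' if ok else 'FAIL'} (HTTP {status}, Location={location})")
```

Run it as `python check_docroot.py http://your-ohs-host:7777` after restarting OHS; a protected path that comes back "public" means the webgate is not actually in front of that directory, which is worth catching before any of the Mobile & Social configuration below.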

Create The Identity Store

  • Open OAM Console and go to the User Identity Stores section
  • We are not going to create a normal Identity Store, but instead we’ll set up an Identity Directory Service, made up of an IDS Repository and an IDS Profile.
  • Click Create under the IDS Repositories
  • Fill out the connection information for your directory (host, port, bind DN and password). Use a dedicated service account for OAM rather than the directory manager, so the access it gets can be limited to what these steps need. Mine looks like this:
  • Click Create under the IDS Profile section
  • In the Create Identity Store Profile screen, give it a name, select Use Existing, and pick the Repository Name we created in the previous step. Also update the User and Group sections, especially the Base DNs for each, so they match where your users and groups actually live in OUD.
  • Note that you now also have an auto-generated entry under the normal OAM ID Stores, named “IDSPROFILE-xxxxx”. The userrole and idxuserrole entries are built in and cannot be edited.
  • From the User Identity Stores page, change the Default Store to the newly created IDSPROFILE-xxx Identity Store
  • And lastly, we must point the LDAP Authentication Module to our new ID store as well. From the Launch Pad, select Authentication Modules, click Search, and select “LDAP”
  • Change its User Identity Store to the same IDSPROFILE-xxx store as before

Configure Mobile & Social

  • First we need to enable the Mobile & Social services. From the Launch Pad page, click the Available Services link and enable Mobile and Social
  • Next, open the Social Identity section from the Launch Pad
  • In this screen, note that under Application Profiles, there is a default entry called OAMApplication. For this demo, we’ll just use this default profile, but you can easily create your own later
  • A very key thing to note: the Application Profile name must match the name of the corresponding Application Domain. When I configured the webgate, I chose to have it create the policies for me automatically, so it created an Application Domain with the same name as my webgate, “iamWG1”. We must rename this Application Domain to “OAMApplication”. (Alternatively, you can create a new Application Profile whose name matches an existing Application Domain, but we’re keeping things simple and default for now.)
  • From the Launch Pad, open the Application Domains section and click Search to list the existing domains. Here are my results:
  • Select the Application Domain under which the page we’re trying to protect resides, in my case “iamWG1”, and rename it to “OAMApplication”
  • Back on the Social Identity section, select the OAMApplication under Application Profiles and click Edit
  • Enter a Shared Secret
  • Update the Return URL and Registration URL to use Fully Qualified Domain Names
  • Change Login Type to “Internet Identity Provider Authentication only”
  • Change Enable Browser Pop-up to “No”. (I was having issues with the Google authentication screen being in a popup; you may not. Feel free to experiment.)
  • Here are my settings so far:
  • Configure the Registration Service Details with Application User Attribute Mapping as follows:
  • At the bottom, also make sure that Google is checked under the Application User Attribute and Internet Identity User Attribute Mapping section

Please take note of the User Profile Service Endpoint, which has “/userprofile” selected. This means that User Registration actions will go through this profile. By default, this profile is associated with the built-in WebLogic embedded LDAP, so if we don’t update it, our new users will be created in WebLogic’s embedded LDAP rather than in OUD. The next section covers this.
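To make the registration mapping concrete, here is an added example (not from the original post and not Oracle’s code) of what the Registration Service has to produce: it takes the attributes the Google provider returns after login and builds the inetOrgPerson entry that would be written under the IDS profile’s User Base DN. The Google attribute names (email, firstname, lastname), the LDAP attribute names they map to, and the base DN are assumptions; take the real names from the Application User Attribute Mapping table in your own profile. The point a practitioner should not skip: the e-mail address is input chosen by whoever owns the Google account and it ends up inside a DN, so it is validated and escaped per RFC 4514 before use.

```python
"""Map the attributes Mobile & Social receives from Google onto a new LDAP user.

Added example, not code from the original post or from Oracle. Attribute
names and the base DN below are assumptions for illustration.
"""
import re

# Assumed: the User Base DN configured in the IDS profile earlier in the post.
USER_BASE_DN = "ou=people,dc=demo,dc=idm,dc=guru"

# Assumed Google-side attribute -> LDAP attribute, standing in for the
# Application User Attribute Mapping table of the Registration Service.
ATTRIBUTE_MAP = {
    "email": "mail",
    "firstname": "givenName",
    "lastname": "sn",
}

_DN_SPECIALS = re.compile(r'([\\,+"<>;=])')
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def escape_dn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514).

    Without this, an e-mail such as 'x@example.com,ou=admins' would add an
    extra RDN component and place the new entry somewhere else in the tree.
    """
    escaped = _DN_SPECIALS.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_registration_entry(google_attrs, base_dn=USER_BASE_DN):
    """Return (dn, attributes) for the user to register.

    Raises ValueError if the identity provider did not send every mapped
    attribute or the e-mail address is not usable as a login id.
    """
    missing = [k for k in ATTRIBUTE_MAP if not google_attrs.get(k)]
    if missing:
        raise ValueError(f"identity provider did not supply: {missing}")
    mail = google_attrs["email"].strip().lower()
    if not _EMAIL.fullmatch(mail):
        raise ValueError(f"not a usable e-mail address: {mail!r}")

    attrs = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    for src, dst in ATTRIBUTE_MAP.items():
        attrs[dst] = [google_attrs[src].strip()]
    attrs["mail"] = [mail]
    attrs["uid"] = [mail]  # e-mail as login id: unique, and what the user typed at Google
    attrs["cn"] = [f"{attrs['givenName'][0]} {attrs['sn'][0]}"]
    dn = f"uid={escape_dn_value(mail)},{base_dn}"
    return dn, attrs


def to_ldif(dn, attrs):
    """Render the entry as LDIF, e.g. to inspect or to feed to ldapmodify -a."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        for value in values:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample of what the Google provider hands back after a login.
SAMPLE_GOOGLE_ATTRS = {
    "email": "Jane.Doe@example.com",
    "firstname": "Jane",
    "lastname": "Doe",
}

if __name__ == "__main__":
    entry_dn, entry_attrs = build_registration_entry(SAMPLE_GOOGLE_ATTRS)
    print(to_ldif(entry_dn, entry_attrs))
```

If the registration page you end up with (or the automated one in the follow-up post) builds entries from provider attributes, the same two checks apply there: refuse to register when a mapped attribute is missing, and never concatenate a raw provider value into a DN.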

Update the Service Provider

  • From the Launch Pad, select Mobile Services
  • In the Service Providers section, select and edit the “UserProfile” Service Provider. (The “/userprofile” endpoint above is actually a Service Profile which references this Service Provider.)
  • In the Identity Directory Service section, select the IDS instance we created at the beginning and apply the change

Update Authentication Policy

  • To get the Social login to come up, we need to change the Authentication Scheme for our resource to OICScheme.
  • Go back to your Application Domain (Launch Pad -> Application Domains -> Search -> OAMApplication)
  • Switch to the Authentication Policies tab and click Protected Resource Policy
  • Change the Authentication Scheme to “OICScheme” and apply

Testing and Followup

  • Access our protected URL, in my case http://demo.idm.guru:7777/protected. You should be redirected to the Social login screen, with Google available as an option
  • Select the Google button and log in using your Google account credentials
  • Once you are authenticated, OAM will try to match you to a user in the selected Identity Store, and if no match is found, it will take you to a registration page.
    If you get redirected back to the Google button and your OAM logs show
    “LDAP: error code 123 – You do not have sufficient privileges to use the proxied authorization control”, the bind account OAM uses against OUD is not allowed to use the proxied authorization control; please see this post.
  • After registration, you are finally taken to the protected page
  • Now if we check our OUD directory, we should see a new user entry for the Google account

Next Steps

In my next post, I am going to automate the registration process so it doesn’t require any input from the user. We’ll create a custom registration page which pulls the information passed from the Google authentication and automatically creates the account in LDAP using the new OAM User Profile REST API. This will be totally seamless to the user and they will just be redirected to the protected page after login. Check back here for the link when it’s up.

UPDATE: I’ve published an article on configuring a custom Registration page which automatically creates the user with OAM’s User Profile REST APIs: OAM: Configuring Automated User Provisioning for Social Login Using OAM REST APIs