Current trends require usage of services from hundreds of websites in a connected world. Most of these websites need the user to create an account with them by providing a valid email address and password. Remembering all the different user IDs and passwords that you use can be difficult and cumbersome. To make life easier most websites now provide the user with an option to log in using their Facebook account, Twitter account or Google account. Since most of the internet users have one of these accounts, it makes creating a new account an instant action.

WSO2 Identity Server enables users to log in to applications with their Facebook account. To do that, first you have to create a Facebook app after registering as a Facebook developer.

Tip: Before you begin! Please refer to this document to download the travelocity.com sample application.

This topic provides instructions on how to configure the Facebook app and the Identity Server to integrate using a sample app. See the following sections for more information.

Configuring the Facebook app

  1. Go to https://developers.facebook.com/ and log in using your Facebook credentials.
  2. Click Create App.
  3. Enter a Display Name and a Contact Email, and click Create App ID.
  4. Enter the code for the security check, and click Submit.
  5. On the Select product page, click Set up under Facebook Login.
  6. Select Website as the platform for the app used in this sample.
  7. Enter https://localhost:9443/ as the Site URL and click Save.

    Info: If you have configured WSO2 Identity Server to run using an IP address or hostname, provide that IP address or hostname instead of localhost.

  8. Under Products on the left navigation panel, click Facebook Login.

  9. Configure the Client OAuth Settings on the window that appears:

    1. Set Client OAuth Login to Yes.
      Client OAuth Login is the global on/off switch for OAuth client token flows. It helps secure your application and prevent abuse by locking down which redirect URIs are allowed to receive tokens.
    2. Set Web OAuth Login to Yes.
      Web OAuth Login enables OAuth client token flows that use the Facebook web login dialog to return tokens to your own website.
    3. Set Valid OAuth redirect URIs to https://localhost:9443/commonauth.
      This is the ACS URL (Assertion Consumer URL), the endpoint in WSO2 Identity Server that accepts the response sent by Facebook.

  10. Scroll down and click Save Changes to save the changes.

  11. Click Dashboard. The App ID and App Secret are shown there; click Show to view the App Secret.

    Info: The App ID is the Client ID and the App Secret is the Client Secret in OAuth terminology. The API Version is the version of Facebook's API that is used to create the application.

  12. Click Settings on the left menu and navigate to the Basic tab. Add the App Domains (since WSO2 IS is running on localhost, you can add localhost as the App Domain).

  13. Click Save Changes.

Now you have finished configuring Facebook as an Identity Provider.
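The Valid OAuth redirect URIs setting in step 9 is an allow-list, and its protective value comes from strict matching: a token is only ever sent back to a URI that exactly equals a registered one. The following Python is an added example (not Facebook's or WSO2 Identity Server's code) that models such a check for the commonauth endpoint above and contrasts it with a plain prefix comparison, using constructed candidate URIs. The normalisation rules it applies (case-folded scheme and host, default ports dropped) are assumptions made for the example, not a description of Facebook's implementation.

```python
from urllib.parse import urlsplit, urlunsplit

# Allow-list as it would be entered under "Valid OAuth redirect URIs".
# The single entry is the WSO2 IS commonauth endpoint given in the steps above.
REGISTERED_REDIRECT_URIS = frozenset({"https://localhost:9443/commonauth"})


def normalize(uri: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, default
    ports dropped, fragment removed. Path and query are kept byte-for-byte,
    because they are part of what the app owner registered (assumed rules)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def is_allowed_redirect(candidate: str, allow_list=REGISTERED_REDIRECT_URIS) -> bool:
    """Strict allow-list check: the candidate must equal a registered URI after
    normalisation. No prefix, suffix or substring matching, https only,
    no fragment, no userinfo in the authority."""
    try:
        raw = urlsplit(candidate)
        if raw.fragment or raw.username is not None or raw.password is not None:
            return False
        cand = normalize(candidate)
    except ValueError:
        return False
    if urlsplit(cand).scheme != "https":
        return False
    return any(cand == normalize(allowed) for allowed in allow_list)


def naive_prefix_check(candidate: str, allow_list=REGISTERED_REDIRECT_URIS) -> bool:
    """The weak check a strict setting is meant to replace: accepts anything
    that merely starts with a registered value. Shown only for contrast."""
    return any(candidate.startswith(allowed) for allowed in allow_list)


# Constructed test inputs: the registered URI plus variants that differ only
# in case, path, query, scheme or fragment.
SAMPLE_CANDIDATES = [
    "https://localhost:9443/commonauth",
    "HTTPS://LOCALHOST:9443/commonauth",
    "https://localhost:9443/commonauth/../other",
    "https://localhost:9443/commonauth?next=https://other.example/",
    "http://localhost:9443/commonauth",
    "https://localhost:9443/commonauth#state",
]


def compare_checks(candidates=SAMPLE_CANDIDATES) -> dict:
    """Return {candidate: (strict_result, naive_result)} for each input."""
    return {c: (is_allowed_redirect(c), naive_prefix_check(c)) for c in candidates}


if __name__ == "__main__":
    for uri, (strict, naive) in compare_checks().items():
        print(f"strict={strict!s:5} naive={naive!s:5}  {uri}")
```

Run it directly to print both results side by side. The inputs that differ only by a path suffix or a query string are exactly the ones a prefix comparison lets through, which is why the registered value should be the full commonauth URL and nothing broader.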

Info: About accessing the app

The app is not available to the general public yet. To make the app available to every Facebook user, you have to submit the app for review. After a review, Facebook makes the app available to every Facebook user. You can find more information on the review process by clicking App Review in the left navigation menu of your app's dashboard.

The review process may take some time, so for the purposes of this sample you can specify some Facebook users as Developers or Testers. Only the users specified here can use this app to log in with Facebook until the app goes public. To do this, click Roles in the left navigation menu of the dashboard and specify the required Facebook users as Developers or Testers.

Deploying travelocity.com sample app

The next step is to deploy the travelocity.com sample app in order to use it in this scenario.

Tip: Before you begin! If you haven't downloaded the samples, please refer to this document to download the travelocity.com sample application.

  1. Open a terminal window and add the following entry to the /etc/hosts file of your machine to configure the hostname.

    127.0.0.1	wso2is.local

    Info: Why is this step needed? Some browsers do not allow you to create cookies for a naked hostname, such as localhost. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the /etc/hosts file as explained in this step.

    The /etc/hosts file is read-only for normal users, so you cannot save changes by opening it in a text editor without elevated privileges. Instead, edit it from the terminal. For example, use the following command on Mac/Linux:

    sudo nano /etc/hosts
  2. Download the travelocity.com.war file from here.
  3. Deploy this sample web app on a web container:
    1. Use the Apache Tomcat server to do this.
    2. Since this sample is written based on Servlet 3.0, it needs to be deployed on Tomcat 7.x.
    3. Copy the .war file into the webapps folder, for example <APACHE_HOME>/apache-tomcat-7.0.50/webapps.
    4. Start the Tomcat server.
  4. Open the travelocity.properties file found in the <APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes directory and configure the following property with the hostname (wso2is.local) that you configured above. Finally, restart the Tomcat server.

    #The URL of the SAML 2.0 Assertion Consumer
    SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp

Tip: If you wish to change properties like the issuer ID, consumer URL, and IdP URL, you can edit the travelocity.properties file found in the travelocity.com/WEB-INF/classes directory. Also, if the service provider is configured in a tenant, you can use the "QueryParams" property to send the tenant domain, for example "QueryParams=tenantDomain=wso2.com".

This sample uses the following default values.

Property | Description
SAML2.SPEntityId=travelocity.com | A unique identifier for this SAML 2.0 Service Provider application
SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp | The URL of the SAML 2.0 Assertion Consumer
SAML2.IdPURL=https://localhost:9443/samlsso | The URL of the SAML 2.0 Identity Provider
SAML2.IsPassiveAuthn=true | Set this to send SAML2 passive authentication requests

If you edit the travelocity.properties file, you must restart the Apache Tomcat server for the changes to take effect.
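As an added example (not part of the travelocity.com sample or its documentation), the Python below reads a travelocity.properties fragment constructed from the defaults in the table above and checks three things this section depends on: the Assertion Consumer URL uses the name added to /etc/hosts rather than a naked hostname, the IdP URL is https, and SAML2.SPEntityId matches the Issuer value registered for the service provider. The properties parser is a minimal one written for this example, and the rule "a host without a dot is a naked hostname" is a heuristic assumption.

```python
from urllib.parse import urlsplit

# Constructed travelocity.properties fragment modelled on the defaults listed
# in the table above; it is not the file shipped with the sample.
SAMPLE_PROPERTIES = """\
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
SAML2.SPEntityId=travelocity.com
SAML2.IdPURL=https://localhost:9443/samlsso
SAML2.IsPassiveAuthn=true
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#' and '!' comment lines, key=value or
    key:value with surrounding whitespace trimmed. Backslash escapes and line
    continuations are not handled (the sample file does not use them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split at whichever separator comes first, so URLs in values stay intact.
        idx = min((line.find(sep) for sep in "=:" if sep in line), default=-1)
        if idx == -1:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_sp_config(props: dict, expected_issuer: str = "travelocity.com") -> list:
    """Return a list of findings; an empty list means the file is consistent
    with the steps in this section."""
    findings = []

    acs = props.get("SAML2.AssertionConsumerURL", "")
    host = urlsplit(acs).hostname or ""
    if not acs:
        findings.append("SAML2.AssertionConsumerURL is missing")
    elif "." not in host:
        # Heuristic (assumption): a host without a dot is treated as a naked
        # hostname, the case the /etc/hosts step exists to avoid.
        findings.append(f"AssertionConsumerURL host '{host}' is a naked hostname; "
                        "some browsers refuse SSO cookies for it (see the /etc/hosts step)")

    idp = props.get("SAML2.IdPURL", "")
    if urlsplit(idp).scheme != "https":
        findings.append("SAML2.IdPURL must use https so SAML requests and responses "
                        "are protected in transit")

    if props.get("SAML2.SPEntityId") != expected_issuer:
        findings.append("SAML2.SPEntityId must equal the Issuer registered in the "
                        f"Identity Server ('{expected_issuer}')")

    return findings


def audit(text: str = SAMPLE_PROPERTIES) -> list:
    """Parse and check a properties text in one call."""
    return check_sp_config(parse_properties(text))


if __name__ == "__main__":
    for finding in audit() or ["no findings: properties match the tutorial defaults"]:
        print(finding)
    # A variant pointing the consumer URL at localhost triggers the hostname finding.
    for finding in audit(SAMPLE_PROPERTIES.replace("wso2is.local", "localhost")):
        print(finding)
```

Point audit() at the real file contents after editing step 4 and before restarting Tomcat; a finding on the consumer URL host is the usual cause of the SSO cookie problem the /etc/hosts note describes.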

  1. Return to the Management Console.
  2. In the Identity section under the Main tab, click Add under Service Providers.
  3. Enter travelocity.com in the Service Provider Name text box and click Register.
  4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section and set the configuration as follows:
    1. Enter the following values:

      Issuer: travelocity.com

      Assertion Consumer URL: http://wso2is.local:8080/travelocity.com/home.jsp

    2. Select the following check-boxes:

      Enable Response Signing

      Enable Single Logout

      Enable Attribute Profile

      Include Attributes in the Response Always

  5. Click Register. You are sent back to the Service Providers page.

  6. Go to the Local and Outbound Authentication Configuration section.

  7. Select the Federated Authentication radio button and select the Identity Provider you created from the dropdown list under Federated Authentication.

  8. Click Update to save the changes.

You have now added and configured the service provider.

Note: The default client-truststore.jks found in the <IS_HOME>/repository/resources/security/ directory contains the Facebook certificate by default.

Related Topics: For more information on SSO, see Single Sign-On.

Configuring requested claims for travelocity.com (optional)

Generally, service providers need some information from the Identity Provider after the authentication process in order to provide their service. To support this, configure the necessary claims on the service provider side.

  1. In the Identity section under the Main tab, click List under Service Providers.
  2. Click Edit to edit the travelocity.com service provider.
  3. Go to Claim Configuration.
  4. Click Add Claim URI under Requested Claims to add the requested claims as follows. Here you should add the claims you mapped in the Identity Provider claim configuration. Select the Mandatory Claim checkbox for any claims that are mandatory.

    Info: If the service provider needs any claims to be used after the authentication process, the SP can request those claims from the IdP as "Requested Claims".

    Info: Here, the claims marked as mandatory are requested by the service provider from the identity provider. If they are not available, the user is redirected to a different page that asks the user for those mandatory claim values.

  5. The Subject Claim URI is the unique claim that can be used to identify a service provider. Therefore, select a suitable claim for the Subject Claim URI so that it becomes a unique identifier for the service provider.

  6. Click Update to save changes.

  1. To test the sample, go to the following URL: http://wso2is.local:8080/travelocity.com
  2. Click the link to log in with SAML from WSO2 Identity Server.
  3. You are redirected to the Facebook Login page. Enter your Facebook credentials and you will be taken to the home page of the travelocity.com app.