How to Setup OAuth2 OIDC Federation in OpenAM - OpenIdentityPlatform/OpenAM GitHub Wiki
Introduction
In the following manual, we will set up a federation between two OpenAM instances via OAuth2/OIDC protocol. One OpenAM instance we will set up as OAuth2/OIDC Server - Identity Provider (IdP), and another instance OAuth2/OIDC client - Service Provider (SP).Thus, you can authenticate to an OpenAM client instance (SP) using OpenAM instance credentials (IdP) using the OAuth2/OIDC protocol.
OpenAM Instances Installation
If you already have OpenAM instances installed, you can skip this section. For demonstration purposes, we will install OpenAM IdP and SP in Docker containers.
Network Setup
Add hostnames and IP adress to the hosts file.
127.0.0.1 idp.acme.org sp.mycompany.org
In Windows hosts file located at C:\Windows\System32\drivers\etc\hosts directory. Un Linux and Mac the file location is /etc/hosts
Create a Docker network for OpenAM instances
docker network create openam-oauth
OpenAM IdP Installation
Run OpenAM Docker Container
docker run -h idp.acme.org -p 8080:8080 --network openam-oauth --name openam-idp openidentityplatform/openam
Once the OpenAM server is running, perform the initial configuration by running the following command and wait for the configuration to complete.
docker exec -w '/usr/openam/ssoconfiguratortools' openam-idp bash -c \
'echo "ACCEPT_LICENSES=true
SERVER_URL=http://idp.acme.org:8080
DEPLOYMENT_URI=/$OPENAM_PATH
BASE_DIR=$OPENAM_DATA_DIR
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=passw0rd
AMLDAPUSERPASSWD=p@passw0rd
COOKIE_DOMAIN=idp.acme.org
ACCEPT_LICENSES=true
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idp.acme.org
DIRECTORY_PORT=50389
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=dc=openam,dc=example,dc=org
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=passw0rd" > conf.file && java -jar openam-configurator-tool*.jar --file conf.file'
OpenAM SP Installation
Run OpenAM Docker Container
docker run -h sp.mycompany.org -p 8081:8080 --network openam-oauth --name openam-sp openidentityplatform/openam
Once the OpenAM server is running, perform the initial configuration by running the following command and wait for the configuration to complete.
docker exec -w '/usr/openam/ssoconfiguratortools' openam-sp bash -c \
'echo "ACCEPT_LICENSES=true
SERVER_URL=http://sp.mycompany.org:8080
DEPLOYMENT_URI=/$OPENAM_PATH
BASE_DIR=$OPENAM_DATA_DIR
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=passw0rd
AMLDAPUSERPASSWD=p@passw0rd
COOKIE_DOMAIN=sp.mycompany.org
ACCEPT_LICENSES=true
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=sp.mycompany.org
DIRECTORY_PORT=50389
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=dc=openam,dc=example,dc=org
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=passw0rd" > conf.file && java -jar openam-configurator-tool*.jar --file conf.file'
OAuth2/OIDC Server Setup
Open the OpenAM console, which will be in the role of the OAuth2/OIDC server at http://idp.acme.org:8080/openam. In the login field enter the amadmin value. In the password field enter the value from ADMIN_PWD option, in this case passw0rd.
Go to the root realm and in the Dashboard select Configure OAuth Provider.
Next, Configure OpenID Connect.
Leave the settings unchanged and click the Create button.
Create a Client Application
Open the OAuth2/OIDC server admin console, navigate to the desired realm and select Applications → OAuth 2.0 from the left menu
In the list, click the New button.
Fill the Name (client_id) and Password (client_secret) fields. Repeat the password and press the Create button.
Open the created application and fill the settings.
| Setting | Value |
|---|---|
| Redirection URIs | http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp |
| Scope | openid |
| Token Endpoint Authentication Method | client_secret_post |
| ID Token Signing Algorithm | RS256 |
OAuth2/OIDC Client Setup
Create OAuth2/OIDC Authentication Module
Open the console of OpenAM, which will be in the role of OAuth2/OIDC client at http://openam-sp.example.org:8081/openam. In the login field enter the value amadmin, in the password field enter the value specified in the ADMIN_PWD setting, in this case passw0rd.
Open the realm and select Authentication → Modules from the left menu. Click the Add Module button.
Тип модуля выберите OAuth2/OpenID Connect, имя модуля может быть любым, путь оно будет oauth.
Press the Create button.
In the list, open the settings of the created module and fill in the settings:
| Setting | Value |
|---|---|
| Client Id | test_client |
| Client Secret | Password specified when registering the application |
| Authentication Endpoint URL | http://idp.acme.org:8080/openam/oauth2/authorize |
| Access Token Endpoint URL | http://idp.acme.org:8080/openam/oauth2/access_token |
| User Profile Service URL | http://idp.acme.org:8080/openam/oauth2/tokeninfo |
| Scope | openid |
| OAuth2 Access Token Profile Service Parameter name | access_token |
| Proxy URL | http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Account Mapper Configuration | sub=uid |
| Attribute Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Attribute Mapper Configuration | sub=uid |
| Create account if it does not exist | disabled |
| Prompt for password setting and activation code | disabled |
| Map to anonymous user | disabled |
| OpenID Connect validation configuration type | .well-known/openid-configuration_url |
| OpenID Connect validation configuration value | http://idp.acme.org:8080/openam/oauth2/.well-known/openid-configuration |
| Name of OpenID Connect ID Token Issuer | http://idp.acme.org:8080/openam/oauth2 |
Setup OAuth2/OIDC Authentication Chain
Open the OpenAM Service Provider administrator console. Select the realm and in the left menu go to Authentication → Chains.
Create a new authentication chain
Click the Add a Module button and add the oauth module. Set the Criteria to Requisite. Click OK and then Save Changes.
Realm Setup
Go to the OpenAM SP administrator console. In the left menu, go to Authentication → Settings. On the User Profile tab, select Ignore. Save the changes.
Test the Solution
Go to the OpenAM OAuth2/OIDC Server admin console, select realm, under Dashboard in the left menu select Subjects.
This will open a list of users. Create a new testIdp account
Log out of the OpenAM OAuth2/OIDC Server administration console and the OpenAM OAuth2/OIDC Client administration console or open a browser in incognito mode.
Open the OAuth2/OIDC Client authentication URL of the oauth chain http://sp.mycompany.org:8081/openam/XUI/?service=oauth
You will be redirected to authenticate to the OAuth2/OIDC Server. Enter the users testIdP credentials.
Confirm consent to access the test_client application user data
After accepting the consent, you well be redirected to OpenAM OAuth2/OIDC Client console with the OpenAM OAuth2/OIDC Server user credentials.
