How to set up Facebook OAuth Federation Partnership

Document ID : KB000009645
Last Modified Date : 14/02/2018

We already have a runbook for this integration at the following URL.


This TecDoc includes complete step-by-step instructions.

The Facebook-side layout has changed and may not appear exactly as in the ver1 runbook above.

The screenshots in this TecDoc are based on the layout of the Facebook site as of 1/Nov/2016.


Policy Server: R12.52SP1CR6
Access Gateway: R12.52SP1CR6
OS: Windows 2008 R2

There is a prerequisite to this.

Your SPS must be using a publicly trusted SSL certificate.

In this sample, my certificate is issued by COMODO.

You need to enable SSL with this publicly trusted certificate on your SPS Apache.



Secondly, register a developer account at Facebook.



You might already have existing apps, in which case you can go directly to the app to configure it; in this sample I do not have any existing apps.

You can click on “Create App” to start.

Or, if you click “Tools & Support” – “Access Token Tool”, it will also ask you to create an app.


Select "create a new app"


Click on "Create a New App"



Enter your preferred Display Name for the app, your email address and select the category of your app. 


Facebook does not accept "face" or "book" in the display name.



Now you have an App ID. This is referred to as the "Client ID", so note it down.

Click on the “Get Started” button for "Facebook Login".




At "Facebook Login" - "Settings", enter the "Valid OAuth redirect URIs" with the following URL.


In my case it is:


Ensure "Client OAuth Login" and "Web OAuth Login" are enabled.



Go to "Dashboard" and you will find your "App Secret", which is automatically generated for you.

You can click on the "Show" button to view the "App Secret" value in clear-text.





Next, go to "Settings" - "Basic" and review the configuration.



If all the configuration looks good, you need to make this app “public”.

Depending on the App Category, you may need to submit it for approval; I did not need to do that.


Note down the following info from the Facebook app.

App ID: 809210785886086

App Secret: *********** (your actual App Secret value will be a hexadecimal string)

Valid OAuth redirect URIs:



Log on to the AdminUI and create a local entity (OAuth Client).




The EntityID is "Facebook-" followed by "<App ID>".

The Disambiguation ID is "facebook<AppID>".



You only need to create the OAuth Client, as there is a predefined “FacebookAuthorizationServer” entity.


If you look at the “FacebookAuthorizationServer” entity, you will find the predefined URLs, and its EntityID is “Facebook”.



Create Partnership



Select the respective entities.

Here you will see the “Entity Name”, as you select them from the dropdown menu.

Later, however, it will display the “Entity ID”.



The following is after the partnership is saved; it shows the EntityID, not the Name.

Note the “Remote AuthZ Server ID” which is the EntityID.

You will need to specify this when making a request for this use case.


You can request that more user information be sent.

From the claims, you will be using the email value for user disambiguation.

The runbook displays only

But you can specify the fields to get more information/claims.

In the sample below, I am using ",name,first_name,last_name,email".


The Client Authentication ID is the App ID 809210785886086.

DO NOT CONFUSE THIS WITH the “Client Token” at Facebook.




Activate the partnership.


You need to have a matching user in your local userstore.



Test federation.

There is one requirement to this…

The should be using a publicly trusted SSL certificate, which I don't have.

The test URL format is:



In my case, it would be:


You will be redirected to  


The actual URL is as below.


Enter your Facebook credentials.



If everything is configured correctly, you will be redirected to your TARGET URL as below.



I am attaching sample logs for your reference.



I am intentionally setting the test user's email to a wrong value so the user would not be found.


So, I am getting the following error, although I have configured the "User Not Found" redirect in the partnership.



Sample logs below.


So, if you want to redirect to a more meaningful page when the user is not found in your local userstore, use the “User Provision” option to redirect to a page that explains the situation or tells the user to contact the administrator.
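As an added illustration (not code from this TecDoc or from CA SSO), the Python sketch below shows what the partnership settings above amount to: the authorization request carrying the App ID as client_id, the Graph API request with the extra claim fields ",name,first_name,last_name,email", and disambiguation on the email claim that falls through to the User Provision redirect when no local user matches, which is the wrong-email case tested above. The Facebook endpoint URLs are assumed here, and the redirect URI, target/provision URLs and user store are constructed placeholders.

```python
from urllib.parse import urlencode

APP_ID = "809210785886086"  # App ID from the TecDoc (the OAuth "Client ID")
REDIRECT_URI = "https://sps.example.com/PLACEHOLDER-redirect-uri"  # placeholder, not on the page
# "id" plus the extra fields the TecDoc adds in the partnership: ",name,first_name,last_name,email"
CLAIM_FIELDS = "id" + ",name,first_name,last_name,email"

# Assumed public Facebook endpoints (the predefined FacebookAuthorizationServer entity holds the real ones).
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
USERINFO_ENDPOINT = "https://graph.facebook.com/me"


def build_authorize_url(state: str) -> str:
    """Authorization request the browser is redirected to. redirect_uri must match one of the
    app's "Valid OAuth redirect URIs" exactly, and 'state' is the client's CSRF binding."""
    params = {"client_id": APP_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": "email", "state": state}  # 'email' permission is needed for the email claim
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def build_userinfo_url(access_token: str) -> str:
    """Graph API request that returns the configured claims for the token's user."""
    return USERINFO_ENDPOINT + "?" + urlencode({"fields": CLAIM_FIELDS, "access_token": access_token})


def disambiguate(claims: dict, user_store: dict, target_url: str, provision_url: str) -> str:
    """Map the returned claims onto a local user via the email value (the partnership's
    disambiguation attribute). A missing or unknown email goes to the User Provision redirect."""
    email = (claims.get("email") or "").strip().lower()
    if email and email in user_store:
        return target_url
    return provision_url


# Constructed sample data: a Graph API response and a one-entry local user store.
SAMPLE_CLAIMS = {"id": "1000", "name": "Test User", "first_name": "Test",
                 "last_name": "User", "email": "Test.User@example.com"}
USER_STORE = {"test.user@example.com": "uid=testuser,ou=people,dc=example,dc=com"}
TARGET_URL = "https://app.example.com/target"
PROVISION_URL = "https://app.example.com/user-provision"

if __name__ == "__main__":
    print(build_authorize_url("constructed-state"))
    print(build_userinfo_url("constructed-token"))
    print(disambiguate(SAMPLE_CLAIMS, USER_STORE, TARGET_URL, PROVISION_URL))
    wrong = dict(SAMPLE_CLAIMS, email="wrong@example.com")  # the TecDoc's user-not-found test
    print(disambiguate(wrong, USER_STORE, TARGET_URL, PROVISION_URL))
```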


You have 3 options to choose from:

Open-format Cookie: There will be a cookie with the specified name, and the value is encrypted.

Open-format Cookie Post: There will be POSTDATA with the specified name, and the value is encrypted.

HTTP Headers: This still generates a cookie called SMSAMLDATA, and the value is encrypted.



If you need to decrypt the cookie, you can install the federation SDK (.NET or Java), which comes with samples.


For Java, there is a KB you can refer to.


For .NET, the kit is 32-bit only.


Once you install it, go to the "<InstallRoot>\sdk\dotnet\testapp" folder, where you will find the sample aspx files.

You will also find the web.config file for the configuration there.


More information is available in the README.txt file in that folder as well.

You need to copy the CA.Federation.FedIdentitySdk.dll file as instructed in the README.txt file to get it working.


Refer to the documentation below.