How to setup Facebook OAuth Federation Partnership

Document ID : KB000009645
Last Modified Date : 14/02/2018
Introduction:

We already have a runbook for this integration at the following URL.

https://support.ca.com/phpdocs/1/8231/runbooks/CASM-FacebookIDPFederationRunbook-ver1.pdf

 

This TecDoc includes complete step-by-step instructions.

The Facebook-side layout has changed and may not appear exactly as in the ver1 runbook above.

The screenshots in this TecDoc are based on the layout of the Facebook site as of 1/Nov/2016.

 

Environment:
Policy Server: R12.52SP1CR6
Access Gateway: R12.52SP1CR6
OS: Windows 2008 R2
Instructions:

There is one prerequisite: your SPS must use a publicly trusted SSL certificate.

In this sample, my certificate is issued by COMODO.

You need to enable SSL with this publicly trusted certificate on your SPS Apache.

Secondly, register a developer account at Facebook.

https://developers.facebook.com

If you already have existing apps, you can go directly to the app to configure it; in this sample I do not have any existing apps.

You can click on “Create App” to start.

Or, if you click “Tools & Support” – “Access Token Tool”, it will also ask you to create an app.

 

Select "create a new app"

 

Click on "Create a New App"

Enter your preferred Display Name for the app and your email address, and select the category of your app.

 

Facebook does not accept "face" or "book" in the display name.

Now you have an App ID. This is referred to as the "Client ID", so note it down.

Click on the “Get Started” button for "Facebook Login".

At "Facebook Login" - "Settings", enter the "Valid OAuth redirect URIs" with the following URL.

https://<yourFQDN>/affwebservices/public/oauthtokenconsumer/facebook<APPID>

In my case it is:

https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086

 

Ensure "Client OAuth Login" and "Web OAuth Login" are enabled.

Go to "Dashboard" and you will find your "App Secret", which is automatically generated for you.

You can click on the "Show" button to view the "App Secret" value in clear-text.

Next, go to "Settings" - "Basic" and review the configuration.

If all the configuration looks good, you need to make this app “public”.

Depending on the App Category, you may need to submit it for approval; I did not need to do that.

 

Note down the following info from the Facebook app.

App ID: 809210785886086

App Secret: *********** (Your actual App Secret value will be a hexadecimal string)

Valid Oauth redirect URIs: https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086

Log on to the AdminUI and create a local entity (OAuth Client).

EntityID is "Facebook-" followed by "<App ID>"

Disambiguation ID is "facebook<AppID>"

You only need to create the OAuth Client, as there is a predefined “FacebookAuthorizationServer” entity.

 

If you look at the “FacebookAuthorizationServer” entity, you will find the predefined URLs and the EntityID is “Facebook”.

Create Partnership

Select the respective entities.

Here you will see the “Entity Name”, as you select them from the dropdown menu.

But later it will display the “Entity ID”.

The following is after the partnership is saved; it shows the EntityID, not the Name.

Note the “Remote AuthZ Server ID”, which is the EntityID.

You will need to specify this when making a request for this use case.

 

You can request that more user information be sent.

From the claims, you will be using the email value for user disambiguation.

The runbook displays only https://graph.facebook.com/me?

But you can specify fields to get more information/claims.

In the sample below, I am using "https://graph.facebook.com/me?fields=id,name,first_name,last_name,email".

 

The Client Authentication ID is the App ID 809210785886086.

DO NOT CONFUSE THIS WITH the “Client Token” at Facebook.

Activate the partnership.

 

You need to have a matching user in your local userstore.

Test the federation.

There is one requirement to this:

www.kimlabs.net should be using a publicly trusted SSL certificate, which I don't have.

The test URL format is:

https://<YourFQDN>/affwebservices/public/oauthtokenconsumer/<disambiguationID>?AuthzServerID=<RemoteEntityID>

 

In my case, it would be:

https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086?AuthzServerID=Facebook

 

You will be redirected to https://www.facebook.com/login.php

 

The actual URL is as below.

https://www.facebook.com/login.php?skip_api_login=1&api_key=809210785886086&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv2.8%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Fwww.kimlabs.net%252Faffwebservices%252Fpublic%252Foauthtokenconsumer%252Ffacebook809210785886086%26state%3D15fc2397-1106ecfb-98b54ac7-cd315dcc-45d84600-a60%26scope%3Demail%26response_type%3Dcode%26client_id%3D809210785886086%26ret%3Dlogin%26logger_id%3De4c3e8e5-bba5-41a8-a981-1ac358c132aa&cancel_url=https%3A%2F%2Fwww.kimlabs.net%2Faffwebservices%2Fpublic%2Foauthtokenconsumer%2Ffacebook809210785886086%3Ferror%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%26state%3D15fc2397-1106ecfb-98b54ac7-cd315dcc-45d84600-a60%23_%3D_&display=page&locale=en_GB&logger_id=e4c3e8e5-bba5-41a8-a981-1ac358c132aa
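As an added example (not part of this TecDoc or the CA product), the following Python unwraps the login.php redirect above and checks the authorization request nested inside it against the values registered on the Facebook app: redirect_uri must equal the Valid OAuth redirect URI built from your FQDN and App ID, client_id must be the App ID, the flow must be response_type=code, the email scope must be requested (it supplies the claim used for disambiguation), and a state value must be present. The URL constant is the walkthrough's own redirect, shortened by dropping cancel_url and logger_id.

```python
from urllib.parse import parse_qs, urlsplit

# Values from this walkthrough: the gateway FQDN and the Facebook App ID (Client ID).
FQDN = "www.kimlabs.net"
APP_ID = "809210785886086"

# The login.php URL the gateway redirected to above, shortened (cancel_url and logger_id dropped).
LOGIN_URL = (
    "https://www.facebook.com/login.php?skip_api_login=1&api_key=809210785886086&signed_next=1"
    "&next=https%3A%2F%2Fwww.facebook.com%2Fv2.8%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F"
    "%252Fwww.kimlabs.net%252Faffwebservices%252Fpublic%252Foauthtokenconsumer%252Ffacebook"
    "809210785886086%26state%3D15fc2397-1106ecfb-98b54ac7-cd315dcc-45d84600-a60%26scope%3Demail"
    "%26response_type%3Dcode%26client_id%3D809210785886086%26ret%3Dlogin&display=page&locale=en_GB"
)

def consumer_url(fqdn, app_id):
    """Valid OAuth redirect URI registered in the Facebook app (template from the steps above)."""
    return "https://%s/affwebservices/public/oauthtokenconsumer/facebook%s" % (fqdn, app_id)

def _single(params, key):
    """Require exactly one value per parameter; omissions or duplicates are malformed."""
    values = params.get(key, [])
    if len(values) != 1:
        raise ValueError("parameter %r present %d times" % (key, len(values)))
    return values[0]

def extract_oauth_request(login_url):
    """Unwrap login.php?next=... and return the authorization-request parameters inside it."""
    outer = parse_qs(urlsplit(login_url).query)               # first percent-decoding layer
    inner = parse_qs(urlsplit(_single(outer, "next")).query)  # second layer: redirect_uri etc.
    keys = ("redirect_uri", "state", "scope", "response_type", "client_id")
    return {k: _single(inner, k) for k in keys}

def check_oauth_request(login_url, fqdn=FQDN, app_id=APP_ID):
    """Return findings where the request differs from the registered app; [] means it matches."""
    req = extract_oauth_request(login_url)
    findings = []
    if req["client_id"] != app_id:
        findings.append("client_id %s is not the registered App ID" % req["client_id"])
    if req["redirect_uri"] != consumer_url(fqdn, app_id):
        findings.append("redirect_uri %s is not the registered redirect URI" % req["redirect_uri"])
    if req["response_type"] != "code":
        findings.append("response_type %s is not the authorization-code flow" % req["response_type"])
    if "email" not in req["scope"].split(","):
        findings.append("email scope not requested, so no email claim for disambiguation")
    if len(req["state"]) < 16:
        findings.append("state is too short to be an unguessable CSRF token")
    return findings
```

Running check_oauth_request against the redirect captured in your own FWSTrace session is a quick way to confirm the partnership sends exactly the registered redirect URI before debugging anything on the Facebook side.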

 

Enter your Facebook credentials.

If everything was configured correctly, you will be redirected to your TARGET URL, as below.

I am attaching sample logs for your reference.

https://communities.ca.com/servlet/JiveServlet/download/5498-1-154050/Facebook_FWSTrace.log.zip

https://communities.ca.com/servlet/JiveServlet/download/5498-1-154051/Facebook_smtracedefault.log.zip

I am intentionally setting the test user's email to a wrong value so that the user will not be found.

So, I am getting the following error although I have configured the "User Not Found" redirect in the partnership.

Sample logs below.

https://communities.ca.com/servlet/JiveServlet/download/5498-1-154052/UserNotFound_FWSTrace.log.zip

https://communities.ca.com/servlet/JiveServlet/download/5498-1-154053/UserNotFound_smtracedefault.log.zip

 

So, if you want to redirect to a more meaningful page when the user is not found in your local userstore, use the “User Provision” option to redirect to a page that explains the situation or tells the user to contact the administrator.

 

You have 3 options to create:

Open-format Cookie: There will be a cookie with the specified name, and the value is encrypted.

Open-format Cookie Post: There will be POSTDATA with the specified name, and the value is encrypted.

HTTP Headers: This still generates a cookie called SMSAMLDATA, and the value is encrypted.

If you need to decrypt the cookie, you can install the federation SDK (.NET or Java), which comes with samples.

 

For Java, there is a KB you can refer to.

https://communities.ca.com/community/ca-security/blog/2016/10/04/tech-tip-ca-single-sign-on-policy-serverhow-to-decrypt-federation-open-format-cookie-java

 

For .NET, the kit is 32-bit only.

https://support.ca.com/irj/portal/solncdndtls?aparNo=RS89893&os=WINDOWS&fc=16&actionID=3

 

Once you install it, go to the "<InstallRoot>\sdk\dotnet\testapp" folder, where you will find the sample aspx files.

You will also find the web.config file for the configuration.

 

More information is available in the README.txt file in that folder as well.

You need to copy the CA.Federation.FedIdentitySdk.dll file as instructed in the README.txt file to get it working.

 

Refer to the documentation below.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/programming/federation-net-sdk-guidance/installation-of-the-net-sdk