Wednesday, April 9, 2014

Login with Facebook for WSO2 Identity Server

Nowadays we are using services form hundreds of websites. Most of these websites need the user to create an account providing a valid email address and password. For most people it is a nightmare to remember all the different user ids and passwords. To make the life easier most websites provide a user a option to login with Facebook Account, Twitter Account or Google Account. Since most of the internet users have one of these accounts it makes creating a new account instant.

 With WSO2 Identity Server 5.0 now users can login to Identity Server with their Facebook account. To do that first you have to create a Facebook app after registering as a Facebook developer.

Step 1 : Configuring the Facebook App

  • Go to Apps > Create a New App

  • Enter an App Name and select an appropriate category and click on Create App. This will take you to the App Dashboard where you can find the AppID and AppSecret.

  • Go to Settings and click on Add platform 
Click on website and configure as shown in the screenshot.


  • Go to Settings > Advanced
Here you need to configure security settings as shown in the screenshot



  • Client OAuth Login should be set to Yes and OAuth redirect URL should be set to https://localhost:9443/commonauth .  Click on Save Changes button to save the changes.
The app is not available to general public yet. To make to app available to every Facebook user, you have to submit the app for review. After a review Facebook make the app available to every Facebook user. More information on review process can be find by clicking on Status and Review.

 Because the review process is taking some time, you can specify some Facebook users as Developers or Testers. Only the specified here can use this app to Login with Facebook until the App go public.
  • Click on Roles to go the below page and specify the required Facebook users as Developers or Testers.

Step 2 : Deploying  travelocity.com sample app


Now you have finished configuring Facebook as an Identity Provider. Now you can configure IS to login to IS sample travelocity.com app using your Facebook credentials. 

You can download travelocity.com.war file using the following link. 

https://drive.google.com/file/d/0B6TqW_IScmilVzdsSUNVWEQ0UWs/edit?usp=sharing

Deploy this sample web app on a web container. To do this, use the Apache Tomcat server. Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x. Use the following steps to deploy the web app in the web container:

Step 3 : Configuring Identity Provider

Now you have to configure WSO2 Identity Server. First you need to download the latest version from
  • Extract the zip file and run wso2server.sh file inside the bin directory. (If you are using windows run wso2server.bat instead).
  • Login to the management console using
                           URL :  https://localhost:9443/carbon/
                           User Name : Admin                                        Password : Admin
  • In the Identity Section in the Main tab, click on Add button under Identity Providers.
  • Give a suitable name as the Identity Provider Name.



  • Go to Federated Authenticators > Facebook Configuration and enter the App ID and App Secret values form Facebook app into Client ID and Client Secret fields respectively.
  • Tick both check boxes to enable Facebook Authenticator and Make it the default. 

Step 4 : Configuring Service Provider

  • Now go back to the WSO2 IS Management console. In the Manage Section in the Main tab, click on Add button under Service Providers.
  • Enter travelocity.com in the Service Provider Name text box and click Register. 
  • Click on Configure link under Inbound Authentication Configuration > SAML2 Web SSO Configuration.


  • Now set the configuration as follows:
              Issuer : travelocity.com

              Assertion Consumer URL : http://localhost:8080/travelocity.com/home.jsp

  • Check the following check-boxes :             
              Enable Response Signing

               Enable Assertion Signing

               Enable Single Logout

               Enable Attribute Profile

               Include Attributes in the Response Always

  • Click on Update button to save the changes. Now you will be send back to the Service Providers page. 


  • Go to Local and Outbound Authentication Configuration.
  • Select the Identity Provider you created form the drop down under Federated Authentication. 
  • Select the Federated Authenticator option button and click Update button to save the changes. 

Step 5 : Configuring claim mappings for Facebook.

  • In the Identity Section in the Main tab, click on List button under Identity Providers.
  • Click on the Edit button to edit the facebook identity provider. 
  • Go to Claim Configuration > Basic Claim Configuration
  • Select Define Custom Claim Dialect option under Select Claim mapping Dialect
  • Click on Add Claim Mapping to add custom claim mappings as follows. 

  • You can retrieve all the public information of the user and the email address. Here are some common attribute names. 

    • id
    • email
    • name
    • first_name
    • last_name
    • link
    • gender
    • locale
    • age_range
          
  • More information is available from the following link.
                https://developers.facebook.com/docs/facebook-login/permissions/v2.0


  • You can map these attributes to any Local Claim URI which you feels suitable. 


    Step 6 : Configuring requested claims for travelocity.com


    • In the Identity Section in the Main tab, click on List button under Service Providers.

    • Click on the Edit button to edit the travelocity.com service provider. 

    • Go to Claim Configuration 

    • Click on Add Claim URI  under Requested Claims to add the requested claims as follows. Here you should add the claims you mapped in the Identity Provider claim configuration. 



      • Select a suitable claim for the Subject Claim URI(Please not that email address cannot use without allowing using email addresses as user names in carbon.xml. To allow using email address as usernames uncomment <!--EnableEmailUserName>true</EnableEmailUserName--> in carbon.xml file inside wso2is-5.0.0/repository/conf)

      Now you have finished the configurations. To see the thing at work go to the following URL.

      http://localhost:8080/travelocity.com



      • Click on : Click here to login with SAML from WSO2 Identity Server.
      Now you will be redirected to Facebook Login page. Enter your Facebook credentials and you will be taken to the home page of the travelocity.com app.



      Posted by at

      19 comments:

      1. Andun SameeraJune 1, 2014 at 8:10 AM

        I did all the things in this blog. My app redirect me to FB and when I authenticated and comes back SAML response building failed. Console shows this error,

        [2014-06-01 14:15:23,081] INFO {org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria} - Could not evaluate criteria, credential contained no entity ID
        [2014-06-01 14:15:23,083] INFO {org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria} - Could not evaluate criteria, credential contained no usage specifier
        [2014-06-01 14:15:23,087] ERROR {org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder} - Error when reading claim values for generating SAML Response

        Can you please help!

        ReplyDelete
        Replies
        1. Prasad TisseraJune 9, 2014 at 11:43 PM

          You have to do claim configurations which was not mentioned in the blog. I have updated the blog with those information. Thank you for pointing out. Thanks.

          Delete
      2. Prasad TisseraJune 9, 2014 at 1:06 AM

        This comment has been removed by the author.

        ReplyDelete
      3. Prasad TisseraJune 9, 2014 at 10:23 PM

        This comment has been removed by the author.

        ReplyDelete
      4. Susinda PereraJuly 2, 2014 at 4:35 AM

        Nice article well explained, thanks for sharing

        ReplyDelete
      5. Suhan DharmasuriyaAugust 19, 2014 at 12:17 AM

        Hi,

        FYI.

        I was running WSO2 Identity Server.
        While I was using facebook configuration as federated authenticator, I got the following error in web browser.

        SAML 2.0 based Single Sign-On
        Error when processing the authentication request!
        Please try login again.

        When I searched the error it directed me towards a jira bug[3] which is not the root cause for this setup.

        This error occurred due to usage of non standard values for Identity Provider Claim URI field in Identity provider's basic claim configuration.
        Once I corrected the values (emailaddress -> email, lastname -> last_name, firstname -> first_name) the authentication was working as expected.

        Correct values
        email
        first_name
        last_name

        Useful Facebook permission link[1].
        Tomcat deployment war file[2].

        Hope this will help to save your time... :)

        IS Server console output error details.
        [2014-08-19 10:36:59,958] ERROR {org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder} - Error when reading claim values for generating SAML Response
        java.lang.NullPointerException
        at org.wso2.carbon.utils.multitenancy.MultitenantUtils.getTenantAwareUsername(MultitenantUtils.java:50)
        at org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder.buildSAMLAssertion(DefaultResponseBuilder.java:135)
        at org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder.buildResponse(DefaultResponseBuilder.java:69)

        [1] https://developers.facebook.com/docs/facebook-login/permissions/v2.1
        [2] https://docs.google.com/file/d/0B6TqW_IScmilVzdsSUNVWEQ0UWs/edit
        [3] https://wso2.org/jira/browse/IDENTITY-2494

        ReplyDelete
      6. UnknownSeptember 8, 2015 at 3:32 AM

        This comment has been removed by the author.

        ReplyDelete
      7. UnknownSeptember 8, 2015 at 3:36 AM

        Hi,

        I did all steps according to this blog. When I was using Facebook configuration as federated authenticator, I have mapped correct Identity provider claim URIs with local claim URIs. Still I got the same error in web browser as below.

        SAML 2.0 based Single Sign-On
        Error when processing the authentication request!
        Please try login again.

        In my log file shows bellow error message,

        Adding claim mapping : id <> id :
        Adding claim mapping : name <> name :

        Failed to process Facebook Connect response. {org.wso2.carbon.identity.application.authenticator.facebook.FacebookAuthenticator}
        org.wso2.carbon.identity.application.authentication.framework.exception.
        {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Sending response back to: /samlsso...

        commonAuthAuthenticated: false
        authenticatedUser: null
        authenticatedIdPs: null

        To solve this I had mapped "id" and "name" values with following claim URIs

        id -> emailaddress
        name -> fullname

        Also I had specified the "name" as the claim URI that identifies the user identifier at the identity provider.

        ReplyDelete
      8. AnonymousNovember 12, 2015 at 12:57 PM

        Jayomi Rajapaksha,
        The id at least lets me authenticate the user but it just gives back a lot string and not the actual email address. Did you have this issue?

        ReplyDelete
      9. UnknownNovember 16, 2015 at 7:06 PM

        Hi,
        Do you have any experience to implement multiple way for login on IS authencatepoint
        login page? i want to use my app to authenticate user after sp send the saml request to IS.

        thanks,

        ReplyDelete
      10. AnonymousJune 28, 2018 at 10:22 AM

        Hi,
        I placed org.wso2.carbon.identity.application.authenticator.facebook-5.1.12.jar file /repository/components/dropins folder. But I unable to see Facebook configuration option in create new provider Federated Authenticators

        ReplyDelete
      11. Sharon M JenkinsOctober 7, 2018 at 4:20 AM

        This comment has been removed by the author.

        ReplyDelete
      12. Sharon M JenkinsOctober 7, 2018 at 4:21 AM

        Numerous organizations and clubs essentially have individuals and a large number of these associations deliver ID cards also. Buy fake id I have two or three photograph security identifications in my wallet alongside a PADI card and a couple of others cards with my photo on them.

        ReplyDelete
      13. saadJanuary 19, 2019 at 11:27 AM

        Thanks so much for this information. I have to let you know I concur on several of the points you make here and others may require some further review, but I can see your viewpoint. Discord Hack

        ReplyDelete
      14. UnknownMarch 3, 2019 at 5:17 AM

        I like this post,And I guess that they having fun to read this post,they shall take a good site to make a information,thanks for sharing it to me. Buy Facebook 5 Star Ratings Reviews

        ReplyDelete
      15. HalesJuly 3, 2019 at 3:12 AM

        I was surfing the Internet for information and came across your blog. I am impressed by the information you have on this blog. It shows how well you understand this subject. Scannable Fake Id

        ReplyDelete
      16. max simthAugust 11, 2019 at 8:42 AM

        Your website is really cool and this is a great inspiring article. Thank you so much. Buy Facebook Accounts

        ReplyDelete
      17. Customer Support NumberJune 24, 2020 at 8:07 PM

        One can very smoothly adjust push notifications on Facebook for that the user should click on the three-dot icon further go to “settings and privacy “further click on “settings”, from there you can change the settings as per your preference, if needed then to know more the user should reach out to the technical experts at +44-800-368-9064 also the technicians can also be reached for help and support through live chats and emails.
        Facebook Support Number UK

        ReplyDelete

      Subscribe to: Post Comments (Atom)