How to Setup OAuth2/OIDC Federation in OpenAM
Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Setup-OAuth2-OIDC-Federation-in-OpenAM
Introduction
In the following manual, we will set up a federation between two OpenAM instances via the OAuth2/OIDC protocol. One OpenAM instance will be set up as the OAuth2/OIDC server, the Identity Provider (IdP), and the other instance as the OAuth2/OIDC client, the Service Provider (SP). Thus, you can authenticate to the OpenAM client instance (SP) with the credentials of the OpenAM server instance (IdP) using the OAuth2/OIDC protocol.
OpenAM Instances Installation
If you already have OpenAM instances installed, you can skip this section. For demonstration purposes, we will install OpenAM IdP and SP in Docker containers.
Network Setup
Add the hostnames and IP address to the hosts file.

```
127.0.0.1 idp.acme.org sp.mycompany.org
```

On Windows the hosts file is located at C:\Windows\System32\drivers\etc\hosts. On Linux and Mac the file location is /etc/hosts.
Create a Docker network for OpenAM instances
```shell
docker network create openam-oauth
```
OpenAM IdP Installation
Run OpenAM Docker Container
```shell
docker run -h idp.acme.org -p 8080:8080 --network openam-oauth --name openam-idp openidentityplatform/openam
```
Once the OpenAM server is running, perform the initial configuration by running the following command and wait for the configuration to complete.
```shell
docker exec -w '/usr/openam/ssoconfiguratortools' openam-idp bash -c \
'echo "ACCEPT_LICENSES=true
SERVER_URL=http://idp.acme.org:8080
DEPLOYMENT_URI=/$OPENAM_PATH
BASE_DIR=$OPENAM_DATA_DIR
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=passw0rd
AMLDAPUSERPASSWD=p@passw0rd
COOKIE_DOMAIN=idp.acme.org
ACCEPT_LICENSES=true
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idp.acme.org
DIRECTORY_PORT=50389
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=dc=openam,dc=example,dc=org
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=passw0rd" > conf.file && java -jar openam-configurator-tool*.jar --file conf.file'
```
OpenAM SP Installation
Run OpenAM Docker Container
```shell
docker run -h sp.mycompany.org -p 8081:8080 --network openam-oauth --name openam-sp openidentityplatform/openam
```
Once the OpenAM server is running, perform the initial configuration by running the following command and wait for the configuration to complete.
```shell
docker exec -w '/usr/openam/ssoconfiguratortools' openam-sp bash -c \
'echo "ACCEPT_LICENSES=true
SERVER_URL=http://sp.mycompany.org:8080
DEPLOYMENT_URI=/$OPENAM_PATH
BASE_DIR=$OPENAM_DATA_DIR
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=passw0rd
AMLDAPUSERPASSWD=p@passw0rd
COOKIE_DOMAIN=sp.mycompany.org
ACCEPT_LICENSES=true
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=sp.mycompany.org
DIRECTORY_PORT=50389
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=dc=openam,dc=example,dc=org
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=passw0rd" > conf.file && java -jar openam-configurator-tool*.jar --file conf.file'
```
OAuth2/OIDC Server Setup
Open the console of the OpenAM instance that will act as the OAuth2/OIDC server at http://idp.acme.org:8080/openam. In the login field enter amadmin. In the password field enter the value of the ADMIN_PWD option, in this case passw0rd.
Go to the root realm and in the Dashboard select Configure OAuth Provider.

Next, Configure OpenID Connect.

Leave the settings unchanged and click the Create button.

Create a Client Application
Open the OAuth2/OIDC server admin console, navigate to the desired realm and select Applications → OAuth 2.0 from the left menu.

In the list, click the New button.

Fill the Name (client_id) and Password (client_secret) fields. Repeat the password and press the Create button.

Open the created application and fill in the settings:
| Setting | Value |
|---|---|
| Redirection URIs | http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp |
| Scope | openid |
| Token Endpoint Authentication Method | client_secret_post |
| ID Token Signing Algorithm | RS256 |
OAuth2/OIDC Client Setup
Create OAuth2/OIDC Authentication Module
Open the console of the OpenAM instance that will act as the OAuth2/OIDC client at http://sp.mycompany.org:8081/openam. In the login field enter amadmin; in the password field enter the value specified in the ADMIN_PWD setting, in this case passw0rd.
Open the realm and select Authentication → Modules from the left menu. Click the Add Module button.

For the module type, select OAuth2/OpenID Connect. The module name can be anything; here it will be oauth.

Press the Create button.
In the list, open the settings of the created module and fill in the settings:
| Setting | Value |
|---|---|
| Client Id | test_client |
| Client Secret | Password specified when registering the application |
| Authentication Endpoint URL | http://idp.acme.org:8080/openam/oauth2/authorize |
| Access Token Endpoint URL | http://idp.acme.org:8080/openam/oauth2/access_token |
| User Profile Service URL | http://idp.acme.org:8080/openam/oauth2/tokeninfo |
| Scope | openid |
| OAuth2 Access Token Profile Service Parameter name | access_token |
| Proxy URL | http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Account Mapper Configuration | sub=uid |
| Attribute Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Attribute Mapper Configuration | sub=uid |
| Create account if it does not exist | disabled |
| Prompt for password setting and activation code | disabled |
| Map to anonymous user | disabled |
| OpenID Connect validation configuration type | .well-known/openid-configuration_url |
| OpenID Connect validation configuration value | http://idp.acme.org:8080/openam/oauth2/.well-known/openid-configuration |
| Name of OpenID Connect ID Token Issuer | http://idp.acme.org:8080/openam/oauth2 |
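The settings above only work when three things agree: the module's endpoints and issuer must match what the IdP publishes in its discovery document, the Proxy URL must be exactly one of the Redirection URIs registered for the client application, and the client's auth method and signing algorithm must be ones the IdP offers. The following is an added example (not code from the article or from OpenAM) that checks those relationships; the discovery document is a constructed, trimmed-down sample of what the IdP would serve at its .well-known URL, and the scopes and auth methods it lists are assumptions.

```python
import json

# Constructed sample discovery document (assumption: trimmed-down, not a real capture
# of http://idp.acme.org:8080/openam/oauth2/.well-known/openid-configuration).
DISCOVERY_JSON = """{
  "issuer": "http://idp.acme.org:8080/openam/oauth2",
  "authorization_endpoint": "http://idp.acme.org:8080/openam/oauth2/authorize",
  "token_endpoint": "http://idp.acme.org:8080/openam/oauth2/access_token",
  "scopes_supported": ["openid", "profile"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}"""

# SP-side module settings and IdP-side client registration, as configured in this guide.
MODULE = {
    "issuer": "http://idp.acme.org:8080/openam/oauth2",
    "authorize": "http://idp.acme.org:8080/openam/oauth2/authorize",
    "access_token": "http://idp.acme.org:8080/openam/oauth2/access_token",
    "scope": "openid",
    "proxy_url": "http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp",
}
CLIENT = {
    "redirect_uris": ["http://sp.mycompany.org:8081/openam/oauth2c/OAuthProxy.jsp"],
    "token_endpoint_auth_method": "client_secret_post",
    "id_token_signing_alg": "RS256",
}

def check_federation_config(discovery_json, module, client):
    """Return a list of mismatches; an empty list means all three sides agree."""
    d = json.loads(discovery_json)
    problems = []
    # The module rejects any ID token whose iss claim differs from the configured issuer,
    # so the value must match the discovery document byte for byte (including /oauth2).
    if module["issuer"] != d["issuer"]:
        problems.append(f"issuer: module={module['issuer']} idp={d['issuer']}")
    if module["authorize"] != d["authorization_endpoint"]:
        problems.append("Authentication Endpoint URL differs from discovery")
    if module["access_token"] != d["token_endpoint"]:
        problems.append("Access Token Endpoint URL differs from discovery")
    for s in module["scope"].split():
        if s not in d["scopes_supported"]:
            problems.append(f"scope {s} not offered by IdP")
    # The IdP only redirects back to a URI that was registered exactly.
    if module["proxy_url"] not in client["redirect_uris"]:
        problems.append("Proxy URL is not among the registered Redirection URIs")
    if client["token_endpoint_auth_method"] not in d["token_endpoint_auth_methods_supported"]:
        problems.append("client auth method not supported by the token endpoint")
    if client["id_token_signing_alg"] not in d["id_token_signing_alg_values_supported"]:
        problems.append("ID Token Signing Algorithm not offered by IdP")
    return problems
```

Run the check against the live discovery document by replacing DISCOVERY_JSON with the body fetched from the OpenID Connect validation configuration value; any non-empty result points at the setting to fix before testing the chain.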
Setup OAuth2/OIDC Authentication Chain
Open the OpenAM Service Provider administrator console. Select the realm and in the left menu go to Authentication → Chains.

Create a new authentication chain

Click the Add a Module button and add the oauth module. Set the Criteria to Requisite. Click OK and then Save Changes.

Realm Setup
Go to the OpenAM SP administrator console. In the left menu, go to Authentication → Settings. On the User Profile tab, select Ignore. Save the changes.

Test the Solution
Go to the OpenAM OAuth2/OIDC Server admin console, select the realm, and under Dashboard in the left menu select Subjects.
This will open a list of users. Create a new testIdp account.

Log out of the OpenAM OAuth2/OIDC Server administration console and the OpenAM OAuth2/OIDC Client administration console or open a browser in incognito mode.
Open the OAuth2/OIDC Client authentication URL of the oauth chain http://sp.mycompany.org:8081/openam/XUI/?service=oauth
You will be redirected to authenticate to the OAuth2/OIDC Server. Enter the testIdp user's credentials.
Confirm consent for the test_client application to access the user data.

After accepting the consent, you will be redirected to the OpenAM OAuth2/OIDC Client console, logged in with the OpenAM OAuth2/OIDC Server user's credentials.
