If you have already configured IdP connections or IdP adapters to connect with third-party identity providers, you can enhance the HTML Form Adapter sign-on page with the option to authenticate via these providers. This setup involves the following components.
- IdP connections or IdP adapter instances configured to connect with your third-party identity providers
- An authentication policy contract
- A local identity profile
- An HTML Form Adapter instance
- An IdP authentication policy
To illustrate the configuration steps, assume you already have the following in place.
- An HTML Form Adapter instance that validates local user credentials.
- An authentication policy contract.
- An IdP authentication policy that chains the HTML Form Adapter instance and the authentication policy contract, so that the contract can use the attribute values returned by the adapter for multiple browser-based SSO use cases (SP connections, the OAuth authorization code flow, and the OAuth implicit flow). The following screen capture illustrates your existing policy.
You are now tasked with enhancing the sign-on experience by giving users the option to authenticate using their existing accounts at ACME (a major social network). Assume you have already established an IdP connection to this social network.
1. Verify that the IdP connection returns the attributes required to complete the browser-based SSO use cases. Only attributes the third-party provider actually asserts can later be used to fulfill the policy contract, so confirm that every attribute you intend to map (in particular the one you will use as the subject) is returned by the provider for every user.
As needed, you may also deploy and configure Cloud Identity Connectors to support identities from Facebook, Google, LinkedIn, or Twitter.
2. Make a note of which authentication policy contract is currently being used in your policy.
3. Create a local identity profile.
- On the Profile Info screen, enter a name for the local identity profile and select the authentication policy contract (from step 2).
- On the Authentication Sources screen, enter ACME under Authentication Source and then click Add.
Note: To support additional third-party identity providers, enter a value for each. At runtime, the sign-on page displays them in the order defined on this screen.
4. Configure the HTML Form Adapter instance for customer identities.
- On the IdP Adapter screen, select the local identity profile (created in step 3) from the Local Identity Profile list.
- Complete the rest of the configuration and save all changes.
5. Modify your existing IdP authentication policy.
- Click Rules underneath the Success path of the HTML Form Adapter instance.
- On the Rules dialog, create a policy path for users who choose to authenticate via ACME. For this sample use case, configure the rule as follows:
Attribute Name: policy.action
Condition: equal to
Value: ACME
Result: ACME users
Important: The Value must match the value defined on the Authentication Sources screen (see step 3b).
The Result field controls the label shown for the policy path of this rule; it does not need to match the value defined on the Authentication Sources screen.
Important: If you have defined multiple third-party identity providers on the Authentication Sources screen, repeat these steps to add a policy.action rule, and thus a policy path, for each.
In addition, ensure the Default to Success check box is selected. When selected, the Success path remains, which matters for this sample use case because users can also authenticate using their local accounts.
- When finished, click Done, which brings you back to the Manage Authentication Policies screen.
- For the ACME users path, select the IdP connection to ACME. Generally speaking, any IdP adapter instance or IdP connection that connects to the third-party identity provider can be used here. The following screen capture illustrates your new policy.
- For its Fail path, if you have defined multiple third-party identity providers and added a rule to create a policy path for each, you may select Restart. The Restart policy action gives users the opportunity to start over: when triggered, the policy engine routes the request back to the first checkpoint of the invoked authentication policy. Selecting Restart for this Fail path therefore lets users choose another third-party identity provider when they fail to authenticate through ACME.
- For its Success path, select the local identity profile (created in step 3) and then complete its Local Identity Mapping. Because this use case does not involve registration, the sources available for fulfillment are limited to the preceding IdP connection or IdP adapter instance, dynamic text, and attribute mapping expressions (if enabled). Map the contract's subject only from an attribute the provider vouches for; a value a user can set freely at the provider (such as an unverified email address) is not a safe identifier.
- For its Fail path, select Done.
- Click Save to keep your changes.
You have now successfully added the option to authenticate via ACME without enabling registration. When users sign on through this HTML Form Adapter instance, the following sign-on page is presented.
If you have added Facebook, Google, LinkedIn, and Twitter as the authentication sources, the following sign-on page is presented instead.
Users can sign on using either their local accounts or their third-party identity provider accounts.
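The policy built in the steps above is easiest to reason about as a small state machine: the HTML Form Adapter reports Success with a policy.action value, the rules pick a path, a third-party path runs the IdP connection and then the local identity profile's mapping, and a Restart sends the user back to the sign-on page. The following Python model of that routing is an added illustration written for this page, not PingFederate code. The provider attribute names (sub, email), the contract attributes, the second "Google" source and the shape of the attempts list are all assumptions for the example; the behaviour when Default to Success is cleared is also modelled as an assumption (treated as a failed sign-on).

```python
# Added model of the IdP authentication policy configured above (not
# PingFederate code). Provider attribute names, contract attributes and the
# "Google" source are assumptions for this example.

RULES = [
    # (attribute name, value, result) as entered on the Rules dialog. The value
    # must match the Authentication Sources screen; the result is the label of
    # the policy path the rule creates.
    ("policy.action", "ACME", "ACME users"),
    ("policy.action", "Google", "Google users"),
]
DEFAULT_TO_SUCCESS = True  # keeps the Success path for local-account sign-on

# Local Identity Mapping without registration: every contract attribute comes
# either from the preceding IdP connection or from dynamic text.
LIP_MAPPING = {
    "subject": "sub",                 # attribute asserted by the provider
    "email": "email",                 # attribute asserted by the provider
    "idp": ("text", "third-party"),   # dynamic text
}


def evaluate_rules(rules, default_to_success, attrs):
    """Pick the policy path after the HTML Form Adapter reports Success."""
    for name, expected, result in rules:
        if attrs.get(name) == expected:
            return result
    # Assumption: with Default to Success cleared and no rule matched there is
    # no path to follow, so the sign-on is treated as failed.
    return "Success" if default_to_success else "Fail"


def local_identity_mapping(source_attrs, mapping):
    """Fulfil the contract from the provider's attributes; None if one is missing."""
    fulfilled = {}
    for contract_attr, spec in mapping.items():
        if isinstance(spec, tuple) and spec[0] == "text":
            fulfilled[contract_attr] = spec[1]
        elif spec in source_attrs:
            fulfilled[contract_attr] = source_attrs[spec]
        else:
            return None  # the provider did not assert a required attribute
    return fulfilled


def run_policy(attempts, idp_results):
    """Walk the policy for one browser session.

    attempts:    attributes the HTML Form Adapter returns on each successive
                 sign-on page (None means the adapter itself failed). A Restart
                 consumes the next attempt, because the user is sent back to
                 the first checkpoint.
    idp_results: path label -> (succeeded, attributes the provider asserted).
    Returns (outcome, contract attributes or None, trace of the steps taken).
    """
    trace = []
    for form_attrs in attempts:
        if form_attrs is None:
            trace.append("HTML Form Adapter: fail -> Done")
            return "done", None, trace
        path = evaluate_rules(RULES, DEFAULT_TO_SUCCESS, form_attrs)
        if path == "Success":  # local account: the adapter fulfils the contract
            trace.append("HTML Form Adapter: success -> contract")
            return "contract", {"subject": form_attrs["username"],
                                "email": form_attrs.get("email"),
                                "idp": "local"}, trace
        if path == "Fail":
            trace.append("HTML Form Adapter: no matching rule -> Done")
            return "done", None, trace
        ok, attrs = idp_results.get(path, (False, {}))
        if not ok:  # Fail path of the IdP connection: Restart
            trace.append(f"{path}: fail -> Restart")
            continue
        fulfilled = local_identity_mapping(attrs, LIP_MAPPING)
        if fulfilled is None:  # Fail path of the local identity profile: Done
            trace.append(f"{path}: success, mapping failed -> Done")
            return "done", None, trace
        trace.append(f"{path}: success -> local identity profile -> contract")
        return "contract", fulfilled, trace
    trace.append("no further attempts -> Done")
    return "done", None, trace


if __name__ == "__main__":
    # Constructed scenario: ACME rejects the user, who then picks Google.
    results = {"ACME users": (False, {}),
               "Google users": (True, {"sub": "g-123", "email": "alice@example.com"})}
    print(run_policy([{"policy.action": "ACME"}, {"policy.action": "Google"}], results))
```

The scenario in the block exercises the Restart choice from the Fail path: the first attempt fails at ACME, the user is returned to the sign-on page and the second attempt succeeds at Google, after which the local identity profile fulfils the contract from the provider's attributes. Feeding a provider result that lacks one of the mapped attributes shows why step 1 matters: the mapping cannot be completed and the session ends on the profile's Fail path.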