If you have already configured identity provider (IdP) connections or IdP adapters to connect with third-party identity providers, you can enhance the HTML Form Adapter sign-on page with the option to authenticate with these providers.
Consider the following setup that you have already made.
- An HTML Form Adapter instance to validate local user credentials.
- An authentication policy contract.
- An IdP authentication policy that chains the HTML Form Adapter instance and an authentication policy contract so that the policy contract can harness attribute values returned by the HTML Form Adapter instance for multiple browser-based single sign-on (SSO) use cases via service provider (SP) connections, OAuth authorization code flow, and OAuth implicit flow. The following window capture illustrates your existing policy.
- IdP connections or IdP adapter instances configured to connect with your third-party identity providers
- An authentication policy contract
- A local identity profile
- An HTML Form Adapter instance
- An IdP authentication policy
You need to enhance the sign-on experience by giving users the option to authenticate using their existing accounts at ACME, a major social network. It happens that you have already established an IdP connection to this social network.
- Verify the IdP connection returns the attributes required to complete the browser-based SSO use cases.
As needed, you can also deploy and configure Cloud Identity Connectors to support identities from Facebook, Google, LinkedIn, or Twitter.
- Make a note of which authentication policy contract is currently being used in your policy.
- Create a local identity profile using the Create New configuration wizard. Click
- On the Profile Info tab, enter a name in the Local Identity Profile Name field and, from the Authentication Policy Contract list, select the authentication policy contract you noted in step 2. Click Next.
- On the Authentication Sources tab, enter ACME under Authentication Source, and then click Add. Click Done to exit the configuration window.
  Note: To support additional third-party identity providers, enter a value for each. At runtime, the sign-on page displays them in the order defined on this window.
Configure the HTML Form Adapter instance for customer identities.
- Go to .
- On the IdP Adapters window, from the Instance Name list, click the HTMLFormAdapter instance.
- On the IdP Adapter tab, from the Local Identity Profile list, select a local identity profile.
- Complete the rest of the configuration and save all changes.
Modify your existing IdP authentication policy.
- Go to .
- On the Policies tab, under the Policy section, click the existing IdP policy.
- Click Rules under the Success path of the HTML Form Adapter instance.
- In the Rules dialog, create a policy path for users who choose to authenticate with ACME. For this sample use case, configure the fields as in the following table.
Defining authentication policy rules fields and entries

| Attribute Name | Condition | Value | Result |
| --- | --- | --- | --- |
| policy.action | equal to | ACME | ACME users |

Important: The Value entry must match the value defined on the Authentication Sources window exactly. See step 3b.

The Result field controls the label shown for the policy path of this rule. The value does not need to match the value defined on the Authentication Sources window.

Important: If you have defined multiple third-party identity providers on the Authentication Sources tab, you must repeat these steps to add a policy.action rule for each, so that each provider gets its own policy path.

In addition, ensure the Default to Success check box is selected. When selected, the Success path remains, which matters for this sample use case because users can also authenticate using their local accounts.
- When finished, click Done. This will bring you back to the Authentication Policies window.
- For the ACME users path, select the IdP connection to ACME under Action.
Generally speaking, any IdP adapter instance or IdP connection that connects to the third-party identity provider can be used here.
The following screen capture illustrates your new policy.
- For its Fail path, select
If you have defined multiple third-party identity providers and added rules to create a policy path for each, you can select Restart. The Restart policy action provides users the opportunity to do over. When triggered, the policy engine routes the requests back to the first checkpoint of the invoked authentication policy.
By selecting Restart for the Fail path, you give users the opportunity to choose another third-party identity provider when they fail to authenticate through ACME.
- For its Success path, select the local identity profile created in step 3 and then complete the Local Identity Mapping
Because this use case does not involve registration, the source of fulfillment is limited to the preceding IdP connection or IdP adapter instance, dynamic text, and attribute mapping expression, if enabled.
- For its Fail path, select Done.
- Click Save to keep your changes.
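The routing that the rules table, the Default to Success check box and the Restart action describe, as an added Python model written for this page (it is not PingFederate code; the Rule class, select_path, run_policy and the extra Google rule are constructed for illustration):

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Rule:
    attribute: str   # e.g. "policy.action", set from the provider button the user clicked
    condition: str   # this model supports only "equal to"
    value: str       # must match the Authentication Sources entry exactly
    result: str      # label of the policy path this rule creates

# Constructed rules: the ACME row from the table above plus a second provider.
RULES: List[Rule] = [
    Rule("policy.action", "equal to", "ACME", "ACME users"),
    Rule("policy.action", "equal to", "Google", "Google users"),
]

def select_path(rules: Sequence[Rule], attrs: Dict[str, str],
                default_to_success: bool = True) -> str:
    """Pick the policy path for the attributes returned by the HTML Form Adapter."""
    for rule in rules:
        if rule.condition != "equal to":
            raise ValueError(f"unsupported condition: {rule.condition}")
        # Exact, case-sensitive comparison: "acme" does not satisfy "ACME".
        if attrs.get(rule.attribute) == rule.value:
            return rule.result
    # No rule matched. With Default to Success the Success path (validated local
    # credentials) remains; without it the adapter result counts as a failure.
    return "Success" if default_to_success else "Fail"

def run_policy(rules: Sequence[Rule], attempts: Sequence[Tuple[str, bool]],
               max_restarts: int = 3) -> Tuple[str, str]:
    """Simulate one sign-on. Each attempt is (policy.action, idp_authenticated);
    an empty policy.action stands for a successful local-credential sign-on.
    A failed third-party sign-on takes the Restart action, so the next attempt
    begins again at the HTML Form Adapter checkpoint."""
    for restarts, (action, idp_ok) in enumerate(attempts):
        if restarts > max_restarts:
            break
        path = select_path(rules, {"policy.action": action})
        if path == "Success":   # local account: straight to the policy contract
            return path, "Done"
        if idp_ok:              # IdP connection succeeded -> local identity mapping -> Done
            return path, "Done"
        # IdP connection failed: its Fail path is Restart, try the next attempt
    return "Fail", "Done"
```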
You have now successfully added the option to authenticate via ACME without enabling registration. When users sign on through this HTML Form Adapter instance, the following sign-on page is presented.
If you have added Facebook, Google, LinkedIn, and Twitter as the authentication sources, the following sign-on page is presented.
Users can sign on using their local accounts or third-party identity provider accounts.