Use Cases

Connecting PingFederate with Yahoo through OIDC

Learn how to connect PingFederate with your Yahoo developer account using OpenID Connect (OIDC).

Yahoo no longer supports OpenID2 and migrated to OIDC.

Component

PingFederate 10.3

Creating an OIDC app in your Yahoo developer account

Before you begin

About this task

In your Yahoo developer account, create an OIDC app and obtain the Client ID and Client Secret.

Steps

  1. Sign on to your Yahoo developer account and go to Apps → Create an App.

  2. Create an application with OpenID Connect permissions.

  3. Copy the Client ID and Client Secret.

    Screen capture of the Yahoo developer My Apps window showing the Client ID and Client Secret.

Creating an OIDC type IdP connection

Steps

  1. Sign on to PingFederate and go to Authentication → Authorization → IdP Connections. Click Create Connection.

  2. On the Connection Type tab, select the Browser SSO check box, and in the Protocol list, select SAML 2.0. Click Next.

    Screen capture of the Connection Type tab with the Browser SSO Profiles check box selected and the SAML 2.0 option checked from the Protocol list.

  3. On the Connection Options tab, select the Browser SSO check box. Click Next.

  4. On the General Info tab, in the Issuer field, enter https://api.login.yahoo.com.

  5. In the Client ID and Client Secret fields, enter the values copied earlier from your Yahoo OIDC app.

  6. Click Load Metadata. Click Next.

    Screen capture of the General Info tab, showing the completed Issuer, Client ID, and Client Secret fields.

  7. On the Extended Properties tab, click Next.

  8. On the Browser SSO tab, click Configure Browser SSO.

  9. On the User Session Creation tab, click Configure User-Session Creation.

  10. On the Identity Mapping tab, select Account Mapping. Click Next.

  11. On the Attribute Contract tab, leave the default values selected. Click Next.

    Screen capture of the Attribute Contract tab, showing the default values listed.

  12. On the Target Session Mapping tab, click Map New Adapter Instance.

  13. On the Adapter Instance tab, in the Adapter Instance list, select Open Token adapter. Click Next.

    Screen capture of the Adapter Instance tab, showing the Adapter Instance list expanded.

  14. On the Attribute Data Store tab, leave the default values selected. Click Next.

    Screen capture of the Adapter Data Store tab showing the default values listed.

  15. On the Adapter Contract Fulfillment tab, map the values as follows. Click Next.

    Attribute Source Value

    givenName

    Provider Claims

    given_name

    mail

    Provider Claims

    email

    sn

    Provider Claims

    family_name

    subject

    Provider Claims

    sub
    Screen capture of the Adapter Contract Fulfillment tab showing the specified settings.

  16. On the Issuance Criteria tab, click Next.

  17. On the Summary tab, review your entries and click Done.

  18. On the User Session Creation tab, click Next.

  19. On the Protocol Settings tab, click Configure Protocol Settings.

  20. On the OpenID Provider Info tab, review the information and click Next.

    Screen capture of the OpenID Provider Info tab.

  21. On the Overrides tab, enter a Default Target URL. Click Next.

  22. On the Summary tab, review your entries and click Done.

  23. On the Protocol Settings tab, click Next.

  24. On the Summary tab, review your entries and click Done.

  25. On the Activation and Summary tab, click the toggle to activate the connection. Click Save.

Creating a local identity profile

Steps

  1. Go to Authentication → Policies → Local Identity Profiles and click Create New Profile.

  2. On the Profile Info tab, choose an existing policy contract, or create a new one. Click Next.

    Screen capture of the Profile Info tab.

  3. On the Authentication Sources tab, in the empty field next to the Add button, enterYahoo. Click Add.

    Screen capture of the Authentication Sources tab showing Yahoo added as a source.

  4. Click Save.

Creating an HTML form IdP adapter

About this task

Create an HTML form IdP adapter to include the newly created LIP.

Steps

  1. Go to Authentication → Integration → IdP Adapters and click Create New Instance.

  2. On the Type tab, enter a Instance Name and Instance ID, and in the Type list, select HTML From IdP Adapter. Click Next.

    Screen capture of the Type ta showing the completed Instance Name, instance ID, Type, Class Name and Parent Instance fields.

  3. On the IdP Adapter tab, select the Local Identity Profile check box and select the newly-created LIP in the list. Click Next.

    Screen capture of the IdP Adapter tab showing the Local Identity Profile check box selected and the LIP selected from the list.

  4. On the Extended Contract tab, add all desired attributes. Click Next.

    1. To add an attribute, enter the name in the empty field and click Add.

      Screen capture of the Extended Contract tab showing attributes listed.

  5. On the Adapter Attributes tab, in the username row, select the Pseudonym check box. Click Next.

    Screen capture of the Adapter Attributes tab showing the username Pseudonym check box selected.

  6. On the Adapter Contract Fulfillment tab, configure the contract as follows. Click Next.

    Attribute Value

    IsPhoneAvailable

    #this.get("telephoneNumber")== null? false:#this.get("telephoneNumber").toString().equalsIgnoreCase("")?false:true

    telephoneNumber

    telephoneNumber

    mail

    mail

    policy.action

    policy.action

    givenName

    givenName

    objectGUID

    objectGUID

    memberOf

    memberOf

    pi.template

    { "name": "strong_authentication"."variables": { "logourl"."https//www.logosurfer.com/wp-content/uploads/2018/03/kohls-log_0.png"."currency": "USD"."recipient": "Charlie Parker" }}

    sn

    sn

    userPrincipalName

    userPrincipalName

    subjectDN

    subjectDN

    username

    username

  7. On the Summary tab, review your entries. Click Save.

Creating a policy to fulfill the policy contract chosen in the LIP

Steps

  1. Select the HTML form adapter that you created earlier and click Rules.

  2. Add Yahoo as a rule:

    1. From the Attribute Name list, select policy.action.

    2. From the Condition list, select equal to.

    3. In the Value field, enter Yahoo.

    4. In the Result field, enter Yahoo.

    5. Click Done.

    The rest of the values are optional.

  3. Under the Yahoo branch, in the Policy list, select the IdP connection that you created earlier.

  4. In the Success list, select the policy contract that you used in the LIP. Click Contract Mapping.

    Screen capture of the Yahoo branch.

  5. On the Contact Fulfillment tab, configure the following attributes.

    Attribute Value

    UPN

    name

    Email

    email

    Group Membership

    grp

    Object GUID

    objectguid

    subject

    sub

    First Name

    given_name

    DN

    dn

    Last Name

    family_name

  6. On the Summary tab, click Done.

Testing the configuration

Steps

  1. Launch an application that satisfies the newly-created policy.

    Result:

    A sign-on window opens.

    Screen capture of the Sign on window.

  2. In the Sign On With section, click Yahoo to go to the Yahoo sign-on page.

    Screen capture of the Yahoo sign on page

  3. Enter your password and click Next.

Result

After signing on, you are taken to the end application.