APM as OAuth Authorization server
I am trying to figure out how to set up APM as an Authorization server for ESRI portal. Any ideas you could provide would be appreciated.
Current F5 Setup:
Running version 14.1.4.4
I have configured OAuth using guided configuration and OAuth Authorization server
OAuth profile: not using Opaque Token, as I read that can cause issues, but I have support for JWT and OpenID Connect enabled.
Client Application using OpenID Connect and Secret
I have tried different scopes but am not exactly sure what I need to define and what should be sent as part of the default openid scope.
Single Virtual server that has Access profile tied to it
Access profile with Login page, AD auth and Oauth_authorization. The profile has the OAuth profile tied to it.
ESRI setup:
I have populated Client ID and secret from client application created on F5 side
I am using default scopes (openid email and profile)
Other information:
When I try to connect I get "did not receive user profile parameter from the provider".
If I connect ESRI to Google as the provider I have no issues, so it is something I am missing in my APM config.
I have tried a bunch of the configuration guides but am not sure what I am missing.
I want to be able to use OpenID via OAuth version 2.0 that will use on-prem Active Directory identity to log in to a cloud application.
Questions:
- Is there something obvious that I am missing in order for the service provider to be able to get user profile information from APM?
- From what I read you need to define scopes, but do you need to define scopes for openid or profile?
- If so, what do you use for the value on those scopes?
Thanks
Nolan
What I have set up for F5 to work as an OAuth Authorization server with ESRI Portal.
OAuth Config
- Access > Federation > JSON Web Token > Key Configuration
  - Type: RSA and Signing Algorithm RS256
  - Make sure you give it an ID, otherwise it won't show up in the OAuth Profile drop-down list
  - Certificate: I created a self-signed cert on F5 to use for this step
- Access > Federation > OAuth Authorization Server > Scope
  - email: set scope name as email and value as nothing
  - email_verified: set scope name as email_verified and scope value of true
  - profile: set scope name as profile and value as nothing
    - Please note this is needed or you will not be able to send claims that are part of the profile scope like family_name and given_name.
- Access > Federation > OAuth Authorization Server > Claim
  - Created these claims to send the values I wanted to send
- Access > Federation > OAuth Authorization Server > Client Application
  - Grant type: Authorization code / hybrid
  - Redirect URI: You will get this from the service provider
    - You can add in whatever to create this if you don't have it yet, then go back and modify it
  - Support OpenID Connect should be checked
  - Authentication type: Secret
  - Scopes: Add all scopes created above: email, email_verified, and profile
  - Leave the default setting for Token management as enabled.
- Access > Federation > OAuth Authorization Server > Resource Server
  - Authentication Type: Secret
- Create the virtual server that will be your issuer in your OAuth profile
  - Virtual server for port 443
  - Client SSL profile that is tied to a 3rd party CA so you can include cert, key and chain for the domain that will be used
  - Create an external DNS entry to point at this VIP using the domain chosen.
- Access > Federation > OAuth Authorization Server > OAuth Profile
  - Add the client application created above to selected
  - Add the resource server created above to selected
  - Uncheck Support Opaque Token (this caused some issue when on)
  - Check JWT Token and OpenID Connect to enable them
  - Issuer: Use the domain used for the virtual server, example: https://test.domain.com
  - Subject: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}
    - I changed this from the default so that first and last name would get populated on automatic creation of the ESRI Account
  - JWT Primary Key should be set to the Key Configuration done in step one (If you don't see anything here, make sure your Key has an ID value in it from step one)
  - ID Token Primary Key should also be set to the Key Configuration done in step one (If you don't see anything here, make sure your Key has an ID value in it from step one)
  - Make sure UserInfo Primary Key is set to know
  - ID Token Claims: Add all claims created to selected
    - Note this will ensure these are sent when looking at decoded token values
  - UserInfo Claims: Add all claims created to selected
    - Note this will ensure that these values are used to create the ESRI Account
  - JWT Refresh token secret: add one
  - Authorization Server Endpoints: This is where you can get the needed URIs to add to ESRI
    - Using my issuer example above, the authorize endpoint would look like this: https://test.domain.com/f5-oauth2/v1/authorize
  - Any field not listed should be left as default
- Create Access Policy (Access > Profiles/Policies > Per Session Policies)
  - Default settings, except add the OAuth profile created above in the properties config section
  - In the Visual Policy Editor
    - Logon Page
    - I used AD Auth
    - I used AD Query to ensure I gathered the values I wanted from AD
    - OAuth Authorization
      - I chose to disable Prompt for Authorization to avoid the customer having to click authorize when logging in.
      - Add scopes to this agent
  - Once complete, add this access profile to the virtual server you created above
These are the steps and settings I used to get this working with ESRI using version 14.1.4.4; hope this helps someone else out.
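As an added troubleshooting example (not from the post above and not F5 or ESRI code), a standard-library Python script that decodes an ID token from the APM issuer and reports the misconfigurations the post warns about: a signing key without an ID (no kid in the header), an issuer mismatch, and missing or empty profile claims, which is what leaves the service provider with no user profile to create an account from. The token, the kid value and the client id are constructed, the script assumes APM places the key configuration's ID in the JWT kid header, and the signature is deliberately not verified here (do that against the issuer's RS256 key in a separate step).

```python
import base64
import json

# Claims this setup forwards for ESRI account creation (email, email_verified,
# given_name, family_name) plus the subject that OpenID Connect always requires.
REQUIRED_CLAIMS = ("sub", "email", "email_verified", "given_name", "family_name")

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))

def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWT. The signature is NOT checked;
    verify it against the issuer's RS256 key before trusting these values."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def check_id_token(token, issuer):
    """List configuration problems visible in an ID token from the APM issuer."""
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r, expected RS256 from the key configuration" % header.get("alg"))
    if not header.get("kid"):  # assumption: APM emits the key configuration ID as kid
        problems.append("no kid in header: give the key configuration an ID")
    if claims.get("iss") != issuer:
        problems.append("iss %r does not match the issuer %r" % (claims.get("iss"), issuer))
    missing = [c for c in REQUIRED_CLAIMS if claims.get(c) in (None, "")]
    if missing:
        problems.append("missing profile claims: " + ", ".join(missing))
    if "email_verified" in claims and claims["email_verified"] not in (True, "true"):
        problems.append("email_verified is not true")
    return problems

def make_sample_token(header, claims):
    """Build a constructed token with a dummy signature, for offline testing only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((enc(header), enc(claims), "dummysig"))

ISSUER = "https://test.domain.com"  # the post's example issuer
GOOD_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "esri-key"}  # constructed kid
GOOD_CLAIMS = {"iss": ISSUER, "sub": "Nolan Example", "aud": "esri-client", "email": "nolan@example.com",
               "email_verified": "true", "given_name": "Nolan", "family_name": "Example"}
BAD_CLAIMS = {"iss": ISSUER, "sub": "Nolan Example", "email": "nolan@example.com"}  # profile scope absent

if __name__ == "__main__":
    print(check_id_token(make_sample_token(GOOD_HEADER, GOOD_CLAIMS), ISSUER))  # []
    print(check_id_token(make_sample_token(GOOD_HEADER, BAD_CLAIMS), ISSUER))
```

Paste a real ID token from the browser's redirect or the APM session report in place of the constructed one to see which of the post's settings is still missing.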