Forum Discussion

Nolan_Jensen's avatar
Nolan_Jensen
Icon for Cirrostratus rankCirrostratus
Feb 15, 2022

APM as Oauth Authorization server

I am trying to figure out how to setup APM as an Authorization server for ESRI portal.  Any ideas you could provide would be appreciated.  

Current F5 Setup:

Running version 14.1.4.4
I have configured Oauth using guided configure and OAuth Authorization server
Oauth profile:  Is not using Opaque Token as I read that can cause issues but I am using support for JWT and OpenID connect enabled.  
Client Application using OpenID Connect and Secret
I have tried different scopes but not exactly sure what I need to define and what should be sent as part of default openID. 
Single Virtual server that has Access profile tied to it
Access profile with Login page, AD auth and Oauth_authorization.  Profile has Oauth profile tied to it.  

ESRI setup:

I have populated Client ID and secret from client application created on F5 side
I am using default scopes (openid email and profile)

Other information:

When I try to connect I get did not receive user profile parameter from the provider
If I connect ESRI to google as the providor I have no issues so it is something I am missing on my APM config.  
I have tried a bunch of the configuration guides but not sure what I am missing. 

Want to be able to use openid via oauth version 2.0 that will use on prem Active directory idenity to login to a cloud application.

Questions:

  1. Is there something obvious that I am missing in order for the service providor to be able to get user profile information from apm?
  2. From what I read you need to defind scopes but do you need to defind scopes for openid or profile?
  3. If so what do you use for the value on those scopes?

Thanks

Nolan

  • What I have setup for F5 to work as an OAuth Authorization server with ESRI Portal.  

    OAuth Config

    1. Access > Federation > JSON Web Token > Key Configuration
      • Type: RSA and Signing Algorithm RS256
      • Make sure you give it a ID other wise it won't show up in Oauth Profile drop down list
      • Certificate:  I created a self signed cert on F5 to use for this step
    2. Access > Federation > OAuth Authorization Server > Scope
      • email:  set scope name as email and value as nothing
      • email_verified: set scope name as email_verified and scope value of true
      • profile:  set scope name as profile and value as nothing
        • Please note this is needed or you will not be able to send claims that are part of the profile scope like family_name and given_name.
    3. Access > Federation > OAuth Authorization Server > Claim
      • Created these claims to send values I wanted to send
    4. Access > Federation > OAuth Authorization Server > Client Application
      • Grant type: Authorization code / hybrid
      • Redirect URI:  You will get from Service providor 
        • You can add in whatever to create this if you don't have it yet then go back and modify it
      • Support OpenID Connect should be checked 
      • Authentication type: Secret
      • Scopes:  Add all scopes created above email, email_verified, and profile
      • Leave default setting for Token managment as enabled.  
    5. Access > Federation > OAuth Authorization Server > Resource Server
      • Authentication Type: Secret
    6. Create virtual server that will be your issuer in your Oauth profile
      • Virtual server for port 443
      • Client SSL profile that is to 3rd party CA so you can include cert, key and chain for domain that will be used
      • Create external dns entry to point at this VIP using domain chosen.  
    7. Access > Federation > OAuth Authorization Server > OAuth Profile
      • Add client application created above to selected
      • Add resrouce server created above to selected
      • Uncheck Support Opaque Token (this caused some issue when on)
      • Check JWT Token and OpenID Connect to enable them
      • Issuer:  Use the domain used for virtual server example:  https://test.domain.com
      • Subject: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}
        • I changed this from default so that first and last name would get populated on automatic creation for ESRI Account
      • JWT Primary Key should be set to Key Configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
      • ID Token Primary Key should also be set to Key configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
      • Make sure UserInfo Primary Key is set to know
      • ID Token Claims:  Add all Claims created to selected
        • Note this will ensure these are sent when looking at decoded token values
      • UserInfo Claims:  Add all Claims created to selected
        • Note this will ensure that these values are used to create ESRI Account
      • JWT Refresh token secret:  add one
      • Authorization Server Endpoints:  This is where you can get needed uri's to add to ESRI 
      • any field not listed should be left as default
    8. Creat Access Policy (Access > Profiles/Policies > Per Session Policies 
      • Default settings except for add Oauth profile created above to properties config section
      • In VIsual Policy editor
      • Logon Page
      • I used AD Auth 
      • I used AD Query to ensure I gathiered values I wanted from AD
      •  

      • Oauth Authorization
        • I chose to disable Prompt for Authoriation to avoide customer from having to click authorize when logging in.
        • Add scopes to this Agent
        •  

        • Once complete add this access profile to the virtual server you created above

    These are the steps and settings I used to get this working with ESRI using version 14.1.4.4, hope this helps someone else out.  

  • What I have setup for F5 to work as an OAuth Authorization server with ESRI Portal.  

    OAuth Config

    1. Access > Federation > JSON Web Token > Key Configuration
      • Type: RSA and Signing Algorithm RS256
      • Make sure you give it a ID other wise it won't show up in Oauth Profile drop down list
      • Certificate:  I created a self signed cert on F5 to use for this step
    2. Access > Federation > OAuth Authorization Server > Scope
      • email:  set scope name as email and value as nothing
      • email_verified: set scope name as email_verified and scope value of true
      • profile:  set scope name as profile and value as nothing
        • Please note this is needed or you will not be able to send claims that are part of the profile scope like family_name and given_name.
    3. Access > Federation > OAuth Authorization Server > Claim
      • Created these claims to send values I wanted to send
    4. Access > Federation > OAuth Authorization Server > Client Application
      • Grant type: Authorization code / hybrid
      • Redirect URI:  You will get from Service providor 
        • You can add in whatever to create this if you don't have it yet then go back and modify it
      • Support OpenID Connect should be checked 
      • Authentication type: Secret
      • Scopes:  Add all scopes created above email, email_verified, and profile
      • Leave default setting for Token managment as enabled.  
    5. Access > Federation > OAuth Authorization Server > Resource Server
      • Authentication Type: Secret
    6. Create virtual server that will be your issuer in your Oauth profile
      • Virtual server for port 443
      • Client SSL profile that is to 3rd party CA so you can include cert, key and chain for domain that will be used
      • Create external dns entry to point at this VIP using domain chosen.  
    7. Access > Federation > OAuth Authorization Server > OAuth Profile
      • Add client application created above to selected
      • Add resrouce server created above to selected
      • Uncheck Support Opaque Token (this caused some issue when on)
      • Check JWT Token and OpenID Connect to enable them
      • Issuer:  Use the domain used for virtual server example:  https://test.domain.com
      • Subject: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}
        • I changed this from default so that first and last name would get populated on automatic creation for ESRI Account
      • JWT Primary Key should be set to Key Configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
      • ID Token Primary Key should also be set to Key configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
      • Make sure UserInfo Primary Key is set to know
      • ID Token Claims:  Add all Claims created to selected
        • Note this will ensure these are sent when looking at decoded token values
      • UserInfo Claims:  Add all Claims created to selected
        • Note this will ensure that these values are used to create ESRI Account
      • JWT Refresh token secret:  add one
      • Authorization Server Endpoints:  This is where you can get needed uri's to add to ESRI 
      • any field not listed should be left as default
    8. Creat Access Policy (Access > Profiles/Policies > Per Session Policies 
      • Default settings except for add Oauth profile created above to properties config section
      • In VIsual Policy editor
      • Logon Page
      • I used AD Auth 
      • I used AD Query to ensure I gathiered values I wanted from AD
      •  

      • Oauth Authorization
        • I chose to disable Prompt for Authoriation to avoide customer from having to click authorize when logging in.
        • Add scopes to this Agent
        •  

        • Once complete add this access profile to the virtual server you created above

    These are the steps and settings I used to get this working with ESRI using version 14.1.4.4, hope this helps someone else out.  

  • I got this working and when time allows I will post more detail for the next person.  

  • I got this working but the claims it is sending are not being populated on the ESRI side correctly and I am not sure why.  

    My main issue was my client ssl profile tied to my virtuial server didn't have a intermediate cert configured so was failing to send user profile.  

    In order for this to work I am using automatically create account on login which I see is setting the username to what looks like the openID unquie identifier.  

    Does anyone know how I can force this to username instead of this value?

    From what I read username should be included in the profile scope but onlything that seems to be going by default is sub from openID scopes which is set to the value I have in the Oauth profile Subject (so for me it happens to be first and lastname)

    I have tried creating email and username scopes and claims, which I can see get sent in the token but not able to populate needed values on the esri side.

    Anythoughts?  

    Thanks