APM as Oauth Authorization server

What I have setup for F5 to work as an OAuth Authorization server with ESRI Portal.  

OAuth Config

1. Access > Federation > JSON Web Token > Key Configuration
   • Type: RSA and Signing Algorithm RS256
   • Make sure you give it a ID other wise it won't show up in Oauth Profile drop down list
   • Certificate:  I created a self signed cert on F5 to use for this step
2. Access > Federation > OAuth Authorization Server > Scope
   • email:  set scope name as email and value as nothing
   • email_verified: set scope name as email_verified and scope value of true
   • profile:  set scope name as profile and value as nothing
     • Please note this is needed or you will not be able to send claims that are part of the profile scope like family_name and given_name.
3. Access > Federation > OAuth Authorization Server > Claim
   • Created these claims to send values I wanted to send
   • 
4. Access > Federation > OAuth Authorization Server > Client Application
   • Grant type: Authorization code / hybrid
   • Redirect URI:  You will get from Service providor 
     • You can add in whatever to create this if you don't have it yet then go back and modify it
   • Support OpenID Connect should be checked 
   • Authentication type: Secret
   • Scopes:  Add all scopes created above email, email_verified, and profile
   • Leave default setting for Token managment as enabled.  
5. Access > Federation > OAuth Authorization Server > Resource Server
   
   • Authentication Type: Secret
6. Create virtual server that will be your issuer in your Oauth profile
   • Virtual server for port 443
   • Client SSL profile that is to 3rd party CA so you can include cert, key and chain for domain that will be used
   • Create external dns entry to point at this VIP using domain chosen.  
7. Access > Federation > OAuth Authorization Server > OAuth Profile
   • Add client application created above to selected
   • Add resrouce server created above to selected
   • Uncheck Support Opaque Token (this caused some issue when on)
   • Check JWT Token and OpenID Connect to enable them
   • Issuer:  Use the domain used for virtual server example:  https://test.domain.com
   • Subject: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}
     • I changed this from default so that first and last name would get populated on automatic creation for ESRI Account
   • JWT Primary Key should be set to Key Configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
   • ID Token Primary Key should also be set to Key configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
   • Make sure UserInfo Primary Key is set to know
   • ID Token Claims:  Add all Claims created to selected
     • Note this will ensure these are sent when looking at decoded token values
   • UserInfo Claims:  Add all Claims created to selected
     • Note this will ensure that these values are used to create ESRI Account
   • JWT Refresh token secret:  add one
   • Authorization Server Endpoints:  This is where you can get needed uri's to add to ESRI 
     
     • Using my issuer example above it would look like this for endpoint https://test.domain.com/f5-oauth2/v1/authorize
   • any field not listed should be left as default
8. Creat Access Policy (Access > Profiles/Policies > Per Session Policies 
   • Default settings except for add Oauth profile created above to properties config section
   • In VIsual Policy editor
   • Logon Page
   • I used AD Auth 
   • I used AD Query to ensure I gathiered values I wanted from AD
   • 

      

   • Oauth Authorization
     • I chose to disable Prompt for Authoriation to avoide customer from having to click authorize when logging in.
     • Add scopes to this Agent
     • 

        

     • Once complete add this access profile to the virtual server you created above

These are the steps and settings I used to get this working with ESRI using version 14.1.4.4, hope this helps someone else out.