15-Feb-2022 10:33
I am trying to figure out how to set up APM as an Authorization server for ESRI portal. Any ideas you could provide would be appreciated.
Current F5 Setup:
Running version 14.1.4.4
I have configured Oauth using guided configure and OAuth Authorization server
OAuth profile: is not using Opaque Token, as I read that can cause issues, but I have support for JWT and OpenID Connect enabled.
Client Application using OpenID Connect and Secret
I have tried different scopes but not exactly sure what I need to define and what should be sent as part of default openID.
Single Virtual server that has Access profile tied to it
Access profile with Login page, AD auth and Oauth_authorization. Profile has Oauth profile tied to it.
ESRI setup:
I have populated Client ID and secret from client application created on F5 side
I am using default scopes (openid email and profile)
Other information:
When I try to connect I get "did not receive user profile parameter from the provider".
If I connect ESRI to Google as the provider I have no issues, so it is something I am missing on my APM config.
I have tried a bunch of the configuration guides but am not sure what I am missing.
I want to be able to use OpenID via OAuth version 2.0 so that an on-prem Active Directory identity can be used to log in to a cloud application.
Questions:
Thanks
Nolan
23-Feb-2022 10:25
What I have setup for F5 to work as an OAuth Authorization server with ESRI Portal.
OAuth Config
These are the steps and settings I used to get this working with ESRI using version 14.1.4.4, hope this helps someone else out.
16-Feb-2022 14:27
I got this working but the claims it is sending are not being populated on the ESRI side correctly and I am not sure why.
My main issue was that the client SSL profile tied to my virtual server didn't have an intermediate cert configured, so it was failing to send the user profile.
In order for this to work I am using "automatically create account on login", which I see is setting the username to what looks like the OpenID unique identifier.
Does anyone know how I can force this to the username instead of this value?
From what I read, username should be included in the profile scope, but the only thing that seems to be going by default is sub from the openid scope, which is set to the value I have in the OAuth profile Subject (so for me it happens to be first and last name).
I have tried creating email and username scopes and claims, which I can see get sent in the token, but I am not able to populate the needed values on the ESRI side.
Any thoughts?
Thanks
18-Feb-2022 08:19
Thanks for the response. So are you saying that you think the OpenID unique identifier that is being set as my ESRI username is the authorization code?
I have the authentication working since my original post just not sure how to get all the claims I want to pass to correct fields when creating my esri profile.
Example:
email claim will populate Email Address on user profile
preferred_username claim will populate Username on user profile.
The only ones I can get to work are First and Last Name, which are getting populated via the OAuth profile subject that I have set to these variables: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}.
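As an added example (not the poster's code and not an F5 or ESRI tool), the check below does what this troubleshooting step needs: it verifies an id_token's signature and then lists which of the claims the post maps on the ESRI side (sub, email, preferred_username) are missing or empty, which is exactly the situation where only sub arrives. It assumes an HS256-signed token and a constructed demo key so it runs offline; a token signed by APM with RS256 would need the JWKS key and an RSA verification instead.

```python
import base64
import hashlib
import hmac
import json

# Claims the thread needs ESRI Portal to consume when auto-creating an account:
# email -> Email Address, preferred_username -> Username; sub is mandatory in OIDC.
REQUIRED_CLAIMS = ("sub", "email", "preferred_username")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 JWT and return its claims; ValueError on bad input or signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg switch
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))

def missing_profile_claims(claims: dict) -> list:
    """Return the ESRI-relevant claims that are absent or empty in the id_token."""
    return [c for c in REQUIRED_CLAIMS if not claims.get(c)]

def make_test_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token for offline testing (not an APM-issued token)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder, not a real APM signing key
    # Constructed token mirroring the thread: only sub (first + last name) is present.
    tok = make_test_token({"sub": "Jane Doe", "iss": "https://apm.example.test"}, key)
    print("missing:", missing_profile_claims(verify_hs256(tok, key)))
```

Paste a real id_token from the browser's OIDC callback in place of the constructed one to see which claims the APM scopes actually emit before the ESRI side tries to map them.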
18-Feb-2022 09:49
I got this working and when time allows I will post more detail for the next person.