APM as Oauth Authorization server

Nolan_Jensen
Cirrostratus

I am trying to figure out how to set up APM as an Authorization server for ESRI portal. Any ideas you could provide would be appreciated.

Current F5 Setup:

  • Running version 14.1.4.4
  • I have configured OAuth using guided configuration and OAuth Authorization server
  • OAuth profile: is not using Opaque Token, as I read that can cause issues, but I have support for JWT and OpenID Connect enabled.
  • Client Application using OpenID Connect and Secret
  • I have tried different scopes but am not exactly sure what I need to define and what should be sent as part of default OpenID.
  • Single Virtual server that has an Access profile tied to it
  • Access profile with Login page, AD auth and OAuth_authorization. Profile has the OAuth profile tied to it.

ESRI setup:

  • I have populated Client ID and secret from the client application created on the F5 side
  • I am using default scopes (openid, email and profile)

Other information:

  • When I try to connect I get "did not receive user profile parameter from the provider"
  • If I connect ESRI to Google as the provider I have no issues, so it is something I am missing in my APM config.
  • I have tried a bunch of the configuration guides but am not sure what I am missing.

I want to be able to use OpenID via OAuth version 2.0 that will use on-prem Active Directory identity to log in to a cloud application.

Questions:

  1. Is there something obvious that I am missing in order for the service provider to be able to get user profile information from APM?
  2. From what I read you need to define scopes, but do you need to define scopes for openid or profile?
  3. If so, what do you use for the value on those scopes?

Thanks

Nolan

1 ACCEPTED SOLUTION

Nolan_Jensen
Cirrostratus

What I have set up for F5 to work as an OAuth Authorization server with ESRI Portal.

OAuth Config

  1. Access > Federation > JSON Web Token > Key Configuration
    • Type: RSA and Signing Algorithm RS256
    • Make sure you give it an ID, otherwise it won't show up in the OAuth Profile drop-down list
    • Certificate:  I created a self signed cert on F5 to use for this step
  2. Access > Federation > OAuth Authorization Server > Scope
    • email:  set scope name as email and value as nothing
    • email_verified: set scope name as email_verified and scope value of true
    • profile:  set scope name as profile and value as nothing
      • Please note this is needed or you will not be able to send claims that are part of the profile scope like family_name and given_name.
  3. Access > Federation > OAuth Authorization Server > Claim
    • Created these claims to send values I wanted to send
    • (screenshot: claim configuration; image not included)
  4. Access > Federation > OAuth Authorization Server > Client Application
    • Grant type: Authorization code / hybrid
    • Redirect URI: You will get this from the Service provider
      • You can add in whatever to create this if you don't have it yet then go back and modify it
    • Support OpenID Connect should be checked 
    • Authentication type: Secret
    • Scopes:  Add all scopes created above email, email_verified, and profile
    • Leave default setting for Token management as enabled.
  5. Access > Federation > OAuth Authorization Server > Resource Server
    • Authentication Type: Secret
  6. Create virtual server that will be your issuer in your Oauth profile
    • Virtual server for port 443
    • Client SSL profile that is to 3rd party CA so you can include cert, key and chain for domain that will be used
    • Create external dns entry to point at this VIP using domain chosen.  
  7. Access > Federation > OAuth Authorization Server > OAuth Profile
    • Add client application created above to selected
    • Add resource server created above to selected
    • Uncheck Support Opaque Token (this caused some issue when on)
    • Check JWT Token and OpenID Connect to enable them
    • Issuer:  Use the domain used for virtual server example:  https://test.domain.com
    • Subject: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}
      • I changed this from default so that first and last name would get populated on automatic creation for ESRI Account
    • JWT Primary Key should be set to Key Configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
    • ID Token Primary Key should also be set to Key configuration done in step one (If you don't see anything here make sure your Key has an ID value in it from step one)
    • Make sure UserInfo Primary Key is set to know
    • ID Token Claims:  Add all Claims created to selected
      • Note this will ensure these are sent when looking at decoded token values
    • UserInfo Claims:  Add all Claims created to selected
      • Note this will ensure that these values are used to create ESRI Account
    • JWT Refresh token secret:  add one
    • Authorization Server Endpoints:  This is where you can get needed uri's to add to ESRI 
    • any field not listed should be left as default
  8. Create Access Policy (Access > Profiles/Policies > Per Session Policies)
    • Default settings except for adding the OAuth profile created above to the properties config section
    • In Visual Policy Editor:
    • Logon Page
    • I used AD Auth
    • I used AD Query to ensure I gathered the values I wanted from AD
    • (screenshot: access policy in the Visual Policy Editor; image not included)
    • OAuth Authorization
      • I chose to disable Prompt for Authorization to avoid customers having to click authorize when logging in.
      • Add scopes to this Agent
      • (screenshot: OAuth Authorization agent scopes; image not included)
      • Once complete, add this access profile to the virtual server you created above

These are the steps and settings I used to get this working with ESRI using version 14.1.4.4, hope this helps someone else out.  


4 REPLIES

Nolan_Jensen
Cirrostratus

I got this working but the claims it is sending are not being populated on the ESRI side correctly and I am not sure why.  

My main issue was that my client SSL profile tied to my virtual server didn't have an intermediate cert configured, so it was failing to send the user profile.

In order for this to work I am using "automatically create account on login", which I see is setting the username to what looks like the OpenID unique identifier.

Does anyone know how I can force this to username instead of this value?

From what I read, username should be included in the profile scope, but the only thing that seems to be going by default is sub from the openid scope, which is set to the value I have in the OAuth profile Subject (so for me it happens to be first and last name).

I have tried creating email and username scopes and claims, which I can see get sent in the token but not able to populate needed values on the esri side.

Any thoughts?

Thanks

 

Thanks for the response. So are you saying that you think the OpenID unique identifier that is being set as my ESRI username is the authorization code?

I have the authentication working since my original post just not sure how to get all the claims I want to pass to correct fields when creating my esri profile.

Example:
email claim will populate Email Address on user profile
preferred_username claim will populate Username on user profile.

The only ones I can get to work are First and Last Name, which are getting populated via the OAuth profile Subject that I have set to these variables: %{session.ad.last.attr.givenName} %{session.ad.last.attr.sn}.
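The remaining problem in this thread is which claims actually reach the relying party: the ID Token Claims and UserInfo Claims settings in step 7 of the accepted solution, and the email / preferred_username mapping asked about in the reply above. The following is an added example, not code from the thread or from F5: a stand-alone Go program that mints an RS256-signed ID token carrying the claims described, then validates it the way a relying party such as ESRI Portal would before creating an account from it (signature against the issuer's key, iss, aud, exp, and presence of every claim the account fields need). The issuer URL, client ID, key configuration ID ("apm-key-config-1") and the user attributes are constructed values; the real claim names are whatever was configured under Access > Federation > OAuth Authorization Server > Claim.

```go
// Added example (not code from the thread or from F5); issuer, client ID, kid and user values are constructed.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-ins for the OAuth profile Issuer and the ESRI client application ID.
const issuer, clientID = "https://test.domain.com", "esri-client-id-placeholder"

// Claims account creation needs: email -> Email Address, preferred_username -> Username, names from the profile scope.
var requiredClaims = []string{"sub", "email", "preferred_username", "given_name", "family_name"}
var b64 = base64.RawURLEncoding

// mintIDToken signs header.payload with RS256 (PKCS#1 v1.5 over SHA-256); kid is the key
// configuration ID the post says must be set for the key to be selectable in the profile.
func mintIDToken(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken accepts RS256 only, checks the signature, iss, aud and exp, then reports which
// required claims are absent. Claims are returned only when every check passes.
func verifyIDToken(token string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not header.payload.signature")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // missing exp decodes as 0 and fails closed below
	if claims["iss"] != issuer || claims["aud"] != clientID || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("iss/aud are not for this client, or the token has expired")
	}
	var missing []string
	for _, c := range requiredClaims {
		if v, _ := claims[c].(string); v == "" {
			missing = append(missing, c)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("claims missing (check ID Token Claims / UserInfo Claims in the OAuth profile): %v", missing)
	}
	return claims, nil
}

// runScenario issues and verifies a token for a constructed AD user; withUsername=false reproduces
// the thread's symptom: a token that verifies but cannot populate the Username field.
func runScenario(withUsername bool) (map[string]any, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	claims := map[string]any{
		"iss": issuer, "aud": clientID, "exp": time.Now().Add(5 * time.Minute).Unix(),
		"sub": "Nolan Jensen", // Subject as the post composes it from givenName and sn
		"given_name": "Nolan", "family_name": "Jensen", "email": "nolan@example.com", "email_verified": true,
	}
	if withUsername {
		claims["preferred_username"] = "njensen"
	}
	token, err := mintIDToken(key, "apm-key-config-1", claims)
	if err != nil {
		return nil, err
	}
	return verifyIDToken(token, &key.PublicKey, time.Now())
}

func main() {
	for _, withUsername := range []bool{true, false} {
		claims, err := runScenario(withUsername)
		fmt.Printf("withUsername=%v accepted=%v err=%v\n", withUsername, claims != nil, err)
	}
}
```

The first pass is accepted with preferred_username and email available for the account fields; the second leaves preferred_username out and is rejected with a message naming the missing claim, which is the situation the reply describes. To inspect a token actually issued by APM, run its three base64url parts through the same decode path, but verify the signature with the issuer's published public key rather than a locally generated one, and treat the token as untrusted until that verification passes.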

Nolan_Jensen
Cirrostratus

I got this working and when time allows I will post more detail for the next person.  
