
This page provides instructions on how to configure the LinkedIn authenticator and the WSO2 Identity Server, using a sample app to demonstrate authentication. You can find more information in the following sections.

This is tested for the LinkedIn API version 1.0. The LinkedIn authenticator is supported by Identity Server 5.1.0 upwards.

Authenticator version 2.0.0 upwards supports LinkedIn API version 2.0.

 

Step 1 - Configure the LinkedIn App

  1. Place the authenticator .jar file into the <IS_HOME>/repository/components/dropins directory. You can download the .jar file (org.wso2.carbon.extension.identity.authenticator.linkedin.connector-x.x.x) from the WSO2 Store. Next, restart the WSO2 IS server.

    If you want to upgrade the LinkedIn authenticator (.jar) in your existing IS pack, refer to the upgrade instructions.

  2. Create a new app as described in the LinkedIn Services documentation.
    1. Navigate to the following URL:
      https://www.linkedin.com/developer/apps/new
    2. Enter the required details.
      • Enter your company details.
      • Upload an image that you wish to use as the company logo.
      • Select the checkbox to agree to the LinkedIn terms and conditions.
    3. Click Submit. You will be redirected to a page with the Client ID and Client Secret, as shown in point 5.
  3. Enter the Authorized Redirect URL in the following format and click Add.
    https://{hostname}:{port}/commonauth
    The default redirect URL in WSO2 Identity Server is - https://localhost:9443/commonauth  
  4. Click Update.
    You have now finished configuring LinkedIn. Copy the Client ID and Client Secret from the resulting page.

Step 2 - Deploy the travelocity.com sample app

The next step is to deploy the travelocity.com sample app in order to use it in this scenario.

To configure this, see deploying travelocity.com sample app.

Step 3 - Configure the identity provider (IdP)

Now you have to configure WSO2 Identity Server by adding a new identity provider.

  1. Download the WSO2 Identity Server from here and run it.
  2. Log in to the Management Console as an administrator.
  3. In the Identity Providers section under the Main tab of the management console, click Add.
  4. Enter a suitable name as the Identity Provider Name (e.g., LinkedIn).
    As our resident Identity Provider is WSO2 IS, the Alias will appear as follows - https://(host-name):(port)/oauth2/token
  5. Optionally, you can add the LinkedIn public certificate by uploading it.
    To do this, click the Browse button next to the Identity Provider Public Certificate field and upload the file from your local directory. Some browsers let you download the public certificate; if yours does not, you can skip this step.

    In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key.

  6. Navigate to the LinkedIn Authenticator  Configurations under Federated Authenticators.

  7. Enter the IdP related details as follows:

    Field: Enable
    Description: Selecting this option enables LinkedIn to be used as an authenticator for users provisioned to the Identity Server.
    Sample Value: Selected

    Field: Default
    Description: Selecting the Default checkbox signifies that LinkedIn is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.
    Sample Value: Selected

    Field: Client Id
    Description: This is a unique public identifier for apps, usually given as a 32-character hex string. Enter the client ID of the app that you created in LinkedIn.
    Sample Value: 81b05d91toz66e

    Field: Client Secret
    Description: This is a secret known only to the application and the authorization server. Enter the client secret of the app that you created in LinkedIn.
    Sample Value: otYR21HMW1PchfwZ

    Field: Callback URL
    Description: This is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/commonauth
    Sample Value: https://localhost:9443/commonauth
  8. Click Register.

You have now added the identity provider.
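Steps 1 and 3 both insist on the callback URL in exactly the form https://{hostname}:{port}/commonauth, registered on the LinkedIn side and entered as the Callback URL on the WSO2 IS side. The reason is that the relying party must compare the redirect_uri component by component and bind each login to a random state value; a lax comparison would let an authorization code be delivered somewhere other than /commonauth. The following Python script is an added illustration of that check and is not code from WSO2 IS or the LinkedIn connector. The authorization endpoint URL and the client ID value are assumptions/constructed values, not taken from this page.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed LinkedIn OAuth 2.0 authorization endpoint (not stated on the page).
AUTHORIZATION_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"

# The callback registered with LinkedIn in Step 1 and entered as Callback URL in Step 3.
REGISTERED_CALLBACK = "https://localhost:9443/commonauth"


def _normalize(url):
    """Split a URL into (scheme, lowercase host, effective port, path).

    Filling in the default port keeps the comparison exact without treating
    'https://host/commonauth' and 'https://host:443/commonauth' as different.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) callback URLs are supported")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return (parts.scheme, (parts.hostname or "").lower(), port, parts.path or "/")


def redirect_uri_matches(registered, candidate):
    """Exact-match policy for redirect_uri: every component must equal the registered value.

    A query string or fragment on the candidate is rejected outright, so a
    redirect_uri such as '.../commonauth?next=...' never passes.
    """
    c = urlsplit(candidate)
    if c.query or c.fragment:
        return False
    try:
        return _normalize(registered) == _normalize(candidate)
    except ValueError:
        return False


def build_authorization_url(client_id, state, registered_callback=REGISTERED_CALLBACK):
    """Build the authorization request that the browser is sent to.

    The redirect_uri is always the registered callback, never a caller-supplied value.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": registered_callback,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def new_state():
    """Per-login random state that binds the callback to the browser session that started it."""
    return secrets.token_urlsafe(32)


def validate_callback(callback_url, expected_state, registered_callback=REGISTERED_CALLBACK):
    """Validate the authorization response that arrives at /commonauth.

    Returns the authorization code only if the response came back on the
    registered callback URL and carries the state issued for this session.
    """
    parts = urlsplit(callback_url)
    base = parts._replace(query="", fragment="").geturl()
    if not redirect_uri_matches(registered_callback, base):
        return None
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        return None
    return code or None


if __name__ == "__main__":
    # Constructed client ID; the real value is the one copied from the LinkedIn app page.
    state = new_state()
    print(build_authorization_url("81b05d91toz66e", state))
    print(validate_callback(f"{REGISTERED_CALLBACK}?code=constructed-code&state={state}", state))
```

The host comparison is case-insensitive and the default port is filled in, but everything else (scheme, explicit port, path, absence of a query or fragment) must match literally, which is why a trailing slash or a different port on either side makes the login fail.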

Step 4 - Configure the service provider

The next step is to configure the service provider based on the WSO2 Identity Server version that you are working on.

Configuring a service provider with IS 5.3.0 upwards

  1. Return to the management console.
  2. In the Service Providers section under the Main tab, click Add.
  3. As you are using travelocity as the sample, enter travelocity.com in the Service Provider Name text box and click Register.
  4. In the Inbound Authentication Configuration section, click SAML2 Web SSO Configuration, and then click Configure.
  5. Add the service provider details as follows:
    1. Select Mode: Manual Configuration
      For more information on the SAML2 Web Single-Sign-On Configuration methods, see Configuring SAML2 Web Single-Sign-On in the WSO2 IS 5.3.0 guide.
    2. Issuer: travelocity.com
    3. Assertion Consumer URL: Enter  http://localhost:8080/travelocity.com/home.jsp  and click Add.
    4. Select the following check-boxes:
      • Enable Response Signing.
      • Enable Single Logout.
      • Enable Attribute Profile.
      • Include Attributes in the Response Always.
  6. Click Register to save the changes. Now you will be sent back to the Service Providers page.
  7. Go to the Local and Outbound Authentication Configuration section.
  8. Configure the Local and Outbound Authentication for LinkedIn.
    For more information, see Configuring Local and Outbound Authentication for a Service Provider in the WSO2 IS 5.3.0 guide.
    1. Click on the Federated Authentication radio button.
    2. Select the identity provider you created from the drop-down list under Federated Authentication.
    3. Select the following options:
      • Use tenant domain in local subject identifier.
      • Use user store domain in local subject identifier.

  9. Click Update to save the changes.

Configuring a service provider with IS 5.1.0 or IS 5.2.0

  1. Return to the management console.
  2. In the Service Providers section under the Main tab, click Add.
  3. Since you are using travelocity as the sample, enter travelocity.com in the Service Provider Name text box and click Register.
  4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
  5. Now set the configuration as follows:
    • Issuer: travelocity.com
    • Assertion Consumer URL: http://localhost:8080/travelocity.com/home.jsp
  6. Select the following check-boxes:
    • Enable Response Signing.
    • Enable Single Logout.
    • Enable Attribute Profile.
    • Include Attributes in the Response Always.
  7. Click Update to save the changes. Now you will be sent back to the Service Providers page.
  8. Go to the Local and Outbound Authentication Configuration section.
  9. Select the identity provider you created from the dropdown list under Federated Authentication.
  10. Ensure that the Federated Authentication radio button is selected and click Update to save the changes.

Step 5 - Configure claims

Add a new claim mapping for various user attributes related to LinkedIn based on the WSO2 Identity Server version that you are working on.

Configuring claims with IS 5.3.0 upwards

For more information, see Adding Claim Mapping in the WSO2 IS guide.

  1. Sign in to the Management Console by entering your username and password.
  2. In the Main menu, click Add under Claims.
  3. Click Add Claim Dialect to create the LinkedIn authenticator specific claim dialect.
  4. Specify the Dialect URI as follows:  http://wso2.org/linkedin/claims  
  5. Click Add to create the claim dialect.
  6. Map a new external claim to an existing local claim dialect.
    You need to map at least one claim under this new dialect. Therefore, let's map the claim for last name.
    1. In the Main menu, click Add under Claims.
    2. Click Add External Claim to add a new claim to the LinkedIn claim dialect.
    3. Select the Dialect URI as - http://wso2.org/linkedin/claims
    4. Enter the External Claim URI based on the following claim mapping information.
    5. Select the Mapped Local Claim based on the following claim mapping information.
      Claim mapping for last name
        Dialect URI: http://wso2.org/linkedin/claims
        External Claim URI: http://wso2.org/linkedin/claims/lastName
        Mapped Local Claim: http://wso2.org/claims/lastname
    6. Click Add to add the new external claim.

  7. Similarly, you can create claims for all the public information of the LinkedIn user by repeating step 6 with the following claim mapping information. 

    • Claim mapping for first name
      Dialect URI: http://wso2.org/linkedin/claims
      External Claim URI: http://wso2.org/linkedin/claims/firstName
      Mapped Local Claim: http://wso2.org/claims/givenname
    • Claim mapping for email
      Dialect URI: http://wso2.org/linkedin/claims
      External Claim URI: http://wso2.org/linkedin/claims/emailAddress
      Mapped Local Claim: http://wso2.org/claims/emailaddress
    • Claim mapping for industry
      Dialect URI: http://wso2.org/linkedin/claims
      External Claim URI: http://wso2.org/linkedin/claims/industry
      Mapped Local Claim: http://wso2.org/claims/organization
    • Claim mapping for headline
      Dialect URI: http://wso2.org/linkedin/claims
      External Claim URI: http://wso2.org/linkedin/claims/headline
      Mapped Local Claim: http://wso2.org/claims/title
  8. Click Update.

Configuring claims with IS 5.1.0 or IS 5.2.0

  1. Sign in to the Management Console by entering your username and password.
  2. In the Main menu, click Add under Claims.
  3. Click Add New Claim Dialect to create the LinkedIn authenticator specific claim dialect.

    Use the Dialect URI as follows:  http://wso2.org/linkedin/claims

  4. Click Add New Claim.
  5. Select the Dialect from the dropdown provided and enter the required information. You must add the following claims under the dialect http://wso2.org/linkedin/claims.

    Display Name: LastName
    Description: Claim to the last name
    Mapped Attribute: sn
    Claim URL: http://wso2.org/linkedin/claims/lastName
    Supported by Default: selected

    Display Name: First Name
    Description: Claim to the first name
    Mapped Attribute: givenName
    Claim URL: http://wso2.org/linkedin/claims/firstName
    Supported by Default: selected

    Display Name: Email Address
    Description: Claim to email address
    Mapped Attribute: mail
    Claim URL: http://wso2.org/linkedin/claims/emailAddress
    Supported by Default: selected

    Display Name: Industry
    Description: Claim to industry
    Mapped Attribute: organizationName
    Claim URL: http://wso2.org/linkedin/claims/industry
    Supported by Default: selected

    Display Name: Headline
    Description: Claim to the headline of the user
    Mapped Attribute: title
    Claim URL: http://wso2.org/linkedin/claims/headline
    Supported by Default: selected

    Likewise, you can create the claims for all the public information of the LinkedIn user.

Step 6 - Configure requested claims for travelocity.com

  1. In the Identity section under the Main tab, click List under Service Providers.
  2. Click Edit to edit the travelocity.com service provider.
  3. Go to Claim Configuration.
  4. Click Add Claim URI under Requested Claims and add the requested claims as follows.

    Add the local claims that you mapped in the identity provider claim configuration, selecting each one as the Claim URI.

    Select the Mandatory Claim checkbox for all the claim URIs that you added.

  5. Select the Subject Claim URI as  http://wso2.org/claims/emailaddress to define the authenticated user identifier that will return with the authentication response to the service provider.

  6. Click Update to save your service provider changes.
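Steps 5 and 6 together define how a LinkedIn attribute reaches travelocity.com: the external claim under http://wso2.org/linkedin/claims is mapped to a local claim, the service provider requests that local claim as mandatory, and http://wso2.org/claims/emailaddress becomes the subject identifier returned in the authentication response. The following Python script is an added illustration of that pipeline, not WSO2 IS code. It assumes that each LinkedIn attribute name equals the last path segment of its external claim URI; the sample profile values are constructed.

```python
# Claim dialect created in Step 5.
LINKEDIN_DIALECT = "http://wso2.org/linkedin/claims"

# External claim URI -> mapped local claim, exactly as listed in Step 5.
EXTERNAL_TO_LOCAL = {
    f"{LINKEDIN_DIALECT}/lastName": "http://wso2.org/claims/lastname",
    f"{LINKEDIN_DIALECT}/firstName": "http://wso2.org/claims/givenname",
    f"{LINKEDIN_DIALECT}/emailAddress": "http://wso2.org/claims/emailaddress",
    f"{LINKEDIN_DIALECT}/industry": "http://wso2.org/claims/organization",
    f"{LINKEDIN_DIALECT}/headline": "http://wso2.org/claims/title",
}

# Step 6: the requested claims for travelocity.com (all marked mandatory) and the subject claim.
REQUESTED_CLAIMS = tuple(EXTERNAL_TO_LOCAL.values())
MANDATORY_CLAIMS = REQUESTED_CLAIMS
SUBJECT_CLAIM_URI = "http://wso2.org/claims/emailaddress"


class MissingMandatoryClaim(Exception):
    """Raised when a claim marked mandatory is absent or empty after mapping."""


def to_external_claims(profile):
    """Express a LinkedIn profile as external claims under the LinkedIn dialect.

    Assumption (not from the page): each profile attribute name is the last
    path segment of the corresponding external claim URI.
    """
    return {f"{LINKEDIN_DIALECT}/{name}": value for name, value in profile.items()}


def map_to_local_claims(external_claims):
    """Apply the dialect mapping.

    External claims with no configured mapping are dropped rather than passed
    through, so attributes nobody mapped never reach the service provider.
    """
    local = {}
    for uri, value in external_claims.items():
        target = EXTERNAL_TO_LOCAL.get(uri)
        if target is not None:
            local[target] = value
    return local


def build_response_claims(profile, requested=REQUESTED_CLAIMS,
                          mandatory=MANDATORY_CLAIMS, subject_claim=SUBJECT_CLAIM_URI):
    """Produce (subject identifier, attributes) for the service provider.

    Mandatory claims are enforced before the subject is derived, so a user for
    whom LinkedIn returned no email address is never logged in with an empty subject.
    """
    local = map_to_local_claims(to_external_claims(profile))
    missing = [claim for claim in mandatory if not local.get(claim)]
    if missing:
        raise MissingMandatoryClaim(", ".join(missing))
    if not local.get(subject_claim):
        raise MissingMandatoryClaim(subject_claim)
    subject = local[subject_claim]
    attributes = {claim: local[claim] for claim in requested if claim in local}
    return subject, attributes


# Constructed sample profile; "id" has no mapping and must be dropped.
SAMPLE_PROFILE = {
    "id": "constructed-id-123",
    "firstName": "Ada",
    "lastName": "Lovelace",
    "emailAddress": "ada@example.com",
    "industry": "Computing",
    "headline": "Analyst",
}

if __name__ == "__main__":
    subject, attributes = build_response_claims(SAMPLE_PROFILE)
    print("subject:", subject)
    for claim, value in attributes.items():
        print(claim, "=", value)
```

Removing emailAddress from the sample profile makes build_response_claims raise MissingMandatoryClaim, which is the behaviour the Mandatory Claim checkbox in Step 6 asks for: the login is refused rather than completed with an incomplete identity.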

Step 7 - Test the sample

  1. To test the sample, go to the following URL: 
    http://<TOMCAT_HOST>:<TOMCAT_PORT>/travelocity.com/index.jsp
    E.g., http://localhost:8080/travelocity.com
  2. Click the link to log in with SAML from WSO2 Identity Server. You can use either the Redirect Binding or the Post Binding option.
  3. You are redirected to the LinkedIn sign in page. Enter your LinkedIn credentials.
  4. Authenticate the user by clicking Allow access.
    You are taken to the home page of the travelocity.com app.