
Step by Step: Facebook partnership

Blog Post created by SungHoon_Kim Employee on Oct 31, 2016

We already have a runbook for this at the following URL.

https://support.ca.com/phpdocs/1/8231/runbooks/CASM-FacebookIDPFederationRunbook-ver1.pdf

This guide gives complete step-by-step instructions for successfully setting up Facebook login.

The Facebook-side layout has changed and may not appear exactly as in the ver1 runbook above.

There is one prerequisite: your SPS must use a publicly trusted SSL certificate.

In this sample, my certificate is issued by COMODO.

Secondly, register a developer account at Facebook.

https://developers.facebook.com

If you already have existing apps, you can go directly to the app and configure it, but in this sample I have no existing apps.

You can click on “Create App” to start.

Or, if you click “Tools & Support” – “Access Token Tool”, it will also ask you to create an app.

Select "create a new app".

Click on "Create a New App".

Enter your preferred Display Name for the app and your email address, and select the category of your app.

Facebook does not accept "face" or "book" in the display name.

Now you have an App ID. This is referred to as the "Client ID", so note it down.

Click on the “Get Started” button for "Facebook Login".

Under "Facebook Login" - "Settings", enter the following URL in "Valid OAuth redirect URIs".

https://<yourFQHN>/affwebservices/public/oauthtokenconsumer/facebook<APPID>

In my case it is:

https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086

Ensure "Client OAuth Login" and "Web OAuth Login" are enabled.

Go to "Dashboard" and you will find your "App Secret", which is generated automatically for you.

You can click on the "Show" button to view the "App Secret" value in clear text.

Next, go to "Settings" - "Basic" and review the configuration.

If all the configuration looks good, you need to make this app “public”.

Depending on the App Category, you may need to submit it for approval; I did not need to do that.

Note down the following info from the Facebook app.

App ID: 809210785886086

App Secret: *********** (your actual App Secret value would be a hexadecimal string)

Valid OAuth redirect URIs: https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086

Log on to the AdminUI and create a local entity (OAuth Client).

The EntityID is "Facebook-" followed by the App ID, i.e. "Facebook-<App ID>".

The Disambiguation ID is "facebook<AppID>".

You only need to create the OAuth Client, as there is a predefined “FacebookAuthorizationServer” entity.

If you look at the “FacebookAuthorizationServer” entity, you will find the predefined URLs, and its EntityID is “Facebook”.

Create Partnership

Select the respective entities.

While selecting them from the dropdown menu you will see the “Entity Name”, but later the partnership displays the “Entity ID”.

The following screen is after the partnership is saved; it shows the EntityID, not the Name.

Note the “Remote AuthZ Server ID”, which is the EntityID.

You will need to specify it when making a request for this use case.

You can request that more user information be sent.

From the claims, you will use the email value for user disambiguation.

The runbook shows only https://graph.facebook.com/me?, but you can specify the fields to get more information (claims).

In the sample below, I am using "https://graph.facebook.com/me?fields=id,name,first_name,last_name,email".
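As an added example (my own code, not part of the original post and not CA's or Facebook's code), the following Python shows why the fields parameter matters for disambiguation: it builds the userinfo URL from the field list used in this post, reads constructed sample /me responses shaped like Graph API output, and matches the email claim against a constructed local user store, distinguishing a found user, a user that is not found (the case the "User Not Found" redirect later in this post deals with), and a response that carries no email claim at all. The user store, the user records and the response bodies are assumptions made for the example.

```python
import json

# Base URL from the runbook; the field list is the one used in this post.
USERINFO_BASE = "https://graph.facebook.com/me"
FIELDS = ["id", "name", "first_name", "last_name", "email"]

# Constructed local user store (assumption): lower-cased mail attribute -> user record.
LOCAL_USERS = {
    "jane.example@example.com": {"uid": "jexample",
                                 "dn": "uid=jexample,ou=people,dc=example,dc=com"},
}

# Constructed sample bodies shaped like Graph API /me output (not captured from Facebook).
# Without fields=... the response carries only id and name, so there is nothing to disambiguate on.
ME_NO_FIELDS = json.dumps({"id": "10150000000000001", "name": "Jane Example"})
ME_WITH_FIELDS = json.dumps({"id": "10150000000000001", "name": "Jane Example",
                             "first_name": "Jane", "last_name": "Example",
                             "email": "Jane.Example@example.com"})
ME_UNKNOWN_USER = json.dumps({"id": "10150000000000002", "name": "Nobody Known",
                              "first_name": "Nobody", "last_name": "Known",
                              "email": "nobody@example.com"})


def userinfo_url(fields=FIELDS) -> str:
    """Build the Graph API userinfo URL; the fields are comma-separated in one query parameter."""
    return f"{USERINFO_BASE}?fields={','.join(fields)}"


def disambiguate(userinfo_body: str, users: dict) -> dict:
    """Map the claims returned by /me to a local user by email (the disambiguation attribute in this post)."""
    claims = json.loads(userinfo_body)
    email = claims.get("email")
    if not email:
        # Happens when 'email' was not requested via fields= or the email scope was not granted.
        return {"outcome": "no_email_claim", "claims": sorted(claims)}
    # Mail addresses are matched case-insensitively, so normalise before the lookup.
    record = users.get(email.strip().lower())
    if record is None:
        # This is the situation the "User Not Found" / "User Provision" redirect is meant to handle.
        return {"outcome": "user_not_found", "email": email}
    return {"outcome": "found", "uid": record["uid"], "dn": record["dn"], "facebook_id": claims["id"]}


if __name__ == "__main__":
    print("userinfo URL:", userinfo_url())
    for label, body in (("no fields", ME_NO_FIELDS), ("with fields", ME_WITH_FIELDS),
                        ("unknown user", ME_UNKNOWN_USER)):
        print(f"{label}: {disambiguate(body, LOCAL_USERS)}")
```

Running the block prints the three outcomes side by side; the first one (no email claim) is the one you get if the partnership's userinfo URL is left at the bare /me? shown in the runbook.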

 

The Client Authentication ID is the App ID 809210785886086.

DO NOT CONFUSE THIS WITH the “Client Token” at Facebook.

Activate the partnership.

You need to have a matching user in your local user store.

Test federation.

There is one requirement to this…

www.kimlabs.net should be using a publicly trusted SSL certificate, which I don't have.

The test URL format is:

https://<YourFQDN>/affwebservices/public/oauthtokenconsumer/<disambiguationID>?AuthzServerID=<RemoteEntityID>

In my case, it would be:

https://www.kimlabs.net/affwebservices/public/oauthtokenconsumer/facebook809210785886086?AuthzServerID=Facebook

You will be redirected to https://www.facebook.com/login.php

The actual URL is as below.

https://www.facebook.com/login.php?skip_api_login=1&api_key=809210785886086&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv2.8%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Fwww.kimlabs.net%252Faffwebservices%252Fpublic%252Foauthtokenconsumer%252Ffacebook809210785886086%26state%3D15fc2397-1106ecfb-98b54ac7-cd315dcc-45d84600-a60%26scope%3Demail%26response_type%3Dcode%26client_id%3D809210785886086%26ret%3Dlogin%26logger_id%3De4c3e8e5-bba5-41a8-a981-1ac358c132aa&cancel_url=https%3A%2F%2Fwww.kimlabs.net%2Faffwebservices%2Fpublic%2Foauthtokenconsumer%2Ffacebook809210785886086%3Ferror%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%26state%3D15fc2397-1106ecfb-98b54ac7-cd315dcc-45d84600-a60%23_%3D_&display=page&locale=en_GB&logger_id=e4c3e8e5-bba5-41a8-a981-1ac358c132aa

 

Enter your Facebook credentials.

If everything was configured correctly, you will be redirected to your TARGET URL as below.

I am attaching sample logs for your reference.

<<Facebook_FWSTrace.log>>

<<Facebook_smtracedefault.log>>

I am intentionally setting the test user's email to a wrong value so that the user would not be found.

So, I am getting the following error although I have configured the "User Not Found" redirect in the partnership.

Sample logs below.

<<UserNotFound_FWSTrace.log>>

<<UserNotFound_smtracedefault.log>>

Update: Engineering provided a devfix (tested on R12.52SP1CR5 and CR6) for this, and I was able to test and confirm that the UserNotFound redirect is working.

A fix will be released in a future release. Please open a support ticket if you are experiencing this problem and urgently need a devfix.

Or, you can proceed with the workaround below.

So, if you want to redirect to a more meaningful page when the user is not found in your local user store, use the “User Provision” option to redirect to a page that explains the situation or tells the user to contact the administrator.

You have 3 options to create:

Open-format Cookie: a cookie with the specified name is created, and its value is encrypted.

Open-format Cookie Post: POSTDATA with the specified name is sent, and its value is encrypted.

HTTP Headers: this still generates a cookie called SMSAMLDATA, and its value is encrypted.

If your remote provisioning server has a webagent on it, you can select the "HTTP Headers" option; you will then need to enable the SAMLData plugin in the WebAgent.conf file to decrypt the SAMLDATA cookie and set its values as headers.

More info in the next article.

If you need to decrypt the Open-format Cookie, you can install the federation SDK (.NET or Java), which comes with samples.

For Java, there is a KB article you can refer to.

https://communities.ca.com/community/ca-security/blog/2016/10/04/tech-tip-ca-single-sign-on-policy-serverhow-to-decrypt-federation-open-format-cookie-java

For .NET, the kit is 32-bit only.

https://support.ca.com/irj/portal/solncdndtls?aparNo=RS89893&os=WINDOWS&fc=16&actionID=3

Once you install it, go to the "<InstallRoot>\sdk\dotnet\testapp" folder, where you will find the sample aspx files.

You can also find the web.config file for the configuration.

More information is available in the README.txt file in that folder as well.

You need to copy the CA.Federation.FedIdentitySdk.dll file, as instructed in the README.txt file, to get it working.

Refer to the documentation below.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/programming/federation-net-sdk-guidance/installation-of-the-net-sdk

Good luck!

You will find more information in the next article: Step by Step: Facebook partnership 2