Domains

Configure authentication domains for APIs defined in the platform.

Table of Contents

  1. How does the authentication provider configuration process work?
  2. What domain types are supported?
  3. How do I configure a Platform Login (Default) domain?
  4. How do I configure a Facebook Connector domain?
  5. How do I set up and configure an OAuth Provider domain?
  6. How do I configure an OpenID Relying Party domain?
  7. How do I configure an LDAP domain?
  8. How do I configure a CA SiteMinder domain?
  9. How do I configure access permissions for OpenID?
  10. What is an Authorization Server URL?
  11. How do I set up a platform deployment to support a third-party provider?
  12. How do I modify a domain?
  13. How do I delete a domain?
  14. How do I set up a connector domain?
  15. How do I set up the platform to log in with Facebook?
  16. How do I set up the platform to log in with Google?
  17. How do I set up the platform to log in with CA SiteMinder?
  18. How do I set up the platform to log in with LDAP?

How does the authentication provider configuration process work?

The platform provides a series of add-on features that provide authentication support for APIs. The platform currently supports OAuth and OpenID Provider types.

Here's how the provider type configuration process works:

Back to top

What domain types are supported?

The platform domain types can be used to log into the platform, or can be configured with an OAuth Provider. After each domain is installed, entries will show in the platform as follows:

The following domains are supported:

How do I configure a Platform Login (Default) domain?

This login domain type allows users to log in via the default platform login page using Email Address and Password credentials.

Note: The Platform Login (Default) domain is automatically generated, cannot be deleted, and will not display in the Resource Owner Authentication Domain drop-down menu of an OAuth Provider domain.

Installation Method:

The default platform login is automatically added and enabled as part of the platform default installation.

This option can be disabled if another login approach is used by deselecting the "Enable" checkbox for this login line item in the Site Administrator > Config > Logins section.

Documentation:

See the Site Admin > Config > Logins sections of the Community Manager online help for more information.

Back to top

How do I configure a Facebook Connector domain?

The Facebook Connector domain allows users to log into the platform using Facebook credentials.

Installation Method:

A Facebook Connector domain option is installed (by default) to the Site Administration > Domains section of your platform deployment.

Using the Add Domain function, Site Administrators can select the Facebook Connector domain type. This launches the Add Connector Domain Wizard where you can assign an App ID and App Secret, then enable the domain in the Site Administrator > Config > Logins section.

Documentation:

See the Site Admin > Domains and Site Admin > Config sections of the platform online help for more information.

Back to top

How do I set up and configure an OAuth Provider domain?

The SOA Software Community Manager OAuth Provider feature is an SOA Software Community Manager add-on for the OAuth Provider. This domain type allows you to select a Resource Owner Authentication Domain (for the login process), and configure grant types, access tokens, grant properties, and branding.

Installation:

The feature is installed via the SOA Software Administration Console and installs on top of the SOA Software Community Manager feature.

It installs the OAuth Provider domain to the Site Administration > Domains section of your platform deployment.

Using the Add Domain function, Site Administrators can select the OAuth Provider domain type to configure the domain. The domain is then available on the Edit OAuth Details page on the API Details page where you can customize the OAuth configuration for an API.

Note: This domain type adds the OAuth Provider domain option to the "Select Domain Type" menu and is not posted as a Login option in the Site Administration > Config > Logins section.

Configuration:

After defining your access permissions domain, the next step is to configure one or more OAuth Provider domains that represent the OAuth authentication use case types the APIs in your platform deployment will support.

To configure an OAuth Provider domain:
  1. Click the Administration quick filter (wrench icon). The Site Administration page displays.
  2. Click Domains. The Domains Summary page displays.
  3. Click Add Domain. The Select Domain Type drop-down menu displays.
  4. Select OAuth Provider and click Select. The Details page displays.
  5. In the OAuth Provider section, enter the "Name" and "Description" of the domain definition (e.g., Name=OAuth 2-Legged, Description=OAuth 2-Legged Domain).

    Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OAuth Provider as an identifier is recommended along with other details that reveal something about the configuration (e.g., OAuth version, API Name, Grant Types, etc.)
  6. Click Next to continue. The Grant Types page displays.
  7. In the "Grant Validity Period (days)" text box, specify the number of days the authorization grant will remain active.
  8. In the "Grant Types" section, click the checkbox of the authorization grant types that apply to this domain configuration. Grant types are grouped by 2-Legged and 3-Legged scenarios. See What grant types does OAuth support? and How does OAuth 2-Legged and 3-Legged Authorization work? for more information.
    • If you selected the Authorization Code grant, specify the number of seconds the Authorization Code grant is valid in the "Authorization Code Timeout" field.

    • Select a domain from the "Resource Owner Authentication Domain" drop-down menu. If one has not been previously defined, configure one and then return to complete the OAuth Provider domain definition.

      Note: If you select the Client Credentials grant type ONLY, the Resource Owner Authentication Domain is not required. This is because the Client Credentials grant type does not require a Resource Owner.

    • For each grant selected, specify the number of seconds the access token is valid in the "Access Token Timeout" field. See What is an Access Token?
    • Click the "Refresh Tokens" checkbox if refresh tokens are supported by your Authentication Server. See What is a Refresh Token? for more information.
    • Click the radio button of the Access Token Type. See What is an Access Token? for more information.
  9. Click Next. The Resources page displays. Here you will specify the operations in your API that require authorization. The resource list should represent the full set of resources you would like assign to the current OAuth Provider domain configuration.
    • For example, if multiple APIs will be using the OAuth Provider domain, each may have a different operation requirement.
    • In this case, when you configure your API with an OAuth Provider using the OAuth Details function on the API Details page, you can simply filter the set of operations by deleting resources that do not apply for the current API.
    • A resource is typically entered using a URL, but can also be a symbol {id}.
    • If you would like to set a specific resource as the default, click the "Default Resource" checkbox.
    • If the resource requires authorization for use (e.g., login screen), click the "User Authorization Required" checkbox.
    • See How does Scope Mapping work? for more information.
    • Note: If you will be using a third-party provider, you can use the pre-defined "Third Party Provider" domain via the API Details > OAuth Details function, and specify your resources on the Resource Mapping page. In this scenario, you can bypass creating a domain and go directly to the API Details page.
  10. Click Next. The Grant Properties page displays.
  11. In the "Properties" section, click +Add to create a grant property instance and specify the "Property Label" and "Property ID." Note that specifying grant properties is optional.
    • The "Property Label" represents the text description of the grant property. It is only visible in the platform.
    • The "Property ID" represents the object ID that references the property file that is stored on the OAuth Provider's site.
    • To delete a grant property, click -Delete under the grant property instance.
    • See What is a Grant Property? for more information.
  12. Click Next. The Branding page displays. When a user logs into your application using the OAuth configuration you just defined, they must see a login screen.

    If you want a custom branded login screen, you can customize the login with a unique logo that represents your organization, footer text (e.g., copyright information), and the URL you want to offer to Resource Owners and applications to access this OAuth provider capabilities.
  13. To save the domain configuration, click Save. The OAuth Provider domain is saved, displays on the Domains Summary page, and is now available for selection in API OAuth Wizard (via API Details > OAuth Details).

Back to top

How do I configure an OpenID Relying Party domain?

This SOA Software Community Manager OpenID Provider feature is an SOA Software Community Manager add-on for the OpenID Provider.

Installation Method:

The feature is installed via the SOA Software Administration Console and installs on top of the SOA Software Community Manager feature.

It installs the OpenID Relying Party domain to the Site Administration > Domains section of your platform deployment.

Using the Add Domain function, Site Administrators can select the OpenID Relying Party domain type to configure the domain, then enable the domain as a login option in the Site Administrator > Config > Logins section, or select it as a Resource Owner Authentication Domain when defining an OAuth Provider.

These configurations are then available for selection using the API OAuth function in the APIs that are part of your deployment.

Documentation:

See the Site Admin > Domains and Site Admin > Config sections of the platform online help for more information.

For information about setting up an API to use OpenID, see Open ID Support.

Back to top

How do I set up my deployment to support OpenID?

If you are a Site or API Administrator you can set up OAuth Provider definitions in the Site Administration > Domains section. You create a domain for each OpenID Provider scenario and these configurations are then available for selection using the API OAuth function in the APIs that are part of your deployment.

Back to top

How do I configure an LDAP domain?

The LDAP domain allows you to log into the platform using an LDAP domain defined in the Policy Manager Management Console.

Installation Method:

This feature is installed via the Configure > Security > Identity Systems section of the Policy Manager Management Console.

You can then enable the domain in the Site Administrator > Config > Logins section of the platform or select it as a Resource Owner Authentication Domain when defining an OAuth Provider.

Documentation:

Refer to the Add Identity System (Active Directory) topic in the Policy Manager Online Help for instructions on how to add an LDAP domain.

Back to top

How do I configure a CA SiteMinder domain?

The CA SiteMinder domain allows you to log into the platform using a CA SiteMinder domain defined in the Policy Manager "Management Console."

Installation Method:

This feature is installed via the Configure > Security > Identity Systems section of the Policy Manager "Management Console."

You can then enable the domain in the Site Administrator > Config > Logins section of the platform or select it as a Resource Owner Authentication Domain when defining an OAuth Provider.

Documentation:

Add CA SiteMinder Domain—See the Integrating CA SiteMinder with Policy Manager 6.1 Guide available via the SOA Software Support Site (support.soa.com > Downloads > PolicyManager > PM61 > PM61_CASiteMinder_Integration.pdf) for instructions on how to set up CA SiteMinder and install the identity system (domain) in Policy Manager.

Configure CA SiteMinder Domain – See the Site Admin > Domains and Site Admin > Config > Logins sections of the Community Manager online help for instructions on how to use the CA SiteMinder domain in an OAuth Provider domain definition, and how to enable the CA SiteMinder login.

Back to top

How do I configure access permissions for OpenID?

Access permissions for OpenID are established by configuring a domain that represents the login resource. For OpenID, you use the OpenID Relying Party domain. This domain is installed as part of the SOA Software Community Manager OpenID Provider feature in the SOA Software Administration Console and is available via Add Domain feature via Site Administration > Domains.

After you configure the OpenID login resource, entries will show in the platform as follows:

To configure an OpenID login resource:
  1. Click the Administration quick filter (wrench icon). The Site Administration page displays.
  2. Click Domains. The Domains Summary page displays.
  3. Click Add Domain. The Select Domain Type drop-down menu displays.
  4. Select OpenID Relying Party and click Select. The Details page displays.
  5. In the OpenID Client section, enter the "Name" and "Description" of the login resource (e.g., Name=Google, Description=Google Login Resource).

    Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OpenID Provider as an identifier is recommended along with other details that reveal something about the configuration.
  6. Click Next to continue. The Provider Details page displays. Enter the OpenID "Discovery URL" that represents the location of the Relying Party's OpenID endpoints. See What is a Discovery URL? for more information.
  7. Click Next to continue. The Client Details page displays. Enter the "Realm" and "Return URL." See What is a Realm? for more information.
  8. To save the domain configuration, click Save. The OpenID login resource domain is saved, displays on the Domains Summary page, and is now available for selection as a resource when you define an OAuth Provider domain.

Back to top

What is an Authorization Server URL?

As part of setting up the OAuth domain, the Site Admin must specify the Authorization Server URL. This is the URL that the browser for the resource owner (app user) will be accessing for the OAuth grant.

It is the URL at which the OAuth Provider accesses the requests, for both Authorization Endpoint and Token Endpoint.

Note: One deployment can support more than one OAuth Provider. If there is more than one, it is important that each OAuth Provider has a different Authorization Server URL, for both Authorization Endpoint and Token Endpoint.

For a full definition of Authorization Endpoint and Token Endpoint, refer to the OAuth specification.

When setting up the OAuth domain, once you have specified the Authorization Server URL it is important to make sure that requests are directed to this URL where either OAuth Provider or OAuth Provider Agent features are installed. This might include additional actions; for example, adding a DNS entry or configuring the load balancer if the URL is a virtual endpoint on F5.

The URL you provide for the Authorization Server is the base of the URL for the Request Token URL, Access Token URL, and Authorize URL, with additional parts of the paths as shown below. The Callback URL is the Redirect URL that an app developer would provide in the App details page.

The URLs for both supported OAuth versions are shown below.

OAuth 1.0a:

OAuth 2.0:

Note: App developers need to know the Authorization Server URL in order to set up their apps to use the OAuth domain. This information must be made available to API Admins, who must make sure it is included in API documentation.

Back to top

How do I set up a platform deployment to support a third-party provider?

The OAuth Details function on the API > Details page includes a pre-defined "third-party provider" domain that allows you to configure grant for OAuth 2.0 and 1.0a versions and resource mapping. See How do I configure my API with an OAuth Provider? for more information.

Back to top

How do I modify a domain?

To modify a domain:
  1. Navigate to Site Administration > Domains. The Domains Summary displays.
  2. In the right-hand column of the domain line item, click Modify. The Edit wizard for the specific domain type displays.
  3. Follow procedure you used for adding the specific domain type (i.e., OAuth Provider, OpenID Relying Party, Facebook Connector).
  4. Note that the "Domain Name" cannot be changed after the domain is initially defined and will not be selectable.

Back to top

How do I delete a domain?

To delete a domain:
  1. Navigate to Site Administration > Domains. The Domains Summary displays.
  2. In the right-hand column of the domain line item, click Delete. At the confirmation message, click OK.

Back to top

How do I set up a connector domain?

The platform provides support for logging into the platform using a connector domain (e.g., Facebook).

To configure a connector domain:
  1. Click the Site Administration quick filter. The Site Admins page displays.
  2. Click Domains. The Domains Summary page displays.
  3. Click Add Domain. The Select Domain Type drop-down menu displays. In this example we will configure a Facebook Connector.
  4. Select Facebook Connector and click Select. The Add Connector Domain Wizard launches and the Details page displays.
  5. In the Connector Domain section, enter the "Name" and "Description" of the domain definition (e.g., Name=Facebook, Description=Facebook Login).

    Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name.
  6. Click Next to continue. The App Details page displays. Here you will specify the App ID and App Secret for the Facebook Connector.
  7. Click Save. The Facebook Connector definition is saved and displays on the summary screen.
  8. The next step is to enable and customize the Facebook Connector. See How do I enable and customize a platform login?

Back to top

How do I set up the platform to log in with Facebook?

The platform provides support for logging into the platform using Facebook using a Facebook Connector domain.

To configure a Facebook login:
  1. Click the Administration quick filter (wrench icon). The Site Admins page displays.
  2. Click Domains. The Domains Summary page displays.
  3. Click Add Domain. The Select Domain Type drop-down menu displays.
  4. Select Facebook Connector and click Select. The Add Connector Domain Wizard launches and the Details page displays.
  5. In the Connector Domain section, enter the "Name" and "Description" of the domain definition (e.g., Name=Facebook, Description=Facebook Login).

    Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name.
  6. Click Next to continue. The App Details page displays. Here you will specify the App ID and App Secret for the Facebook Connector.
  7. Click Save. The Facebook Connector definition is saved and displays on the summary screen.
  8. The next step is to enable the Facebook Connector. Still remaining in the Site Administration section, click Config > Logins. The Configure screen displays and the Facebook Connector you just added will display in the listing.
  9. To enable the Facebook Connector, click the checkbox in the "Enable" column.
  10. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
  11. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the following page for information on Facebook login button usage: https://www.facebookbrand.com/.
  12. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
  13. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with Google?

The platform provides support for logging into the platform using Google using an Open ID Relying Party domain.

To configure a Google login:
  1. Click the Administration quick filter (wrrnch icon). The Site Administration page displays.
  2. Click Domains. The Domains Summary page displays.
  3. Click Add Domain. The Select Domain Type drop-down menu displays.
  4. Select OpenID Relying Party and click Select. The Details page displays.
  5. In the OpenID Client section, enter the "Name" and "Description" of the login resource (e.g., Name=Google, Description=Google Login Resource).

    Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OpenID Provider as an identifier is recommended along with other details that reveal something about the configuration.
  6. Click Next to continue. The Provider Details page displays. Enter the OpenID "Discovery URL" for the Google domain that represents the location of the Relying Party's OpenID endpoints (e.g., https://www.google.com/accounts/o8/id). See What is a Discovery URL? for more information.
  7. Click Next to continue. The Client Details page displays. Enter the "Realm" and "Return URL." See What is a Realm? for more information.
  8. To save the domain configuration, click Save. The OpenID login resource domain is saved, displays on the Domains Summary page, and is now available for selection as a resource when you define an OAuth Provider domain.
  9. The next step is to enable the Google Domain. Still remaining in the Site Administration section, click Config > Logins. The Configure screen displays and the Google domain you just added will display in the listing.
  10. To enable the Google domain, click the checkbox in the "Enable" column.
  11. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
  12. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the following page for information on Google login button usage: https://developers.google.com/accounts/docs/OpenID.
  13. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
  14. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with CA SiteMinder?

The platform provides support for logging into the platform using a CA SiteMinder domain.

To configure a CA SiteMinder login:
  1. Configure the CA SiteMinder domain in the Configure > Security > Identity Systems section of Policy Manager.
  2. The next step is to enable the CA SiteMinder Domain. In the platform, navigate to Site Administration > Config > Logins. The Configure screen displays and the Google domain you just added will display in the listing.
  3. To enable the CA SiteMinder domain, click the checkbox in the "Enable" column.
  4. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
  5. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the CA SiteMinder developer documentation for information on CA SiteMinder login button usage.
  6. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
  7. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with LDAP?

The platform provides support for logging into the platform using an LDAP domain.

To configure an LDAP login:
  1. Configure the LDAP domain in the Configure > Security > Identity Systems section of Policy Manager.
  2. The next step is to enable the LDAP Domain. In the platform, navigate to Site Administration > Config > Logins. The Configure screen displays and the LDAP domain you just added will display in the listing.
  3. To enable the LDAP domain, click the checkbox in the "Enable" column.
  4. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
  5. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the LDAP developer documentation for information on LDAP login button usage.
  6. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
  7. Click Save to commit your changes.

Back to top