Versions Compared

Old Version 2

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Kim Landis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Div
classbreadcrumbs

/wiki/spaces/E2D/pages/29982926  /  Single Sign-On and MFA  /  Configuring SSO Connections  /  Identity Provider Connections  /  Current: Configuring Box as an Identity Provider

The EmpowerID SSO framework allows you to configure LinkedIn as an identity provider for the EmpowerID Web application. EmpowerID integrates with LinkedIn using the OAuth protocol to allow your users to log in to EmpowerID using their LinkedIn accounts.


Info

As a prerequisite to creating an SSO Connection for LinkedIn as an Identity Provider, you must have a LinkedIn account and register the EmpowerID web application for your organization under "My Applications" in the LinkedIn Developer Network. This creates a set of values known by theAPI Keyand theAPI Secret(these values are generated by LinkedIn), as well as theOAuth 1.0 Accept Redirect URLs(this value is entered by you to tell LinkedIn where to post the assertion of a user's identity to the EmpowerID Assertion Consumer Service).

For specific directions on registering EmpowerID as an application in LinkedIn, see the information provided by LinkedIn

at

at https://linkedin.com/secure/developer.

Once the IDP Connection has been set up for LinkedIn, you can create a link similar to the one below to allow users to login to EmpowerID using LinkedIn.


Code Block
languagexml
themeDJango
https://FQDN_OF_YOUR_EMPOWERID_SERVER/WebIdPForms/Login/EmpowerIDWebSitePortal/LinkedIn?returnUrl=%2FWebIdPForms%2F


Warning

Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN of the EmpowerID Web server in your environment and "LinkedIn" with the name of the IDP connection you create for LinkedIn in EmpowerID.



This topic describes how to configure an IDP connection for LinkedIn and is divided into the following activities:

  • Adding the Consumer Key and Consumer Secret to the LinkedIn OAuth Connection
  • Adding MFA Points to the LinkedIn OAuth Connection
  • Adding a Login tile for LinkedIn
  • Testing the LinkedIn Connection

To add the API Key and API Secret and to the LinkedIn OAuth Connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > SSO Connections and click OAuth.
  2. From the OAuth page, click the OAuth Service Provider tab and then search for LinkedIn.
  3. From the OAuth Service Provider grid, click the LinkedIn link.

    Image Modified


  4. In the External OAuth Provider Details page that appears, click the Edit button for the specific LinkedIn connection you want to edit. By default, EmpowerID includes one connection. However, you can add as many connections for LinkedIn as your organization needs.

    Image Modified


  5. In the OAuth Connection pane that appears, type the Client ID LinkIn generated for your application in the Consumer Key field and the Client Secret in the Consumer Secret field.

    Image Modified


  6. Prepend the value of the Callback Url with the FQDN of your EmpowerID Web server, using the https scheme. For example, the FQDN of the EmpowerID Web server in our environment is "sso.empowersso.com" so the full Callback Url for our site is "https://sso.empowersso.com/webidpforms/oauth/v2".
  7. Click Save to close the OAuth Connection pane.
  8. Optionally, add any desired MFA points to the LinkedIn application by following the below steps.


To add MFA points to the LinkedIn application

  1. From the External OAuth Providers page for LinkedIn, click the Provider Edit link at the top of the page.

    Image Modified


  2. In the MFA Point Value field, type the number of MFA points you want to give to users logging in with LinkedIn.

    Image Modified


  3. Click Save.


Next, add a login tile for LinkedIn to the desired IdP Domains. This allows your users to authenticate to EmpowerID with their LinkedIn credentials. If you have not set up an IdP Domain for your environment, you can do so by following the directions in the below drop-down.


Rw ui expands macro


Rw ui expand macro
titleTo create an IdP Domain


  1. From the Navigation Sidebar, expand Admin > Applications and Directories and click SSO Components.
  2. Click the IdP Domains tab and then click the Add IdP Domain button.



  3. Type the fully qualified domain name in the Domain Name field and then click Save.





To add a login tile for LinkedIn

  1. From the Navigation Sidebar, expand Admin > Applications and Directories > SSO Connections and click SSO Components.
  2. In the IdP Domain Details page that appears, click the External OAuth Providers tab and check the box beside LinkedIn.

    Image Modified


  3. Click Save.

    Warning

    To give users the ability to log in using their EmpowerID credentials, be sure to select EmpowerID from the SAML Identity Providers tab of the IdP Domain Details page.

    Image Modified


    Now that the IDP Connection is configured, you can test it by following the below procedure.


To test the LinkedIn IdP Connection

  1. From the Navigation Sidebar, expand IT Shop and click Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.

    Image Modified


  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for the LinkedIn IdP connection.
  4. Click the Login using LinkedIn button.

    Image Modified


  5. In the Authorize page for LinkedIn that appears, enter your LinkedIn credentials (if you are not already signed in) and then click Allow access to allow EmpowerID to retrieve the necessary information to link the LinkedIn account to your EmpowerID identity (Person object).




    Tip

    The Authorize page only appears the first time you log in to EmpowerID with the third-party account. Subsequent logins simply redirect your browser from the login page for the application to the EmpowerID web application.


  6. Back in the EmpowerID Web interface, click Yes to indicate that you have an EmpowerID login.

    Image Modified


    Info

    Users without EmpowerID Persons can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.


  7. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.

    Image Modified


  8. Check your email for the one-time password.
  9. Back in the EmpowerID Web interface, type the one-time password into the Password field of the One-Time Password Validation form and click Submit.

    Image Modified


Info

Upon successful submission of your one-time password, EmpowerID logs the user in and joins the LinkedIn account to their EmpowerID Person account.

Tip

If you have set up the user's Password Manager policy to require the user accumulate a specific number of trust points beyond those granted by the identity provider, EmpowerID will direct the user through any Multi-factor methods you have enabled on the policy until they reach the needed point threshold to log in.




Div
stylemargin-top: 25px;
classrelatedContent


Rw ui expands macro


Rw ui expand macro
titleRelated Content





Div
stylefloat: left; position: fixed; top: 105px; padding: 5px;
idtoc
classtopicTOC


Div
stylemargin-left: 40px; margin-bottom: 40px;

Live Search
spaceKeyE2D
placeholderSearch the documentation
typepage


Div
stylefont-size: 1rem; margin-bottom: -65px; margin-left: 40px;text-transform: uppercase;

On this page



Table of Contents
maxLevel2
stylenone