Configuring Facebook as an Identity Provider

The EmpowerID SSO framework allows you to configure Facebook as an identity provider (IdP) for the EmpowerID Web application. EmpowerID integrates with Facebook using the OAuth protocol to allow your users to log in to EmpowerID using their Facebook accounts.

This topic describes how to configure an Identity Provider connection for Facebook and is divided into the following activities:

  • Adding the Facebook App ID and App Secret to the Facebook OAuth Connection
  • Adding MFA Points to the Facebook OAuth Connection
  • Adding a Login Tile for Facebook
  • Testing the Facebook Connection


Info

As a prerequisite to creating an IDP Connection for Facebook, you must have a Facebook account and register the EmpowerID web application for your organization in the Facebook Developers Center. This creates a set of values known by Facebook and the EmpowerID web application that allow the two to trust one another. These values include the App ID and the App Secret, which are generated by Facebook, as well as the OAuth redirect URI, which you enter to tell Facebook where to post the assertion of a user's identity to the EmpowerID Assertion Consumer Service.

For specific directions on registering EmpowerID as an application in Facebook, see the information provided by Facebook at https://developers.facebook.com.

When registering EmpowerID in Facebook, use the following URL as the valid OAuth redirect under Facebook Login Settings. Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS name of the EmpowerID Web server in your environment.


https://FQDN_OF_YOUR_EMPOWERID_SERVER/WebIdPForms/oauth/v2



Tip

Once the IDP Connection has been set up for Facebook, you can create a link similar to the one below to allow users to log in to EmpowerID using Facebook. Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS name of the EmpowerID Web server in your environment and "Facebook" with the name of the IDP connection you create for Facebook in EmpowerID.


https://FQDN_OF_YOUR_EMPOWERID_SERVER/WebIdPForms/Login/EmpowerIDWebSitePortal/Facebook?returnUrl=%2FWebIdPForms%2F



To add the App ID and App Secret

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then SSO Connections, and click OAuth.
  2. From the OAuth Applications management page, click the OAuth Service Provider tab and then search for Facebook.
  3. From the OAuth Service Provider grid, click the Facebook link.

  4. In the External OAuth Provider Details page that appears, in the grid at the bottom, click the Edit button for the specific Facebook connection you want to edit. 

    Info

    By default, EmpowerID includes one connection. However, you can add as many connections for Facebook as your organization needs.

    Info

    Edit links have the pencil icon.



  5. In the OAuth Connection pane that appears, in the Consumer Key field, type the App ID Facebook generated for your application, and in the Consumer Secret field, type the App Secret.

  6. Prepend the value of the Callback URL with the FQDN of your EmpowerID Web server, using the https scheme. For example, the FQDN of the EmpowerID Web server in our environment is "sso.empowersso.com", so the full Callback URL for our site is "https://sso.empowersso.com/webidpforms/oauth/v2".

    Note

    You must provide the full URL for the Callback URL. Otherwise, this error occurs: "The redirect_uri URL must be absolute."


  7. Click Save to close the OAuth Connection pane.
  8. Optionally, add any desired MFA points to the Facebook application by following the below steps.
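
The following pre-flight check is an added example, not EmpowerID code: it validates a Callback URL value before you save it (a relative value is what produces the "redirect_uri URL must be absolute" error) and builds the direct login link from the Tip above. The function names and the rule that returnUrl must be a local path are assumptions of this example.

```python
from urllib.parse import urlsplit, quote

CALLBACK_PATH = "/WebIdPForms/oauth/v2"  # callback path given on this page


def callback_url(fqdn: str) -> str:
    """Build the absolute OAuth callback URL for an EmpowerID Web server."""
    return f"https://{fqdn}{CALLBACK_PATH}"


def check_callback_url(value: str, fqdn: str) -> list:
    """Return the problems found in a Callback URL value; empty means OK."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        # Relative values trigger "The redirect_uri URL must be absolute."
        return ["not absolute: scheme and host are required"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")
    if (parts.hostname or "").lower() != fqdn.lower():
        problems.append(f"host {parts.hostname!r} is not {fqdn!r}")
    if parts.path.rstrip("/").lower() != CALLBACK_PATH.lower():
        problems.append(f"unexpected path {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    return problems


def login_link(fqdn: str, connection: str, return_url: str = "/WebIdPForms/") -> str:
    """Build the direct login link from the Tip, percent-encoding returnUrl."""
    # Assumption of this example: accept only a local path as returnUrl, so a
    # generated link can never point users at another host after login.
    if (not return_url.startswith("/") or return_url.startswith("//")
            or "\\" in return_url):
        raise ValueError("returnUrl must be a local path such as /WebIdPForms/")
    return (f"https://{fqdn}/WebIdPForms/Login/EmpowerIDWebSitePortal/"
            f"{quote(connection, safe='')}?returnUrl={quote(return_url, safe='')}")


if __name__ == "__main__":
    fqdn = "sso.empowersso.com"  # example FQDN used on this page
    for candidate in ("/webidpforms/oauth/v2", callback_url(fqdn)):
        print(candidate, "->", check_callback_url(candidate, fqdn) or "OK")
    print(login_link(fqdn, "Facebook"))
```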


To add MFA points to the Facebook application

  1. From the External OAuth Providers page for Facebook, click the Provider Edit link at the top of the page.
  2. In the MFA Point Value field, type the number of MFA points you want to give to users logging in with Facebook.
  3. Click Save.

    Next, add a login tile for Facebook to the desired IdP Domains. This allows your users to authenticate to EmpowerID with their Facebook credentials. If you have not set up an IdP Domain for your environment, you can do so by following the directions below.


To create an IdP Domain


  1. From the Navigation Sidebar, expand Admin, then Applications and Directories, and click SSO Components.
  2. Click the IdP Domains tab and then click the Add IdP Domain button.



  3. Type the fully qualified domain name in the Domain Name field and then click Save.




To add a login tile for Facebook

  1. From the Navigation Sidebar, expand Admin, then SSO Connections and click SSO Components.
  2. Click the IdP Domains link for your domain.


  3. In the IdP Domain Details page that appears, click the External OAuth Providers tab and check the box beside Facebook.

  4. Click Save.

    Warning

    To give users the ability to log in using their EmpowerID credentials, be sure to select EmpowerID from the SAML Identity Providers tab of the IdP Domain Details page.



    Now that the IDP Connection is configured, you can test it by following the below procedure.


To test the Facebook IDP Connection

  1. From the Navigation Sidebar, expand IT Shop and click Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.

  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for the Facebook IdP connection, e.g. https://sso.empowersso.com.
  4. Click the Login using Facebook button.
  5. Log in to Facebook as you normally would.
  6. Click Continue to allow EmpowerID to retrieve the information it needs to link your Facebook account to your EmpowerID identity (Person object).



  7. Back in the EmpowerID Web application, click Yes to indicate that you have an EmpowerID login.




    Info

    Users without EmpowerID Persons can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.


  8. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.




  9. Check your email for the one-time password.
  10. Back in the EmpowerID Web interface, type the one-time password into the Password field of the One-Time Password Validation form and click Submit.




    Info

    Upon successful submission of the one-time password, EmpowerID logs the user in and joins the Facebook account to their EmpowerID Person account.

    Tip

    If you have set up the user's Password Manager policy to require the user to accumulate a specific number of trust points beyond those granted by the identity provider, EmpowerID will direct the user through any multi-factor methods you have enabled on the policy until they reach the point threshold needed to log in.



