LinkedIn

It is possible to authenticate users into a federation using their LinkedIn account. Before it even becomes relevant to set up the LinkedIn authentication connection in Safewhere*Identify, we must register Safewhere*Identify as an Application with LinkedIn. The link to do this is:

https://www.linkedin.com/secure/developer

After signing up as a LinkedIn developer, register your Safewhere*Identify installation using the “Add New application” button.

This opens a form where you enter information about the app, as shown here:

Once registered, you are given several important pieces of information that you will use to set up the LinkedIn connection in Safewhere*Identify. These are:

  • Client ID: The unique identifier that LinkedIn assigns to your app.
  • Client Secret: A secret code used to ensure that your installation of Safewhere*Identify is the only one that can use this LinkedIn application. Treat it like a password.
  • Default application permission: please use "r_basicprofile" as the default.
  • Authorized Redirect URLs: Replace the site placeholder with your Safewhere*Identify site URL: https://[identify site]/runtime/linkedin/consume.idp
  • Default "Cancel" Redirect URL: Enter your SP site URL, e.g. https://claimapp.safewhere.com. When the user clicks the “Cancel” button, they are redirected to this URL.

Then choose the "JavaScript" tab and add your Identify domain to the Valid SDK Domains:

  • Valid SDK Domains: Enter your Safewhere*Identify domain. When a JavaScript logout request reaches LinkedIn, LinkedIn can then verify that it comes from a domain you have allowed.

Now that you have Safewhere*Identify registered with LinkedIn you can continue to set up the LinkedIn authentication connection in Safewhere*Identify. The settings to use are:

  • LinkedIn OAuth request token endpoint: Should always be set to https://api.linkedin.com/uas/oauth/requestToken unless LinkedIn changes their API.
  • LinkedIn OAuth dialog endpoint: Should always be set to https://www.linkedin.com/uas/oauth/authenticate unless LinkedIn changes their API.
  • LinkedIn OAuth dialog for mobile endpoint: Should always be set to https://www.linkedin.com/uas/oauth/authenticate unless LinkedIn changes their API.
  • LinkedIn OAuth access token endpoint: Should always be set to https://api.linkedin.com/uas/oauth/accessToken unless LinkedIn changes their API.
  • LinkedIn user information endpoint: Should always be set to http://api.linkedin.com/v1/people/~ unless LinkedIn changes their API.
  • Client id (App id): The API Key automatically generated by LinkedIn.
  • Consumer secret code: The secret code automatically generated by LinkedIn.

Besides the LinkedIn-specific configuration settings, there is a range of fields that help you set up a two-factor authentication process, if so desired. Each of these is explained below.

  • Second factor authentication connection: If you want this LinkedIn Authentication Connection to have a second factor, you must choose that second factor among the Authentication Connections that have been set up in the system. This includes all the One Time Password Connections.
  • Two factor identities condition: When two different Authentication Connections are used together (which is essentially what you are doing when setting up two-factor authentication), the two may try to identify the incoming user based on two different identity-bearing claims. This dropdown is activated when the connection has been given a second factor. Options in the dropdown are:
    • Use the first identity: The system disregards the “Identity bearing claim” value of the second factor and identifies the user based on the first factor only.
    • Two identities must be the same: The user is not allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
  • Enabled for mobile use: Should be checked if you also want to allow mobile users to authenticate using this connection.
  • IP-based filter for Home Realm Discovery: Specifies the IP addresses of RPs for the filter. An IP address consists of 4 sections of numbers between 1 and 255, separated by dots. An IP range consists of two IP addresses separated by a dash. You can enter multiple IP addresses or IP ranges by separating them with semicolons. E.g.: 192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255.
  • Perform log out at SLO: Should be checked if you also want to log the user's account out of LinkedIn.
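As an added illustration (not Safewhere*Identify code), the following parses an "IP-based filter for Home Realm Discovery" string in the format described above and checks whether a client IP falls inside it. It rejects malformed entries outright, on the assumption that a typo should fail loudly rather than silently widen or disable the filter; the filter string is the page's own example, the client IPs are constructed.

```python
# Added example: parse and evaluate a Home Realm Discovery IP filter
# written as IPv4 addresses or dash-separated ranges, joined by ';'.
import ipaddress
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


def parse_hrd_filter(filter_text: str) -> List[Tuple[IPv4, IPv4]]:
    """Return the filter as a list of inclusive (low, high) ranges.

    A single address becomes the range (addr, addr). Bad octets,
    reversed ranges and empty entries raise ValueError. (The page does
    not say how an empty filter is treated; this code treats it as invalid.)
    """
    ranges = []
    for item in filter_text.split(";"):
        item = item.strip()
        if not item:
            raise ValueError("empty filter entry")
        parts = item.split("-")
        if len(parts) == 1:
            low = high = IPv4(parts[0])          # single address
        elif len(parts) == 2:
            low = IPv4(parts[0].strip())         # start of range
            high = IPv4(parts[1].strip())        # end of range (inclusive)
            if low > high:
                raise ValueError(f"reversed range: {item}")
        else:
            raise ValueError(f"malformed entry: {item}")
        ranges.append((low, high))
    return ranges


def ip_matches_filter(client_ip: str, filter_text: str) -> bool:
    """True if client_ip lies inside any address or range of the filter."""
    addr = IPv4(client_ip)
    return any(low <= addr <= high for low, high in parse_hrd_filter(filter_text))


# Filter string taken from the page; client IPs below are constructed.
HRD_FILTER = "192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255"

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.0.77", "192.168.2.1", "10.0.0.1"):
        print(ip, ip_matches_filter(ip, HRD_FILTER))
```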

The following is the list of claims that Safewhere*Identify can expect to get back from LinkedIn. The claim types in italic are only returned if so configured in the setting “The additional permissions that a user should grant to Safewhere*Identify:”.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

To see how the authentication page looks to the users, please click here.