Users can be authenticated into a federation using their LinkedIn account. Before setting up the LinkedIn authentication connection in Safewhere*Identify, you must register Safewhere*Identify as an application with LinkedIn. The link to do this is:
After signing up as a LinkedIn developer, register your Safewhere*Identify installation using the “Add New application” button.
This will open a form where you can add information about the app, as shown here.
Once registered, you will be given several important pieces of information that you will use to set up the LinkedIn connection in Safewhere*Identify. These are:
- Client ID: The unique number that your app is given with LinkedIn.
- Client Secret: A secret code that will be used to ensure that your installation of Safewhere*Identify is the only one that can use the Facebook authentication app setup.
- Default application permission: please use "r_basicprofile" as default
- Authorized Redirect URLs: Replace the site tag with your Safewhere*Identify site URL: https://[identify site]/runtime/linkedin/consume.idp
- Default "Cancel" Redirect URL: Enter your SP site URL, e.g. https://claimapp.safewhere.com. When the user clicks the “Cancel” button, they are redirected to this URL.
- LinkedIn OAuth request token endpoint: Should always be set to https://api.linkedin.com/uas/oauth/requestToken unless LinkedIn changes their API.
- LinkedIn OAuth dialog endpoint: Should always be set to https://www.linkedin.com/uas/oauth/authenticate unless LinkedIn changes their API.
- LinkedIn OAuth dialog for mobile endpoint: Should always be set to https://www.linkedin.com/uas/oauth/authenticate unless LinkedIn changes their API.
- LinkedIn OAuth access token endpoint: Should always be set to https://api.linkedin.com/uas/oauth/accessToken unless LinkedIn changes their API.
- LinkedIn user information endpoint: Should always be set to http://api.linkedin.com/v1/people/~ unless LinkedIn changes their API.
- Client id (App id): The API Key automatically generated by LinkedIn.
- Consumer secret code: The secret code automatically generated by LinkedIn.
Besides the LinkedIn-specific configuration settings, there is a range of fields that help you set up a two-factor authentication process, if so desired. Each of these is explained below.
- Second factor authentication connection: If you want this LinkedIn Authentication Connection to have a second factor, you must choose this second factor among the different Authentication Connections that have been set up in the system. This includes all the One Time Password Connections.
- Two factor identities condition: When using two different Authentication Connections together (which is basically what you are doing when setting up two-factor authentication), the two may try to identify the incoming user based on two different identity bearing claims. This dropdown is activated when the user has chosen that the connection will have a second factor. Options in the dropdown are:
  - Use the first identity: System will disregard the “Identity bearing claim” value of the second factor and just focus on identifying the user based on the first one.
  - Two identities must be the same: The user will not be allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
- Enabled for mobile use: Should be checked if you also want to allow mobile users to authenticate using this connection.
- IP-based filter for Home Realm Discovery: Specifies IP addresses of RPs for the filter. An IP address consists of 4 sections of numbers between 1 and 255. The 4 sections of numbers are separated by a dot. An IP range consists of two IP addresses separated by a dash. You can enter multiple IP addresses or IP ranges by separating them with semicolons. E.g.: 192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255.
- Perform log out at SLO: Should be checked if you also want to log out your account from LinkedIn.
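The "IP-based filter for Home Realm Discovery" syntax described above can be checked before it is entered. The following is an added example, not Safewhere's code: it parses a filter value, rejects malformed entries, and reports how many addresses each entry admits. The function names are hypothetical, and treating both ends of a range as included is an assumption.

```python
import ipaddress

def parse_ip_filter(value):
    """Parse 'a;b;c-d' into a list of (low, high) IPv4Address pairs."""
    ranges = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        parts = [p.strip() for p in entry.split("-")]
        if len(parts) > 2:
            raise ValueError(f"malformed range: {entry!r}")
        try:
            low = ipaddress.IPv4Address(parts[0])
            high = ipaddress.IPv4Address(parts[-1])  # same as low for a single IP
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"bad address in {entry!r}: {exc}") from None
        if low > high:
            raise ValueError(f"range start after end: {entry!r}")
        ranges.append((low, high))
    return ranges

def ip_matches(ranges, address):
    """True if address falls in any entry (ends included: an assumption)."""
    addr = ipaddress.IPv4Address(address)
    return any(low <= addr <= high for low, high in ranges)

def range_sizes(ranges):
    """Number of addresses each entry admits, to spot overly broad ranges."""
    return [int(high) - int(low) + 1 for low, high in ranges]

# The example value from the field description above.
SAMPLE = "192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255"

if __name__ == "__main__":
    parsed = parse_ip_filter(SAMPLE)
    for (low, high), size in zip(parsed, range_sizes(parsed)):
        print(f"{low} - {high}: {size} address(es)")
    print(ip_matches(parsed, "192.168.0.77"), ip_matches(parsed, "192.168.2.1"))
```
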
The following is the list of claims that Safewhere*Identify can expect to get returned from LinkedIn. The claim types in italics are only returned if so configured in the setting “The additional permissions that a user should grant to Safewhere*Identify:”.
To see how the authentication page looks to the users, please click here.