It is possible to authenticate users into a federation using their Live ID account. Before it even becomes relevant to set up the Live ID authentication connection in Safewhere*Identify, we must register Safewhere*Identify as an Application with Live ID. The link to do this is:
After signing up as a Live ID developer, register your Safewhere*Identify installation using the “Add an app” button at “My applications”.
After the new application is creating, click "Generate New password" button under "Application secrets" (Please copy this code because it displays only once)
Then Under "Platforms", select "Add Platform" and choose "Web"
Enter the following information:
- Redirect domain:Insert the following URIs using the following format: https://[Identify site URL]/runtime/liveid/consume.idp & https://[Identify site URL]/runtime/liveid/signoff.idp that will point to your Safewhere*Identify installation. (Note: for the Identify version 5.1.1 ++, we will use: https://[Identify site URL]/runtime/microsoft/consume.idp , not https://[Identify site URL]/runtime/liveid/consume.idp)
Please ensure the checkbox "Live SDK support" is True at the "Advanced Options"
Once registered you will be given a number of important information that you will be using to set up the Live ID connection in Safewhere*Identify. These are:
- Client ID: The unique number that your app is given with Live ID.
- Client Secret: A secret code that will be used to ensure that your installation of Safewhere*Identify is the only one that can use the Live ID authentication app setup.
Now that you have Safewhere*Identify registered with Live ID you can continue to set up the Live ID authentication connection in Safewhere*Identify. The settings to use are:
- Live ID OAuth dialog endpoint: Should always be set to https://oauth.live.com/authorize unless Live ID changes their API.
- Live ID OAuth dialog for mobile endpoint: Should always be set to https://oauth.live.com/authorize unless Live ID changes their API.
- Live ID OAuth access token endpoint: Should always be set to https://oauth.live.com/token unless Live ID changes their API.
- Live ID user information endpoint: Should always be set to https://apis.live.net/v5.0/me unless Live ID changes their API.
- Client id (App id): The Client Id automatically generated by Live ID .
- Client secret code: The secret code automatically generated by Live ID .
Besides the actual Live ID specific configuration settings, there are a whole range of fields that will help you set up a two factor authentication process, if so desired. Below each of these are explained.
- Second factor authentication connection: If you want this Facebook Authentication Connection to have a second factor, you must choose this second factor among the different Authentication Connections that have been set up in the system. This includes all the One Time Password Connections.
- Two factor identities condition:When using two different Authentication Connections together (which is basically what you are doing when setting up two-factor authentication, then the two may try to Safewhere*Identify the incoming user based on two different identity bearing claims. This dropdown is activated when a user has chosen, that the connection will have a second factor. Options in the dropdown are:
- Use the first identity: System will disregard the “Identity bearing claim” value of the second factor and just focus on identifying the user based on the first one.
- Two identities must be the same: The user will not be allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
- Enabled for mobile use: Should be checked if you also want to allow mobile users to authenticate using this connection.
- IP-based filter for Home Realm Discovery: specifies IP addresses of RPs for the filter.An IP address consists of 4 sections of numbers between 1 and 255. The 4 sections of numbers are seperated by a dot. An IP range consists of two IP addresses separated by a dash. You can enter multiple IP addresses or IP ranges by seperating them with semicolons. E.g.: 192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255.
- Perform log out at SLO:Should be checked if you also want to log out your account from Live ID
The following are the list of claims that Safewhere*Identify can expect to get returned from Live ID. The claim types in italic are only returned if so configured in the setting “The additional permissions that a user should grant to Safewhere*Identify: “.
To see how the authentication page looks to the users, please click here.