This article is currently a work in progress, March 2018.
We had a recent customer case with the following scenario and requirements:
Users are logging in to a SAML Service Provider (target application).
A) Allow CustomerID username and password to be used for logging in.
B) If the user forgets their username and password, allow Finnish bank TUPAS authentication to be used instead. If the matching social security number is not found, present the user with the chance to register, using a registration workflow from Ubisecure CustomerID according to their own selection.
C) Allow Facebook to be used for login. If the Facebook account has not been used before, ask the user to link the account to their existing user account by completing the login process with username and password. This is what we call User Driven Federation. If they don't have an account, they should also have the option at this point to register, using a registration workflow from Ubisecure CustomerID according to their own selection. If the Facebook account has been used before, the user should simply be logged in to their account.
A) is standard login. B) and C) are each possible on their own, but when combined the user experience suffers, because by default the login page cannot give situation-specific guidance. All three options are required on the same login page.
This article describes how to configure this scenario in a more user friendly manner.
The solution to the problem requires some creative configuration as follows:
For C), create an application of type OAuth2, using a unique user interface template, for example federation2. The redirect_uris value should be set to the target application, which is a SAML Service Provider. This OAuth2 application configuration will be used solely as a way to initiate a login process using only Facebook and to redirect the user to the target application after successful login. The authorization code will not be used.
Facebook authentication method configuration:
In order to allow explicit selection, add the word facebook to the OpenID Connect Authentication Context field:
The link to put on the login page will look like this:
All target applications must be whitelisted in the Stored Metadata section of the application configuration:
Multiple target services can be listed, and different links can be used in different templates as required. Add as many as needed.
An authorization policy must be created and attached to the application. The authorization policy should be blank.
The permitted methods tab should have both CustomerID password and Facebook enabled. Both are required to be enabled for User Driven Federation to work. The username and password fields will be hidden by using acr_values=facebook in the authorization code request link.
The Allowed To tab should be configured to allow only Facebook users.
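The following is an added illustration, not configuration or code from Ubisecure or from the original article. It shows how a login page might build the authorization code request link described above (acr_values=facebook, redirect_uri pointing at the target SAML Service Provider) while enforcing the same exact-match whitelist that the Stored Metadata section enforces on the server side, so that only the listed target applications can ever be used as a redirect target. The authorization endpoint URL, client_id and the whitelist entries are hypothetical placeholders.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Hypothetical placeholders: substitute your own environment's values.
AUTHORIZATION_ENDPOINT = "https://sso.example.com/oauth2/authorize"
CLIENT_ID = "federation2-client"  # client_id of the OAuth2 application

# Constructed sample of the Stored Metadata whitelist: every target SAML
# Service Provider the OAuth2 application may redirect to, as exact URIs.
REDIRECT_URI_WHITELIST = frozenset({
    "https://app1.example.com/saml/login",
    "https://app2.example.com/saml/login",
})


def is_whitelisted(redirect_uri: str) -> bool:
    """Exact string comparison only.

    No prefix, wildcard or host-only matching: a URI with an extra path
    segment, query string or fragment is a different URI and is rejected.
    """
    if urlsplit(redirect_uri).fragment:
        # RFC 6749 section 3.1.2 forbids fragments in redirection URIs.
        return False
    return redirect_uri in REDIRECT_URI_WHITELIST


def build_facebook_login_link(redirect_uri: str, state: Optional[str] = None) -> str:
    """Return the authorization code request link for the login page.

    The authorization code itself is never exchanged (the article notes it is
    unused); the request exists only to start a Facebook-only login and to
    send the user on to the target SAML Service Provider afterwards.
    """
    if not is_whitelisted(redirect_uri):
        raise ValueError(f"redirect_uri not whitelisted: {redirect_uri}")
    # A fresh, unguessable state value ties the response back to this request.
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "acr_values": "facebook",  # hides the username/password fields
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


if __name__ == "__main__":
    print(build_facebook_login_link("https://app1.example.com/saml/login"))
```

One link is generated per target application; each must appear verbatim in the whitelist, which mirrors the article's requirement that every target application be listed in Stored Metadata.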
Make a second User Driven Federation configuration and attach it to the Facebook authentication method. A sample LDIF file is provided below:
Modify the template above to match your environment and import it into the Ubisecure Directory using import.cmd or import.sh.