Google OpenID 2.0 Migration to OpenID Connect (OAuth2) authentication. Applies to portals with contacts registered through the deprecated OpenID 2.0 identity provider.

A contact migration process must be enabled on applicable portals so that contacts registered through Google can continue to sign in without interruption. Portal reconfiguration details are provided below for both ACS based portals and OpenAuth based portals.

Breaking change for portals with OAuth2 identity providers. Applies to portals upgrading to 7.0.0013 from earlier versions of 7 and portals upgrading to 6.0.0023 from earlier versions of 6.

The Redirect URL path for OAuth2 app settings is changing from the /auth/openauth format to /signin-{provider}, where {provider} is the name of the specific identity provider. Example: /signin-microsoft. Update the app settings of each applicable identity provider by adding the new redirect URL to the list of authorized redirect URLs (the existing entry can remain in place).

Authentication Site Settings

These are the defined site settings for enabling/disabling various authentication features as well as controlling the behaviour of user registration.

User Registration Settings

These settings control the flow of the user registration experience.

Site Setting Name Description
Authentication/Registration/Enabled Enables or disables user registration. Default: true
Authentication/Registration/RequiresInvitation Enables invitation code feature and disables open registration. Default: false
Authentication/Registration/RequiresConfirmation Enables email confirmation feature and disables open registration. Default: false
Authentication/Registration/InvitationCodeDuration The amount of time that an invitation code generated for email confirmation remains valid. Format: d.hh:mm:ss. Default: 0.01:00:00 (one hour)

Authentication/Registration/GoogleOpenIdMigrationEnabled (Added: 6.0.0023, 7.0.0013) Enables the automatic conversion of contacts with Google OpenID 2.0 accounts to the new Google OpenID Connect (OAuth2) accounts. Includes both ACS based Google configurations as well as OAuth2 based Google configurations.

Authentication/Registration/LoginButtonAuthenticationType (Added: 6.0.0023, 7.0.0013) Allows the Sign-In button of the header nav bar to link directly to an external identity provider login page (instead of linking to the local login and identity provider selection page). Only a single identity provider can be selected for this action. Accepted values: ADFS, Azure, twitter, facebook, google, microsoft, yammer, linkedin

In order for the new site setting values to take effect it may be necessary to recycle the app pool of the IIS website (to clear any cached settings).

Contact Membership Provider (Local Account) Settings

These settings enable or disable forms based local account features.

Site Setting Name Description
Authentication/Forms/Enabled Enables or disables (forms-based) local authentication. Default: true

ACS (Federated Account) Settings

These settings enable or disable the ACS identity providers for federated authentication. The values for a specific ACS namespace can be obtained by retrieving the WS-Federation Metadata for the namespace or through the ACS management portal.

Site Setting Name Description
Authentication/Claims/Enabled Enables or disables ACS federated authentication. Default: false
Authentication/Claims/Issuer The URL of the ACS WS-Federation token issuer. Example: https://mynamespace.accesscontrol.windows.net/v2/wsfederation
Authentication/Claims/Realm The URL of the relying party. Example: http://portal.contoso.com/
Authentication/Claims/TrustedIssuerThumbprint The thumbprint of the certificate of the trusted issuer. The value can be retrieved by navigating to the Certificates and keys section of the ACS management portal. Next, click the link for the Primary X.509 Certificate (Token Signing) and look for the message containing the thumbprint value (under the Certificate heading). Alternatively, the value can be retrieved using the Get-WifIssuerCertificate cmdlet of the ALM Toolkit.

ACS Relying Party Application Settings

Here are the settings to apply when adding a relying party application to the ACS namespace.

Setting Value
Name My Portal
Realm http://portal.contoso.com
Return URL http://portal.contoso.com/auth/wsfederation
Error URL (optional) http://portal.contoso.com/error
Token format SAML 2.0
Token encryption policy None
Token lifetime (secs) 600

Direct ADFS authentication can be substituted in place of ACS authentication.

Google OpenID 2.0 Migration for ACS (Applies to 6.0.0023 and later and 7.0.0013 and later)

ACS namespaces with the Google identity provider enabled are required to switch over to the new Google OpenID Connect (OAuth2) authentication. This process involves 1) creating a new Google OAuth2 application, 2) configuring the portal to enable contact migration (the deprecated OpenID 2.0 user account IDs are changing to a new OAuth2 format, so each contact record must be updated), and 3) allowing users to sign in, which invokes the automatic contact conversion process.

For details on the ACS migration process, see Migrating ACS Namespaces to Google OpenID Connect

  • Changes required by June 1, 2015
  • Changes required by January 1, 2017
    • Update the ACS rule group to send the Subject claim
      • Either add a Passthrough "subject" claim from Google as "subject" rule or
      • Use a Passthrough all claims rule
    • Create the site setting to enable contact migration:
      • Set Authentication/Registration/GoogleOpenIdMigrationEnabled to true
    • Contact conversion occurs at the time the contact performs a sign-in
      • The conversion involves replacing the contact's deprecated OpenID 2.0 credential with their OAuth2 credential
      • The conversion process is automatically managed by the portal application and requires no special handling on the part of the contact (the contact experiences a regular sign-in process)
      • Contacts that do not sign in prior to the 2017 deadline will not be converted after the deadline and will become inaccessible

OpenAuth (Federated Account) Settings

These settings enable or disable the OpenID and OAuth identity providers for federated authentication. The OpenID based providers are enabled by default while the OAuth providers are enabled by supplying the required client-id and client-secret values for Facebook, Twitter, and Microsoft Account.

Site Setting Name Description
Authentication/OpenAuth/Enabled Enables or disables OpenID/OAuth federated authentication. Default: true

Authentication/OpenAuth/Google/Enabled (Deprecated: 6.0.0023, 7.0.0013) Enables or disables Google OpenID authentication. Default: false
Authentication/OpenAuth/Yahoo/Enabled Enables or disables Yahoo! OpenID authentication. Default: false
Authentication/OpenAuth/Google/ClientId (Added: 6.0.0023, 7.0.0013) The Google application client ID.
Authentication/OpenAuth/Google/ClientSecret (Added: 6.0.0023, 7.0.0013) The Google application client secret.
Authentication/OpenAuth/Google/OpenIdRealm (Added: 6.0.0023, 7.0.0013) Optional. The Google OpenID 2.0 realm parameter that is required to enable conversion of OpenID 2.0 contacts to OAuth2 contacts. The realm value is the URL scheme and domain of the portal. The realm is auto-generated when this setting is omitted. Example: http://portal.contoso.com/
Authentication/OpenAuth/Twitter/ConsumerKey The Twitter application consumer key.
Authentication/OpenAuth/Twitter/ConsumerSecret The Twitter application consumer secret.
Authentication/OpenAuth/Facebook/AppId The Facebook application App ID.
Authentication/OpenAuth/Facebook/AppSecret The Facebook application App Secret.
Authentication/OpenAuth/Microsoft/ClientId The Microsoft application client ID.
Authentication/OpenAuth/Microsoft/ClientSecret The Microsoft application client secret.
Authentication/OpenAuth/LinkedIn/ConsumerKey The LinkedIn application consumer key.
Authentication/OpenAuth/LinkedIn/ConsumerSecret The LinkedIn application consumer secret.
Authentication/OpenAuth/Yammer/ClientId The Yammer application client ID.
Authentication/OpenAuth/Yammer/ClientSecret The Yammer application client secret.
Authentication/OpenAuth/OpenIDClient A custom OpenID client. Specify a value in the format [name],[URI]. Example: myOpenID,http://myopenid.com/ Additional clients can be added by creating additional site settings with the same site setting name (i.e. duplicate names are allowed for this setting).

Changing these authentication settings will require the Application Pool to be recycled in IIS.

OAuth Application Settings

In general, if an OAuth provider uses app settings that require a redirect URI value, specify http://portal.contoso.com/ or http://portal.contoso.com/signin-{provider}, depending on how the provider performs redirect URI validation (some providers require the full URL path to be specified along with the domain name). Substitute the name of the provider in place of {provider} in the redirect URI.

For versions 6.0.0022 and earlier and 7.0.0012 and earlier, specify http://portal.contoso.com/auth/openauth as the redirect URI instead. The provider name substitution does not apply to that format.
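The following helper, added here as an illustration and not part of the portal product, works out which redirect URI format a given portal build expects (the 6.0.0023 / 7.0.0013 threshold above) and which URIs each provider section on this page accepts, so an upgrade checklist can be produced. The portal URL and provider list are constructed sample values.

```python
# Which redirect URI path a portal build expects: /auth/openauth before
# 6.0.0023 / 7.0.0013, /signin-{provider} from those builds on. Added helper,
# not portal code; the portal URL and provider list used below are samples.

# First build on each major branch that uses the /signin-{provider} path.
SIGNIN_PATH_MIN = {6: (6, 0, 23), 7: (7, 0, 13)}
# Providers whose app settings sections accept the bare portal root as an
# alternative; Google, Microsoft and LinkedIn require the full path.
ROOT_ACCEPTED = {"facebook", "yammer", "twitter"}

def parse_version(text):
    """'7.0.0013' -> (7, 0, 13); the build part keeps its numeric value."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 3:
        raise ValueError("expected major.minor.build, got %r" % text)
    return parts

def uses_signin_path(version):
    """True when this portal build expects /signin-{provider}."""
    v = parse_version(version)
    if v[0] not in SIGNIN_PATH_MIN:
        raise ValueError("unsupported major version %d" % v[0])
    return v >= SIGNIN_PATH_MIN[v[0]]

def redirect_uris(portal_url, provider, version):
    """Acceptable redirect URI alternatives for one provider; register at least one."""
    base = portal_url.rstrip("/")
    name = provider.lower()
    if not uses_signin_path(version):
        return [base + "/auth/openauth"]
    uris = ["%s/signin-%s" % (base, name)]
    if name in ROOT_ACCEPTED:
        uris.insert(0, base + "/")
    return uris

def upgrade_checklist(portal_url, providers, old_version, new_version):
    """Per provider, the URIs to add when upgrading; existing entries stay in place."""
    checklist = {}
    for provider in providers:
        old = set(redirect_uris(portal_url, provider, old_version))
        added = [u for u in redirect_uris(portal_url, provider, new_version) if u not in old]
        if added:
            checklist[provider] = added
    return checklist

if __name__ == "__main__":
    # Constructed sample: portal.contoso.com upgrading 7.0.0012 -> 7.0.0013.
    sample = upgrade_checklist("http://portal.contoso.com",
                               ["google", "facebook"], "7.0.0012", "7.0.0013")
    for prov, uris in sample.items():
        print(prov, " or ".join(uris))
```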

Google OAuth2 API Credentials - Instructions

  • Note: Google OAuth2 is only supported in 6.0.0023 and later and 7.0.0013 and later
  • Open Google Developers Console
  • Create an API project or open an existing project
  • Navigate to APIs & auth > APIs
    • Under Social APIs, click Google+ API then click Enable API
  • Navigate to APIs & auth > Consent screen
    • Specify an Email address
    • Specify a custom Product name
    • Click Save
  • Navigate to APIs & auth > Credentials
    • Create new Client ID
      • Application Type: Web application
      • Authorized JavaScript Origins: http://portal.contoso.com
      • Authorized Redirect URIs: http://portal.contoso.com/signin-google
      • Click Create Client ID

Facebook App Settings

  • Open Facebook Developers App Dashboard
  • Click Add a New App
  • Select Website
  • Click Skip and Create App ID
    • Specify a Display Name
    • Select a Category
    • Click Create App ID
  • While on the Dashboard for the new app, navigate to Settings > Basic (tab)
    • (Optional) App Domains: portal.contoso.com 
    • Contact Email: <contact email address>
    • Click Add Platform and select Website
    • Site URL: http://portal.contoso.com/ or http://portal.contoso.com/signin-facebook
      • For 6.0.0022 and earlier and 7.0.0012 and earlier specify http://portal.contoso.com/auth/openauth instead
    • Click Save Changes
  • Navigate to Status & Review > Status (tab)
    • Do you want to make this app and all its features available to the general public? YES
      • The Contact Email field is required to enable this setting

Microsoft Application Settings

  • Open Microsoft account Developer Center
  • Click Create application
    • Specify an Application name
    • Click I accept
  • Navigate to Settings > API Settings
    • Redirect URLs: http://portal.contoso.com/signin-microsoft
      • For 6.0.0022 and earlier and 7.0.0012 and earlier specify http://portal.contoso.com/auth/openauth instead

Yammer Application Settings

  • Open Registered applications
  • Click Register New App
  • Specify an Application Name, Organization, Support e-mail
    • Website: http://portal.contoso.com
    • Redirect URI: http://portal.contoso.com or http://portal.contoso.com/signin-yammer
      • For 6.0.0022 and earlier and 7.0.0012 and earlier specify http://portal.contoso.com/auth/openauth instead
    • Click Continue
  • To return to the app settings for future changes, navigate to My Apps > [App Name] > Basic Info

Twitter Apps Settings

  • Open Twitter Application Management
  • Click Create New App
    • Specify a Name and Description
    • Website: http://portal.contoso.com
    • Callback URL: http://portal.contoso.com or http://portal.contoso.com/signin-twitter
      • For 6.0.0022 and earlier and 7.0.0012 and earlier specify http://portal.contoso.com/auth/openauth instead
    • Click Create your Twitter application

LinkedIn Application Settings

  • Open LinkedIn Developer Network
  • Click Add New Application
    • Specify an Application Name, Description, etc.
    • Website URL: http://portal.contoso.com
    • OAuth User Agreement/Default Scope: r_basicprofile and r_emailaddress
    • OAuth 2.0 Redirect Urls: http://portal.contoso.com/signin-linkedin
      • For 6.0.0022 and earlier and 7.0.0012 and earlier specify http://portal.contoso.com/auth/openauth instead
    • Click Add Application

Google OpenID 2.0 Migration for OpenAuth (Applies to 6.0.0023 and later and 7.0.0013 and later)

Portals that currently have Google (OpenID 2.0) authentication enabled (through the Authentication/OpenAuth/Google/Enabled setting) are required to switch over to the new Google OpenID Connect (OAuth2) authentication. This process involves 1) creating a new Google OAuth2 application, 2) configuring the portal to enable contact migration (the deprecated OpenID 2.0 user account IDs are changing to a new OAuth2 format, so each contact record must be updated), and 3) allowing users to sign in, which invokes the automatic contact conversion process.

  • Create a new Google OAuth2 application
  • Create or update four portal site settings:
    • Set Authentication/OpenAuth/Google/Enabled to false
    • Set Authentication/OpenAuth/Google/ClientId to the client ID of the new OAuth2 application
    • Set Authentication/OpenAuth/Google/ClientSecret to the client secret of the new OAuth2 application
    • Set Authentication/Registration/GoogleOpenIdMigrationEnabled to true
  • Contact conversion occurs at the time the contact performs a sign-in
    • The conversion involves replacing the contact's deprecated OpenID 2.0 credential with their OAuth2 credential
    • The conversion process is automatically managed by the portal application and requires no special handling on the part of the contact (the contact experiences a regular sign-in process)
    • Contacts that do not sign in prior to the January 1, 2017 deadline will not be converted after the deadline and will become inaccessible
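The conversion-at-sign-in behaviour described in both the ACS and the OpenAuth migration sections, as an added simulation that is not the portal's own code. It assumes what Google's OpenID 2.0 migration guide documents: when the openid.realm parameter (the OpenIdRealm setting) is sent, the Google ID token carries the legacy identifier in an openid_id claim beside the new sub claim, and that claim stops being issued after the January 1, 2017 deadline. The contact store, the ContactStore class and all identifiers are constructed for the illustration.

```python
from datetime import date

# After this date Google no longer returns the legacy identifier (page deadline).
OPENID2_SHUTDOWN = date(2017, 1, 1)
LEGACY_ID = "https://www.google.com/accounts/o8/id?id=EXAMPLE_LEGACY"  # constructed

class ContactStore:
    """Hypothetical store: provider -> {identifier: contact}. OpenID 2.0
    identifiers are claimed-id URLs; OAuth2 identifiers are the 'sub' claim."""
    def __init__(self, migration_enabled):
        self.migration_enabled = migration_enabled   # GoogleOpenIdMigrationEnabled
        self.credentials = {}

    def add(self, provider, identifier, contact):
        self.credentials.setdefault(provider, {})[identifier] = contact

    def sign_in(self, provider, claims):
        """Returns (contact, outcome). Conversion only happens on a sign-in
        whose token carries both the new 'sub' and the legacy 'openid_id'."""
        creds = self.credentials.setdefault(provider, {})
        sub = claims["sub"]
        if sub in creds:
            return creds[sub], "signed-in"
        legacy = claims.get("openid_id")
        if self.migration_enabled and legacy in creds:
            contact = creds.pop(legacy)   # replace the credential, never keep both
            creds[sub] = contact
            return contact, "converted"
        return None, "unknown"           # no match; registration rules apply

def google_claims(sub, openid_id, today):
    """Constructed ID-token claims: openid_id appears only before the shutdown."""
    claims = {"iss": "accounts.google.com", "sub": sub}
    if openid_id and today < OPENID2_SHUTDOWN:
        claims["openid_id"] = openid_id
    return claims

def demo():
    store = ContactStore(migration_enabled=True)
    store.add("google", LEGACY_ID, "alice")
    store.add("google", LEGACY_ID + "_bob", "bob")
    first = store.sign_in("google", google_claims("1001", LEGACY_ID, date(2016, 6, 1)))
    second = store.sign_in("google", google_claims("1001", LEGACY_ID, date(2017, 3, 1)))
    late = store.sign_in("google", google_claims("1002", LEGACY_ID + "_bob", date(2017, 3, 1)))
    off = ContactStore(migration_enabled=False)
    off.add("google", LEGACY_ID, "alice")
    disabled = off.sign_in("google", google_claims("1001", LEGACY_ID, date(2016, 6, 1)))
    return {"first": first, "second": second, "late": late, "disabled": disabled}

if __name__ == "__main__":
    print(demo())
```

Bob illustrates the deadline case: his first OAuth2 sign-in arrives after Google stopped issuing openid_id, so nothing links the new sub to his record and the contact is unreachable.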

Workflows

There are two workflows that send emails to users, and both can be customized. They are included in the Adxstudio Portals Workflows solution package (used when you have imported the Adxstudio Portals Base solution) or in the Adxstudio Portals Complete Workflows solution package (used when you have imported the Adxstudio Portals Complete solution).

Ensure that the workflows are in the activated state. For email based workflows, check that the sender (from) field of the email content is assigned to a user with a valid primary email address specified. Review the body of the email and customize as necessary.

ADX Sign Up Email Confirmation

The following workflow is triggered by the framework when a user signs up for an account. An email is sent to the user's email address with a link that includes a code that will be used to confirm their email and complete the registration. You will want to modify the email and edit the body message to be appropriate for your site. You must also assign a From email or the workflow will not be able to deliver the email. Save your changes and Activate the Workflow.

ADX Sign In Password Recovery

This workflow is only used for the Contact Membership Provider (Local Account). When a user submits the Forgot Password form, this workflow is triggered to send the user an email containing their new reset password. You will want to modify the email and edit the body message to be appropriate for your site. You must also assign a From email or the workflow will not be able to deliver the email. Save your changes and Activate the Workflow.