Domains

Configure Authentication Domains for APIs defined in the platform.

Table of Contents

1. How does the authentication provider configuration process work?
2. What domain types are supported?
3. How do I configure access permissions for OpenID?
4. How do I set up a platform deployment to support OAuth?
5. How do I set up a platform deployment to support a Third Party Provider?
6. How do I modify a domain?
7. How do I delete a domain?
8. How do I set up a connector domain?
9. How do I set up the platform to log in with Facebook?
10. How do I set up the platform to log in with Google?
11. How do I set up the platform to log in with CA SiteMinder?
12. How do I setup the platform to log in with LDAP?

How does the authentication provider configuration process work?

The platform provides a series of add-on features that provide authentication support for APIs. The platform currently supports OAuth and OpenID Provider types.

Here's how the provider type configuration process works:

• The Site Administrator installs the OAuth Provider and Resource Owner Authentication (e.g., Open ID Relying Party) features into the platform container via the SOA Software Administration Console. This process is covered in the installation guide for the platform.
• After the features are installed, the authentication provider options are available as selectable domains via the platform Site Administrator > Domains user interface.
• The Site Administration > Domains section allows Site Administrators and API Administrators to select a domain type that best suits the authentication protocol required for APIs that are part of the platform deployment.
• You then configure custom security provider definitions based on the authentication method and use cases supported by the APIs.
• For example, if your APIs support OAuth, you can select the OAuth Provider domain and configure a separate OAuth Provider for each OAuth version (i.e., 1.0a, and 2.0), then select grant types, and resources relative to the specific OAuth version. You could also define a separate OAuth Provider for each API.
• After the domains are configured in the Site Administration section, they are then available via the OAuth Details section on the API Details page.
• Here an API Provider can select the domain type that best suits the authentication method supported by their API, and they can customize it based on their authentication use case requirements.

Back to top

What domain types are supported?

The platform domain types can be used to log into the platform, or can be configured with an OAuth Provider. After each domain is installed entries will show in the platform as follows:

• In the Site Administration > Domains section, the defined domain will be selectable from the Resource Owner Authentication Domain drop-down when you configure an OAuth Provider domain.
• In the Site Administration > Config > Users section the defined domain will be available on the List of Users page and can be enabled as a login option.

The following table provides a list of the supported domain types, a brief description, and installation method:

Domain Type	Description / Installation Method
Platform Login (Default)	This login domain type allows users to log in using the default platform login page using Email Address and Password credentials. Note: The Platform Login (Default) is system generated, cannot be deleted, and will not display in the Resource Owner Authentication Domain drop-down menu of an OAuth Provider domain. Installation Method: The default platform login is automatically added and enabled as part of the platform default installation. This option can be disabled if another login approach is used by deselecting the "Enable" checkbox for this login line item in the Site Administrator > Config > Logins section. Documentation: See the Site Admin > Config > Logins sections of the Community Manager online help for more information.
Facebook Connector	The Facebook Connector domain allows you to log into the platform using your Facebook credentials. Installation Method: A Facebook Connector domain option is installed (by default) to the Site Administration > Domains section of your platform deployment. Using the Add Domain function, Site Administrators can select the Facebook Connector domain type. This launches the Add Connector Domain Wizard where you can assign an App ID and App Secret, then enable the domain in the Site Administrator > Config > Logins section. Documentation: See the Site Admin > Domains and Site Admin > Config sections of the platform online help for more information.
OAuth Provider	The SOA Software Community Manager OAuth Provider feature is an SOA Software Community Manager add-on for the OAuth Provider. This domain type allows you to select a Resource Owner Authentication Domain (for the login process), and configure grant types, access tokens, grant properties, and branding. Installation Method: The feature is installed via the SOA Software Administration Console and installs on top of the SOA Software Community Manager feature. It installs the OAuth Provider domain to the Site Administration > Domains section of your platform deployment. Using the Add Domain function, Site Administrators can select the OAuth Provider domain type to configure the domain. The domain is then available on the Edit OAuth Details page on the API Details page where you can customize the OAuth configuration for an API. Note: This domain type adds the OAuth Provider domain option to the "Select Domain Type" menu and is not posted as a Login option in the Site Administration > Config > Logins section. Documentation: See the Site Admin > Domains section of the platform online help for more information.
OpenID Relying Party	This SOA Software Community Manager OpenID Provider feature is an SOA Software Community Manager add-on for the OpenID Provider. Installation Method: The feature is installed via the SOA Software Administration Console and installs on top of the SOA Software Community Manager feature. It installs the OpenID Relying Party domain to the Site Administration > Domains section of your platform deployment. Using the Add Domain function, Site Administrators can select the OpenID Relying Party domain type to configure the domain, then enable the domain as a login option in the Site Administrator > Config > Logins section, or select it as a Resource Owner Authentication Domain when defining an OAuth Provider. Documentation: See the Site Admin > Domains and Site Admin > Config sections of the platform online help for more information.
LDAP	The LDAP domain allows you to log into the platform using a LDAP domain defined in the Policy Manager "Management Console." Installation Method: This feature is installed via the Configure > Security > Identity Systems section of the Policy Manager "Management Console." You can then enable the domain in the Site Administrator > Config > Logins section of the platform or select it as a Resource Owner Authentication Domain when defining an OAuth Provider. Documentation: Refer to the Add Identity System (Active Directory) topic in the Policy Manager Online Help for instructions on how to add an LDAP domain.
CA SiteMinder	The CA SiteMinder domain allows you to log into the platform using a CA SiteMinder domain defined in the Policy Manager "Management Console." Installation Method: This feature is installed via the Configure > Security > Identity Systems section of the Policy Manager "Management Console." You can then enable the domain in the Site Administrator > Config > Logins section of the platform or select it as a Resource Owner Authentication Domain when defining an OAuth Provider. Documentation: Add CA SiteMinder Domain - See the Integrating CA SiteMinder with Policy Manager 6.1 Guide available via the SOA Software Support Site (support.soa.com > Downloads > PolicyManager > PM61 > PM61_CASiteMinder_Integration.pdf) for instructions on how to setup CA SiteMinder and install the identity system (domain) in Policy Manager. Configure CA SiteMinder Domain – See the Site Admin > Domains and Site Admin > Config > Logins sections of the Community Manager online help for instructions on how to use the CA SiteMinder domain in an OAuth Provider domain definition, and how to enable the CA SiteMinder login.

Back to top

How do I configure access permissions for OpenID?

Access permissions for OpenID are established by configuring a domain that represents the login resource. For OpenID, you use the OpenID Relying Party domain. This domain is installed as part of the SOA Software Community Manager OpenID Provider feature in the SOA Software Administration Console and is available via Add Domain feature via Site Administration > Domains.

After you configure the OpenID login resource, entries will show in the platform as follows:

• In the Site Administration > Domains section, the defined domain will be selectable from the Resource Owner Authentication Domain drop-down when you configure an OAuth Provider domain.
• In the Site Administration > Config > Users section the defined domain will be available on the List of Users page and can be enabled as a login option.

To configure an OpenID login resource:

1. Click the Site Administration quick filter. The Site Administration page displays.
2. Click Domains. The Domains Summary page displays.
3. Click Add Domain. The Select Domain Type drop-down menu displays.
4. Select OpenID Relying Party and click Select. The Details page displays.
5. In the OpenID Client section, enter the "Name" and "Description" of the login resource (e.g., Name=Google, Description=Google Login Resource).
   
   Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OpenID Provider as an identifier is recommended along with other details that reveal something about the configuration.
6. Click Next to continue. The Provider Details page displays. Enter the OpenID "Discovery URL" that represents the location of the Relying Party's OpenID endpoints. See What is a Discovery URL? for more information.
7. Click Next to continue. The Client Details page displays. Enter the "Realm" and "Return URL." See What is a Realm? for more information.
8. To save the domain configuration, click Save. The OpenID login resource domain is saved, displays on the Domains Summary page, and is now available for selection as a resource when you define an OAuth Provider domain.

Back to top

How do I set up a platform deployment to support OAuth?

After defining your access permissions domain, the next step is to configure one or more OAuth Provider domains that represent the OAuth authentication use case types the APIs in your platform deployment will support.

To configure an OAuth Provider domain:

1. Click the Site Administration quick filter. The Site Administration page displays.
2. Click Domains. The Domains Summary page displays.
3. Click Add Domain. The Select Domain Type drop-down menu displays.
4. Select OAuth Provider and click Select. The Details page displays.
5. In the OAuth Provider section, enter the "Name" and "Description" of the domain definition (e.g., Name=OAuth 2-Legged, Description=OAuth 2-Legged Domain).
   
   Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OAuth Provider as an identifier is recommended along with other details that reveal something about the configuration (e.g., OAuth version, API Name, Grant Types, etc.)
   
6. Click Next to continue. The Grant Types page displays.
7. In the "Grant Validity Period (days)" text box, specify the number of days the authorization grant will remain active.
8. In the "Grant Types" section, click the checkbox of the authorization grant types that apply to this domain configuration. Grant types are grouped by 2-Legged and 3-Legged scenarios. See What grant types does OAuth support? and How does OAuth 2-Legged and 3-Legged Authorization work? for more information.
   • If you selected the Authorization Code grant, specify the number of seconds the Authorization Code grant is valid in the "Authorization Code Timeout" field.

   • Select a domain from the "Resource Owner Authentication Domain" drop-down menu. If one has not been previously defined, configure one and then return to complete the OAuth Provider domain definition.

     Note: If you select the Client Credentials grant type ONLY, the Resource Owner Authentication Domain is not required. This is because the Client Credentials grant type does not require a Resource Owner.

   • For each grant selected, specify the number of seconds the access token is valid in the "Access Token Timeout" field. See What is an Access Token?
   • Click the "Refresh Tokens" checkbox if refresh tokens are supported by your Authentication Server. See What is a Refresh Token? for more information.
   • Click the radio button of the Access Token Type. See What is an Access Token? for more information.
9. After completing your entries, click Next. The Resources page displays. Here you will specify the operations in your API that require authorization. The resource list should represent the full set of resources you would like assign to the current OAuth Provider domain configuration.
   • For example, if multiple APIs will be using the OAuth Provider domain, each may have a different operation requirement.
   • In this case, when you configure your API with an OAuth Provider using the OAuth Details function on the API Details page, you can simply filter the set of operations by deleting resources that do not apply for the current API.
   • A resource is typically entered using a URL, but can also be a symbol {id}.
   • If you would like to set a specific resource as the default, click the "Default Resource" checkbox.
   • If the resource requires authorization for use (e.g., login screen), click the "User Authorization Required" checkbox.
   • See How does Scope Mapping work? for more information.
   • Note: If you will be using a third party provider, you can use the pre-defined "Third Party Provider" domain via the API Details > OAuth Details function, and specify your resources on the Resource Mapping page. In this scenario, you can bypass creating a domain and go directly to the API Details page.
10. After completing your entries, click Next. The Grant Properties page displays.
11. In the "Properties" section, click +Add to create a grant property instance and specify the "Property Label" and "Property ID." Note that specifying grant properties is optional.
    • The "Property Label" represents the text description of the grant property. It is only visible in the platform.
    • The "Property ID" represents the object ID that references the property file that is stored on the OAuth Provider's site.
    • To delete a grant property, click -Delete under the grant property instance.
    • See What is a Grant Property? for more information.
12. After completing your entries, click Next. The Branding page displays. When a user logs into your application using the OAuth configuration you just defined, they must see a login screen.
    
    If you require a custom branded login screen you can customize the login with a unique logo that represents your organization, footer text (e.g., copyright information), and the URL you want to offer to Resource Owners and applications to access this OAuth provider capabilities.
    • The "Site Logo" option allows you to upload a logo that is 50px high. This logo will display on your login page. See How do I upload and crop icons? for more information.
    • The "Footer Text" field allows you to enter custom text for your login page.
    • The "Authorization Server URL" field allows you to enter a hostname URL.
    • See How does Resource Owner Authentication Page Login Branding work? for more information.
13. To save the domain configuration, click Save. The OAuth Provider domain is saved, displays on the Domains Summary page, and is now available for selection in API OAuth Wizard (via API Details > OAuth Details).

Back to top

How do I set up a platform deployment to support a Third Party Provider?

The OAuth Details function on the API > Details page includes a pre-defined "Third Party Provider" domain that allows you to configure grant for OAuth 2.0 and 1.0a versions and resource mapping. See How do I configure my API with an OAuth Provider? for more information.

Back to top

How do I modify a domain?

To modify a domain:

1. Navigate to Site Administration > Domains. The Domains Summary displays.
2. In the right-hand column of the domain line item, click Modify. The Edit wizard for the specific domain type displays.
3. Follow procedure you used for adding the specific domain type (i.e., OAuth Provider, OpenID Relying Party, Facebook Connector).
4. Note that the "Domain Name" cannot be changed after the domain is initially defined and will not be selectable.

Back to top

How do I delete a domain?

To delete a domain:

1. Navigate to Site Administration > Domains. The Domains Summary displays.
2. In the right-hand column of the domain line item, click Delete. The confirmation message "Are you sure you want to delete domain name <name>" displays.
3. Click OK to delete the domain or Cancel to exit the operation.

Back to top

How do I set up a connector domain?

The platform provides support for logging into the platform using a connector domain (e.g., Facebook).

• The process of configuring a connector domain involves adding a Facebook domain using the Add Domain function in the Site Administration > Domains section, configuring the connector in using the Add Connector Domain Wizard, and enabling the domain in the Site Administration > Config > Logins section.
• After the configuration is complete, the connector domain icon will display in the Sign-in using external ID: section of the platform Login page.

To configure a connector domain:

1. Click the Site Administration quick filter. The Site Admins page displays.
2. Click Domains. The Domains Summary page displays.
3. Click Add Domain. The Select Domain Type drop-down menu displays. In this example we will configure a Facebook Connector.
4. Select Facebook Connector and click Select. The Add Connector Domain Wizard launches and the Details page displays.
5. In the Connector Domain section, enter the "Name" and "Description" of the domain definition (e.g., Name=Facebook, Description=Facebook Login).
   
   Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name.
   
6. Click Next to continue. The App Details page displays. Here you will specify the App ID and App Secret for the Facebook Connector.
7. Click Save. The Facebook Connector definition is saved and displays on the summary screen.
8. The next step is to enable and customize the Facebook Connector. See How do I enable and customize a platform login?

Back to top

How do I set up the platform to log in with Facebook?

The platform provides support for logging into the platform using Facebook using a Facebook Connector domain.

• This domain is installed (by default) to your platform deployment.
• The process of configuring a Facebook login involves adding a Facebook domain using the Add Domain function in the Site Administration > Domains section, configuring the connector in using the Add Connector Domain Wizard, and enabling the domain in the Site Administration > Config > Logins section.
• After the configuration is complete, the Facebook icon will display in the Sign-in using external ID: section of the platform Login page.

To configure a Facebook login:

1. Click the Site Administration quick filter. The Site Admins page displays.
2. Click Domains. The Domains Summary page displays.
3. Click Add Domain. The Select Domain Type drop-down menu displays.
4. Select Facebook Connector and click Select. The Add Connector Domain Wizard launches and the Details page displays.
5. In the Connector Domain section, enter the "Name" and "Description" of the domain definition (e.g., Name=Facebook, Description=Facebook Login).
   
   Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name.
   
6. Click Next to continue. The App Details page displays. Here you will specify the App ID and App Secret for the Facebook Connector.
7. Click Save. The Facebook Connector definition is saved and displays on the summary screen.
8. The next step is to enable the Facebook Connector. Still remaining in the Site Administration section, click Config > Logins. The Configure screen displays and the Facebook Connector you just added will display in the listing.
9. To enable the Facebook Connector, click the checkbox in the "Enable" column.
10. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
11. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the following page for information on Facebook login button usage: https://www.facebookbrand.com/.
12. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
13. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with Google?

The platform provides support for logging into the platform using Google using an Open ID Relying Party domain.

• This domain is installed (by default) to your platform deployment.
• The process of configuring a Google login involves adding an OpenID Relying Party domain using the Add Domain function in the Site Administration > Domains section, configuring the connector in using the OpenID Relying Party Wizard, and enabling the domain in the Site Administration > Config > Logins section.
• After the configuration is complete, the Google icon will display in the Sign-in using external ID: section of the platform Login page.

To configure a Google login:

1. Click the Site Administration quick filter. The Site Administration page displays.
2. Click Domains. The Domains Summary page displays.
3. Click Add Domain. The Select Domain Type drop-down menu displays.
4. Select OpenID Relying Party and click Select. The Details page displays.
5. In the OpenID Client section, enter the "Name" and "Description" of the login resource (e.g., Name=Google, Description=Google Login Resource).
   
   Note that the "Name" field cannot be edited after the domain configuration is saved, so it's important to be as descriptive as possible with your domain name. For example, including the name of the OpenID Provider as an identifier is recommended along with other details that reveal something about the configuration.
6. Click Next to continue. The Provider Details page displays. Enter the OpenID "Discovery URL" for the Google domain that represents the location of the Relying Party's OpenID endpoints (e.g., https://www.google.com/accounts/o8/id). See What is a Discovery URL? for more information.
7. Click Next to continue. The Client Details page displays. Enter the "Realm" and "Return URL." See What is a Realm? for more information.
8. To save the domain configuration, click Save. The OpenID login resource domain is saved, displays on the Domains Summary page, and is now available for selection as a resource when you define an OAuth Provider domain.
9. The next step is to enable the Google Domain. Still remaining in the Site Administration section, click Config > Logins. The Configure screen displays and the Google domain you just added will display in the listing.
10. To enable the Google domain, click the checkbox in the "Enable" column.
11. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
12. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the following page for information on Google login button usage: https://developers.google.com/accounts/docs/OpenID.
13. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
14. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with CA SiteMinder?

The platform provides support for logging into the platform using a CA SiteMinder domain.

• Configure the CA SiteMinder domain in the Configure > Security > Identity Systems section of Policy Manager. Refer to the Enterprise API Platform Installation Guide for information on how to install a CA SiteMinder Identity System.
• Enable and customize the domain in the Site Administration > Config > Logins section of the platform.
• After the configuration is complete, the CA SiteMinder icon will display in the Sign-in using external ID: section of the platform Login page.

To configure a CA SiteMinder login:

1. Configure the CA SiteMinder domain in the Configure > Security > Identity Systems section of Policy Manager.
2. The next step is to enable the CA SiteMinder Domain. In the platform, navigate to Site Administration > Config > Logins. The Configure screen displays and the Google domain you just added will display in the listing.
3. To enable the CA SiteMinder domain, click the checkbox in the "Enable" column.
4. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
5. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the CA SiteMinder developer documentation for information on CA SiteMinder login button usage.
6. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
7. Click Save to commit your changes.

Back to top

How do I set up the platform to log in with LDAP?

The platform provides support for logging into the platform using a LDAP domain.

• Configure the LDAP domain in the Configure > Security > Identity Systems section of Policy Manager. Refer to the Enterprise API Platform Installation Guide for information on how to install an LDAP Identity System.
• Enable and customize the domain in the Site Administration > Config > Logins section of the platform.
• After the configuration is complete, the LDAP icon will display in the Sign-in using external ID: section of the platform Login page.

To configure an LDAP login:

1. Configure the LDAP domain in the Configure > Security > Identity Systems section of Policy Manager.
2. The next step is to enable the LDAP Domain. In the platform, navigate to Site Administration > Config > Logins. The Configure screen displays and the LDAP domain you just added will display in the listing.
3. To enable the LDAP domain, click the checkbox in the "Enable" column.
4. If you would like configure a virtual host for the domain, enter it in the "Target Host" text box. See What is a Target Host? for more information.
5. In the Logo/Avatar column, click Upload and select the logo you would like to display for the Login button. See How do I upload and crop icons? for more information. You can upload your own custom button or refer to the LDAP developer documentation for information on LDAP login button usage.
6. In the Mode column, click the radio button of the identity store integration method (Popup or Main) you would like to use for the current domain. See What login page integration modes are supported? for more information.
7. Click Save to commit your changes.

Back to top