Skip to content

Login via "Госуслуги РФ" OAuth2 Identity Provider

vharseko edited this page Nov 22, 2018 · 3 revisions
Clone this wiki locally

Register at ESIA

At first, you need go to pass complete all organizational and technical steps to register account and receive Application ID, Secret Key and Certificate.

Setup OpenAM

System Properties

Setup your system properties.

Property Value
org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.keyPath path to secret key file, for example, /etc/openam/openam.key
org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.certPath path to certificate, for example, /etc/openam/openam.crt

Legacy UI

Login into console. Goto Access Control then select target realm. Goto Authentication

Create Authentication Module

Under section Module Instances create new Authentication Module. Enter new module instance name, for example esia. Authentication module type is OAuth 2.0 / OpenID Connect

Then select module, you've just created from module list and enter following settings: (for production use instead

Setting Value
Client Id Your Application Id
Client Secret Your Application Id
Authentication Endpoint URL
Access Token Endpoint URL
User Profile Service URL
Scope Here you should enter scope, ESIA documentation for example fullname birthdate gender
OAuth2 Access Token Profile Service Parameter name access_token
Proxy URL [Your OpenAM URL]/oauth2c/OAuthProxy.jsp for example:
Account Provider org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
Account Mapper org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
Account Mapper Configuration oid=uid
Attribute Mapper org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
Attribute Mapper Configuration Attribute configuration that will be used to map the user info obtained from the OAuth 2.0 Provider to the local user data store in the OpenAM. Example:
Custom Properties Here you can set settings if you want to get user organization info
esia-org-scope - scope for organization org_shortname org_fullname [esia-org-info-url] - endpoint for organization

You can setup remaining attributes on your own, depending your authentication process requirement and press Save and then Back to Authentication

Create Authentication Chain

Under section Authentication Chaining create new Authentication Chain, enter its name, for example, esia and add recently created module esia

Your authentication chain should look like this:

Instance Criteria Options
esia Required  

Test your Authentication Chain

Goto [Your OpenAM URL]/UI/Login?org=[your org]&service=[esia auth chain], for example, and you should see ESIA authentication dialog