
Login via "Госуслуги РФ" OAuth2 Identity Provider

vharseko edited this page Nov 22, 2018 · 3 revisions

Register at ESIA

First, go to http://esia.pro/integraciya_esia_kommers and complete all the organizational and technical steps to register your account and receive an Application ID, a Secret Key and a Certificate.

Setup OpenAM

System Properties

Setup your system properties.

| Property | Value |
|---|---|
| org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.keyPath | Path to the secret key file, for example /etc/openam/openam.key |
| org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.certPath | Path to the certificate file, for example /etc/openam/openam.crt |

Legacy UI

Log in to the console, go to Access Control and select the target realm, then go to Authentication.

Create Authentication Module

Under the Module Instances section, create a new authentication module. Enter a name for the new module instance, for example esia. The authentication module type is OAuth 2.0 / OpenID Connect.

Then select the module you have just created from the module list and enter the following settings (for production use https://esia.gosuslugi.ru instead of https://esia-portal1.test.gosuslugi.ru):

| Setting | Value |
|---|---|
| Client Id | Your Application Id |
| Client Secret | Your Application Id |
| Authentication Endpoint URL | https://esia-portal1.test.gosuslugi.ru/aas/oauth2/ac |
| Access Token Endpoint URL | https://esia-portal1.test.gosuslugi.ru/aas/oauth2/te |
| User Profile Service URL | https://esia-portal1.test.gosuslugi.ru/rs/prns |
| Scope | The scopes you need, as listed in the ESIA documentation, for example fullname birthdate gender |
| OAuth2 Access Token Profile Service Parameter name | access_token |
| Proxy URL | [Your OpenAM URL]/oauth2c/OAuthProxy.jsp, for example https://openam.example.com/openam/oauth2c/OAuthProxy.jsp |
| Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
| Account Mapper | org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper |
| Account Mapper Configuration | oid=uid |
| Attribute Mapper | org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper |
| Attribute Mapper Configuration | Attribute configuration used to map the user info obtained from the OAuth 2.0 provider to the local user data store in OpenAM, one mapping per line (see the example below the table) |
| Custom Properties | Optional settings for retrieving the user's organization info (see the list below the table) |

Example of Attribute Mapper Configuration, one mapping per line:

oid=uid
remote-json=sn

Custom Properties, if you want to get the user's organization info:

- esia-org-scope - scope for organization info: org_shortname org_fullname
- esia-org-info-url - endpoint for organization info: https://esia-portal1.test.gosuslugi.ru/rs/orgs/

You can set up the remaining attributes on your own, depending on the requirements of your authentication process. Press Save and then Back to Authentication.
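The Account Mapper Configuration and Attribute Mapper Configuration above share one line format: the left side is the attribute name in the JSON returned by the User Profile Service URL, the right side is the attribute in the local OpenAM user data store, so oid=uid copies the ESIA oid into the local uid. The following Python script is an added illustration of how such a configuration is read and applied; it is not OpenAM's JsonAttributeMapper code, and the profile document and the remote attribute names firstName and lastName are constructed for the example.

```python
import json

# Mapper configuration as typed into the console, one remote=local mapping per line.
# Left: attribute name in the profile JSON from /rs/prns; right: local user attribute.
MAPPER_CONFIG = """
oid=uid
firstName=givenName
lastName=sn
"""

# Constructed sample profile (not a real ESIA response); which fields are present
# in practice depends on the scopes granted (fullname, birthdate, gender, ...).
SAMPLE_PROFILE = json.dumps({
    "oid": 1000123456,
    "firstName": "Ivan",
    "lastName": "Ivanov",
    "birthDate": "01.01.1980",
})


def parse_mapper_config(config: str) -> dict:
    """Parse 'remote=local' lines into {remote_attr: local_attr}; reject malformed lines."""
    mapping = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"bad mapping line, expected remote=local: {line!r}")
        remote, local = (part.strip() for part in line.split("=", 1))
        if not remote or not local:
            raise ValueError(f"empty attribute name in mapping: {line!r}")
        mapping[remote] = local
    return mapping


def map_profile(profile_json: str, mapping: dict) -> dict:
    """Apply the mapping to a profile document. Remote attributes that are not
    mapped are dropped, and mapped attributes missing from the profile are left
    out, so the local account only receives what the granted scopes returned."""
    profile = json.loads(profile_json)
    local_attrs = {}
    for remote, local in mapping.items():
        if profile.get(remote) is not None:
            local_attrs[local] = str(profile[remote])  # directory attributes are strings
    return local_attrs


if __name__ == "__main__":
    attrs = map_profile(SAMPLE_PROFILE, parse_mapper_config(MAPPER_CONFIG))
    print(attrs)  # {'uid': '1000123456', 'givenName': 'Ivan', 'sn': 'Ivanov'}
```

Note that birthDate is discarded because no mapping line names it, which is the behaviour to expect when a scope is granted but the corresponding attribute is not configured.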

Create Authentication Chain

Under the Authentication Chaining section, create a new authentication chain, enter its name, for example esia, and add the module esia you just created.

Your authentication chain should look like this:

| Instance | Criteria | Options |
|---|---|---|
| esia | Required | |

Test your Authentication Chain

Go to [Your OpenAM URL]/UI/Login?org=[your org]&service=[esia auth chain], for example http://example.openam.com/openam/UI/Login?org=/&service=esia, and you should see the ESIA authentication dialog.
