Login via "Госуслуги РФ" (Gosuslugi RF, the Russian public-services portal) OAuth2 Identity Provider
Register at ESIA
First, go to http://esia.pro/integraciya_esia_kommers and complete all the organizational and technical steps to register an account and receive your Application ID, Secret Key and Certificate.
Setup OpenAM
System Properties
Set the following system properties; they point the module's request signer at your key and certificate. Keep the key file readable only by the user the OpenAM process runs as.
Property | Value |
---|---|
org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.keyPath | path to secret key file, for example, /etc/openam/openam.key |
org.forgerock.openam.authentication.modules.oauth2.service.esia.Signer.certPath | path to certificate, for example, /etc/openam/openam.crt |
Legacy UI
Log in to the console. Go to Access Control and select the target realm, then go to Authentication.
Create Authentication Module
Under Module Instances, create a new authentication module. Enter a module instance name, for example esia, and choose the type OAuth 2.0 / OpenID Connect.
Then select the module you have just created from the module list and enter the following settings (for production use https://esia.gosuslugi.ru instead of https://esia-portal1.test.gosuslugi.ru):
Setting | Value |
---|---|
Client Id | Your Application Id |
Client Secret | Your Application Id |
Authentication Endpoint URL | https://esia-portal1.test.gosuslugi.ru/aas/oauth2/ac |
Access Token Endpoint URL | https://esia-portal1.test.gosuslugi.ru/aas/oauth2/te |
User Profile Service URL | https://esia-portal1.test.gosuslugi.ru/rs/prns |
Scope | The scopes your application needs, as listed in the ESIA documentation, for example fullname birthdate gender |
OAuth2 Access Token Profile Service Parameter name | access_token |
Proxy URL | [Your OpenAM URL]/oauth2c/OAuthProxy.jsp, for example https://openam.example.com/openam/oauth2c/OAuthProxy.jsp. This is the redirect URI the browser is sent back to after ESIA authentication, so it must be the public URL of your deployment |
Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
Account Mapper | org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper |
Account Mapper Configuration | oid=uid |
Attribute Mapper | org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper |
Attribute Mapper Configuration | Rules that map the user info obtained from the OAuth 2.0 provider to attributes in the OpenAM local user data store, one remote=local pair per entry. Example: oid=uid remote-json=sn |
Custom Properties | Optional settings for retrieving the user's organization info: esia-org-scope - the scopes for organization data, for example org_shortname org_fullname; esia-org-info-url - the organization endpoint, for example https://esia-portal1.test.gosuslugi.ru/rs/orgs/ |
Set the remaining attributes as your authentication process requires, then press Save and then Back to Authentication.
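The Account Mapper and Attribute Mapper configurations above are lists of remote=local pairs: the left side is a field of the JSON profile returned by the User Profile Service URL, the right side is the attribute it populates in the OpenAM data store. The following is an added reference implementation of that mapping (example code written for this page, not the OpenAM module's own JsonAttributeMapper), run over a constructed profile document. The dotted remote names for nested JSON, the field names in the sample profile and the check that the account-matching attribute is present are assumptions of this example; the security point it shows is that the local account must be located by the stable provider-issued identifier (oid), never by a mutable attribute such as an e-mail address that a user could change to collide with someone else's account.

```python
"""Reference implementation of OpenAM-style remote=local attribute mapping.

Added example for this wiki page; it is not the code of the OpenAM ESIA
module. Dotted remote names for nested JSON are an assumption of this example.
"""
import json

# Constructed sample in the shape of a user-profile response; all values are
# invented for the example.
SAMPLE_PROFILE = json.dumps({
    "oid": 1000123456,
    "firstName": "Ivan",
    "lastName": "Ivanov",
    "middleName": "Ivanovich",
    "birthDate": "01.01.1980",
    "gender": "M",
    "trusted": True,
    "contacts": {"email": "ivan@example.org"},
})


def parse_mapping(config):
    """Parse a 'remote=local remote=local ...' configuration string.

    Entries may be separated by spaces or newlines. Returns a list of
    (remote, local) tuples and rejects malformed entries instead of silently
    ignoring them, so a typo in the console cannot drop an attribute.
    """
    pairs = []
    for token in config.split():
        if "=" not in token:
            raise ValueError("bad mapping entry: %r" % token)
        remote, local = token.split("=", 1)
        if not remote or not local:
            raise ValueError("empty side in mapping entry: %r" % token)
        pairs.append((remote, local))
    return pairs


def lookup(doc, path):
    """Resolve a dotted path such as 'contacts.email' inside a JSON object.

    Returns None when any segment is missing or the value is not an object.
    """
    current = doc
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_attributes(profile_json, config):
    """Apply the mapping rules to a profile document.

    Returns {local_attribute: [values...]}, the multi-valued shape used by an
    LDAP-style user store. Remote fields absent from the profile are skipped.
    """
    doc = json.loads(profile_json)
    mapped = {}
    for remote, local in parse_mapping(config):
        value = lookup(doc, remote)
        if value is None:
            continue
        mapped.setdefault(local, []).append(str(value))
    return mapped


def account_lookup_key(profile_json, account_config="oid=uid"):
    """Account Mapper step: the attribute used to find the local account.

    Fail closed when the provider identifier is missing, rather than falling
    back to a mutable attribute an attacker could choose for themselves.
    """
    key = map_attributes(profile_json, account_config)
    if len(key) != 1 or len(next(iter(key.values()))) != 1:
        raise ValueError("profile has no single account-matching attribute")
    return key


if __name__ == "__main__":
    print("account key:", account_lookup_key(SAMPLE_PROFILE))
    print("attributes :", map_attributes(
        SAMPLE_PROFILE, "oid=uid lastName=sn firstName=givenName contacts.email=mail"))
```

Running the file prints the account-matching key and the mapped attributes for the sample profile; replacing SAMPLE_PROFILE with a profile captured from the test portal lets you check a mapping configuration before entering it in the console.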
Create Authentication Chain
Under Authentication Chaining, create a new authentication chain, enter its name, for example esia, and add the module esia you just created.
Your authentication chain should look like this:
Instance | Criteria | Options |
---|---|---|
esia | Required | |
Test your Authentication Chain
Go to [Your OpenAM URL]/UI/Login?org=[your realm]&service=[esia auth chain], for example https://openam.example.com/openam/UI/Login?org=/&service=esia, and you should be redirected to the ESIA authentication dialog. If the redirect fails, check that the Proxy URL configured in the module matches the redirect URI registered with ESIA.