Identity Provider - Facebook Login Servlet (FLS)

What is it?

Facebook Login Servlet is a supplement to the standard Shibboleth Identity Provider: it integrates with the IdP and extends its capabilities. It is available in two forms: either reconfigure your existing IdP and deploy the prepared .jar file, or install a modified version of Shibboleth IdP with all the necessary configuration already done. The second option, installing the whole new IdP, is recommended. Either way, the application must also be registered with Facebook.

Why do I need it?

Facebook Login Servlet (FLS for short) provides three-way integration among the Shibboleth Identity Provider, Facebook and an SQL database. With its help, a user can perform quick authentication based on credentials retrieved from the Facebook Graph and data received from the SQL database. FLS can also be used in an even more interesting way.
Connecting to an SQL database is completely optional: FLS can turn into an IdP that uses Facebook as its database and forwards User Fields from Facebook as attributes to the Service Provider. In this case FLS evolves into a Facebook Data Connector.
All necessary configuration is done by editing the Configuration File and simply deploying the Identity Provider, without changes to the code or recompilation.

Use Case - How does it all work

  1. User points an Internet browser to a resource protected by a Service Provider (SP).
  2. Browser redirects the user to a Discovery service.
  3. User chooses to authenticate via the Identity Provider connected with Facebook.
  4. IdP sends attributes to the Service Provider (see Sub1 - Facebook Login Servlet).
  5. Service Provider continues to process the User's request.

Sub1 - Facebook Login Servlet

  1. FLS reads IdpConfFile.
  2. FLS creates IdpCodeRequest for Facebook, based on Facebook Attributes defined in IdpConfFile.
  3. Facebook asks User for a set of permissions for FLS (i.e. name, email).
  4. User grants permissions.
  5. FLS asks Facebook for Facebook Attributes defined in IdpConfFile.
  6. FLS creates an SQL query to the Black List Database defined in IdpConfFile to determine whether the User is on the Black List.
  7. FLS binds Facebook Attributes values (received from Facebook) into SQL query.
  8. FLS executes query.
  9. FLS creates SQL query to a Data Base defined in IdpConfFile.
  10. FLS binds Facebook Attributes values (received from Facebook) into SQL query.
  11. FLS executes query.
  12. FLS maps SQL result set to Parameters defined in IdpConfFile.
  13. FLS checks in IdpConfFile which of Facebook Attributes and Parameters should be returned.
  14. FLS generates Principal, based on Facebook Attributes and Parameters.
  15. IdP maps, using both attribute-resolver.xml and attribute-filter.xml, the Principal from FLS to final attributes and returns them to the SP.

Extensions

  • 3.A User doesn't grant permission to FLS
    • 3.A.1 Error message is displayed.
  • 6.A Black List Database is not defined in IdpConfFile
    • 6.A.1 Continue to 9.
  • 8.A User is on a Black List
    • 8.A.1 FLS redirects the User to a web page defined in IdpConfFile.
    • 8.A.2 End of processing.
  • 9.A Database is not defined in IdpConfFile
    • 9.A.1 Continue to 13.
  • 11.A User is not in Database and Insert Statement is not specified
    • 11.A.1 FLS reads default values for parameters defined in IdpConfFile.
    • 11.A.2 FLS inserts default values into parameters.
    • 11.A.3 Continue to 13.
  • 11.B User is not in Database and Insert Statement is specified
    • 11.B.1 FLS reads InsertStatement from the configuration file.
    • 11.B.2 FLS binds Facebook Attributes values (received from Facebook) into the SQL insert query.
    • 11.B.3 FLS executes query.
    • 11.B.4 Return to 11.
  • 11.C User is not in Database, Insert Statement is specified and was already executed
    • 11.C.1 InsertStatement is misconfigured; return error page.
    • 11.C.2 End of Use Case.
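
The black-list check, lookup, insert-once and default-value branches of steps 6 to 14 above, modelled as an added example in Python over SQLite (not the project's own code, and not its real IdpConfFile format): the configuration stand-in, table names and columns are all assumptions, and the point it makes is that the Facebook attribute values are passed to every statement as bound parameters rather than spliced into the SQL text.

```python
import sqlite3

# Constructed stand-in for the IdpConfFile entries this flow needs (an assumed
# shape, not the project's real configuration format). Every statement binds
# the Facebook attributes by name instead of concatenating them into SQL text.
CONF = {
    "blacklist_query": "SELECT 1 FROM blacklist WHERE email = :email",
    "lookup_query": "SELECT role, org FROM users WHERE fb_id = :id",
    "insert_statement": "INSERT INTO users (fb_id, email, role, org) "
                        "VALUES (:id, :email, 'guest', 'none')",
    "parameters": ["role", "org"],  # names the result set columns map onto
    "defaults": {"role": "guest", "org": "none"},
}

def setup_db():
    """Constructed in-memory black list and user table with sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blacklist(email TEXT);
        CREATE TABLE users(fb_id TEXT, email TEXT, role TEXT, org TEXT);
        INSERT INTO blacklist VALUES ('banned@example.org');
        INSERT INTO users VALUES ('100', 'alice@example.org', 'staff', 'psnc');
    """)
    return db

def fls_flow(db, conf, fb_attrs):
    """Steps 6 to 14 of the use case; returns (outcome, principal or None)."""
    # 6-8: black-list check; 6.A skips it when no query is configured.
    if conf.get("blacklist_query"):
        if db.execute(conf["blacklist_query"], fb_attrs).fetchone():
            return "blacklisted", None  # 8.A: redirect to the configured page
    params = dict(conf["defaults"])
    # 9.A: no database defined, go straight to step 13 with the defaults.
    if conf.get("lookup_query"):
        inserted = False
        while True:
            row = db.execute(conf["lookup_query"], fb_attrs).fetchone()  # 9-11
            if row:
                params = dict(zip(conf["parameters"], row))  # 12: map result set
                break
            if not conf.get("insert_statement"):
                break  # 11.A: no insert statement, keep the default values
            if inserted:
                return "error", None  # 11.C: insert ran but user still missing
            db.execute(conf["insert_statement"], fb_attrs)  # 11.B: insert once
            inserted = True
    # 13-14: Facebook attributes plus mapped parameters form the Principal.
    return "principal", {**fb_attrs, **params}
```

A quoted email such as `x' OR '1'='1` is matched as a literal string by the bound black-list query, and an insert statement whose columns do not match the lookup query is detected after one execution instead of looping.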

Downloads

You can download the modified Shibboleth IdP binary installation file from here.
Or download the standalone FLS from the attachments.
Or use this Maven dependency:

<dependency>
   <groupId>pl.psnc.synat</groupId>
   <artifactId>idp-facebook-login</artifactId>
   <version>1.1-SNAPSHOT</version>
</dependency>

From our Artifactory:

<repository>
  <id>apps.man.poznan.pl</id>
  <name>apps.man.poznan.pl-snapshots</name>
  <url>http://apps.man.poznan.pl/artifactory/libs-snapshot-local</url>
</repository>

Don't forget about the configuration file and Schema.