Configuring Twitter as an Identity Provider

The EmpowerID SSO framework allows you to configure Twitter as an identity provider for the EmpowerID Web application. EmpowerID integrates with Twitter using the OAuth protocol to allow your users to log in to EmpowerID with their Twitter accounts.

This topic describes how to configure an Identity Provider connection for Twitter and is divided into the following activities:

As a prerequisite to creating an IDP Connection for Twitter as an Identity Provider, you must have a Twitter account and register the EmpowerID Web application for your organization in the Twitter Application Management Console. This creates a set of values known by Twitter and the EmpowerID Web application that allow the two to trust one another. These values include the API Key and the API Secret (these values are generated by Twitter), as well as the Callback URL (this value is entered by you to tell Twitter where to post the assertion of a user's identity to the EmpowerID Assertion Consumer Service).

For specific directions on registering EmpowerID as an application in Twitter, see the information provided by Twitter at https://apps.twitter.com.

When registering EmpowerID in Twitter, use the following URL as the Callback or Return URL, replacing "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS of the EmpowerID Web server in your environment.

https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/oauth/v1

Once the IDP Connection has been set up for Twitter, you can create a link similar to the one below to allow users to log in to EmpowerID using Twitter. Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS of the EmpowerID Web server in your environment and "Twitter" with the name of the SSO connection you create for Twitter in EmpowerID.

https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/Twitter?returnUrl=%2FEmpowerIDWebIdPForms%2F
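Twitter's web sign-in is OAuth 1.0a, so the Consumer Key, Consumer Secret and Callback URL described above all enter the HMAC-SHA1 signature on the first request any OAuth client (EmpowerID's included) sends to Twitter. The following Python sketch is an added example, not EmpowerID's or Twitter's code; the consumer key, secret, nonce and timestamp are constructed placeholders, and the request-token endpoint is Twitter's documented OAuth 1.0a one.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder values: stand-ins for what Twitter generates and for
# the Callback URL the page tells you to register in the Twitter console.
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"
CONSUMER_SECRET = "EXAMPLE_CONSUMER_SECRET"
CALLBACK_URL = "https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/oauth/v1"
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as OAuth 1.0a requires: only unreserved characters kept."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & URL & normalized params, each of the three parts encoded once more."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string; key is secret '&' token secret (empty here)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def request_token_params(callback: str, nonce: str, timestamp: str) -> dict:
    """Build the signed oauth_* parameter set for the request-token step."""
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign(
        signature_base_string("POST", REQUEST_TOKEN_URL, params), CONSUMER_SECRET)
    return params


def verify(params: dict, consumer_secret: str) -> bool:
    """What the provider side does: recompute the signature from the received params."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(signature_base_string("POST", REQUEST_TOKEN_URL, unsigned), consumer_secret)
    return hmac.compare_digest(expected, params["oauth_signature"])
```

Because oauth_callback sits inside the signed parameter set, a request whose callback differs from the one EmpowerID signed fails verification, and nobody without the Consumer Secret can produce a valid signature at all, which is why that secret belongs only in the OAuth Connection pane described below.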

To add the Consumer Key and Consumer Secret to the Twitter OAuth Connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the OAuth Application management page by expanding Admin > SSO Connections and clicking OAuth.
  2. From the OAuth Applications management page, click the OAuth Service Provider tab and then search for Twitter.
  3. From the OAuth Service Provider grid, click the Twitter link.
  4. In the External OAuth Provider Details page that appears, click the Edit button (the pencil icon) for the specific Twitter connection you want to edit. By default, EmpowerID includes one connection. However, you can add as many connections for Twitter as your organization needs.
  5. In the OAuth Connection pane that appears, type the Consumer Key Twitter generated for your application in the Consumer Key field and the Consumer Secret in the Consumer Secret field.
  6. Click Save to close the OAuth Connection pane.
  7. Optionally, add any desired MFA points to the Twitter application by following the steps below.

To add MFA points to the Twitter application

  1. From the External OAuth Providers page for Twitter, click the Provider Edit link at the top of the page.
  2. In the MFA Point Value field, type the number of MFA points you want to give to users logging in with Twitter.
  3. Click Save.

Next, add a login tile for Twitter to the desired IdP Domains. This allows your users to authenticate to EmpowerID with their Twitter credentials. If you have not set up an IdP Domain for your environment, you can do so by following the directions below.

To create an IdP Domain

  1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
  2. Click the IdP Domains tab and then click the Add IdP Domain (+) button.
  3. In the IdP Domain Details page that appears, type the fully qualified domain name in the Domain Name field and then click Save.

To add a Login Tile for Twitter

  1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
  2. From the IdP Domains tab of the SSO Components management page, click the IdP Domains link for the domain in which you want the login tile to appear.
  3. In the IdP Domain Details page that appears, click the External OAuth Providers tab and check the box beside Twitter.
  4. Click Save.
  5. To give users the ability to log in using their EmpowerID credentials, be sure to select EmpowerID from the SAML Identity Providers tab of the IdP Domain Details page. Otherwise, users will only have the option to use their Twitter credentials to access their EmpowerID accounts.

Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

To test the Twitter IDP connection

  1. From the Navigation Sidebar, navigate to the Workflows page by expanding IT Shop and clicking Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.
  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for the Twitter IdP connection.
  4. Click the Login using Twitter button.
  5. Log in to Twitter as you normally would and then click Allow. This allows EmpowerID to retrieve the information it needs from Twitter to link your Twitter account to your EmpowerID identity (Person object).
  6. Back in the EmpowerID Web interface, click Yes to indicate that you have an EmpowerID login.
  7. Users without EmpowerID Persons can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.
  8. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
  9. Check your email for the one-time password.
  10. Copy the security code in the email message and then return to the EmpowerID Web application.
  11. Paste the password into the One-Time Password Validation field, and then click Submit.

Upon successful submission of your one-time password, EmpowerID logs you in to the Web application. Your Twitter account is now linked to your EmpowerID Person.