Configure Yahoo as an Identity Provider

The EmpowerID SSO framework allows you to configure Yahoo as an identity provider for the EmpowerID Web application. EmpowerID integrates with Yahoo using the OAuth protocol to allow your users to log in to EmpowerID using their Yahoo accounts.

This topic describes how to configure an IDP connection for Yahoo. It covers registering EmpowerID with Yahoo, adding the Yahoo Consumer Key and Secret to the OAuth connection, optionally assigning MFA points, adding a login tile to an IdP Domain, and testing the connection.

As a prerequisite to creating an SSO Connection for Yahoo as an Identity Provider, you must have a Yahoo account and create a project for the EmpowerID web application in the Yahoo Developer Network to access Yahoo's OAuth API. Doing so creates a set of values known to both Yahoo and the EmpowerID web application that allow the two to enter into a federated trust relationship. These values include the Client ID and the Client Secret (both generated by Yahoo), as well as the Callback Domain (entered by you to tell Yahoo where to post the assertion of a user's identity to the EmpowerID Assertion Consumer Service).

For specific directions on registering EmpowerID as an application in Yahoo, see the information provided by Yahoo at https://developer.yahoo.com.

When registering EmpowerID in Yahoo, use the following URL as the Callback or Return URL, replacing "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS of the EmpowerID Web server in your environment.

https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/oauth/v2

Once the IDP Connection has been set up for Yahoo, you can create a link similar to the one below to allow users to log in to EmpowerID using Yahoo.

Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS of the EmpowerID Web server in your environment and "Yahoo" with the name of the IDP connection you create for Yahoo in EmpowerID.

https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/Yahoo?returnUrl=%2FEmpowerIDWebIdPForms%2F
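The two URLs above can be generated and sanity-checked with a small script. This is an added example, not EmpowerID or Yahoo code; it uses the page's sample FQDN sso.empowersso.com as constructed input. Yahoo only posts the assertion to the callback it was given, so the check flags the mismatches that typically break the redirect (http instead of https, a placeholder or its quotes left in place, a different host or path, a stray query string).

```python
"""Build and sanity-check the EmpowerID callback and login URLs for a Yahoo IdP connection.

Added example (not EmpowerID or Yahoo code). The two path values come from the page;
the hostnames and connection names used in the checks are constructed sample values.
"""
from urllib.parse import urlencode, urlsplit

CALLBACK_PATH = "/EmpowerIDWebIdPForms/oauth/v2"
LOGIN_PATH_TEMPLATE = "/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/{idp}"
PLACEHOLDER = "FQDN_OF_YOUR_EMPOWERID_SERVER"


def callback_url(fqdn: str) -> str:
    """Value to register with Yahoo and to enter in the OAuth Connection pane."""
    return f"https://{fqdn.strip().lower()}{CALLBACK_PATH}"


def login_url(fqdn: str, idp_connection_name: str,
              return_url: str = "/EmpowerIDWebIdPForms/") -> str:
    """Link that sends a user through the named IdP connection; returnUrl is URL-encoded."""
    path = LOGIN_PATH_TEMPLATE.format(idp=idp_connection_name)
    query = urlencode({"returnUrl": return_url})  # '/' becomes %2F, as in the page's link
    return f"https://{fqdn.strip().lower()}{path}?{query}"


def check_callback(configured: str, fqdn: str) -> list:
    """Return the reasons a configured callback will not match what Yahoo was given.

    An empty list means the value is consistent with callback_url(fqdn).
    """
    problems = []
    if PLACEHOLDER in configured or '"' in configured:
        problems.append("placeholder or surrounding quotes were left in the URL")
    parts = urlsplit(configured)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, must be https")
    if parts.hostname != fqdn.strip().lower():
        problems.append(f"host {parts.hostname!r} does not match the EmpowerID Web server FQDN {fqdn!r}")
    # IIS paths are case-insensitive, and the page itself writes this path in both cases.
    if parts.path.lower() != CALLBACK_PATH.lower():
        problems.append(f"path {parts.path!r} is not {CALLBACK_PATH!r}")
    if parts.query or parts.fragment:
        problems.append("callback must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    print(callback_url("sso.empowersso.com"))
    print(login_url("sso.empowersso.com", "Yahoo"))
    print(check_callback("http://sso.empowersso.com" + CALLBACK_PATH, "sso.empowersso.com"))
```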

To add the Yahoo Consumer Key and Secret to the Yahoo OAuth Connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the OAuth Connections management page by expanding Admin > SSO Connections and clicking OAuth.
  2. From the OAuth Applications management page, click the OAuth Service Provider tab and then search for Yahoo.
  3. From the OAuth Service Provider grid, click the Yahoo link.
  4. From the OAuth Service Provider Details page that appears, click the Edit button for the specific Yahoo connection you want to edit. By default, EmpowerID includes one connection. However, you can add as many connections for Yahoo as your organization needs.
  5. In the OAuth Connection pane that appears, type the APP ID Yahoo generated for your application in the Consumer Key field and the App Secret in the Consumer Secret field.
  6. Prepend the FQDN of your EmpowerID Web server, using the https scheme, to the value in the Callback Url field. For example, the FQDN of the EmpowerID Web server in our environment is "sso.empowersso.com", so the full Callback Url for our site is "https://sso.empowersso.com/empoweridwebidpforms/oauth/v2".
  7. Click Save to close the OAuth Connection pane.
  8. Optionally, add any desired MFA points to the Yahoo application by following the steps below.

To add MFA points to the Yahoo application

  1. From the External OAuth Providers page for Yahoo, click the Provider Edit link at the top of the page.
  2. In the MFA Point Value field, type the number of MFA points you want to give to users logging in with Yahoo.
  3. Click Save.

Next, add a login tile for Yahoo to the desired IdP Domains. This allows your users to authenticate to EmpowerID with their Yahoo credentials. If you have not set up an IdP Domain for your environment, you can do so by following the directions below.

To create an IdP Domain

  1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
  2. Click the IdP Domains tab and then click the Add IdP Domain (+) button.
  3. Type the fully qualified domain name in the Domain Name field and then click Save.

To add a Login Tile for Yahoo

  1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
  2. In the IdP Domain Details page that appears, click the External OAuth Providers tab and check the box beside Yahoo.
  3. Click Save.
  4. To give users the ability to log in using their EmpowerID credentials, be sure to select EmpowerID from the SAML Identity Providers tab of the IdP Domain Details page.

Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

To test the Yahoo connection

  1. From the Navigation Sidebar, navigate to the Workflows page by expanding IT Shop and clicking Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.
  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for the Yahoo IdP connection.
  4. Click the Login using Yahoo button.
  5. In the Sign in to Yahoo! page that appears, enter your Yahoo email address and click Next.
  6. Enter your Yahoo password and click Sign in.
  7. This directs you to the Authorize Access page for your Yahoo account. Click Agree to allow sharing of Yahoo! Info with EmpowerID. This permissions page only appears the first time you log in to EmpowerID with your Yahoo account; subsequent logins simply redirect your browser from the Yahoo login page to the EmpowerID Web application.
  8. Back in the EmpowerID Web interface, click Yes to indicate that you have an EmpowerID login. Users without EmpowerID Persons can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.
  9. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address, as EmpowerID sends a one-time password to that address.
  10. Check your email for the one-time password.
  11. Back in the EmpowerID Web interface, type the one-time password into the Password field of the One-Time Password Validation form and click Submit.

Upon successful submission of your one-time password, EmpowerID logs the user in and joins the Yahoo account to their EmpowerID Person account.

If you have set up the user's Password Manager policy to require that the user accumulate a specific number of trust points beyond those granted by the identity provider, EmpowerID directs the user through any multi-factor methods you have enabled on the policy until they reach the point threshold needed to log in.