Introduction
Starting with version 9.1.1, IBM Marketing Platform supports federated authentication, which can be configured for single sign-on with external entities such as Google, Salesforce, Amazon, or the customer’s in-house authentication. After integration, IBM Marketing Platform allows users who are authenticated externally to seamlessly access all Omni Channel Marketing products such as IBM Campaign, IBM Interact, and IBM Marketing Operations. A federation consists of an Identity Provider (IdP) server and service providers (SPs), as illustrated below.


Figure 1 – Single sign-on federation
In addition, to enable SSO between Google and IBM Omni Channel Marketing products, the federation must include IBM Marketing Platform and a custom component that your organization develops.
 
Integration architecture
Figure 2 depicts the overall integration architecture and sequence flow. The custom component initiates and connects the components required for the Google integration. All other components are already available and only need to be configured.


Figure 2 – Architectural diagram of federated single sign on integration with Google OAuth server
1. A user who wants to access an IBM Omni Channel Marketing product first accesses the custom component’s home page to choose the authentication mode from the available options (IBM Marketing Platform, Google, etc.). An example custom component home page is shown in figure 3.
2. When the user chooses to log in with Google’s authentication, the custom component redirects the user to Google’s login page with the required parameters. After the user is authenticated, Google redirects the user request back to the custom component for further processing.
3. The custom component inspects the request to determine the user’s profile data and calls the IdP server to obtain a federated token.
4. The custom component redirects the request to IBM Marketing Platform with the required parameters.
5. Marketing Platform’s federated security filter intercepts the request and calls the IdP server again to validate the requested token and parameters.
6. If the user is valid, IBM Marketing Platform presents the requested page to the user without prompting again for authentication.


Figure 3 – A sample implementation of the custom component’s home page
Prerequisites
This integration requires a fully functioning installation of IBM Marketing Platform version 9.1.1 and any Omni Channel Marketing products used by your organization. IBM Marketing Platform version 9.1.1 ships with an Identity Provider (IdP) server that provides token manager services for federated authentication. This server exposes RESTful APIs to create, validate, and delete the federated security tokens used for single sign-on. The IdP server and the custom component can be hosted on any supported web server on the public domain. The supported web servers are IBM WebSphere, Oracle WebLogic, and Tomcat. The IdP server requires a supported database server. Supported database servers are SQL Server, Db2, and Oracle. The federation must be installed and configured as described in the IBM Marketing Platform Administrator’s Guide. This guide is available as follows:


Google accounts authentication

In this integration, users are authenticated with their GMail ID. Set up a client ID for a web application in Google. Create a new GMail ID, or use an existing one, to log in to the Google Developers Console (https://console.developers.google.com/). When you create the Google client ID, make sure to turn on the Google+ API and Contacts API in the Enabled APIs dashboard (https://console.developers.google.com/project/ocm-platform-sso/apiui/api), shown in figure 4.


Figure 4 – Enabled APIs in Google Developer Console
After this setup is done successfully, the Google Developers Console provides all the details required to configure Google’s OAuth APIs, which the custom component uses to perform OAuth authentication. Figure 5 shows the Google Developers Console.
See the Google Accounts Authentication and Authorization (https://developers.google.com/accounts/docs/OAuth2) page for API and client utility details.
In addition, see the source code with Javadoc that is attached to this article.


Figure 5 – Client details in Google Developers Console
Custom component
The custom component is a web application that you develop to consume Google OAuth APIs and provide a callback URL that is exposed to Google. Sample source code is attached to this article. The custom component does not have any database dependency and can be deployed as a web application. After the user is authenticated, Google redirects the request to the callback URL with the user’s profile data and security token. Because of this requirement from Google, the custom component must be hosted on a public URL that is accessible on the Internet by the Google server.

Refer to the sample code provided with this article to develop and configure the custom component required for this integration. To develop the custom component, you must download the authentication APIs from Google at this link: https://developers.google.com/api-client-library/java/apis/oauth2/v1 Add all required libraries to the class path in order to call the Google OAuth APIs. After the GMail ID is resolved, the custom component uses the IdP client facade APIs to obtain the federated token and invoke IBM Marketing Platform with all required parameters to authenticate the single sign-on. The custom component requires two servlet implementations for Google OAuth integration:

  • The first servlet uses Google authentication APIs to construct a request and redirect it to Google’s OAuth server for UI based authentication.
  • If the user’s authentication is successful and consent is granted to access the user’s profile data, Google redirects the request to the second servlet to process the callback response. Google embeds the security token that is used in conjunction with the client ID, client secret, and other attributes shown in the Google Developers Console (figure 5). This servlet uses the Google authentication APIs to obtain the user’s credentials, which include the GMail ID used for authentication.
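The two servlets described above, as an added example written for this article (it is not the sample code attached to it) using the Google OAuth client library for Java: the first servlet calls startLogin() and redirects the browser to the returned URL, the second validates Google's callback before handing off to Marketing Platform. The IdP client facade hook (obtainFederatedToken), the Platform URL and its query parameter name are assumptions; take the real ones from the attached sample code and your own deployment.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.http.*;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

public abstract class GoogleCallbackServlet extends HttpServlet {
    // Client details from the Google Developers Console (figure 5); placeholder values here.
    static final String CLIENT_ID = "<client-id>", CLIENT_SECRET = "<client-secret>";
    static final String REDIRECT_URI = "https://<public-host>/sso/callback"; // must be reachable by Google
    static final String PLATFORM_URL = "https://<platform-host>/unica/";    // placeholder
    static final GoogleAuthorizationCodeFlow FLOW = new GoogleAuthorizationCodeFlow.Builder(
        new NetHttpTransport(), JacksonFactory.getDefaultInstance(), CLIENT_ID, CLIENT_SECRET,
        Arrays.asList("openid", "email")).build();

    /** Called by the first servlet: binds a random state to the session and returns Google's login URL. */
    static String startLogin(HttpSession session) {
        byte[] rnd = new byte[32]; new SecureRandom().nextBytes(rnd);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(rnd);
        session.setAttribute("oauth_state", state);
        return FLOW.newAuthorizationUrl().setRedirectUri(REDIRECT_URI).setState(state).build();
    }

    /** Hypothetical hook for the IdP client facade API shipped with Marketing Platform (step 3). */
    protected abstract String obtainFederatedToken(String gmailId) throws IOException;
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("oauth_state");
        if (expected == null || !expected.equals(req.getParameter("state"))) { // login-CSRF check
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "state mismatch"); return;
        }
        session.removeAttribute("oauth_state");                                // state is single use
        String code = req.getParameter("code");
        if (code == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "consent denied"); return; }
        // Exchange the code server-side; read the GMail ID from Google's signed ID token, not the query string.
        GoogleTokenResponse token = FLOW.newTokenRequest(code).setRedirectUri(REDIRECT_URI).execute();
        GoogleIdToken.Payload payload = token.parseIdToken().getPayload();
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "unverified email"); return;
        }
        // Step 4: redirect to Marketing Platform with the federated token (parameter name is a placeholder).
        String federatedToken = obtainFederatedToken(payload.getEmail());
        resp.sendRedirect(PLATFORM_URL + "?federatedToken=" + URLEncoder.encode(federatedToken, "UTF-8"));
    }
}
```

Map the verified GMail ID to a Marketing Platform user only after the state check and the server-side code exchange succeed, so that nothing the browser supplies in the callback URL alone decides who gets signed in.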

Deployment
You can deploy the IdP-Server.war along with the custom component in the same server, or you can deploy it separately. There is no direct dependency between these two applications.


        Atul Shinde
        Senior Software Developer
          HCL Products and Platforms – Platform, Campaign, L3

Further Reading