Facebook requesting friend list profile access when users log in to NetIQ Social Access using Facebook Identity Source

  • 7015645
  • 10-Sep-2014
  • 10-Sep-2014

Environment

NetIQ Social Access 1.x
NetIQ Social Access 2.x
Facebook Identity Source
Facebook Application defined with access to public, email and friend list profiles

Situation

A NetIQ Social Access (NSA) appliance is set up to provide SSO to multiple SAML-enabled applications from the NSA Identity Provider. Multiple social providers are configured on the appliance (Yahoo, LinkedIn, Facebook, Google) so that users can log in to these sites, retrieve attributes and inject these attributes into the SAML assertions sent to the SAML-enabled applications. These SAML-enabled applications require a list of attributes that are mostly available from public profiles, e.g. first name, last name and email address.

All works fine: users can hit the NSA appliance, get redirected to the social provider and, assuming their credentials are valid, SSO to the SAML-enabled apps. With Facebook, however, it was noted that when users authenticate for the first time following a redirect from NSA, Facebook requests approval (as normal) from the user for profile data that is unrelated to what is required. Specifically, the message coming back states that:

"NetIQ Test Fb App will receive the following info: your public profile, friend list and email address"

where NetIQ Test Fb App is the Facebook App name that NSA is using for authentication. Clearly, we do not need the friend list profile, and this raises some concerns about the data being exchanged.

Resolution

The message is cosmetic in nature: Facebook will NOT send the friend list attributes, as they are not required by NSA. The OAuth request from NSA only asks for the scopes needed for the attributes required in the AttributeStatement section of the assertion (defined by the SAML connector), none of which need the friend list details in the above case.
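A quick way to confirm this for yourself is to capture the authorization redirect that NSA sends the browser to and compare the scopes in it with what the SAML connector's AttributeStatement actually needs. The following is an added example, not code from the article or the NetIQ product; the attribute names and the URL are constructed, and the attribute-to-scope mapping is an assumption (public_profile, email and user_friends are the real Facebook Login permission names).

```python
from urllib.parse import urlparse, parse_qs

# Assumed mapping (not from the article) from SAML attributes the connector
# puts in the AttributeStatement to the Facebook permission that exposes them.
# The attribute names are illustrative; the permission names are Facebook's.
ATTRIBUTE_TO_SCOPE = {
    "firstName": "public_profile",
    "lastName": "public_profile",
    "email": "email",
    "friends": "user_friends",
}


def required_scopes(attribute_statement):
    """Minimal set of OAuth scopes needed for the attributes in the assertion."""
    scopes = set()
    for attr in attribute_statement:
        if attr not in ATTRIBUTE_TO_SCOPE:
            raise ValueError(f"no Facebook scope known for attribute {attr!r}")
        scopes.add(ATTRIBUTE_TO_SCOPE[attr])
    return scopes


def requested_scopes(authorize_url):
    """Scopes present in a captured OAuth 2.0 authorization request URL."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    # Facebook accepts comma-separated scopes; other providers use spaces.
    return {s for s in raw.replace(",", " ").split() if s}


def excess_scopes(authorize_url, attribute_statement):
    """Scopes the client asks for that no attribute in the assertion needs."""
    return requested_scopes(authorize_url) - required_scopes(attribute_statement)


# Constructed sample of the redirect an IdP sends the browser to Facebook with.
SAMPLE_URL = ("https://www.facebook.com/dialog/oauth?client_id=123456"
              "&redirect_uri=https%3A%2F%2Fnsa.example.com%2Fcallback"
              "&scope=public_profile,email&state=abc&response_type=code")
ATTRS = ["firstName", "lastName", "email"]

if __name__ == "__main__":
    print("required:", sorted(required_scopes(ATTRS)))
    print("excess:", sorted(excess_scopes(SAMPLE_URL, ATTRS)))
```

An empty excess set means the request is already scoped to what the assertion needs, regardless of the wording of Facebook's consent screen.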

Another option, which avoids the warning completely, is to disable sharing of the friend list profile at the application layer. With this done, NSA or any other OAuth client may still try requesting the friend list profile via the appropriate scope, but the App will never return the information.