Configuring your application in Baidu

To use Baidu as an identity provider, you must configure your application in Baidu.

Before you begin

Follow the steps in Adding a social identity provider. You must have an account on the Baidu developer website.

About this task

Note: Some Chinese providers do not provide email ID attributes. Nor do they require an email ID for account sign-up and registration.

Therefore, such providers do not necessarily return an email address as a profile data element, which affects 2FA with these providers.

Adding a Baidu or a Baidu mobile identity provider

You can configure Baidu to use either the web flow, or the mobile flow, or both, but you must configure at least one of the flows.

Before you begin

Configure your application at Baidu. See Configuring your application in Baidu. Provide the social identity provider with certain data about your application. After you register the application, copy the information that is assigned by the social identity provider. You must provide the information to Verify.

Note: Some Chinese providers do not provide email ID attributes. Nor do they require an email ID for account sign-up and registration.

Therefore, such providers do not necessarily return an email address as a profile data element, which affects 2FA with these providers.

Procedure

  1. Log in to the Baidu developers site at https://developers.baidu.com/.
  2. Select Authentication > Identity providers. Select Add Identity Provider.
  3. Select Baidu from the list of social identity providers and select Next.
  4. Specify the basic information.
    Table 1. Basic information
    Information Descriptions
    Name

    The name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others.

    If there is more than one identity provider that is configured and enabled, the identity provider name is displayed in the Verify Sign In page.

    This information is also displayed in the Directory > Users & Groups > Users tab, Add User dialog box, when you select an Identity Provider.

    Realm

    It is an identity provider attribute that helps distinguish users from multiple identity providers that have the same username.

    For Baidu, the realm value is www.baidu.com.

    Enabled

    Indicates whether the identity provider is active and available.

    If turned Off, the identity provider is not configured as a sign-in option. The users cannot use the configured identity provider to sign in to the target application.

    If turned On, it is partially enabled. This setting does not automatically enable this source for all applications. You must select this source for the individual applications.

    ID

    An ID is generated for the identity provider when you select Save.
  5. Click Settings and add the redirect URL.
    The URL for Baidu is https://<tenant_name>/idaas/mtfim/sps/idaas/login/baidu/callback.
    For example, https://<tenant_name>.verify.ibm.com/idaas/mtfim/sps/idaas/login/baidu/callback
  6. Click Next to continue, or Back to change your configuration.
  7. To identity provider: proceed to configure your application on the WeChat website and register it for single sign-on. You must provide Baidu with information about your application, including the authorized callback domain of your tenant.
  8. Click Next to continue, or Back to change your configuration.
  9. From identity provider: select the configuration type.
    You can choose one or both of the configurations.
    Note: Each flow is a separate registration.
    • Web configuration
      1. Turn the switch to On to enable Baidu web configuration.
      2. Provide the AppID and the AppSecret that you received at registration in the required fields.
    • Mobile configuration
      1. Turn the switch to On to enable Baidu mobile configuration.
      2. Provide the Issuer of the social JWT that is received by Verify. The issuer that you specify must match the issuer that is received for verification to occur.
      3. Select the Verification certificate that is used to verify the social JWT from the menu.
      4. Configure the tokens that the Baidu mobile application receives.
        Access token expiry (secs)
        Sets the length of time, in seconds, after which the access token expires.

        Set an access token expiry to limit the time that an attacker can access the resource with a stolen token if the client application is compromised.

        Only positive integers are allowed.

        The default value is 7200 seconds. The minimum allowed value is 1 and the maximum is 2147483647 seconds.

        Access token format
        Indicates whether the access token is produced as an opaque string, which is the Default setting, or in JWT (JSON Web Token) format.
        Generate refresh token
        Indicates whether the client application can request and use a refresh token to obtain a new access token from the authorization server of the OpenID Connect identity provider.

        Use this option only if the application intends to use the access token to perform operations by using Verify APIs.

        It is only necessary to obtain a new access token if the previous one expired.

        Refresh token lifetime
        Sets the length of time during which the user can re-authenticate after the access token expires without performing a full single sign-on.

        Set the refresh token expiry to require the user to perform a full single sign-on operation against Verify after some time elapsed. Expiry time is based on total elapsed time and includes idle time.

        This option is displayed but disabled, unless you enabled Generate refresh token.

        A refresh token is used to get a new access token to continue access to the protected resource.

        Only positive integers are allowed.

        The default value is 7200 seconds. The minimum value must be equal to or greater than the Access token expiry value and the maximum value is 2147483647 seconds.

      5. Map attributes that you want to include in the introspection endpoint and the JWT access token payload.
        Attribute Name
        Name of the attribute that the relying party uses and requires from Verify.
        Source attribute

        Lists all of the attribute sources that you defined for each type in Configuration > Attributes.

        The value of your selected attribute source is assigned as the attribute value for the defined relying party attribute name in the ID token.

      6. Select Configure the API access to specify the API accesses that are granted to the access token. You can select specific API accesses or set the Select All toggle to On to select all the accesses.
  10. Optional: Add or remove scopes to control how the application is used.
    Remember to press Enter after each scope that you add.
  11. Click Next to continue, or Back to change your configuration.
  12. To enable identity linking, turn the switch to On and provide the following information.
    Unique User Identifier
    The user attribute that acts as the identifier for the linked account.
    Just-in-time Provisioning
    Turn the switch to On to create a shadow account in the primary realm if the user account is not found in the primary identity source.
    External ID
    The identifier that is used to uniquely identify users in the Baidu user repository.
  13. Select Save.
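The mobile configuration above sets two lifetimes with stated bounds and requires the Issuer of the social JWT to match the configured value before the token is accepted. The following is an added example (not IBM Security Verify's or Baidu's code) that enforces those table rules and performs the issuer, expiry and signature checks on a constructed token; DEMO_KEY is a constructed HMAC stand-in for the Verification certificate, and all function names are illustrative.

```python
# Added example (not IBM's or Baidu's code): enforces the lifetime rules from the
# settings table and the "issuer must match" check for the mobile-flow social JWT.
# DEMO_KEY is a constructed HMAC stand-in for the Verification certificate.
import base64, hashlib, hmac, json, time
MAX_SECS = 2147483647                 # upper bound stated for both lifetime fields
DEMO_KEY = b"constructed-demo-key"     # constructed; not a real key

def settings_errors(access_expiry, generate_refresh, refresh_lifetime=None):
    """Return the table-rule violations as a list (empty list means valid)."""
    errors = []
    if not isinstance(access_expiry, int) or not 1 <= access_expiry <= MAX_SECS:
        errors.append("Access token expiry must be an integer from 1 to %d" % MAX_SECS)
    if generate_refresh:  # lifetime field is disabled unless refresh tokens are on
        if not isinstance(refresh_lifetime, int) or not 1 <= refresh_lifetime <= MAX_SECS:
            errors.append("Refresh token lifetime must be an integer from 1 to %d" % MAX_SECS)
        elif refresh_lifetime < access_expiry:
            errors.append("Refresh token lifetime must be >= Access token expiry")
    return errors

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims, key=DEMO_KEY):
    """Build a constructed HS256 social JWT so the check below can be exercised."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    return head + "." + body + "." + _b64url_encode(sig)

def check_social_jwt(token, expected_issuer, now=None):
    """Return (True, claims) only if signature, issuer and expiry all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # never honour alg=none
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "signature does not verify"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != expected_issuer:  # the Issuer configured in Verify must match
        return False, "issuer mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired or missing exp"
    return True, claims
```

In a real deployment the HMAC comparison is replaced by signature verification against the certificate selected in step 9, and the issuer string is the one entered in the Issuer field.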