<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%"> ---+!! Enable Applications Passwords for Non-Web Clients on JAS Configured with Third Party SAML/OIDC Providers <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/todo.png" alt="todo.png" width="50" height="50" align="right"> %DKGRAY% Authors: Main.ShubjitNaik <br> Build basis: Engineering Lifecycle Management Solution 7.0.2 and Higher %ENDCOLOR%</div></sticky> <!-- Page contents top of page on right hand side in box --> <sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;"> %TOC{title="Page contents"}% </div></sticky> <sticky><div style="margin:15px;"></sticky> Configuring Engineering Lifecycle Management (ELM) to authenticate via corporate SAML IDP or OIDC Provider is a common request from our clients as it allows for Multi-factor authentication. Until version 7.0.1 this authentication flow was possible via Jazz Authorization Server (JAS) and it worked only for Web Clients and the Non-web clients authenticated directly via JAS. Starting ELM and JAS version 7.0.2, a new type of authentication flow is being provided for Non-web (native) clients connecting to ELM applications that are configured with Jazz Authorization Server delegated to a third party Identity provider via SAML or OIDC. Details about the feature is available on [[https://openliberty.io/blog/2019/09/13/microprofile-reactive-messaging-19009.html#oidc][Liberty application password feature]] and our [[https://jazz.net/wiki/bin/view/Main/ApplicationPasswordsForNativeClients][Development Wiki Article]]. The focus on this article is to provide simple instructions on enabling App Passwords on Jazz Authorization Server configured to delegate authentication to third party identity Providers via SAML or OIDC, without changing the configuration on the ELM Applications. ---++ High Level Instructions Pre-Req: Jazz Authorization Server is configured to delegate authentication to a third party Identity Provider Via SAML or OIDC * Register a new Client for Application password configuration * Configure Jazz Authorization Server to enable Application passwords * Allow Application password and Password grant type for ELM Applications registered in JAS * Generate Application password as a User ---++ Register a new Client for Application Password configuration To enable Application password in JAS, the configurations needs a !ClientId and a Secret. We can reset the Client Secret of one of the ELM application, example JTS and use those credentials in the JAS config. But to minimize changes to the ELM application configurations, we will create a new !ClientId and Secret which will solely be used for the Application password configurations. Here is a sample app.json file to create a new Client in JAS. <verbatim> { "registration_client_uri" : "https://<JASURI>/oidc/endpoint/jazzop/registration/AppPasswordClientId", "client_id" : "AppPasswordClientId", "client_secret" : "AppPasswordClientPassword", "publicClient" : false, "application_type" : "web", "appPasswordAllowed" : true, "appTokenAllowed" : true, "allow_regexp_redirects" : false, "token_endpoint_auth_method" : "client_secret_basic", "scope" : "openid profile email general", "client_name" : "Enable App Password", "preauthorized_scope" : "openid profile email general", "trusted_uri_prefixes" : [ "https://<JASURI>/" ], "grant_types" : [ "password", "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ], "redirect_uris" : [ "https://<JASURI>/jazzop" ], "introspect_tokens" : true, "proofKeyForCodeExchange" : false, "response_types" : [ "code", "token","id_token token" ] } </verbatim> <br> In the above example replace/update the following variables: * =JASURI= - Your Jazz Authorization Server URI * =client_name= - Name to uniquely identify your client * =client_id= and =client_secret= - Unique !ClientId and Secret (Update the !ClientId on the registration_client_uri as well) *Import the app.json file to JAS* <verbatim> # cd /<JAS_Home>\cli # ./ldclient -a https://<JASURI>/oidc/endpoint/jazzop -u UserName:Password -c app.json </verbatim> <br> ---++ Configure JAS to enable App Passwords There are a few sections to edit in [JAS_HOME]/wlp/usr/servers/jazzop/appConfig.xml file. * Specify the new !ClientId and Secret in the =oauthProvider= element * The attributes to update are =internalClientId= and =internalClientSecret= along with setting the attribute =passwordGrantRequiresAppPassword= to true. Here is an example: <verbatim> <openidConnectProvider id="jazzop" oauthProviderRef="JazzOP" sessionManaged="true"/> <oauthProvider id="JazzOP" httpsRequired="true" autoAuthorize="true" customLoginURL="/jazzop/form/login" accessTokenLifetime="7201" authorizationGrantLifetime="604801" passwordGrantRequiresAppPassword="true" internalClientId="AppPasswordClientId" internalClientSecret="AppPasswordClientPassword" trackOAuthClients="true"> <databaseStore dataSourceRef="OAUTH2DBDS" /> </oauthProvider> </verbatim> * Optional: Add the =appPasswordLifetime= attribute to the =oauthProvider= element to change how long the Application password will remain active. The default value is 90 days (90d). See [[https://www.ibm.com/docs/en/was-liberty/core?topic=configuration-oauthprovider][oauthProvider]] definition in Liberty documentation. * Update the OIDC or SAML *filters* for the personal token management UI to require delegated authentication: <verbatim> <requestUrl id="samlRequestUrl" urlPattern="/authorize|/personalTokenManagement" matchType="contains" /> <userAgent id="samlUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/> </verbatim> * Define Administrators for token management UI, under =tokenManager= element shown below <verbatim> <oauth-roles> <authenticated> <special-subject type="ALL_AUTHENTICATED_USERS" /> </authenticated> <clientManager> <group name="JazzAdmins" /> </clientManager> <tokenManager> <group name="JazzAdmins" /> </tokenManager> </oauth-roles> </verbatim> <br> ---++ Enable Application password and Password grant type for ELM Applications registered in JAS First verify the attributes for already registered ELM applications by accessing the URL <verbatim>https://jas.example.com/oidc/endpoint/jazzop/registration </verbatim> Following are the attributes to look out for <verbatim> "appPasswordAllowed" : false, "grant_types" : [ "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ], </verbatim> The value for =appPasswordAllowed= should be =true= and ="password"= should be present in the =grant_types=. Here are the steps to update the attribute values: * Export the Application registrations from JAS <verbatim>./lsclient -a https://jas.example.com/oidc/endpoint/jazzop -u UserName:Password > jas_export.json </verbatim> * Edit the =jas_export.json= file and for each application: * Update =appPasswordAllowed= to =true= * Add =password= to the list of grant types * Here is an extract of the updated values <verbatim> { .... "appPasswordAllowed" : true, "grant_types" : [ "password", "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ], .... } </verbatim> * Import the updated json file to change the desired values <verbatim>./ldclient -a https://jas.example.com/oidc/endpoint/jazzop -u UserName:Password jas_export.json </verbatim> <br> ---++ Generate Application Passwords as a User Once JAS is configured for Application passwords, users will be able to generate app passwords for their userId via the following URL. This will follow the SAML/OIDC authenticaion flow =https://jas.example.com/oidc/endpoint/jazzop/personalTokenManagement= * Click on Add New <br><br> <img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass1.png" alt="app-pass1.png" width="600" height="250" /> <br><br> * Select app-password and click Generate and copy the generated password <br><br> <img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass2.png" alt="app-pass2.png" width="850" height="300" /> <br> * By default the password is valid for 90 days. You can configure the validity by adding =appPasswordLifetime= attribute <br><br> <img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass3.png" alt="app-pass3.png" width="600" height="220" /> <br> =Note= : An Application password is locked to the first Application it is used against. For example, an Application password generated and used with Workflow Management Clients cannot be reused with Test Management clients. <br> ---++ Use Application Password with a non-web client Use the generated Application Password from previous step with any Native client. Here is an example of for SCM Tools <br> <verbatim> # ./scm login -r https://ewm.example.co/ccm -u clmadmin -P L8ePXlZsUN848mXCO25t757E524U7z5pLC1H4vbbZe </verbatim> <br> ---++ Redirect usersTokenManagement authentication to SAML !IdP or Third Party OIDC Provider The =usersTokenManagement= url on JAS allows Administrators to search for specific users and review/delete their Application Passwords. <verbatim>https://jas.example.com/oidc/endpoint/jazzop/usersTokenManagement </verbatim> By default the authentication is based on the backing userRegistry configured with JAS. To redirect the page to SAML IdP for authentication edit the filters as follows: <verbatim> <requestUrl id="samlRequestUrl" urlPattern="/authorize|/personalTokenManagement|/usersTokenManagement" matchType="contains" /> <userAgent id="samlUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/> </verbatim> The authentication fails with 403 forbidden. The reason is, the access is restricted to specific users who have been defined under =tokenManager= as shown below. <verbatim> <oauth-roles> <authenticated> <special-subject type="ALL_AUTHENTICATED_USERS" /> </authenticated> <clientManager> <group name="JazzAdmins" /> </clientManager> <tokenManager> <group name="JazzAdmins" /> </tokenManager> </oauth-roles> </verbatim> <br> While the user is authenticated via SAML !IdP or Third Party OIDC Provider, mapping the user to a group on the backing userRegistry on JAS does not happen with the default configurations and hence the access is denied. <br> To overcome this error add =mapToUserRegistry="user"= within the =samlWebSso20= configuration or =mapToUserRegistry="true"= within the =oidcLogin= configuration. Sample SAML configuration shown below <verbatim><samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="false" authFilterRef="samlAuthFilter" keyStoreRef="defaultKeyStore" mapToUserRegistry="user" > </samlWebSso20> </verbatim> =Note: These steps apply for /ClientManagement and/or /registration URLs as well= ---++ Encrypting internalClientSecret in appConfig.xml file In the current version of IBM !WebSphere Liberty until version 23.0.0.2, encrypted values for =internalClientSecret= is not accepted and there is an error accessing the =personalTokenManagement= UI page. This is planned to be implemented in one of the upcoming releases. Please visit the [[https://www.ibm.com/support/pages/fix-list-ibm-websphere-application-server-liberty][Fix list for IBM WebSphere Liberty]] to review new releases when this is implemented. <br><br> ---+++++!! Related topics: [[https://openliberty.io/blog/2019/09/13/microprofile-reactive-messaging-19009.html#oidc][Liberty application password feature]], [[ApplicationPasswordsForNativeClients][Development Wiki - App Password]] <sticky></div></sticky>
This topic: Deployment
>
WebHome
>
DeploymentInstallingUpgradingAndMigrating
>
JazzAuthorizationServer
>
EnableJASAppPasswords
History: r14 - 2023-04-07 - 07:19:40 -
ShubjitNaik
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our
Terms of Use.
Please read the following
disclaimer
.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more
here
.