r7 - 2021-05-05 - 06:57:52 - ShubjitNaik
---+!! Enable Application Passwords for Non-Web Clients on JAS Configured with Third Party SAML/OIDC Providers

Authors: Main.ShubjitNaik
Build basis: Engineering Lifecycle Management Solution 7.0.2 and Higher

Configuring Engineering Lifecycle Management (ELM) to authenticate via a corporate SAML IdP or OIDC provider is a common request from our clients, as it allows for multi-factor authentication. Until version 7.0.1 this authentication flow was available via Jazz Authorization Server (JAS), but it worked only for web clients; non-web clients authenticated directly against JAS. Starting with ELM and JAS version 7.0.2, a new authentication flow is provided for non-web (native) clients connecting to ELM applications that are configured with a Jazz Authorization Server that delegates to a third party identity provider via SAML or OIDC. Details about the feature are available in the [[https://openliberty.io/blog/2019/09/13/microprofile-reactive-messaging-19009.html#oidc][Liberty application password feature]] post and our [[https://jazz.net/wiki/bin/view/Main/ApplicationPasswordsForNativeClients][Development Wiki Article]].

The focus of this article is to provide simple instructions for enabling App Passwords on a Jazz Authorization Server configured to delegate authentication to third party identity providers via SAML or OIDC, without changing the configuration of the ELM applications.

---++ High Level Instructions

Pre-req: Jazz Authorization Server is configured to delegate authentication to a third party identity provider via SAML or OIDC.

   * Register a new client for the Application password configuration
   * Configure Jazz Authorization Server to enable Application passwords
   * Allow the Application password and Password grant type for the ELM applications registered in JAS
   * Generate an Application password as a user

---++ Register a new Client for Application Password configuration

To enable Application passwords in JAS, the configuration needs a !ClientId and a secret. We could reset the client secret of one of the ELM applications, for example JTS, and use those credentials in the JAS config. But to minimize changes to the ELM application configurations, we will create a new !ClientId and secret that will be used solely for the Application password configuration.

Here is a sample app.json file to create a new client in JAS.

<verbatim>
{
  "registration_client_uri" : "https://<JASURI>/oidc/endpoint/jazzop/registration/AppPasswordClientId",
  "client_id" : "AppPasswordClientId",
  "client_secret" : "AppPasswordClientPassword",
  "publicClient" : false,
  "application_type" : "web",
  "appPasswordAllowed" : true,
  "appTokenAllowed" : true,
  "allow_regexp_redirects" : false,
  "token_endpoint_auth_method" : "client_secret_basic",
  "scope" : "openid profile email general",
  "functional_user_id" : "[JazzAdmin User]",
  "client_name" : "Enable App Password",
  "preauthorized_scope" : "openid profile email general",
  "trusted_uri_prefixes" : [ "https://<JASURI>/" ],
  "grant_types" : [ "password", "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ],
  "redirect_uris" : [ "https://<JASURI>/jazzop" ],
  "introspect_tokens" : true,
  "proofKeyForCodeExchange" : false,
  "response_types" : [ "code", "token", "id_token token" ]
}
</verbatim>

In the above example replace/update the following variables:
   * =JASURI= - Your Jazz Authorization Server URI
   * =functional_user_id= - A !JazzAdmin user
   * =client_name= - Name to uniquely identify your client
   * =client_id= and =client_secret= - Unique !ClientId and secret (update the !ClientId in the =registration_client_uri= as well)

*Import the app.json file to JAS*

<verbatim>
# cd /<JAS_Home>/cli
# ./ldclient -a https://<JASURI>/oidc/endpoint/jazzop -u [UserName]:[Password] -c app.json
</verbatim>

---++ Configure JAS to enable App Passwords

There are a few sections to edit in the [JAS_HOME]/wlp/usr/servers/jazzop/appConfig.xml file.

   * Specify the new !ClientId and secret in the =oauthProvider= element. The attributes to update are =internalClientId= and =internalClientSecret=, along with setting the attribute =passwordGrantRequiresAppPassword= to =true=. Here is an example:

<verbatim>
<openidConnectProvider id="jazzop" oauthProviderRef="JazzOP" sessionManaged="true"/>
<oauthProvider id="JazzOP" httpsRequired="true" autoAuthorize="true" customLoginURL="/jazzop/form/login"
    accessTokenLifetime="7201" authorizationGrantLifetime="604801"
    passwordGrantRequiresAppPassword="true"
    internalClientId="AppPasswordClientId" internalClientSecret="AppPasswordClientPassword"
    trackOAuthClients="true">
    <databaseStore dataSourceRef="OAUTH2DBDS" />
</oauthProvider>
</verbatim>

   * Optional: Add the =appPasswordLifetime= attribute to the =oauthProvider= element to change how long an Application password remains active. The default value is 90 days (90d). See the [[https://www.ibm.com/docs/en/was-liberty/core?topic=configuration-oauthprovider][oauthProvider]] definition in the Liberty documentation.
   * Update the OIDC or SAML *filters* so that the personal token management UI requires delegated authentication:

<verbatim>
<requestUrl id="samlRequestUrl" urlPattern="/authorize|/personalTokenManagement/usersTokenManagement" matchType="contains" />
<userAgent id="samlUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
</verbatim>

   * Define administrators for the token management UI under the =tokenManager= element, as shown below:

<verbatim>
<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
    <clientManager>
        <group name="JazzAdmins" />
    </clientManager>
    <tokenManager>
        <group name="JazzAdmins" />
    </tokenManager>
</oauth-roles>
</verbatim>

---++ Enable Application password and Password grant type for ELM Applications registered in JAS

First verify the attributes of the already registered ELM applications by accessing the URL

<verbatim>
https://jas.example.com/oidc/endpoint/jazzop/registration
</verbatim>

Following are the attributes to look out for:

<verbatim>
"appPasswordAllowed" : false,
"grant_types" : [ "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ],
</verbatim>

The value of =appPasswordAllowed= should be =true= and ="password"= should be present in =grant_types=. Here are the steps to update the attribute values:

   * Export the application registrations from JAS

<verbatim>
./lsclient -a https://jas.example.com/oidc/endpoint/jazzop -u username:password > jas_export.json
</verbatim>

   * Edit the =jas_export.json= file and for each application:
      * Update =appPasswordAllowed= to =true=
      * Add =password= to the list of grant types
   * Here is an extract of the updated values

<verbatim>
{
  ....
  "appPasswordAllowed" : true,
  "grant_types" : [ "password", "authorization_code", "client_credentials", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token" ],
  ....
}
</verbatim>

   * Import the updated JSON file to apply the desired values

<verbatim>
./ldclient -a https://jas.example.com/oidc/endpoint/jazzop -u username:password -c jas_export.json
</verbatim>

---++ Generate Application Passwords as a User

Once JAS is configured for Application passwords, users can generate app passwords for their userId via the following URL. This follows the SAML/OIDC authentication flow:

=https://jas.example.com/oidc/endpoint/jazzop/personalTokenManagement=

   * Click on Add New

<img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass1.png" alt="app-pass1.png" width="600" height="250" />

   * Select app-password, click Generate and copy the generated password

<img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass2.png" alt="app-pass2.png" width="850" height="300" />

   * By default the password is valid for 90 days. You can configure the validity by adding the =appPasswordLifetime= attribute.

<img src="https://jazz.net/wiki/pub/Deployment/EnableJASAppPasswords/app_pass3.png" alt="app-pass3.png" width="600" height="220" />

=Note=: An Application password is locked to the first application it is used against. For example, an Application password generated and used with Workflow Management clients cannot be reused with Test Management clients.

---++ Use Application Password with a non-web client

Use the Application password generated in the previous step with any native client. Here is an example for the SCM tools:

<verbatim>
# ./scm login -r https://ewm.example.com/ccm -u clmadmin -P L8ePXlZsUN848mXCO25t757E524U7z5pLC1H4vbbZe
</verbatim>

---+++++!! Related topics:
[[https://openliberty.io/blog/2019/09/13/microprofile-reactive-messaging-19009.html#oidc][Liberty application password feature]], [[ApplicationPasswordsForNativeClients][Development Wiki - App Password]]
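As an added example (not part of this wiki page, nor code from the JAS or Liberty products), here is a small Python audit script covering the two configuration steps above: it checks and patches the exported client registrations so that every application has =appPasswordAllowed= set to true and ="password"= in its =grant_types=, and it checks that appConfig.xml carries the =oauthProvider= attributes, the =requestUrl=/=userAgent= filters and the =tokenManager= role this article asks for. It assumes that =lsclient= writes a JSON array of registration objects (the article shows only one object's extract) and that the appConfig.xml snippets sit under a Liberty =<server>= root element; the sample export and appConfig extract below are constructed from the article's own snippets.

```python
"""Audit for the two JAS edits described on this page (added example, not product code):
(1) every ELM client registration has appPasswordAllowed=true and "password" in grant_types,
(2) appConfig.xml has the oauthProvider, filter and role settings the page lists."""
from __future__ import annotations
import json
import xml.etree.ElementTree as ET

# Constructed sample of an lsclient export. Assumption: the export is a JSON array
# of registration objects; the page only shows an extract of one object.
SAMPLE_EXPORT = """[
  {"client_id": "jts", "appPasswordAllowed": false,
   "grant_types": ["authorization_code", "client_credentials", "implicit",
                   "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"]},
  {"client_id": "ccm", "appPasswordAllowed": true,
   "grant_types": ["password", "authorization_code", "refresh_token"]}
]"""

# Constructed appConfig.xml extract assembled from the page's snippets. Assumption:
# the snippets sit under a <server> root with oauth-roles as a sibling of oauthProvider.
SAMPLE_APPCONFIG = """<server>
  <openidConnectProvider id="jazzop" oauthProviderRef="JazzOP" sessionManaged="true"/>
  <oauthProvider id="JazzOP" httpsRequired="true" autoAuthorize="true"
      customLoginURL="/jazzop/form/login" accessTokenLifetime="7201"
      authorizationGrantLifetime="604801" passwordGrantRequiresAppPassword="true"
      internalClientId="AppPasswordClientId" internalClientSecret="AppPasswordClientPassword"
      trackOAuthClients="true">
    <databaseStore dataSourceRef="OAUTH2DBDS" />
  </oauthProvider>
  <requestUrl id="samlRequestUrl"
      urlPattern="/authorize|/personalTokenManagement/usersTokenManagement" matchType="contains" />
  <userAgent id="samlUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
  <oauth-roles>
    <authenticated><special-subject type="ALL_AUTHENTICATED_USERS" /></authenticated>
    <clientManager><group name="JazzAdmins" /></clientManager>
    <tokenManager><group name="JazzAdmins" /></tokenManager>
  </oauth-roles>
</server>"""


def audit_registrations(export_text: str) -> dict[str, list[str]]:
    """Map each client_id to the problems found (an empty list means ready for app passwords)."""
    data = json.loads(export_text)
    clients = data if isinstance(data, list) else [data]
    report = {}
    for client in clients:
        problems = []
        if client.get("appPasswordAllowed") is not True:
            problems.append("appPasswordAllowed is not true")
        if "password" not in client.get("grant_types", []):
            problems.append('"password" missing from grant_types')
        report[client.get("client_id", "<no client_id>")] = problems
    return report


def enable_app_passwords(export_text: str) -> tuple[str, list[str]]:
    """Apply the page's two edits to every non-compliant registration.
    Returns the updated JSON text (ready to feed to ldclient) and the ids that changed."""
    data = json.loads(export_text)
    clients = data if isinstance(data, list) else [data]
    changed = []
    for client in clients:
        if client.get("appPasswordAllowed") is True and "password" in client.get("grant_types", []):
            continue
        client["appPasswordAllowed"] = True
        grants = client.setdefault("grant_types", [])
        if "password" not in grants:
            grants.insert(0, "password")  # the page lists "password" first
        changed.append(client.get("client_id", "<no client_id>"))
    return json.dumps(data, indent=2), changed


def audit_appconfig(xml_text: str, registered_client_id: str) -> list[str]:
    """Check the oauthProvider attributes, UI filters and tokenManager role the page asks for."""
    root = ET.fromstring(xml_text)
    findings = []
    provider = root.find("oauthProvider")  # assumption: a single provider element
    if provider is None:
        return ["no oauthProvider element"]
    if provider.get("passwordGrantRequiresAppPassword") != "true":
        findings.append('passwordGrantRequiresAppPassword is not "true"')
    if provider.get("internalClientId") != registered_client_id:
        findings.append(f"internalClientId is not the registered client {registered_client_id!r}")
    if not provider.get("internalClientSecret"):
        findings.append("internalClientSecret is missing")
    if not any("personalTokenManagement" in e.get("urlPattern", "") for e in root.iter("requestUrl")):
        findings.append("no requestUrl filter covers /personalTokenManagement")
    if not any("app-password-enabled" in e.get("agent", "") for e in root.iter("userAgent")):
        findings.append("no userAgent filter lists app-password-enabled")
    if root.find("oauth-roles/tokenManager/*") is None:
        findings.append("oauth-roles/tokenManager has no members")
    return findings


def app_password_lifetime(xml_text: str) -> str:
    """Effective appPasswordLifetime; the page gives the default as 90d when the attribute is absent."""
    provider = ET.fromstring(xml_text).find("oauthProvider")
    return provider.get("appPasswordLifetime", "90d") if provider is not None else "90d"


if __name__ == "__main__":
    print("registrations:", audit_registrations(SAMPLE_EXPORT))
    updated_json, changed_ids = enable_app_passwords(SAMPLE_EXPORT)
    print("patched clients:", changed_ids)
    print("appConfig findings:", audit_appconfig(SAMPLE_APPCONFIG, "AppPasswordClientId"))
    print("app password lifetime:", app_password_lifetime(SAMPLE_APPCONFIG))
```

To use it against a real deployment, pass the contents of the =jas_export.json= produced by =lsclient= to =audit_registrations= or =enable_app_passwords= (writing the returned JSON back to the file before running =ldclient=), and the contents of appConfig.xml together with the =client_id= from app.json to =audit_appconfig=; the second check is what catches a mismatch between the client registered in JAS and the =internalClientId= in the provider element.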