r10 - 2023-11-15 - 09:17:33 - ShubjitNaik
---+!! Configuring ELM Authentication with Multiple Third Party OIDC Providers

Authors: Main.ShubjitNaik <br>
Build basis: Engineering Lifecycle Management 7.0.2 or higher

<!-- This is not an officially tested or supported configuration for ELM -->

There are requirements where ELM has to be deployed in an environment for users from different companies to collaborate. In this scenario the end users need to authenticate against different IDPs, typically the IDPs owned by their respective companies. Can we configure multiple Identity Providers with IBM Engineering Lifecycle Management Solution?

A general example of this pattern is to configure a Liberty server so that users can authenticate to websites hosted on the Liberty server by logging in with their social media account. You can choose from the predefined social media platform configurations, or define your own configuration for any social media platform that is based on the OAuth 2.0 or !OpenID Connect standards. You can set up ELM to authenticate via [[JazzAuthorizationServer][Jazz Authorization Server]] (JAS), which is based on !WebSphere Application Server Liberty. Using the [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-configuring-social-login-in][SocialLogin]] feature, a Liberty server can be configured to further delegate user authentication to a Third Party OIDC Provider. *If multiple OIDC Providers are configured to protect a request, Liberty provides a default selection form that offers you the option to choose between the available OIDC providers configured in the Liberty server*. Visit Liberty [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-social-media-selection-form][Social Media Selection Form]] for additional information.

The focus of this article is on configuring multiple Third Party OIDC Providers in JAS using the Social Login feature and the Liberty default Social Media selection form.

---++ Configure JAS and User Group Role Mapping

The first step is to configure ELM and JAS. You need to configure JAS either with multiple LDAPs, one for each Third Party OIDC Provider, or with a consolidated LDAP server that holds a copy of all the users from the multiple OIDC Providers.

   * To configure multiple LDAPs in JAS you need to enable SCIM. Visit [[JASSCIMFederatedRepositories][Configure Multiple User Registries with JAS and SCIM]]
   * To configure a single LDAP with JAS, visit [[JASUserRegistryConfig][Configure JAS with an LDAP User Registry]]

User Group to Jazz Role mappings (!JazzAdmins, !JazzUsers etc.) are picked from the JTS configuration when configured with JAS. When users access an ELM application URL, they are redirected to JAS for authentication. After successful authentication JTS performs one of the following:

   * When configured with SCIM, JTS does the group lookup via the SCIM URL and groups provided under JTS Admin > Advanced Properties > =com.ibm.team.repository.service.jts.internal.userregistry.scim.SCIMUserRegistryProvider= for User Group to Jazz Role mappings
   * When configured with LDAP, JTS does a group lookup via an ldapsearch query against the LDAP and group details mentioned under JTS Admin > Advanced Properties > =com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistryProvider= for User Group to Jazz Role mappings

Note: Special Subjects like ALL_AUTHENTICATED_USERS or NESTED_GROUPS do not work with JAS based deployments.

---++ Configure Social Login in JAS to Redirect to Third Party OIDC Provider

The instructions for configuring JAS with a Third Party OIDC Provider are documented in the article [[JASandOIDCProvider][Configure ELM Authentication with a Third Party OIDC provider]]. The high level steps are:

   * Create a !ClientId and Client Secret for JAS on the Third Party OIDC Provider
   * Add the redirect URL of the format =https://[JAS_HOST]:[Port]/ibm/api/social-login/redirect/[ID]=
   * Enable the feature =socialLogin-1.0= in the JAS =server.xml=
   * Add an =oidcLogin= element to configure the connection to the OIDC Provider in =appConfig.xml=
   * Configure filters for non-web clients
   * Configure LDAP in JAS and JTS for User Group to Jazz Role mapping

Here is a sample configuration for the Google OIDC Provider in =[JAS_HOME]\wlp\usr\servers\jazzop\appConfig.xml=. Note that the =authFilterRef= on the =oidcLogin= element must match the =id= of the =authFilter= element exactly, otherwise the provider never matches a request:

<verbatim>
<featureManager>
   <feature>socialLogin-1.0</feature>
   <feature>appSecurity-2.0</feature>
   <feature>ssl-1.0</feature>
</featureManager>

<oidcLogin id="myoidcserver" displayName="Google OIDC Login"
   clientId="[my_client_Id]"
   clientSecret="[my_client_password]"
   authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
   tokenEndpoint="https://www.googleapis.com/oauth2/v4/token"
   jwksUri="https://www.googleapis.com/oauth2/v3/certs"
   issuer="https://accounts.google.com"
   scope="openid general profile email"
   userNameAttribute="email"
   authFilterRef="myoidcAuthFilter">
</oidcLogin>

<authFilter id="myoidcAuthFilter">
   <userAgent id="myoidcUserAgent" agent="Mozilla|Opera" matchType="contains"/>
   <requestUrl id="myoidcRequestUrl" urlPattern="/authorize" matchType="contains" />
</authFilter>
</verbatim>

   * The =clientId= and =clientSecret= are generated by your OIDC provider
   * The redirect URL points to the =id= of your configured =oidcLogin= element; for the sample above the redirect URL is
<verbatim>
https://JAS_Host:Port/ibm/api/social-login/redirect/myoidcserver
</verbatim>

---++ Configure Multiple OIDC Providers in JAS

The instructions are similar to the previous step. For each additional provider you add another =oidcLogin= element with a unique =id=, =displayName= and =authFilter=. Here is a sample configuration for multiple OIDC Providers:

<verbatim>
<featureManager>
   <feature>socialLogin-1.0</feature>
   <feature>appSecurity-2.0</feature>
   <feature>ssl-1.0</feature>
</featureManager>

<oidcLogin id="jas2exampleA" displayName="Example A OIDC Login"
   clientId="exampleAclientid"
   clientSecret="exampleAclientpassword"
   authorizationEndpoint="https://accounts.example_a.com/o/oauth2/v2/auth"
   tokenEndpoint="https://www.apis.example_a.com/oauth2/v4/token"
   jwksUri="https://www.apis.example_a.com/oauth2/v3/certs"
   issuer="https://accounts.example_a.com"
   scope="openid general profile email"
   userNameAttribute="email"
   authFilterRef="ExampleAAuthFilter" >
</oidcLogin>

<authFilter id="ExampleAAuthFilter">
   <userAgent id="ExampleAUserAgent" agent="Mozilla|Opera" matchType="contains"/>
   <requestUrl id="ExampleARequestUrl" urlPattern="/authorize" matchType="contains" />
</authFilter>

<oidcLogin id="jas2exampleB" displayName="Example B OIDC Login"
   clientId="exampleBclientid"
   clientSecret="exampleBclientpassword"
   authorizationEndpoint="https://example_b.com/oidc/endpoint/sample/authorize"
   tokenEndpoint="https://example_b.com/oidc/endpoint/sample/token"
   jwksUri="https://example_b.com/oidc/endpoint/sample/jwk"
   issuer="https://example_b.com/oidc/endpoint/sample"
   scope="openid profile email"
   userNameAttribute="email"
   authFilterRef="ExampleBAuthFilter" >
</oidcLogin>

<authFilter id="ExampleBAuthFilter">
   <userAgent id="ExampleBUserAgent" agent="Mozilla|Opera" matchType="contains"/>
   <requestUrl id="ExampleBRequestUrl" urlPattern="/authorize" matchType="contains" />
</authFilter>

<oidcLogin id="jas2exampleC" displayName="Example C OIDC Login"
   clientId="exampleCclientid"
   clientSecret="exampleCclientpassword"
   authorizationEndpoint="https://example_c.com/oidc/endpoint/example/authorize"
   tokenEndpoint="https://example_c.com/oidc/endpoint/example/token"
   jwksUri="https://example_c.com/oidc/endpoint/example/jwk"
   issuer="https://example_c.com/oidc/endpoint/example"
   scope="openid profile email"
   userNameAttribute="sub"
   authFilterRef="ExampleCAuthFilter" >
</oidcLogin>

<authFilter id="ExampleCAuthFilter">
   <userAgent id="ExampleCUserAgent" agent="Mozilla|Opera" matchType="contains"/>
   <requestUrl id="ExampleCRequestUrl" urlPattern="/authorize" matchType="contains" />
</authFilter>
</verbatim>

   * The =clientId= and =clientSecret= are generated by each OIDC provider
   * The redirect URL points to the =id= of each configured =oidcLogin= element; for the sample above the redirect URLs from JAS are
<verbatim>
1. https://JAS_Host:Port/ibm/api/social-login/redirect/jas2exampleA
2. https://JAS_Host:Port/ibm/api/social-login/redirect/jas2exampleB
3. https://JAS_Host:Port/ibm/api/social-login/redirect/jas2exampleC
</verbatim>

---++ Liberty Default OIDC Providers Selection Form

When multiple OIDC Providers are configured to protect a request, Liberty provides a default selection form that offers you the option to choose between the available OIDC providers configured in the Liberty server. Visit Liberty [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-social-media-selection-form][Social Media Selection Form]] for additional information.

Here is the selection form for the sample provided in the previous step. The user clicks on the Identity Provider for their company.

<img src="%ATTACHURLPATH%/selection_form_v1.png" alt="selection_form_v1.png" width="800" height="220" />

---++ Configure Local Authentication as one of the Providers

You can configure the [[https://www.ibm.com/docs/en/was-liberty/core?topic=SSD28V_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_config_socialLoginWebapp.htm][Social Login Web Application]] to include Local Authentication in the selection form. Add the following configuration along with all the =oidcLogin= configurations:

<verbatim>
<socialLoginWebapp enableLocalAuthentication="true" />
</verbatim>

Here is the updated selection form when Local Authentication is included:

<img src="%ATTACHURLPATH%/OIDC_Local_Auth.png" alt="OIDC_Local_Auth.png" width="800" height="430" />

---+++++!! Related topics: [[JASandOIDCProvider][Configure ELM Authentication with a Third Party OIDC provider]], [[JazzAuthorizationServer][Jazz Authorization Server]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
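The sections above leave the administrator with several =oidcLogin= elements, each with its own =id=, =authFilterRef=, endpoints and client credentials, and a redirect URL per =id= that has to be registered at the matching IDP. The following Python script is an added example, not part of this article and not IBM code: it reads an =appConfig.xml= offline and reports the mismatches that typically break a multi-provider setup (an =authFilterRef= that resolves to no =authFilter=, a provider endpoint left on plain http, a =clientSecret= still holding a =[placeholder]=, a duplicate =id=, a scope without =openid=, or =socialLogin-1.0= not enabled), and derives the redirect URLs to register. The JAS host =jas.example.com= and port =9643= are hypothetical, the fragment is assumed to sit under a =<server>= root as Liberty expects for an included file, and the embedded sample is constructed with Example B deliberately broken in three places.

```python
"""Offline consistency checks for a Liberty socialLogin appConfig.xml with several
oidcLogin providers. Added example; host, port and sample config are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's Example A / Example B providers,
# wrapped in a <server> root (assumption). Example B carries three deliberate faults:
# a dangling authFilterRef, an http authorizationEndpoint and a placeholder secret.
SAMPLE_APPCONFIG = """<server>
  <featureManager>
    <feature>socialLogin-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <oidcLogin id="jas2exampleA" displayName="Example A OIDC Login"
      clientId="exampleAclientid" clientSecret="exampleAclientpassword"
      authorizationEndpoint="https://accounts.example_a.com/o/oauth2/v2/auth"
      tokenEndpoint="https://www.apis.example_a.com/oauth2/v4/token"
      jwksUri="https://www.apis.example_a.com/oauth2/v3/certs"
      issuer="https://accounts.example_a.com"
      scope="openid profile email" userNameAttribute="email"
      authFilterRef="ExampleAAuthFilter"/>
  <authFilter id="ExampleAAuthFilter">
    <userAgent id="ExampleAUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    <requestUrl id="ExampleARequestUrl" urlPattern="/authorize" matchType="contains"/>
  </authFilter>
  <oidcLogin id="jas2exampleB" displayName="Example B OIDC Login"
      clientId="exampleBclientid" clientSecret="[my_client_password]"
      authorizationEndpoint="http://example_b.com/oidc/endpoint/sample/authorize"
      tokenEndpoint="https://example_b.com/oidc/endpoint/sample/token"
      jwksUri="https://example_b.com/oidc/endpoint/sample/jwk"
      issuer="https://example_b.com/oidc/endpoint/sample"
      scope="openid profile email" userNameAttribute="email"
      authFilterRef="ExampleBAuthFilter1"/>
  <authFilter id="ExampleBAuthFilter">
    <userAgent id="ExampleBUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    <requestUrl id="ExampleBRequestUrl" urlPattern="/authorize" matchType="contains"/>
  </authFilter>
  <socialLoginWebapp enableLocalAuthentication="true"/>
</server>
"""

URL_ATTRS = ("authorizationEndpoint", "tokenEndpoint", "jwksUri", "issuer")
PLACEHOLDER = re.compile(r"^\[.*\]$")  # values left as "[my_client_password]"


def redirect_uri(jas_host, jas_port, login_id):
    """Redirect URL to register at the IDP for one oidcLogin id (format from the article)."""
    return f"https://{jas_host}:{jas_port}/ibm/api/social-login/redirect/{login_id}"


def check_appconfig(xml_text, jas_host, jas_port):
    """Return the redirect URIs to register, a list of findings, and the local-auth flag."""
    root = ET.fromstring(xml_text)
    findings = []

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "socialLogin-1.0" not in features:
        findings.append("featureManager: socialLogin-1.0 is not enabled")

    filter_ids = {f.get("id") for f in root.iter("authFilter")}
    seen, redirects = set(), {}
    for login in root.iter("oidcLogin"):
        lid = login.get("id") or "<missing id>"
        # The id is the last path segment of the redirect URL, so it must be unique.
        if lid in seen:
            findings.append(f"{lid}: duplicate oidcLogin id")
        seen.add(lid)
        redirects[lid] = redirect_uri(jas_host, jas_port, lid)

        # A dangling authFilterRef means this provider never matches any request.
        ref = login.get("authFilterRef")
        if ref and ref not in filter_ids:
            findings.append(f"{lid}: authFilterRef '{ref}' matches no authFilter id")

        # Every provider endpoint carries codes, tokens or signing keys: require https.
        for attr in URL_ATTRS:
            value = login.get(attr)
            if not value:
                findings.append(f"{lid}: missing {attr}")
            elif not value.startswith("https://"):
                findings.append(f"{lid}: {attr} is not https ({value})")

        for attr in ("clientId", "clientSecret"):
            value = login.get(attr, "")
            if not value or PLACEHOLDER.match(value):
                findings.append(f"{lid}: {attr} is empty or still a placeholder")

        if "openid" not in login.get("scope", "").split():
            findings.append(f"{lid}: scope does not request 'openid'")

    webapp = root.find("socialLoginWebapp")
    local_auth = webapp is not None and webapp.get("enableLocalAuthentication", "false").lower() == "true"
    return {"redirect_uris": redirects, "findings": findings, "local_auth_enabled": local_auth}


if __name__ == "__main__":
    result = check_appconfig(SAMPLE_APPCONFIG, "jas.example.com", 9643)
    for lid, uri in result["redirect_uris"].items():
        print(f"register at IDP for {lid}: {uri}")
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("local authentication offered in selection form:", result["local_auth_enabled"])
```

Run against a real =appConfig.xml= by replacing =SAMPLE_APPCONFIG= with the file contents; the script only parses XML and never contacts the providers, so it is safe to run on a production copy. The three findings it reports for the constructed Example B are exactly the kind of silent misconfiguration that surfaces only as a provider missing from the selection form or as a failed token exchange after the user has already authenticated at the IDP.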