Revision 2 - 2023-03-30 - 16:46:15 - ShubjitNaik
<div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%"> ---+!! Configure ELM Authentication With Third Party OIDC Provider and A Local OIDC Provider <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/uc.png" alt="uc.png" width="50" height="50" align="right"> %DKGRAY% Authors: Main.ShubjitNaik <br> Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.0.2 SR1 or Higher %ENDCOLOR%</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;"> %TOC{title="Page contents"}% </div></sticky>
<sticky><div style="margin:15px;"></sticky>

One of the key authentication and single sign-on requirements is redirecting to a third-party or corporate IdP using the OIDC auth flow, to take advantage of multi-factor authentication. At the same time there are service accounts that administrators use to log in to IBM Engineering Lifecycle Management (ELM) applications or Jazz Authorization Server (JAS) for maintenance purposes, and these accounts are not permitted to log in via the corporate identity. In this scenario the administrators need to authenticate to ELM or JAS with an LDAP user account.

Can we configure multiple authentication methods with the IBM Engineering Lifecycle Management solution?

You can set up ELM to authenticate via [[JazzAuthorizationServer][Jazz Authorization Server]] (JAS), which is an OIDC Provider based on !WebSphere Application Server Liberty. Using the [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-configuring-social-login-in][SocialLogin]] feature, a Liberty server can be configured to further delegate user authentication to a third-party OIDC Provider. If multiple OIDC Providers are configured to protect a request, Liberty provides a default selection form that lets the user choose between the OIDC Providers configured in the Liberty server. See the Liberty [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-social-media-selection-form][Social Media Selection Form]] documentation for additional information.

The focus of this article is configuring multiple OIDC Providers in JAS using the Social Login feature and the default Liberty Social Media selection form, where the second OIDC Provider authenticates users against the configured LDAP server. The instructions are similar to [[JASMultipleIDPs][Configuring ELM with Multiple Third Party OIDC Providers]].

---++ Configuration Options

There are two use cases for configuring JAS with multiple OIDC Providers:
   * =Use Case 1=: Use the Liberty Social Login !AuthFilter configuration to filter out requests for service accounts. Documentation is available at [[https://www.ibm.com/docs/en/was-liberty/core?topic=configuration-authfilter][IBM Docs]].
   * =Use Case 2=: When you are unable to filter out requests based on !AuthFilters, configure an additional Liberty server that serves as a Local OIDC Provider.
   * The rest of the article targets =Use Case 2=.

---++ Deployment Overview

The high-level steps to configure ELM with a Third Party OIDC Provider and a Local OIDC Provider are:
   * Configure JAS to redirect to a Third Party OIDC Provider; instructions are available at [[JASandOIDCProvider][Configure ELM Authentication with a Third Party OIDC provider]]
   * Create a new Liberty server
   * Configure Liberty as an OIDC Provider
   * Configure Liberty to use the LDAP directory server that contains the service accounts
   * Follow [[JASMultipleIDPs][Configuring ELM with Multiple Third Party OIDC Providers]] to include the Local OIDC Provider
   * Reconfigure the IHS plugin configuration for JAS to include the Local OIDC Provider

---++ Create a new Liberty Server as Local OIDC Provider

Create a new Liberty server using the JAS installation on port =9644= and configure it as the Local OIDC Provider.

---+++ Create new Server

The following example uses JAS to create another server and copies over the LDAP and SSL keystore files.
   * Create a new Liberty server on Jazz Authorization Server
      * =cd [JAS_HOME]/wlp/bin=
      * =./server create localop=
   * If JAS is configured with a copy of your corporate directory server where the service accounts exist, copy the LDAP configuration from =jazzop= to =localop=
      * =cd [JAS_HOME]/wlp/usr/servers/localop=
      * =mkdir defaults=
      * =cp ../jazzop/ldapUserRegistry.xml defaults/=
   * If the service accounts are on a different LDAP server, skip the above step and configure [[JASUserRegistryConfig][JAS with the desired LDAP Server]]
   * Copy the SSL keystore from =jazzop= to =localop= (as they run on the same host, you don't need to create new certificates)
      * =cd [JAS_HOME]/wlp/usr/servers/localop=
      * =cp ../jazzop/ibm-team.keystore .=
   * Update the JVM configuration: create a file =jvm.options= and set the heap to the desired value (2 - 4 GB)
      * =cd [JAS_HOME]/wlp/usr/servers/localop=
      * =vi jvm.options=
      * <verbatim>-Xmx2G -Xms2G -Xmn500m</verbatim>

---+++ Update features, Port and SSL configurations

Change directory to =[JAS_HOME]/wlp/usr/servers/localop= and edit =server.xml= (delete the old content). Enable the features, the LDAP and SSL configurations, and set the port to =9644=:

<verbatim>
<?xml version="1.0" encoding="UTF-8"?>
<server description="LOCAL_OP">
    <featureManager>
        <feature>openidConnectServer-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <httpEndpoint host="*" httpPort="9281" httpsPort="9644" id="defaultHttpEndpoint"/>

    <keyStore id="defaultKeyStore" location="ibm-team.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultKeyStore" serverKeyAlias="sslkey" clientAuthenticationSupported="false"/>

    <include location="ldapUserRegistry.xml" optional="true"/>

    <!-- To grant all authenticated users access to the OIDC protected resource, grant them the oauth-role authenticated -->
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </authenticated>
        <clientManager>
            <group name="JazzAdmins" />
        </clientManager>
    </oauth-roles>
</server>
</verbatim>

---+++ Create openidConnectProvider configurations

Add the following to the =server.xml= file (inside the =server= element): an =openidConnectProvider= config for the Local OP, and the client configuration that redirects back to JAS. The following is an example:

<verbatim>
<openidConnectProvider id="localop" oauthProviderRef="localoauth" sessionManaged="true" signatureAlgorithm="RS256" />

<oauthProvider id="localoauth" >
    <localStore>
        <client name="localop_ID" secret="localop_Password"
                displayname="Local OpenID Provider"
                scope="openid profile email general"
                preAuthorizedScope="openid profile email general"
                redirect="https://<Jazz_Auth_server>/ibm/api/social-login/redirect/localrp" />
    </localStore>
</oauthProvider>
</verbatim>

   * The client =name=, =secret= and the ID at the end of the =redirect= URL will be used in the Social Login config on JAS

---++ Enable Redirection in JAS to multiple OIDC Providers

Now that a Liberty server is configured as an additional Local OIDC Provider connected to an LDAP directory server, we redirect JAS to the Local OP by configuring multiple Social Login configurations: create another =oidcLogin= config for the Local OP configured in the new Liberty server.

Change directory to =[JAS_HOME]/wlp/usr/servers/jazzop=, edit =appConfig.xml= and add another =oidcLogin= as in the following configuration.

<verbatim>
<!-- Existing Social Login Configuration to redirect to Third Party OIDC Provider (Google Example)-->
<oidcLogin id="jasrp" displayName="Google OIDC Provider"
    clientId="<My_ClientID>" clientSecret="<My_ClientSecret>"
    authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
    tokenEndpoint="https://www.googleapis.com/oauth2/v4/token"
    jwksUri="https://www.googleapis.com/oauth2/v3/certs"
    issuer="https://accounts.google.com"
    scope="openid profile email general"
    userNameAttribute="sub" trustStoreRef="defaultKeyStore"
    authFilterRef="OPAuthFilter" mapToUserRegistry="true" >
</oidcLogin>
<authFilter id="OPAuthFilter">
    <requestUrl id="OPRequestUrl" urlPattern="/authorize|/personalTokenManagement" matchType="contains" />
    <userAgent id="OPUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
</authFilter>

<!-- Add New Social Login Configuration to redirect to Liberty server configured as Local OP -->
<oidcLogin id="localrp" displayName="Local OIDC Provider"
    clientId="localop_ID" clientSecret="localop_Password"
    discoveryEndpoint="https://IHS_URL/oidc/endpoint/localop/.well-known/openid-configuration"
    scope="openid profile email general"
    userNameAttribute="sub" trustStoreRef="defaultKeyStore"
    authFilterRef="LocalOPAuthFilter" mapToUserRegistry="true" >
</oidcLogin>
<authFilter id="LocalOPAuthFilter">
    <requestUrl id="LocalOPRequestUrl" urlPattern="/authorize|/personalTokenManagement" matchType="contains" />
    <userAgent id="LocalOPUserAgent" agent="Mozilla|Opera" matchType="contains"/>
</authFilter>
</verbatim>

For the Local OIDC Provider configuration:
   * =id= is used in the OP =redirect= URL configured in the Liberty server, for example =/localrp=
   * =clientId= and =clientSecret= are taken from the =name= and =secret= parameters of the =oauthProvider= client on the Liberty server
   * =displayName= is the name shown on the Liberty Social Media Selection form
   * If you have enabled [[EnableJASAppPasswords][Application Passwords for Non-Web clients]], do not include =app-password-enabled= in the =userAgent= filter for the second =oidcLogin= configuration

---++ Reconfigure IHS Plugin configuration for JAS and Include the Local OIDC Provider

Here is an example of a merged plugin configuration for =jazzop= and =localop= for IBM HTTP Server. The =/oidc/endpoint/localop/*= URI must be routed to the =localop= cluster, because the =discoveryEndpoint= of the =localrp= Social Login configuration goes through IHS.

<verbatim>
<!-- Jazz Authorization Server - jazzop -->
<VirtualHostGroup Name="default_host_jazzop">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
</VirtualHostGroup>
<ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="jazzop_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60" ServerIOTimeoutRetry="-1">
    <Server CloneID="609d6ec4-46b5-4652-a377-76e8a1d0743c" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_jazzop" ServerIOTimeout="900" WaitForContinue="false">
        <Transport Hostname="[JAS_IP]" Port="9280" Protocol="http"/>
        <Transport Hostname="[JAS_IP]" Port="9643" Protocol="https">
            <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
            <Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
        </Transport>
    </Server>
    <PrimaryServers>
        <Server Name="default_node_jazzop"/>
    </PrimaryServers>
</ServerCluster>
<UriGroup Name="default_host_jazzop_default_node_Cluster_URIs">
    <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/jazzop/*"/>
    <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/oidc/endpoint/jazzop/*"/>
    <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/ibm/api/social-login/*"/>
</UriGroup>
<Route ServerCluster="jazzop_default_node_Cluster" UriGroup="default_host_jazzop_default_node_Cluster_URIs" VirtualHostGroup="default_host_jazzop"/>

<!-- Jazz Authorization Server - New Liberty Server localop -->
<VirtualHostGroup Name="default_host_localop">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
</VirtualHostGroup>
<ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="localop_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60" ServerIOTimeoutRetry="-1">
    <Server CloneID="26d51d70-2025-4aed-8822-cdff0f1d93bd" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_localop" ServerIOTimeout="900" WaitForContinue="false">
        <Transport Hostname="[JAS_IP]" Port="9281" Protocol="http"/>
        <Transport Hostname="[JAS_IP]" Port="9644" Protocol="https">
            <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
            <Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
        </Transport>
    </Server>
    <PrimaryServers>
        <Server Name="default_node_localop"/>
    </PrimaryServers>
</ServerCluster>
<UriGroup Name="default_host_localop_default_node_Cluster_URIs">
    <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/localop/*"/>
    <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/oidc/endpoint/localop/*"/>
</UriGroup>
<Route ServerCluster="localop_default_node_Cluster" UriGroup="default_host_localop_default_node_Cluster_URIs" VirtualHostGroup="default_host_localop"/>
</verbatim>

---++ Testing the configuration

When multiple OIDC Providers are configured to protect a request, Liberty provides a default selection form that lets the user choose between the OIDC Providers configured in the Liberty server. See the Liberty [[https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-social-media-selection-form][Social Media Selection Form]] documentation for additional information.

Here is the selection form for the sample provided in the previous step.
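Before exercising the selection form, it helps to confirm that the Local OP client in =localop/server.xml= and the =localrp= Social Login entry in =jazzop/appConfig.xml= agree on the rules listed above (client name/secret, redirect ID, and the App Passwords user-agent filter). The following Python script is an added example, not part of this article or of IBM's tooling; the two XML fragments are constructed to mirror the article's sample, with the =app-password-enabled= mistake deliberately left in the second filter so that the check reports it, and the host name in the redirect URL is a placeholder.

```python
"""Cross-check the Local OP client against the matching oidcLogin (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed fragment in the shape of localop/server.xml (host is a placeholder).
LOCALOP_SERVER_XML = """<server>
  <oauthProvider id="localoauth"><localStore>
    <client name="localop_ID" secret="localop_Password"
      redirect="https://jas.example.com/ibm/api/social-login/redirect/localrp"/>
  </localStore></oauthProvider></server>"""

# Constructed fragment in the shape of jazzop/appConfig.xml; the userAgent filter
# deliberately contains app-password-enabled, which must only be on the first oidcLogin.
JAZZOP_APPCONFIG_XML = """<server>
  <oidcLogin id="localrp" clientId="localop_ID" clientSecret="localop_Password"
    authFilterRef="LocalOPAuthFilter"/>
  <authFilter id="LocalOPAuthFilter">
    <userAgent id="ua" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
  </authFilter></server>"""


def check_local_op(server_xml: str, appconfig_xml: str, login_id: str) -> List[str]:
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    client = ET.fromstring(server_xml).find(".//localStore/client")
    app = ET.fromstring(appconfig_xml)
    login = app.find(f".//oidcLogin[@id='{login_id}']")
    if client is None or login is None:
        return ["client or oidcLogin definition missing"]
    # clientId/clientSecret on JAS must equal name/secret of the Local OP client.
    if login.get("clientId") != client.get("name"):
        findings.append("clientId does not match client name")
    if login.get("clientSecret") != client.get("secret"):
        findings.append("clientSecret does not match client secret")
    # The redirect registered on the Local OP must end in the oidcLogin id.
    expected_path = f"/ibm/api/social-login/redirect/{login_id}"
    if not client.get("redirect", "").endswith(expected_path):
        findings.append(f"redirect URL must end with {expected_path}")
    # With App Passwords enabled, only the first oidcLogin may match that user agent.
    flt = app.find(f".//authFilter[@id='{login.get('authFilterRef')}']")
    for ua in (flt.findall("userAgent") if flt is not None else []):
        if "app-password-enabled" in ua.get("agent", ""):
            findings.append("remove app-password-enabled from the userAgent filter")
    return findings


if __name__ == "__main__":
    for finding in check_local_op(LOCALOP_SERVER_XML, JAZZOP_APPCONFIG_XML, "localrp"):
        print("FINDING:", finding)
```

Point the two constants at the real files and run it after every edit to either file; a clean run prints nothing.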
The user can click on the OIDC Provider of interest.
<br><br>
<img src="%ATTACHURLPATH%/selection.png" alt="selection.png" width="600" height="170" />
<br><br>

---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server Landing Page]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]

<sticky></div></sticky>
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.