Revision 2 - 2023-03-30 - 16:46:15 - ShubjitNaik

Configure ELM Authentication With Third Party OIDC Provider and A Local OIDC Provider

[Image: uc.png]

Authors: ShubjitNaik
Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.0.2 SR1 or Higher

A key authentication and single sign-on requirement has been redirecting users to a third-party or corporate identity provider (IdP) through the OIDC authorization flow, so that multi-factor authentication can be enforced. At the same time, administrators use service accounts to log in to IBM Engineering Lifecycle Management (ELM) applications or Jazz Authorization Server (JAS) for maintenance, and these accounts are not permitted to log in through the corporate identity provider. In this scenario the administrators need to authenticate to ELM or JAS with an LDAP user account.

Can multiple authentication methods be configured with the IBM Engineering Lifecycle Management solution?

You can set up ELM to authenticate via Jazz Authorization Server (JAS), an OIDC provider based on WebSphere Application Server Liberty. Using the Social Login feature, a Liberty server can be configured to further delegate user authentication to a third-party OIDC provider. If multiple OIDC providers are configured to protect a request, Liberty presents a default selection form that lets the user choose among the OIDC providers configured in the Liberty server. See Liberty Social Media Selection Form for details.

This article focuses on configuring multiple third-party OIDC providers in JAS using the Social Login feature and Liberty's default social media selection form, where the second OIDC provider authenticates users against the configured LDAP server.

The instructions are similar to Configuring ELM with Multiple Third Party OIDC Providers.

Configuration Options

There are two use cases for configuring JAS with multiple OIDC providers:

  • Use Case 1: Use the authFilter settings of the Liberty Social Login configuration to filter out requests from service accounts. Documentation is available at IBM Docs.

  • Use Case 2: When requests cannot be separated with authFilters, configure an additional Liberty server that serves as a local OIDC provider.
    • The rest of this article covers Use Case 2.

Deployment Overview

The following sections give the high-level instructions for configuring ELM with a third-party OIDC provider and a local OIDC provider.

Create a new Liberty Server as Local OIDC Provider

Create a new Liberty server from the JAS installation, listening on port 9644, and configure it as the local OIDC provider.

Create new Server

The following example uses the JAS installation to create another server and copies over the LDAP and SSL keystore files.

  • Create a new Liberty server on Jazz Authorization Server:
    • cd [JAS_HOME]/wlp/bin
    • ./server create localop
  • If JAS is configured with a copy of your corporate directory server where the service accounts exist, copy the LDAP configuration from jazzop to localop:
    • cd [JAS_HOME]/wlp/usr/servers/localop
    • mkdir defaults
    • cp ../jazzop/ldapUserRegistry.xml defaults/
  • If the service accounts are on a different LDAP server, skip the step above and configure JAS with the desired LDAP server.
  • Copy the SSL keystore from jazzop to localop (as both servers run on the same host, you do not need to create new certificates):
    • cd [JAS_HOME]/wlp/usr/servers/localop
    • cp ../jazzop/ibm-team.keystore .
  • Update the JVM configuration: create a file jvm.options and set the heap to the desired value (2 - 4 GB):
    • cd [JAS_HOME]/wlp/usr/servers/localop
    • vi jvm.options
    • -Xmx2G
      -Xms2G
      -Xmn500m

Update features, Port and SSL configurations

Change directory to [JAS_HOME]/wlp/usr/servers/localop and edit server.xml (replace its existing content). Enable the features, LDAP and SSL configurations, and set the HTTPS port to 9644:

<?xml version="1.0" encoding="UTF-8"?>
<server description="LOCAL_OP">

    <featureManager>
        <feature>openidConnectServer-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <httpEndpoint host="*" httpPort="9281" httpsPort="9644" id="defaultHttpEndpoint"/>

    <keyStore id="defaultKeyStore"
              location="ibm-team.keystore"
              type="JCEKS"
              password="{xor}Nj0ycis6PjI="/>

    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultKeyStore"
         serverKeyAlias="sslkey"
         clientAuthenticationSupported="false"/>

    <include location="ldapUserRegistry.xml" optional="true"/>

    <!-- Grant all authenticated users access to the OIDC protected resource by giving them the oauth-role "authenticated" -->
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </authenticated>
        <clientManager>
            <group name="JazzAdmins"/>
        </clientManager>
    </oauth-roles>
</server>

Create openidConnectProvider configurations

Append to server.xml an openidConnectProvider configuration for the local OP, with a client configuration whose redirect URL points back to JAS. The following is an example:

    <openidConnectProvider id="localop" oauthProviderRef="localoauth" sessionManaged="true" signatureAlgorithm="RS256"/>

    <oauthProvider id="localoauth">
        <localStore>
            <client name="localop_ID" secret="localop_Password" displayname="Local OpenID Provider"
                    scope="openid profile email general" preAuthorizedScope="openid profile email general"
                    redirect="https://<Jazz_Auth_server>/ibm/api/social-login/redirect/localrp"/>
        </localStore>
    </oauthProvider>

  • The client name, secret and the ID at the end of the redirect URL (localrp) are used in the Social Login configuration on JAS.

Enable Redirection in JAS to multiple OIDC Providers

Now that a Liberty server is configured as an additional local OIDC provider backed by an LDAP directory server, JAS is redirected to the local OP by adding a second Social Login configuration: another oidcLogin entry for the local OP configured in the new Liberty server.

Change directory to [JAS_HOME]/wlp/usr/servers/jazzop, edit appConfig.xml and add the second oidcLogin as in the following configuration:

    <!-- Existing Social Login configuration to redirect to a third-party OIDC provider (Google example) -->

    <oidcLogin id="jasrp" displayName="Google OIDC Provider" clientId="<My_ClientID>" clientSecret="<My_ClientSecret>"
               authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
               tokenEndpoint="https://www.googleapis.com/oauth2/v4/token"
               jwksUri="https://www.googleapis.com/oauth2/v3/certs"
               issuer="https://accounts.google.com"
               scope="openid profile email general"
               userNameAttribute="sub"
               trustStoreRef="defaultKeyStore"
               authFilterRef="OPAuthFilter"
               mapToUserRegistry="true">
    </oidcLogin>

    <authFilter id="OPAuthFilter">
        <requestUrl id="OPRequestUrl" urlPattern="/authorize|/personalTokenManagement" matchType="contains"/>
        <userAgent id="OPUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
    </authFilter>

    <!-- Add a new Social Login configuration to redirect to the Liberty server configured as the local OP -->

    <oidcLogin id="localrp" displayName="Local OIDC Provider" clientId="localop_ID" clientSecret="localop_Password"
               discoveryEndpoint="https://IHS_URL/oidc/endpoint/localop/.well-known/openid-configuration"
               scope="openid profile email general"
               userNameAttribute="sub"
               trustStoreRef="defaultKeyStore"
               authFilterRef="LocalOPAuthFilter"
               mapToUserRegistry="true">
    </oidcLogin>

    <authFilter id="LocalOPAuthFilter">
        <requestUrl id="LocalOPRequestUrl" urlPattern="/authorize|/personalTokenManagement" matchType="contains"/>
        <userAgent id="LocalOPUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    </authFilter>

For the local OIDC provider configuration:

  • id is used in the redirect URL of the client configured on the local Liberty server, for example /localrp
  • clientId and clientSecret are taken from the name and secret parameters of the oauthProvider client on the local Liberty server
  • displayName is the name shown on the Liberty social media selection form
  • If you have enabled application passwords for non-web clients, do not include app-password-enabled in the userAgent filter of the second oidcLogin configuration

Reconfigure the IHS plugin configuration for JAS and include the local OIDC provider

Here is an example of a merged plugin configuration for jazzop and localop for IBM HTTP Server:

<!-- Jazz Authorization Server - jazzop -->

   <VirtualHostGroup Name="default_host_jazzop">
      <VirtualHost Name="*:80"/>
      <VirtualHost Name="*:443"/>
   </VirtualHostGroup>

   <ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="jazzop_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60" ServerIOTimeoutRetry="-1">
      <Server CloneID="609d6ec4-46b5-4652-a377-76e8a1d0743c" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_jazzop" ServerIOTimeout="900" WaitForContinue="false">
         <Transport Hostname="[JAS_IP]" Port="9280" Protocol="http"/>
         <Transport Hostname="[JAS_IP]" Port="9643" Protocol="https">
            <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
            <Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
         </Transport>
      </Server>
      <PrimaryServers>
         <Server Name="default_node_jazzop"/>
      </PrimaryServers>
   </ServerCluster>

   <UriGroup Name="default_host_jazzop_default_node_Cluster_URIs">
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/jazzop/*"/>
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/oidc/endpoint/jazzop/*"/>
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/ibm/api/social-login/*"/>
   </UriGroup>

   <Route ServerCluster="jazzop_default_node_Cluster" UriGroup="default_host_jazzop_default_node_Cluster_URIs" VirtualHostGroup="default_host_jazzop"/>


<!-- Jazz Authorization Server - new Liberty server /localop -->

   <VirtualHostGroup Name="default_host_localop">
      <VirtualHost Name="*:80"/>
      <VirtualHost Name="*:443"/>
   </VirtualHostGroup>

   <ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="localop_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60" ServerIOTimeoutRetry="-1">
      <Server CloneID="26d51d70-2025-4aed-8822-cdff0f1d93bd" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_localop" ServerIOTimeout="900" WaitForContinue="false">
         <Transport Hostname="[JAS_IP]" Port="9281" Protocol="http"/>
         <Transport Hostname="[JAS_IP]" Port="9644" Protocol="https">
            <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
            <Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
         </Transport>
      </Server>
      <PrimaryServers>
         <Server Name="default_node_localop"/>
      </PrimaryServers>
   </ServerCluster>

   <UriGroup Name="default_host_localop_default_node_Cluster_URIs">
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/localop/*"/>
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/oidc/endpoint/localop/*"/>
   </UriGroup>

   <Route ServerCluster="localop_default_node_Cluster" UriGroup="default_host_localop_default_node_Cluster_URIs" VirtualHostGroup="default_host_localop"/>
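The pairing described in the "For the local OIDC provider configuration" list (client name and secret on the local OP versus clientId and clientSecret on the JAS oidcLogin, the oidcLogin id at the end of the OP's redirect URL, and the app-password-enabled user agent caveat) and the plugin routing above are easy to get out of step when the three files are edited by hand. The following Python script is an added example, not part of this article and not Liberty or JAS product code: it parses constructed copies of the localop server.xml, the jazzop appConfig.xml fragment (wrapped in a root element so it parses on its own) and the localop half of plugin-cfg.xml, and reports every mismatch it finds. The hostnames jas.example.com, ihs.example.com and 10.0.0.5, the Google client values and the client secret are placeholders, not values from any real deployment. To use it against a real installation, read the three files from disk in place of the embedded strings.

```python
# Added example (not article or product code): cross-check localop server.xml, jazzop appConfig.xml and plugin-cfg.xml.
import re
import xml.etree.ElementTree as ET

# Constructed sample of the localop server.xml; host, ports and secret are placeholders.
LOCALOP_SERVER_XML = """<server description="LOCAL_OP">
  <httpEndpoint host="*" httpPort="9281" httpsPort="9644" id="defaultHttpEndpoint"/>
  <openidConnectProvider id="localop" oauthProviderRef="localoauth"/>
  <oauthProvider id="localoauth"><localStore>
    <client name="localop_ID" secret="localop_Password" displayname="Local OpenID Provider"
            redirect="https://jas.example.com/ibm/api/social-login/redirect/localrp"/>
  </localStore></oauthProvider>
</server>"""

# Constructed sample of the oidcLogin fragment in jazzop appConfig.xml, wrapped in a root element.
JAZZOP_APPCONFIG_XML = """<server>
  <oidcLogin id="jasrp" clientId="google-client" clientSecret="google-secret" authFilterRef="OPAuthFilter"
             authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"/>
  <authFilter id="OPAuthFilter">
    <userAgent id="OPUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
  </authFilter>
  <oidcLogin id="localrp" clientId="localop_ID" clientSecret="localop_Password" authFilterRef="LocalOPAuthFilter"
             discoveryEndpoint="https://ihs.example.com/oidc/endpoint/localop/.well-known/openid-configuration"/>
  <authFilter id="LocalOPAuthFilter">
    <userAgent id="LocalOPUserAgent" agent="Mozilla|Opera" matchType="contains"/>
  </authFilter>
</server>"""

# Constructed sample of the localop half of the merged plugin-cfg.xml.
PLUGIN_CFG_XML = """<Config>
  <ServerCluster Name="localop_default_node_Cluster">
    <Server Name="default_node_localop">
      <Transport Hostname="10.0.0.5" Port="9281" Protocol="http"/>
      <Transport Hostname="10.0.0.5" Port="9644" Protocol="https"/>
    </Server>
  </ServerCluster>
  <UriGroup Name="default_host_localop_default_node_Cluster_URIs">
    <Uri Name="/localop/*"/><Uri Name="/oidc/endpoint/localop/*"/>
  </UriGroup>
  <Route ServerCluster="localop_default_node_Cluster" UriGroup="default_host_localop_default_node_Cluster_URIs"/>
</Config>"""

DISCOVERY_RE = re.compile(r"/oidc/endpoint/([^/]+)/\.well-known/openid-configuration$")


def check_rp_op_pairing(localop_xml, appconfig_xml):
    """Return mismatches between the OP <client> and the oidcLogin (RP) that targets it; [] if consistent."""
    problems = []
    op, rp = ET.fromstring(localop_xml), ET.fromstring(appconfig_xml)
    providers = {p.get("id") for p in op.iter("openidConnectProvider")}
    clients = {c.get("name"): c for c in op.iter("client")}
    filters = {f.get("id"): f for f in rp.iter("authFilter")}
    for login in rp.iter("oidcLogin"):
        m = DISCOVERY_RE.search(login.get("discoveryEndpoint", ""))
        if not m:
            continue  # third-party OP with explicit endpoints: not paired with the local OP
        rp_id, op_id = login.get("id"), m.group(1)
        if op_id not in providers:
            problems.append(f"{rp_id}: discoveryEndpoint names unknown provider '{op_id}'")
        client = clients.get(login.get("clientId"))
        if client is None:
            problems.append(f"{rp_id}: clientId '{login.get('clientId')}' has no <client> on the OP")
            continue
        if client.get("secret") != login.get("clientSecret"):
            problems.append(f"{rp_id}: clientSecret differs from the OP client secret")
        if not client.get("redirect", "").endswith(f"/ibm/api/social-login/redirect/{rp_id}"):
            problems.append(f"{rp_id}: OP redirect URL does not end in /redirect/{rp_id}")
        flt = filters.get(login.get("authFilterRef"))
        for ua in (flt.iter("userAgent") if flt is not None else []):
            if "app-password-enabled" in ua.get("agent", ""):
                problems.append(f"{rp_id}: userAgent filter must not contain app-password-enabled")
    return problems


def check_plugin_routing(localop_xml, plugin_xml):
    """Check that /oidc/endpoint/<op id>/* reaches a cluster with an https transport on the OP's httpsPort."""
    problems = []
    op, cfg = ET.fromstring(localop_xml), ET.fromstring(plugin_xml)
    https_port = op.find("httpEndpoint").get("httpsPort")
    groups = {g.get("Name"): g for g in cfg.iter("UriGroup")}
    clusters = {c.get("Name"): c for c in cfg.iter("ServerCluster")}
    for op_id in (p.get("id") for p in op.iter("openidConnectProvider")):
        uri, routed = f"/oidc/endpoint/{op_id}/*", False
        for route in cfg.iter("Route"):
            group = groups.get(route.get("UriGroup"))
            if group is None or not any(u.get("Name") == uri for u in group.iter("Uri")):
                continue
            routed = True
            cluster = clusters[route.get("ServerCluster")]
            ports = {t.get("Port") for t in cluster.iter("Transport") if t.get("Protocol") == "https"}
            if https_port not in ports:
                problems.append(f"{uri}: cluster {cluster.get('Name')} has no https transport on {https_port}")
        if not routed:
            problems.append(f"{uri}: no Route/UriGroup forwards this URI to the local OP")
    return problems


if __name__ == "__main__":
    found = check_rp_op_pairing(LOCALOP_SERVER_XML, JAZZOP_APPCONFIG_XML) + check_plugin_routing(LOCALOP_SERVER_XML, PLUGIN_CFG_XML)
    print("\n".join(found) if found else "configuration consistent")
```

The script deliberately skips oidcLogin entries that do not carry a discoveryEndpoint pointing at a local /oidc/endpoint/ path, since a third-party provider such as the Google example is configured with explicit endpoints and has no client entry on the local OP to compare against. Run it after every edit to server.xml, appConfig.xml or plugin-cfg.xml; an empty result means the redirect chain from JAS to the local OP and back is at least consistent on paper, which is the first thing to verify before testing the selection form.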

Testing the configuration

When multiple OIDC providers are configured to protect a request, Liberty presents a default selection form that lets the user choose among the OIDC providers configured in the Liberty server. See Liberty Social Media Selection Form for details.

Here is the selection form for the sample configured in the previous steps. The user clicks the OIDC provider of interest.

[Image: selection.png]

Related topics: Jazz Authorization Server Landing Page
