r11 - 2020-11-26 - 06:39:43 - TadahiroHara
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! How to configure Jazz Authentication Server with App ID on IBM Cloud <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/todo.png" alt="todo.png" width="50" height="50" align="right">
%DKGRAY% Authors: -- Main.TadahiroHara - 2020-11-26 <br> Build basis: ELM 7.0.2 and higher %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

Starting with the Collaborative Lifecycle Management Solution 6.0 software release, Jazz Security Architecture SSO is available as an authentication option. Based on [[http://openid.net/connect/faq][OpenID Connect]], authentication is NOT performed by the container hosting Jazz applications but is instead delegated to a separate Jazz Authorization Server (JAS), which plays the role of an !OpenID Connect provider (OP). For further information on Jazz Security Architecture, see the jazz.net article [[https://jazz.net/library/article/75][Jazz Server Authentication Explained]].

You can configure the Liberty !OpenID Connect Provider to delegate user authentication one step further, for example to [[https://cloud.ibm.com/catalog/services/app-id][App ID]] on IBM Cloud, using the Liberty "Social Login" feature. This article shows an example configuration with JAS and App ID.

The configuration information is extracted and adapted for JAS from [[https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_sociallogin.html#twlp_sec_sociallogin__openid][Liberty Topic: Configuring Social Login in Liberty]] and [[JASandOIDCProvider][Configuring CLM Authentication with a 3rd Party OIDC provider]].

---++ Limitations

In this approach user authentication is delegated a second time, from JAS to App ID, and the resulting redirections cannot be followed by every client. The limitations are:

   * Authenticating with App ID works only for browser-based clients.
   * Thick clients (Eclipse, Visual Studio) and command-line utilities can be configured to authenticate directly against JAS, so JAS still needs to be connected to your own LDAP server or local directory, because App ID does not provide LDAP access. Alternatively, client certificate or native password authentication can be considered.

---++ Deployment Pattern

The following diagram depicts the deployment topology and the authentication flow.<br>
<img src="%ATTACHURLPATH%/Topology.png" alt="Topology.png" width="1000" height="500" />

---++ Overview of Configuration

The steps involved in this configuration are:

   * Configure on App ID
   * Configure OIDC Login in Liberty in JAS
   * Set Redirect URL from JAS in App ID
   * Import certificate of App ID in a trust store in JAS
   * Add users to Cloud Directory in App ID (optional)

---++ Configure on App ID

---+++ Create App ID instance on IBM cloud

You can deploy an [[https://cloud.ibm.com/catalog/services/app-id][App ID]] instance from the catalog in IBM Cloud when you have an IBM Cloud account.

Deploying an App ID instance.<br/>
<img src="%ATTACHURLPATH%/App_ID_-_IBM_Cloud.png" alt="App_ID_-_IBM_Cloud.png" width="677" height="438" />

---+++ Add Application to App ID

You can add an "Application" to get the information needed for the Liberty OIDC settings.

Navigate to Application from the menu.<br/>
<img src="%ATTACHURLPATH%/Applicaion.png" alt="Applicaion.png" />

Adding an application in App ID.<br/>
<img src="%ATTACHURLPATH%/AddApplication.png" alt="AddApplication.png" width="500" />

After adding an "Application" you can get the information for the Liberty OIDC settings.<br/>
<img src="%ATTACHURLPATH%/ApplicationInfo2.png" alt="ApplicationInfo2.png" width="800" />

<verbatim>
{
  "clientId": "xxxx1234-1234-1234-xxxx-e18890408990",
  "tenantId": "xxxx1234-1234-1234-1234-206ad598442e",
  "secret": "XXXXXXXXXXXXMDRkMC00ZTRjLTk1Y2MtYWU4MTIzNmQ2ZDZl",
  "name": "JAS",
  "oAuthServerUrl": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e",
  "profilesUrl": "https://au-syd.appid.cloud.ibm.com",
  "discoveryEndpoint": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e/.well-known/openid-configuration",
  "type": "regularwebapp",
  "scopes": [
    "myscope01"
  ]
}
</verbatim>

---++ Configure OIDC Login in Liberty in JAS

You need to configure server.xml and appConfig.xml in Liberty in JAS to redirect authentication to App ID.

   * Open the =[JAS_HOME]\wlp\usr\servers\jazzop\server.xml= configuration file and add the socialLogin-1.0 and ssl-1.0 features.
   * Add the =oidcLogin= element and configure the connection to App ID by referring to the "Application" information.

| *Attribute in oidcLogin* | *Value from Application Information* |
| clientId | {clientId} |
| clientSecret | {secret} |
| authorizationEndpoint | {oAuthServerUrl}/authorization |
| tokenEndpoint | {oAuthServerUrl}/token |
| issuer | {oAuthServerUrl} |
| jwksUri | {oAuthServerUrl}/publickeys |
| scope | {scopes} |

---+++++ Example of configuration

<verbatim>
<featureManager>
    <feature>socialLogin-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
    ...
</featureManager>
</verbatim>

<verbatim>
<oidcLogin id="myoidcserver"
    displayName="OIDC Login"
    clientId="xxxx1234-24a4-4172-ba66-e18890408990"
    clientSecret="XXXXXXXXXXXXMDRkMC00ZTRjLTk1Y2MtYWU4MTIzNmQ2ZDZl"
    authorizationEndpoint="https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-47ec-9e28-206ad598442e/authorization"
    tokenEndpoint="https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-47ec-9e28-206ad598442e/token"
    issuer="https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-47ec-9e28-206ad598442e"
    jwksUri="https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-47ec-9e28-206ad598442e/publickeys"
    scope="myscope01"
    userNameAttribute="email"
    authFilterRef="myoidcAuthFilter">
</oidcLogin>

<authFilter id="myoidcAuthFilter">
    <userAgent id="oidcUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    <requestUrl id="pingRequestUrl" urlPattern="/authorize" matchType="contains"/>
</authFilter>
</verbatim>

Please see the [[https://cloud.ibm.com/docs/appid?topic=appid-discovery][OIDC discovery document]] and [[https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_sociallogin.html#twlp_sec_sociallogin__openid][Liberty Topic: Configuring Social Login in Liberty]] for details.

---++ Set Redirect URL from JAS in App ID

You need to register the "Redirect URL" of JAS in App ID. Navigate to Identity Providers > Manage > Authentication Settings.<br/>
<img src="%ATTACHURLPATH%/RedirectURL.png" alt="RedirectURL.png" width="1408" height="180" />

For example, the redirect URL for the oidcLogin configuration example has the following format:
<verbatim>
https://[JAS_Host]:[Port]/ibm/api/social-login/redirect/oidclogin_id
</verbatim>
<br/>
When the redirect URL is not set in App ID, the login attempt fails with the error message shown in the screenshot below.
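The following Python script is an added example, not code from the wiki page or from IBM. It applies the attribute mapping table above to the "Application" JSON that App ID shows after an application is added, cross-checks the derived issuer, authorization, token and JWKS endpoints against an OIDC discovery document (the values in server.xml must agree with what App ID advertises there), renders the resulting =oidcLogin= element, builds the redirect URL in the format above, and models the =authFilter= so you can see why only browser user agents are sent to App ID. The Application JSON and the discovery document are constructed samples with placeholder identifiers; the JAS host =jas.example.com=, the port 9643, the sample request paths and the Eclipse user-agent string are assumptions, and the filter model assumes that Liberty requires every condition of an authFilter to match and treats =|= in the =agent= attribute as separating alternatives.

```python
"""Added example (not from the wiki page, not IBM tooling): derive Liberty
oidcLogin settings for JAS from the App ID "Application" JSON, verify them
against the OIDC discovery document, build the redirect URL to register in
App ID, and model which requests the authFilter routes to App ID."""
import json
from xml.sax.saxutils import quoteattr

# Constructed sample in the shape App ID shows after adding an application.
# Identifiers are placeholders, not real tenant, client or secret values.
APP_INFO_JSON = """{
  "clientId": "xxxx1234-1234-1234-xxxx-e18890408990",
  "tenantId": "xxxx1234-1234-1234-1234-206ad598442e",
  "secret": "XXXXXXXXXXXXMDRkMC00ZTRjLTk1Y2MtYWU4MTIzNmQ2ZDZl",
  "name": "JAS",
  "oAuthServerUrl": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e",
  "profilesUrl": "https://au-syd.appid.cloud.ibm.com",
  "discoveryEndpoint": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e/.well-known/openid-configuration",
  "type": "regularwebapp",
  "scopes": ["myscope01"]
}"""

# Constructed discovery document reduced to the keys the check needs. In a real
# run you would GET app_info["discoveryEndpoint"] and parse the response instead.
DISCOVERY_JSON = """{
  "issuer": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e",
  "authorization_endpoint": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e/authorization",
  "token_endpoint": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e/token",
  "jwks_uri": "https://au-syd.appid.cloud.ibm.com/oauth/v4/xxxx1234-1234-1234-1234-206ad598442e/publickeys"
}"""
SAMPLE_APP = json.loads(APP_INFO_JSON)
SAMPLE_DISCOVERY = json.loads(DISCOVERY_JSON)

# oidcLogin attribute -> key in the discovery document
DISCOVERY_KEYS = {"issuer": "issuer", "authorizationEndpoint": "authorization_endpoint",
                  "tokenEndpoint": "token_endpoint", "jwksUri": "jwks_uri"}


def oidc_login_attributes(app_info):
    """Apply the page's mapping table: Application JSON -> oidcLogin attributes."""
    base = app_info["oAuthServerUrl"].rstrip("/")
    return {
        "clientId": app_info["clientId"],
        "clientSecret": app_info["secret"],
        "authorizationEndpoint": base + "/authorization",
        "tokenEndpoint": base + "/token",
        "issuer": base,
        "jwksUri": base + "/publickeys",
        "scope": " ".join(app_info["scopes"]),  # Liberty takes a space-separated list
    }


def discovery_mismatches(attrs, discovery):
    """Names of oidcLogin attributes that differ from what App ID itself advertises."""
    return [a for a, k in DISCOVERY_KEYS.items() if attrs[a] != discovery.get(k)]


def redirect_uri(jas_host, port, oidc_login_id):
    """Redirect URL to register under Identity Providers > Manage > Authentication Settings."""
    return f"https://{jas_host}:{port}/ibm/api/social-login/redirect/{oidc_login_id}"


def render_oidc_login(attrs, element_id, auth_filter_id):
    """Render the <oidcLogin> element; quoteattr() escapes any &, <, > or quotes."""
    lines = [f"<oidcLogin id={quoteattr(element_id)}", '    displayName="OIDC Login"']
    lines += [f"    {name}={quoteattr(value)}" for name, value in attrs.items()]
    lines += ['    userNameAttribute="email"', f"    authFilterRef={quoteattr(auth_filter_id)} />"]
    return "\n".join(lines)


def auth_filter_matches(user_agent, url, agents="Mozilla|Opera", url_fragment="/authorize"):
    """Model of the page's authFilter. Assumption: all conditions must hold and
    '|' in agent= separates alternatives (confirm against the Liberty docs)."""
    agent_ok = any(alt in user_agent for alt in agents.split("|"))
    return agent_ok and url_fragment in url


if __name__ == "__main__":
    attrs = oidc_login_attributes(SAMPLE_APP)
    bad = discovery_mismatches(attrs, SAMPLE_DISCOVERY)
    if bad:
        raise SystemExit(f"attributes disagree with the discovery document: {bad}")
    print(render_oidc_login(attrs, "myoidcserver", "myoidcAuthFilter"))
    # Placeholder JAS host and port; substitute your own.
    print("Register in App ID:", redirect_uri("jas.example.com", 9643, "myoidcserver"))
    # Constructed requests: a browser matches the filter and is sent to App ID,
    # an Eclipse client (assumed user-agent string) does not and stays with JAS.
    print(auth_filter_matches("Mozilla/5.0 (Windows NT 10.0) Firefox/83.0", "/oidc/endpoint/jazzop/authorize"))
    print(auth_filter_matches("Jazz-Eclipse-Client/7.0.2", "/oidc/endpoint/jazzop/authorize"))
```

Run it as a script to print the element and the redirect URL. In a real deployment replace =DISCOVERY_JSON= with the body fetched from the application's =discoveryEndpoint=, so that the check compares your server.xml against what App ID actually advertises; a mismatch in =issuer= or =jwksUri= is exactly what causes ID-token validation to fail after the redirect. Rendering through =quoteattr()= matters because a client secret containing =&= or quotes would otherwise produce invalid XML.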
<img src="%ATTACHURLPATH%/ErrorWhenNoRedirectURL.png" alt="ErrorWhenNoRedirectURL.png" width="545" />

Please see [[https://cloud.ibm.com/docs/appid?topic=appid-managing-idp#add-redirect-uri][Adding redirect URIs]] for details.

---++ Import a certificate of App ID in a trust store in JAS

You need to import the certificate of App ID into a trust store in JAS; otherwise you will see the following error when the HTTP request is redirected back from App ID.

<verbatim>
CWPKI0823E: SSL HANDSHAKE FAILURE: A signer with SubjectDN [CN=au-syd.appid.cloud.ibm.com, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US] was sent from the host [au-syd.appid.cloud.ibm.com:443]. The signer might need to be added to local trust store [ibm-team.keystore], located in SSL configuration alias [defaultSSLConfig]. The extended error message from the SSL handshake exception is: [PKIXCertPathBuilderImpl could not build a valid CertPath.].
</verbatim>

   * To import the certificate into the Liberty truststore =[JAS_HOME]\wlp\usr\servers\jazzop\ibm-team.keystore=, go in your browser to one of the endpoints specified by the oidcLogin element, =au-syd.appid.cloud.ibm.com=, and export the certificate. Use a key management tool such as iKeyman or the Java keytool utility to add the certificate to the Liberty truststore file.

---++ Add users to Cloud Directory in App ID (Optional)

When you use Cloud Directory for user management you can add users as described in [[https://cloud.ibm.com/docs/appid?topic=appid-cd-users#add-users][Add Users]].<br />
When you only use IBM ID for user management this is not needed.

---++ After configuration

After configuration, when you access the JTS application, your request is redirected to the login form of App ID on IBM Cloud.<br />
<img src="%ATTACHURLPATH%/LoginForm.png" alt="LoginForm.png" width="490" />

---+++++!! Related topics:
   * [[JASandOIDCProvider][Configuring CLM Authentication with a third Party OIDC provider]]

---+++++!! External links:
   * [[https://cloud.ibm.com/catalog/services/app-id][App ID]]
   * [[https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_sociallogin.html#twlp_sec_sociallogin__openid][Liberty Topic: Configuring Social Login in Liberty]]

---+++++!! Additional contributors:
<sticky></div></sticky>