You can configure a WebSphere® Application Server to function as an OpenID Connect Relying Party (RP, or client) and take advantage of web single sign-on with an OpenID Connect Provider acting as the identity provider.
About this task
Configure a WebSphere Application Server to act as an OpenID Connect Relying Party by performing the following steps:
Procedure
- In the administrative console, click Security > Global security > Web and SIP security > Trust association.
- Click Interceptors.
- Click New to add a new interceptor.
- Enter the interceptor class name com.ibm.ws.security.oidc.client.RelyingParty.
- Add the custom properties for your environment. See OpenID Connect Relying Party custom properties for the list of supported properties.
- Click Apply, then Save the configuration updates.
Important: Do not click Save without clicking Apply first, or the custom properties are discarded.
- Click Security > Global security and then click Custom properties.
- Click New and define the following custom property under General properties:
Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
Value: com.ibm.ws.security.oidc.client.RelyingParty
Note: If this property is already defined, do not overwrite it. Append com.ibm.ws.security.oidc.client.RelyingParty to the existing value, separated from it by a comma, so that the value becomes a comma-separated list of interceptor class names.
- Import the OpenID Connect provider's SSL signer certificate into the WebSphere Application Server truststore so that the RP can validate the provider's TLS endpoints.
- In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
- Click Add.
- Complete the certificate information, then click Apply. Before you add the signer, confirm its fingerprint against a value obtained from the provider out of band; a signer added without that check trusts whatever certificate happened to be presented on the connection.
- Install the OIDC RP application. Change to the app_server_root/bin directory and run the installOIDCRP.py script for each profile on which the OpenID Connect RP is to be installed. For example:
cd app_server_root/bin
wsadmin -f installOIDCRP.py install nodeName serverName
or:
wsadmin -f installOIDCRP.py install clusterName
where:
- nodeName is the node name of the target application server.
- serverName is the server name of the target application server.
- clusterName is the name of the cluster on which the OpenID Connect RP is to be installed.
- Restart WebSphere Application Server.
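The two settings in this procedure that are most often done wrong by hand are the InvokeTAIbeforeSSO value (overwriting an existing list instead of appending to it) and the target arguments for installOIDCRP.py. The following script is an added example, not IBM's code or part of the product: merge_invoke_tai_before_sso() and install_command() are plain Python and run anywhere; apply_with_wsadmin() assumes it is executed under wsadmin with the Jython language, where wsadmin injects the AdminTask and AdminConfig objects, and it assumes the AdminTask.configureInterceptor command with the '[-interceptor ... -customProperties [...]]' argument syntax. The property names you pass in rp_props come from the OpenID Connect Relying Party custom properties reference, not from this example.

```python
# Added example (not IBM code). Helpers for the manual steps above.
# Assumptions: AdminTask.configureInterceptor exists with the argument syntax
# used below, and AdminTask/AdminConfig are injected when run via
# "wsadmin -lang jython -f thisfile.py". Offline, only the pure helpers run.

RP_CLASS = "com.ibm.ws.security.oidc.client.RelyingParty"
TAI_BEFORE_SSO = "com.ibm.websphere.security.InvokeTAIbeforeSSO"


def merge_invoke_tai_before_sso(existing, tai_class=RP_CLASS):
    """Return the value to store in InvokeTAIbeforeSSO.

    The property is a comma-separated list of interceptor classes that run
    before LTPA single sign-on. When it already exists, the RP class must be
    appended to that list, not written over it, or the interceptors already
    named there silently stop being invoked before SSO. Whitespace is trimmed
    and the class is added only once, so repeating the call is harmless.
    """
    entries = [e.strip() for e in (existing or "").split(",") if e.strip()]
    if tai_class not in entries:
        entries.append(tai_class)
    return ",".join(entries)


def install_command(node=None, server=None, cluster=None):
    """Build the installOIDCRP.py argument vector for one target.

    The script takes either a node/server pair or a cluster name; mixing
    the two forms is rejected instead of being silently truncated.
    """
    if cluster is not None and node is None and server is None:
        target = [cluster]
    elif cluster is None and node is not None and server is not None:
        target = [node, server]
    else:
        raise ValueError("give either node and server, or cluster")
    return ["wsadmin", "-f", "installOIDCRP.py", "install"] + target


def apply_with_wsadmin(AdminTask, AdminConfig, rp_props):
    """Script the interceptor and global custom property steps (assumed API).

    rp_props is a dict of OpenID Connect RP custom properties for your
    environment. Returns the InvokeTAIbeforeSSO value that was stored.
    """
    # Interceptor registration with its custom properties (assumed syntax,
    # modelled on the documented configureInterceptor examples).
    props = " ".join('"%s=%s"' % (k, v) for k, v in sorted(rp_props.items()))
    AdminTask.configureInterceptor(
        "[-interceptor %s -customProperties [%s]]" % (RP_CLASS, props))

    # Global security custom property: find an existing definition and merge
    # into it rather than creating a duplicate or clobbering it.
    security = AdminConfig.list("Security")
    existing, prop_id = None, None
    for pid in AdminConfig.showAttribute(security, "properties")[1:-1].split():
        if AdminConfig.showAttribute(pid, "name") == TAI_BEFORE_SSO:
            existing, prop_id = AdminConfig.showAttribute(pid, "value"), pid
    new_value = merge_invoke_tai_before_sso(existing)
    if prop_id is None:
        AdminConfig.create("Property", security,
                           [["name", TAI_BEFORE_SSO], ["value", new_value]])
    else:
        AdminConfig.modify(prop_id, [["value", new_value]])

    # Equivalent of Apply followed by Save in the console: nothing above is
    # persisted to the configuration repository until save() runs.
    AdminConfig.save()
    return new_value


if __name__ == "__main__":
    # Offline demonstration of the merge rule from the Note in the procedure.
    print(merge_invoke_tai_before_sso("com.example.ExistingTAI"))
    print(" ".join(install_command(node="node01", server="server1")))
```

After running apply_with_wsadmin() under wsadmin, the installOIDCRP.py step and the server restart are still required; the script only replaces the console clicks for the interceptor and custom property, and it still does nothing about the truststore import.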
Results
The steps in this topic establish the minimum configuration required for a WebSphere Application Server to act as an OpenID Connect Relying Party that can communicate with an OpenID Connect provider.