Configuring an OpenID Connect Relying Party

You can configure a WebSphere® Application Server to function as an OpenID Connect Relying Party (RP, or client) to take advantage of web single sign-on using an OpenID Connect Provider as an identity provider.

Before you begin

Read OpenID Connect overview for more information on OpenID Connect.

Review the properties that you must configure for OpenID Connect Relying Party configuration options. Read OpenID Connect Relying Party custom properties for more information.

About this task

Configure a WebSphere Application Server to act as an OpenID Connect Relying Party by performing the following steps:

Procedure

  1. In the administrative console, click Security > Global security > Web and SIP security > Trust association.
  2. Click Interceptors.
  3. Click New to add a new interceptor.
  4. Enter the interceptor class name of com.ibm.ws.security.oidc.client.RelyingParty.
  5. Add custom properties for your environment. Read OpenID Connect Relying Party custom properties for a list of the properties.
  6. Click Apply and Save the configuration updates.
    Important: Do not click Save without clicking Apply first or the custom properties are discarded.
  7. Click Security > Global security and then click Custom properties.
  8. Click New and define the following custom property information under General properties:
       Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
       Value: com.ibm.ws.security.oidc.client.RelyingParty
    Note: If this property is already defined, then add com.ibm.ws.security.oidc.client.RelyingParty to the existing value, separating the entries with a comma to create a list.
  9. Import the OpenID Connect provider's SSL signer certificate into the WebSphere Application Server truststore.
    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
    2. Click Add.
    3. Complete the certificate information, then click Apply.
  10. Install the oidc application. cd to the app_server_root/bin directory and run the script installOIDCRP.py for each profile on which the OpenID Connect RP is to be installed. For example:
    cd <install_root>/bin
    wsadmin -f installOIDCRP.py install nodeName serverName
    or:
    wsadmin -f installOIDCRP.py install clusterName
    where:
    nodeName
      is the node name of the target application server.
    serverName
      is the server name of the target application server.
    clusterName
      is the name of the cluster on which the OpenID Connect RP is to be installed.
  11. Restart WebSphere Application Server.
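
As an added example, not part of this IBM page or of the WebSphere product, the following wsadmin Jython script automates steps 7 and 8: it creates the InvokeTAIbeforeSSO global security custom property, or, when the property already exists, appends the Relying Party class to the existing comma-separated value instead of replacing it. It assumes wsadmin's AdminConfig object (list, showAttribute, create, modify, save) and that the custom properties are Property objects scoped under the Security configuration object; check both against your WebSphere version before running it.

```python
# Added example, not from the IBM page: wsadmin Jython for steps 7 and 8. Adds the
# RelyingParty class to com.ibm.websphere.security.InvokeTAIbeforeSSO, appending to
# an existing comma-separated value instead of overwriting it (Jython 2.1 compatible).

PROPERTY_NAME = 'com.ibm.websphere.security.InvokeTAIbeforeSSO'
RP_CLASS = 'com.ibm.ws.security.oidc.client.RelyingParty'

def merge_tai_list(existing_value, class_name):
    """Return the comma-separated list the property should hold once
    class_name is added. An empty or missing value yields class_name alone;
    a value that already lists class_name keeps it in place, so the script
    is safe to run more than once. Blank entries and repeats are dropped."""
    entries = []
    for item in (existing_value or '').split(','):
        item = item.strip()
        if item and item not in entries:
            entries.append(item)
    if class_name not in entries:
        entries.append(class_name)
    return ','.join(entries)

def find_property(security_id, name):
    """Return the config id of the custom property called name under the
    Security object, or None if it is not defined yet (assumed AdminConfig
    layout: custom properties are Property objects scoped to Security)."""
    for prop_id in AdminConfig.list('Property', security_id).splitlines():
        if AdminConfig.showAttribute(prop_id, 'name') == name:
            return prop_id
    return None

def set_invoke_tai_before_sso(class_name):
    """Create or update InvokeTAIbeforeSSO (steps 7 and 8), save, and return
    the value now stored. Synchronize nodes afterwards as usual in a cell."""
    security_id = AdminConfig.list('Security').splitlines()[0]
    prop_id = find_property(security_id, PROPERTY_NAME)
    if prop_id is None:
        new_value = merge_tai_list('', class_name)
        AdminConfig.create('Property', security_id,
                           [['name', PROPERTY_NAME], ['value', new_value]])
    else:
        old_value = AdminConfig.showAttribute(prop_id, 'value')
        new_value = merge_tai_list(old_value, class_name)
        AdminConfig.modify(prop_id, [['value', new_value]])
    AdminConfig.save()
    return new_value

# AdminConfig is injected only inside wsadmin; under plain Python this is skipped.
if globals().get('AdminConfig') is not None:
    print(PROPERTY_NAME + ' = ' + set_invoke_tai_before_sso(RP_CLASS))
```

Run it with wsadmin -f on the deployment manager or standalone server, then complete steps 9 to 11 as described.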

Results

The steps in this topic establish the minimum configuration that is required to configure a WebSphere Application Server as an OpenID Connect Relying Party capable of communicating with an OpenID Connect provider.


Task topic

Last updated: March 5, 2017 17:29
File name: tsec_oidconfigure.html