Adding IBM Process Federation Server to a quick start configuration

Traditional:
Add a Process Federation Server to a User Management Service (UMS) 1.1.0 quick start configuration for single sign-on (SSO).
Important: This topic does not apply if you created a quick start configuration using UMS 1.0.0, 1.0.1, or 1.0.3.
  1. Add the required configuration to the User Management Service (the quick start configuration has no database).
    1. For Process Federation Server, copy the template wlp\ibmUserManagement\extension\configTemplates\pfs\oidc-rp-template-pfs.xml into the configuration directory of your User Management Service server, wlp\usr\servers\server_name\configDropins\overrides.
      The template has the following structure:
      
        <server>
            <oauthProvider id="oidcOAuthProvider" autoAuthorize="true">
              [...]
              <autoAuthorizeClient>PFS</autoAuthorizeClient>
                <localStore id="oidcClients">
                    [...]
                    <client id="PFS"
                            introspectTokens="true"
                            name="PFS"
                            secret="password"
                            scope="openid profile"
                            preAuthorizedScope="openid profile">
                        <!-- replace PFS_HOST with your PFS server hostname and PFS_PORT with the PFS server port -->
                        <!-- add as many redirect elements as you need (for example, if you are using different host names for your server) -->
                        <redirect>https://PFS_HOST:PFS_PORT/oidcclient/redirect/umsClient</redirect>
                    </client>
                </localStore>
            </oauthProvider>
        </server>
    2. Edit your copy of the template, and specify the following configuration properties:
      <autoAuthorizeClient>PFS</autoAuthorizeClient>
      To skip the user consent prompt for this Process Federation Server, register its client_id as an automatically authorized client in autoAuthorizeClient. Use the same value as for the name attribute of the client.
      <localStore id="oidcClients">
      If you connect to more than one Process Federation Server system using OpenID Connect Relying Party, make sure that you use the identical configuration id for the localStore configuration element in all your OpenID Connect Relying Party configuration files. This ensures that the one and only localStore is extended when the configuration files are merged. In a quick start configuration with only one Process Federation Server system, keep the setting as it is.
      Attribute "id" in client
      Specify a unique ID for the configuration of this specific client in the localStore.
      Attribute "name" in client
      Set a name for the client specification of your Process Federation Server system. Later, when you configure SSO in your Process Federation Server system, this name must match the client_id setting, as required by the OIDC and OAuth 2.0 protocols.
      Attribute "secret" in client
      Set a secret for the client specification of your Process Federation Server system. Later, in the Process Federation Server system SSO configuration, this secret must match the client_secret setting, as required by the OIDC and OAuth 2.0 protocols.
      Attribute "scope" in client
      All scopes that this client can request. For single sign-on, the only supported value is "openid profile".
      Attribute "preAuthorizedScope" in client
      The set of scopes for which user consent can be skipped. For seamless single sign-on, use the same value as for scope.
      <redirect>...</redirect>
      The full URL in the OpenID Connect Relying Party to which the user can be redirected after successful authentication. The OpenID Connect Relying Party support in WebSphere underneath Process Federation Server exposes a URL following this pattern:
      https://host:port/oidcclient/ums
      Where host is the host name of your Process Federation Server system and port is the HTTPS port that you use to log in to Process Federation Server.
      Note: You can add multiple <redirect> elements for clients that allow redirection to a set of URLs, for example when your Process Federation Server system can be accessed using multiple host names.
  2. Add the single sign-on configuration for User Management Service to the Process Federation Server configuration, by adapting and adding the contents of the file wlp/ibmUserManagement/extension/configTemplates/pfs/PFS-template-server.xml into the Process Federation Server server.xml file.
    To specify that the User Management Service server is providing authentication and SSO for your Process Federation Server servers, update all the <ibmPfs_federatedSystem> configuration elements in the server.xml configuration file that point to your federated Business Automation Workflow V19.0.0.1 (or higher) systems by setting the optional attribute authenticationMechanism to the value PFS_ACCESS_TOKEN. For example:
    <ibmPfs_federatedSystem 
        authenticationMechanism="PFS_ACCESS_TOKEN" 
        ... 
    />
    Important: If the openidConnectClient-1.0 feature is not yet installed in your Liberty server, add it using the Liberty install utility:
    $WLP_HOME/bin/installUtility install openidConnectClient-1.0
  3. Add the User Management Service server certificate to the Process Federation Server truststore by using the standard IBM® WebSphere® Application Server Liberty procedure. This is necessary because SSL is used to access the User Management Service. For more information, see Adding trusted certificates in Liberty.
  4. Verify that the SSO is working.
    1. Restart your server.
    2. Use a browser to visit the URL https://PFS_host_name:PFS_port/rest/bpm/federated/v1/systems, where PFS_host_name is the host name of your Process Federation Server and PFS_port is its port number. The browser should display the IBM Digital Business Automation login panel.
    3. Enter a valid user name and password.
    4. If the authentication is successful, the browser displays a JSON response that lists all your federated systems, each with a statusCode of 200. For example:
      {
      	"federationResult": [{
      		"restUrlPrefix": "https:\/\/my.workflow.server:9443\/rest\/bpm\/htm",
      		"systemID": "_PK:90230163.2cbe0389.a701e1f6.56570002",
      		"displayName": "BPEL8570",
      		"systemType": "SYSTEM_TYPE_WPS",
      		"id": "bpel8570",
      		"taskCompletionUrlPrefix": "https:\/\/my.workflow.server:9443\/rest\/bpm\/htm",
      		"version": "8.6.1.18001",
      		"indexRefreshInterval": 2000,
      		"statusCode": "200"
      	},
      	{
      		"restUrlPrefix": "https:\/\/my.workflow.server:9443\/rest\/bpm\/wle",
      		"systemID": "fcfda9e1-f10e-42ef-ae17-f968b01182eb",
      		"displayName": "BPM8570",
      		"systemType": "SYSTEM_TYPE_WLE",
      		"portalSupportUrlPrefix": "https:\/\/my.workflow.server:9443\/portal",
      		"id": "bpm8570",
      		"taskCompletionUrlPrefix": "https:\/\/my.workflow.server:9443\/teamworks",
      		"version": "8.6.1.18001",
      		"indexRefreshInterval": 2000,
      		"statusCode": "200"
      	}],
      	"systems": [{
      		"systemID": "_PK:90230163.2cbe0389.a701e1f6.56570002",
      		"systemType": "SYSTEM_TYPE_WPS",
      		"version": "8.6.1.18001",
      		"groupWorkItemsEnabled": false,
      		"resources": ["tasks",
      		"taskTemplates",
      		"escalations",
      		"workBaskets",
      		"businessCategories",
      		"processes",
      		"processTemplates",
      		"activities"],
      		"taskHistoryEnabled": false,
      		"buildLevel": "BPM8600 [20180627-005610.0]",
      		"substitutionEnabled": false,
      		"workBasketsEnabled": true,
      		"substitutionManagementRestrictedToAdministrators": true,
      		"businessCategoriesEnabled": true,
      		"groupCaseSensitivity": "CASE_CONVERSION_NONE",
      		"userCaseSensitivity": "CASE_CONVERSION_NONE",
      		"serverLocale": "en_US"
      	},
      	{
      		"systemID": "fcfda9e1-f10e-42ef-ae17-f968b01182eb",
      		"systemType": "SYSTEM_TYPE_WLE",
      		"version": "8.6.1.18001",
      		"groupWorkItemsEnabled": false,
      		"resources": ["tasks",
      		"taskTemplates",
      		"processes"],
      		"taskHistoryEnabled": false,
      		"buildLevel": "BPM8600-20180627-005610",
      		"substitutionEnabled": false,
      		"workBasketsEnabled": false,
      		"substitutionManagementRestrictedToAdministrators": false,
      		"businessCategoriesEnabled": false,
      		"taskSearchEnabled": true,
      		"notificationWebMessagingEnabled": true,
      		"taskListWebMessagingEnabled": true,
      		"apiVersion": "1.0",
      		"supports": null,
      		"hostname": "my.workflow.server"
      	}]
      }
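The following script is an added example (not IBM's code and not part of the product) that automates two of the checks a practitioner would want after completing the steps above: it lints the edited copy of oidc-rp-template-pfs.xml for the properties described in step 1 (client listed as autoAuthorizeClient, secret no longer the template value, scope and preAuthorizedScope equal to "openid profile", every redirect an HTTPS URL on the Liberty OIDC client endpoint with no PFS_HOST/PFS_PORT placeholders left), and it reads a saved /rest/bpm/federated/v1/systems response from step 4 and reports every federated system whose statusCode is not 200. The XML and JSON inputs embedded below are constructed for the example; the host name, port, and secret in them are placeholders, and the check that flags the unchanged template secret is this script's own convention.

```python
"""Sanity checks for a UMS <-> Process Federation Server SSO setup (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TEMPLATE_SECRET = "password"            # value shipped in oidc-rp-template-pfs.xml
REQUIRED_SCOPE = {"openid", "profile"}  # the only supported SSO scope value

# Constructed copy of an edited override file. The second redirect is a
# deliberate mistake (plain http) so the checker has something to report.
SAMPLE_OVERRIDE_XML = """<server>
  <oauthProvider id="oidcOAuthProvider" autoAuthorize="true">
    <autoAuthorizeClient>PFS</autoAuthorizeClient>
    <localStore id="oidcClients">
      <client id="PFS" introspectTokens="true" name="PFS" secret="password"
              scope="openid profile" preAuthorizedScope="openid profile">
        <redirect>https://pfs.example.com:9443/oidcclient/redirect/umsClient</redirect>
        <redirect>http://pfs.example.com:9080/oidcclient/redirect/umsClient</redirect>
      </client>
    </localStore>
  </oauthProvider>
</server>
"""

# Constructed, abbreviated /rest/bpm/federated/v1/systems response in which
# one federated system failed authentication.
SAMPLE_SYSTEMS_JSON = """{
  "federationResult": [
    {"id": "bpel8570", "systemType": "SYSTEM_TYPE_WPS", "statusCode": "200"},
    {"id": "bpm8570",  "systemType": "SYSTEM_TYPE_WLE", "statusCode": "401"}
  ]
}"""


def _scopes(value):
    """Split a space-separated scope attribute into a set of scope names."""
    return set((value or "").split())


def check_override(xml_text):
    """Return a list of findings for the UMS OIDC client override; [] means it passes."""
    findings = []
    root = ET.fromstring(xml_text)
    provider = root.find("oauthProvider")
    if provider is None:
        return ["no <oauthProvider> element found"]
    auto_clients = {e.text.strip() for e in provider.findall("autoAuthorizeClient") if e.text}
    if [s.get("id") for s in provider.findall("localStore")] != ["oidcClients"]:
        findings.append('expected exactly one <localStore id="oidcClients">')
    clients = list(provider.iter("client"))
    if not clients:
        findings.append("no <client> element found")
    for client in clients:
        name = client.get("name") or client.get("id") or "?"
        if name not in auto_clients:
            findings.append(f"{name}: not listed in <autoAuthorizeClient>; users will see a consent prompt")
        if client.get("secret") in (None, "", TEMPLATE_SECRET):
            findings.append(f"{name}: secret is missing or still the template value")
        if _scopes(client.get("scope")) != REQUIRED_SCOPE:
            findings.append(f"{name}: scope must be exactly 'openid profile'")
        if _scopes(client.get("preAuthorizedScope")) != _scopes(client.get("scope")):
            findings.append(f"{name}: preAuthorizedScope differs from scope")
        redirects = [r.text.strip() for r in client.findall("redirect") if r.text]
        if not redirects:
            findings.append(f"{name}: no <redirect> URL configured")
        for url in redirects:
            parts = urlsplit(url)
            if parts.scheme != "https":
                findings.append(f"{name}: redirect {url} is not https")
            if "PFS_HOST" in parts.netloc or "PFS_PORT" in parts.netloc:
                findings.append(f"{name}: redirect {url} still contains template placeholders")
            if not parts.path.startswith("/oidcclient/"):
                findings.append(f"{name}: redirect {url} does not point at the Liberty OIDC client endpoint")
    return findings


def failing_systems(json_text):
    """Map each federated system id to its statusCode when that code is not "200"."""
    doc = json.loads(json_text)
    return {
        entry.get("id", entry.get("systemID", "?")): str(entry.get("statusCode"))
        for entry in doc.get("federationResult", [])
        if str(entry.get("statusCode")) != "200"
    }


if __name__ == "__main__":
    for finding in check_override(SAMPLE_OVERRIDE_XML) or ["override file: OK"]:
        print(finding)
    for system_id, code in failing_systems(SAMPLE_SYSTEMS_JSON).items():
        print(f"federated system {system_id} returned statusCode {code}")
```

To use it against a real installation, replace SAMPLE_OVERRIDE_XML with the contents of your edited override file and SAMPLE_SYSTEMS_JSON with the response saved from the browser in step 4; both checks run offline and do not contact either server.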

Now the users of your Process Federation Server system can enjoy the benefits of single sign-on that uses a single User Management Service server without high availability.