You can configure IBM Business Automation Navigator to enable the use of UMS to provide a single sign-on experience with other IBM Cloud Pak for Automation applications.
Before you begin
Configuring SSO for IBM Business Automation Navigator and UMS requires the following prerequisite steps:
- Deploying the navigator-sso image as your IBM Business Automation Navigator deployment image.
- Configuring IBM Business Automation Navigator.
- Deploying and configuring UMS.
About this task
After you deploy your IBM Business Automation Navigator SSO container and the UMS server container, you perform various configuration updates to set up SSO communication between Navigator and UMS.
- Import the UMS certificate to Business Automation Navigator.
- Configure OpenID Connect Client for the Business Automation Navigator container.
- Register the Navigator service URL into the UMS server.
- Configure logout SSO between Business Automation Navigator and UMS.
- Verify the SSO connection between Business Automation Navigator and UMS.
Procedure
To enable the use of UMS for SSO with Business Automation Navigator:
- Import the UMS certificate to the IBM Business Automation Navigator trust store.
You can use a command similar to the following to import the root CA of UMS into the IBM Business Automation Navigator trust store:
  keytool -importcert -alias ums-rootCA-alias -file ums-rootCA-file -keystore NAV-truststore -storepass your-NAV-trust-store-password
Where:
- ums-rootCA-alias is the UMS root CA alias that you want to use in the Navigator trust store.
- ums-rootCA-file is the UMS root CA file, for example, rootCA.crt.pem.
- NAV-truststore is the trust store of IBM Business Automation Navigator, for example, truststore.jks.
- your-NAV-trust-store-password is your Navigator trust store password.
You can also optionally import the UMS server certificate itself into the Navigator trust store, for example:
  keytool -import -alias ums-CA-alias -keystore NAV-truststore -file ums-CA-file -storepass your-NAV-trust-store-password
Note: If you import the UMS certificate file after you deploy IBM Business Automation Navigator, you must restart your IBM Business Automation Navigator pod after importing the certificate.
- Configure the OpenID Connect Client for IBM Business Automation Navigator:
- Create an XML file called OpenIDConnectClient.xml in the icnconfig/overrides directory for your container environment.
- Add the following contents to the file:
  <server>
    <featureManager>
      <feature>openidConnectClient-1.0</feature>
    </featureManager>
    <openidConnectClient id="<openid_connect_id>"
      scope="openid profile email general"
      clientId="<icn_application_id>"
      clientSecret="<icn_application_secret>"
      mapIdentityToRegistryUser="true"
      authorizationEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/authorize"
      tokenEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/token"
      inboundPropagation="supported"
      signatureAlgorithm="RS256"
      validationEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/introspect"
      jwkEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/jwk">
    </openidConnectClient>
  </server>
Where:
- clientId is the application name. You can use "navigator", and the OpenID Connect Client id can be the same as this clientId. For the values of clientId and clientSecret, you can reference a Kubernetes secret or use a string value directly.
- clientSecret is the secret that is shared between UMS and Navigator. The same secret is used when you register the Navigator service with the UMS server.
- authorizationEndpointUrl, tokenEndpointUrl, validationEndpointUrl, and jwkEndpointUrl are the HTTPS URLs of the UMS server. Update the values with your UMS server host and port.
- Register the Navigator service URL with the UMS server:
You can use HTTP basic authentication with the UMS admin user to post a JSON object to the URL https://ums_server:ums_port/oidc/endpoint/ums/registration.
- Create a JSON file, for example, clientConfig.json, that includes the following components:
  {
    "scope": "openid profile email general",
    "preauthorized_scope": "openid profile email general",
    "introspect_tokens": true,
    "client_id": "<icn_app_id>",
    "client_secret": "<icn_app_secret>",
    "client_name": "<icn_app_name>",
    "grant_types": [
      "authorization_code",
      "client_credentials",
      "implicit",
      "refresh_token",
      "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ],
    "response_types": [
      "code",
      "token"
    ],
    "redirect_uris": [
      "https://<icn_host>:<icn_https_port>/oidcclient/redirect/navigator"
    ]
  }
Where:
- client_id is the client ID, for example "navigator". It must match the clientId in the Navigator configuration.
- client_secret is the secret that is configured for the IBM Business Automation Navigator server.
- client_name is the client name; it can optionally be the same as the client_id value.
- redirect_uris lists the OIDC redirect endpoints of the client application, in this case, Navigator.
- Use the following command to register your Navigator service URL with the UMS server:
  curl -k -u ums-admin-user:ums-admin-password -T clientConfig.json --request POST -H 'Content-Type: application/json' https://ums-host:port/oidc/endpoint/ums/registration
Where:
- ums-admin-user is the UMS administrative user.
- ums-admin-password is the password for the UMS administrative user.
- ums-host is the UMS host, and port is the UMS HTTPS port.
If you receive a JSON object from the terminal, your registration is
successful. Otherwise, check the steps carefully to find what has gone wrong.
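The registration succeeds only when the UMS registration JSON agrees with the Navigator OpenIDConnectClient.xml from the previous step (matching client_id/clientId and secret, scopes that UMS grants, HTTPS UMS endpoints, and a redirect_uri built from the client id). The following script is an added example, not part of the IBM documentation or product: it cross-checks the two files before you post the registration. The host names, secret and file contents are constructed placeholders, and the redirect-path check assumes the openidConnectClient id equals the clientId, as the page recommends.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs: placeholder hosts and secret, not real values.
NAV_XML = """<server>
  <featureManager><feature>openidConnectClient-1.0</feature></featureManager>
  <openidConnectClient id="navigator" scope="openid profile email general"
    clientId="navigator" clientSecret="example-secret" mapIdentityToRegistryUser="true"
    authorizationEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/authorize"
    tokenEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/token"
    inboundPropagation="supported" signatureAlgorithm="RS256"
    validationEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/introspect"
    jwkEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/jwk"/>
</server>"""
UMS_JSON = """{"scope": "openid profile email general",
 "preauthorized_scope": "openid profile email general", "introspect_tokens": true,
 "client_id": "navigator", "client_secret": "example-secret", "client_name": "navigator",
 "grant_types": ["authorization_code", "refresh_token"], "response_types": ["code"],
 "redirect_uris": ["https://navigator.example.com:9443/oidcclient/redirect/navigator"]}"""

ENDPOINTS = ("authorizationEndpointUrl", "tokenEndpointUrl",
             "validationEndpointUrl", "jwkEndpointUrl")

def check_sso_config(nav_xml, ums_json):
    """Return a list of mismatches between the Navigator client and the UMS registration."""
    client = ET.fromstring(nav_xml).find("openidConnectClient")
    if client is None:
        return ["no openidConnectClient element in Navigator config"]
    reg = json.loads(ums_json)
    problems = []
    if client.get("clientId") != reg.get("client_id"):
        problems.append("clientId/client_id mismatch")
    if client.get("clientSecret") != reg.get("client_secret"):
        problems.append("clientSecret/client_secret mismatch")
    # Every scope Navigator requests must be granted by the registration.
    missing = set(client.get("scope", "").split()) - set(reg.get("scope", "").split())
    if missing:
        problems.append("scopes not granted by UMS: " + " ".join(sorted(missing)))
    # All four UMS endpoints must be HTTPS and point at one UMS host:port.
    urls = [urlparse(client.get(a, "")) for a in ENDPOINTS]
    if any(u.scheme != "https" for u in urls) or len({u.netloc for u in urls}) != 1:
        problems.append("UMS endpoint URLs are not all HTTPS on one host:port")
    # The browser login uses the authorization code flow, so UMS must allow it.
    if "authorization_code" not in reg.get("grant_types", []) or "code" not in reg.get("response_types", []):
        problems.append("registration does not allow the authorization code flow")
    # Assumed: Liberty's redirect path ends in the openidConnectClient id (id == clientId here).
    expected = "/oidcclient/redirect/" + client.get("id", "")
    if not any(urlparse(u).scheme == "https" and urlparse(u).path == expected
               for u in reg.get("redirect_uris", [])):
        problems.append("no HTTPS redirect_uri ending in " + expected)
    return problems
```

An empty list means the two files are consistent; run it against your own files by reading them in place of the constructed strings.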
- Configure the logout SSO between Navigator and UMS:
- Log in to IBM Business Automation Navigator, and click Plug-ins in the navigation panel.
- Click New Plug-in, and in the JAR file path field, enter /opt/ibm/intPlugins/SSO/SSOLogoutPlugin.jar.
- Click Load, then add your value to the Single sign-on log out redirect URI field.
- Click Save and Close to save the plug-in configuration.
- On the navigation panel, click Desktops.
- In the Desktops tab, click New Desktop, and choose the type of desktop to create, for example, Platform.
- Specify a Name and ID for the desktop.
- In the Connections field, specify the connection that you created.
- Save and close the desktop configuration.
- Verify the SSO connection between Navigator and UMS:
- In a browser, enter the URL for your desktop, for example:
  https://navigator-host:port/navigator/?desktop=your-desktop-name
- When the page redirects to the UMS login, enter the user name and password for UMS.
When the user name and password are verified successfully, the page is redirected to your Navigator desktop.