Configuring an SSO connection between IBM Business Automation Navigator and UMS

You can configure IBM Business Automation Navigator to enable the use of UMS to provide a single sign-on experience with other IBM Cloud Pak for Automation applications.

Before you begin

Configuring SSO for IBM Business Automation Navigator and UMS requires the following prerequisite steps:
  1. Deploying the navigator-sso image as your IBM Business Automation Navigator deployment image.
  2. Configuring IBM Business Automation Navigator.
  3. Deploying and configuring UMS.

About this task

After you deploy your IBM Business Automation Navigator SSO container and the UMS server container, you perform various configuration updates to set up SSO communication between Navigator and UMS.

  1. Import the UMS certificate to Business Automation Navigator.
  2. Configure OpenID Connect Client for the Business Automation Navigator container.
  3. Register the Navigator service URL into the UMS server.
  4. Configure logout SSO between Business Automation Navigator and UMS.
  5. Verify the SSO connection between Business Automation Navigator and UMS.

Procedure

To enable the use of UMS for SSO with Business Automation Navigator:

  1. Import the UMS certificate to the IBM Business Automation Navigator trust store.
    You can use a command similar to the following to import the root CA of UMS into the IBM Business Automation Navigator trust store:
    keytool -importcert -alias ums-rootCA-alias -file ums-rootCA-file -keystore NAV-truststore -storepass your-NAV-trust-store-password
    Where:
    • ums-rootCA-alias is the alias under which the UMS root CA is stored in the Navigator trust store.
    • ums-rootCA-file is the UMS root CA file, for example, rootCA.crt.pem.
    • NAV-truststore is the trust store of IBM Business Automation Navigator, for example, truststore.jks.
    • your-NAV-trust-store-password is your Navigator trust store password.
    keytool prints the certificate and asks whether you trust it. Compare the fingerprint with the one that the UMS administrator gives you before you answer yes.
    You can also import the UMS server certificate itself into the Navigator trust store, for example:
    keytool -importcert -alias ums-CA-alias -keystore NAV-truststore -file ums-CA-file -storepass your-NAV-trust-store-password
    You can confirm that an entry is present with:
    keytool -list -keystore NAV-truststore -storepass your-NAV-trust-store-password -alias ums-rootCA-alias
    Note: If you import the UMS certificate file after you deploy IBM Business Automation Navigator, you must restart your IBM Business Automation Navigator pod after you import the certificate.
  2. Configure the OpenID Connect client for IBM Business Automation Navigator:
    1. Create an XML file called OpenIDConnectClient.xml in the icnconfig/overrides directory for your container environment.
    2. Add the following contents to the file:
      <server>
      <featureManager>
      <feature>openidConnectClient-1.0</feature>
      </featureManager>
      <openidConnectClient id="<openid_connect_id>"
      scope="openid profile email general"
      clientId="<icn_application_id>"
      clientSecret="<icn_application_secret>"
      mapIdentityToRegistryUser="true"
      authorizationEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/authorize"
      tokenEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/token"
      inboundPropagation="supported"
      signatureAlgorithm="RS256"
      validationEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/introspect"
      jwkEndpointUrl="https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/jwk" >
      </openidConnectClient>
      </server>
      
      Where:
      • id is the identifier of the openidConnectClient element. It also determines the callback path on which Navigator receives the authorization response, /oidcclient/redirect/<openid_connect_id>, which is the path that you register with UMS in step 3. You can use the same value as clientId, for example "navigator".
      • clientId is the client identifier, for example "navigator". You can store the clientId and clientSecret values in a Kubernetes secret or use string values directly.
      • clientSecret is the secret that is shared between UMS and Navigator. The same value is used as client_secret when you register the Navigator service with the UMS server in step 3, so handle it as a credential.
      • authorizationEndpointUrl, tokenEndpointUrl, validationEndpointUrl, and jwkEndpointUrl are the HTTPS URLs of the UMS server. Replace <UMS_host> and <UMS_HTTPS_port> with your UMS server host and HTTPS port. All four URLs must point at the same UMS instance and must use HTTPS, because the client secret and the tokens travel over these connections.
  3. Register the Navigator service URL with the UMS server:
    You use HTTP basic authentication with the UMS administrative user to POST a JSON object to the UMS client registration endpoint, https://<UMS_host>:<UMS_HTTPS_port>/oidc/endpoint/ums/registration.
    1. Create a JSON file, for example, clientConfig.json, that includes the following components:
      { 
         "scope": "openid profile email general", 
         "preauthorized_scope": "openid profile email general", 
         "introspect_tokens": true, 
         "client_id": "<icn_app_id>", 
         "client_secret": "<icn_app_secret>",
         "client_name": "<icn_app_name>",
         "grant_types": [
              "authorization_code",
              "client_credentials",
              "implicit",
              "refresh_token",
              "urn:ietf:params:oauth:grant-type:jwt-bearer"
         ],
         "response_types": [
              "code",
              "token"
          ],
         "redirect_uris": [ 
            "https://<icn_host>:<icn_https_port>/oidcclient/redirect/navigator" 
         ] 
      }
      
      Where:
      • client_id is the client identifier, for example "navigator". It must match the clientId in the Navigator configuration.
      • client_secret must match the clientSecret that is configured for the IBM Business Automation Navigator server.
      • client_name is a display name for the client; it can be the same as client_id.
      • redirect_uris lists the callback URLs of the client, in this case Navigator. UMS redirects only to URLs in this list and matches them exactly, so the scheme, host, port, and path (/oidcclient/redirect/<openid_connect_id>) must be the ones on which Navigator is actually reached.
      • grant_types and response_types define what this client is allowed to request. The Navigator client performs the authorization code flow, which needs only authorization_code (and refresh_token if sessions are to be refreshed). If nothing else relies on the implicit, client_credentials, and jwt-bearer grants or on the token response type, remove them so that the registered client cannot be used for flows that you do not intend.
    2. Use the following command to register your Navigator service URL with the UMS server:
      curl --cacert ums-rootCA-file -u ums-admin-user:ums-admin-password --request POST -H 'Content-Type: application/json' --data @clientConfig.json https://ums-host:ums-port/oidc/endpoint/ums/registration
      Where:
      • ums-admin-user is the UMS administrative user.
      • ums-admin-password is the password for the UMS administrative user. There must be no space after the colon in the -u value. If you pass only -u ums-admin-user, curl prompts for the password, which keeps it out of your shell history.
      • ums-host and ums-port are the UMS host and HTTPS port.
      • ums-rootCA-file is the UMS root CA file from step 1. It lets curl verify the UMS server certificate. Prefer it to -k (--insecure), which disables certificate checking and would let an interposed host capture the administrator credentials and the client secret.
    If the response is a JSON object that describes the registered client, the registration succeeded. Otherwise, read the HTTP status and the response body (for example, 401 means that the administrator credentials were rejected) and check the previous steps to find what has gone wrong.
  4. Configure the logout SSO between Navigator and UMS:
    1. Log in to IBM Business Automation Navigator, and click Plug-ins in the navigation panel.
    2. Click New Plug-in, and in the JAR file path field, enter /opt/ibm/intPlugins/SSO/SSOLogoutPlugin.jar.
    3. Click Load, then enter the URL to which users are redirected after they log out in the Single sign-on log out redirect URI field.
    4. Click Save and Close to save the plug-in configuration.
    5. On the navigation panel, click Desktops.
    6. In the Desktops tab, click New Desktop, and choose the type of desktop to create, for example, Platform.
    7. Specify a Name and ID for the desktop.
    8. In the Connections field, specify the connection that you created when you configured Navigator.
    9. Save and close the desktop configuration.
  5. Verify the SSO connection between Navigator and UMS:
    1. In a browser, enter the URL for your desktop, for example:
      https://navigator-host:port/navigator/?desktop=your-desktop-name
    2. When the page redirects to the UMS login, enter the user name and password of a UMS user.
    After UMS verifies the credentials, the browser is redirected back to your Navigator desktop and you are signed in without a separate Navigator login.
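The OpenIDConnectClient.xml from step 2 and the clientConfig.json from step 3 must agree with each other (clientId and client_id, the secret, the callback path that follows from the openidConnectClient id, and the preauthorized scopes), and a mismatch shows up only as a failed login. The following Python script is an example added to this page, not product tooling, that checks the two files against each other offline before you restart the pod or register the client. The host names, ports, and secret in the embedded samples are constructed assumptions; the sample registration deliberately lists only the authorization_code and refresh_token grants, narrower than the list shown in step 3.

```python
"""Offline consistency check for the Navigator OIDC client file and the UMS registration JSON."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs: host names, ports and the secret are assumptions, not
# values from a real deployment.
SAMPLE_XML = """<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
  </featureManager>
  <openidConnectClient id="navigator"
      scope="openid profile email general"
      clientId="navigator"
      clientSecret="example-secret-do-not-reuse"
      mapIdentityToRegistryUser="true"
      authorizationEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/authorize"
      tokenEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/token"
      inboundPropagation="supported"
      signatureAlgorithm="RS256"
      validationEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/introspect"
      jwkEndpointUrl="https://ums.example.com:9443/oidc/endpoint/ums/jwk">
  </openidConnectClient>
</server>
"""

SAMPLE_JSON = json.dumps({
    "scope": "openid profile email general",
    "preauthorized_scope": "openid profile email general",
    "introspect_tokens": True,
    "client_id": "navigator",
    "client_secret": "example-secret-do-not-reuse",
    "client_name": "navigator",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "redirect_uris": ["https://navigator.example.com:9443/oidcclient/redirect/navigator"],
})

# Grants that an authorization-code web client such as Navigator does not need.
SURPLUS_GRANTS = {"implicit", "client_credentials",
                  "urn:ietf:params:oauth:grant-type:jwt-bearer"}
UMS_ENDPOINT_ATTRS = ("authorizationEndpointUrl", "tokenEndpointUrl",
                      "validationEndpointUrl", "jwkEndpointUrl")


def check_sso_config(xml_text, json_text, navigator_netloc):
    """Return a list of problems; an empty list means the two files agree.

    navigator_netloc is the host:port on which users reach Navigator, for example
    "navigator.example.com:9443"; UMS must be told to redirect back to exactly that.
    """
    problems = []
    client = ET.fromstring(xml_text).find("openidConnectClient")
    if client is None:
        return ["OpenIDConnectClient.xml has no <openidConnectClient> element"]
    reg = json.loads(json_text)

    # The same client identity must be configured on both sides.
    if client.get("clientId") != reg.get("client_id"):
        problems.append(f"clientId {client.get('clientId')!r} != client_id {reg.get('client_id')!r}")
    # Only meaningful when the secret is a literal in the XML rather than a Kubernetes secret reference.
    if client.get("clientSecret") != reg.get("client_secret"):
        problems.append("clientSecret does not match client_secret")

    # The Liberty OIDC client receives the authorization response on
    # /oidcclient/redirect/<openidConnectClient id>, and UMS matches registered URIs exactly.
    expected_path = f"/oidcclient/redirect/{client.get('id')}"
    for uri in reg.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"redirect_uri {uri} is not https")
        if parts.netloc != navigator_netloc:
            problems.append(f"redirect_uri {uri} does not point at {navigator_netloc}")
        if parts.path != expected_path:
            problems.append(f"redirect_uri path {parts.path} != {expected_path}")

    # All four UMS endpoints must be HTTPS and belong to the same UMS host:port.
    netlocs = set()
    for attr in UMS_ENDPOINT_ATTRS:
        parts = urlsplit(client.get(attr, ""))
        if parts.scheme != "https":
            problems.append(f"{attr} is not https")
        netlocs.add(parts.netloc)
    if len(netlocs) != 1:
        problems.append(f"UMS endpoints use different hosts: {sorted(netlocs)}")

    # Every scope the client requests must be preauthorized on the UMS side.
    missing = set(client.get("scope", "").split()) - set(reg.get("preauthorized_scope", "").split())
    if missing:
        problems.append(f"scopes not preauthorized in UMS: {sorted(missing)}")

    # Advisory: grants beyond the code flow widen what the client credentials can be used for.
    surplus = SURPLUS_GRANTS & set(reg.get("grant_types", []))
    if surplus:
        problems.append(f"advisory: unused grant types registered: {sorted(surplus)}")
    if "token" in reg.get("response_types", []):
        problems.append("advisory: implicit 'token' response type registered")
    return problems


if __name__ == "__main__":
    for line in check_sso_config(SAMPLE_XML, SAMPLE_JSON, "navigator.example.com:9443") or ["OK"]:
        print(line)
```

Run it against your real files by reading them into xml_text and json_text; pass the host:port that appears in the browser address bar, not the pod-internal address, because that is what the redirect_uri must match.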
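To check step 5 without a browser, the script below, an added example rather than product tooling, requests the desktop URL, follows redirects that stay inside Navigator, and inspects the first redirect that leaves the Navigator host. That hop should go to the UMS authorize endpoint and carry the expected client_id and redirect_uri, response_type=code, the openid scope, and a state parameter that binds the callback to this browser session. The embedded Location header and the host names are constructed for the example; the network helper verifies server certificates against the root CA file that you pass in instead of disabling verification.

```python
"""Inspect the redirect from a Navigator desktop URL to the UMS authorize endpoint."""
import http.client
import ssl
from urllib.parse import parse_qs, urljoin, urlsplit

MAX_HOPS = 5

# Constructed values for the example; replace with your own deployment's.
AUTHORIZE_URL = "https://ums.example.com:9443/oidc/endpoint/ums/authorize"
CLIENT_ID = "navigator"
REDIRECT_URI = "https://navigator.example.com:9443/oidcclient/redirect/navigator"
# A Location header as the Liberty OIDC client would emit it for the code flow (constructed).
SAMPLE_LOCATION = (
    AUTHORIZE_URL + "?response_type=code&client_id=navigator"
    "&redirect_uri=https%3A%2F%2Fnavigator.example.com%3A9443%2Foidcclient%2Fredirect%2Fnavigator"
    "&scope=openid+profile+email+general&state=st4te&nonce=n0nce"
)


def check_authorize_redirect(location, authorize_url, client_id, redirect_uri):
    """Return a list of problems with a Location header that should start the code flow."""
    problems = []
    got, want = urlsplit(location), urlsplit(authorize_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        problems.append(f"redirected to {got.scheme}://{got.netloc}{got.path}, expected {authorize_url}")
    q = parse_qs(got.query)  # decodes percent-encoding and '+' for us
    if q.get("response_type") != ["code"]:
        problems.append(f"response_type is {q.get('response_type')}, expected ['code']")
    if q.get("client_id") != [client_id]:
        problems.append(f"client_id is {q.get('client_id')}, expected [{client_id!r}]")
    if q.get("redirect_uri") != [redirect_uri]:
        problems.append(f"redirect_uri is {q.get('redirect_uri')}, expected [{redirect_uri!r}]")
    if "openid" not in " ".join(q.get("scope", [])).split():
        problems.append("scope does not contain 'openid', so UMS will not issue an ID token")
    if not q.get("state"):
        problems.append("no state parameter: the callback is not bound to this browser session")
    return problems


def first_external_location(desktop_url, cafile, navigator_netloc):
    """GET desktop_url, follow redirects that stay on navigator_netloc, and return the
    first Location that leaves it (expected to be the UMS authorize URL), or None."""
    url = desktop_url
    for _ in range(MAX_HOPS):
        parts = urlsplit(url)
        ctx = ssl.create_default_context(cafile=cafile)  # verify, never disable, certificate checks
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx)
        conn.request("GET", parts.path + (f"?{parts.query}" if parts.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            return None
        location = urljoin(url, location)  # Location may be relative
        if urlsplit(location).netloc != navigator_netloc:
            return location
        url = location
    return None


if __name__ == "__main__":
    # Offline demonstration on the constructed header; for a live check call
    # first_external_location("https://navigator.example.com:9443/navigator/?desktop=your-desktop-name",
    #                         "rootCA.crt.pem", "navigator.example.com:9443") and feed the result in.
    for line in check_authorize_redirect(SAMPLE_LOCATION, AUTHORIZE_URL, CLIENT_ID, REDIRECT_URI) or ["OK"]:
        print(line)
```

If the first external hop is not the UMS authorize endpoint, the OpenIDConnectClient.xml override was not picked up (check the pod restart from step 1); if it is, but redirect_uri or client_id differ from what you registered in step 3, UMS will reject the request, and that mismatch is what to fix.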