Configuring identity providers

Open Liberty supports single sign-on through the socialLogin-1.0 feature with identity providers that are built on the standard OpenID Connect and OAuth protocols. With the socialLogin-1.0 feature, your application users can log in with their existing accounts from social media providers such as Google, Facebook, LinkedIn, Twitter, or GitHub, or with any OpenID Connect (OIDC) or OAuth 2.0 server account.

The Open Liberty operator lets you easily configure and manage the single sign-on information for your applications.

App Security SSO support: Open Liberty pre-registered with OIDC/OAuth Provider Scenario

The configuration that is needed at image build time includes:

  • The environment variable SEC_SSO_PROVIDERS must be defined and must contain a space-delimited list of the identity providers to use. If more than one is specified, the user can choose which one to authenticate with. Any of the following values are valid: oidc, oauth2, facebook, twitter, github, google, and linkedin. Specify ARG SEC_SSO_PROVIDERS="(your choice goes here)" in your Dockerfile.
  • Providers usually require the use of HTTPS. Specify ARG TLS=true in your Dockerfile.
  • Your Dockerfile must call the configure.sh file for these to take effect.

Configuration for image build time or container deploy time

Since HTTPS is usually required, the following settings can simplify setup:

  • To automatically trust certificates from well known identity providers:
    ENV SEC_TLS_TRUSTDEFAULTCERTS=true
  • To automatically trust certificates issued by the Kubernetes cluster:
    ENV SEC_IMPORT_K8S_CERTS=true

Each single sign-on provider needs some additional configuration to be functional: a client ID, a client secret, and possibly more. These variables can be supplied in several ways:

  • At build time, the variables can be defined in a server.xml file.
    <variable name="foo" value="bar" />
  • At build time, the variables can be defined as ENV variables in the Dockerfile, although this is less secure.
    ENV name=value
  • The variables can be passed as environment variables to the Docker container when it is deployed.
  • The variables can be supplied in a deployment YAML file or by the Liberty operator, which passes them to the container during deployment.

The client ID and client secret are obtained from the provider. The RedirectToRPHostAndPort (SEC_SSO_REDIRECTTORPHOSTANDPORT) parameter is the protocol, host, and port that the provider should send the browser back to after authentication. For example:

https://myApp-myNamespace-myClusterHostname.example.com

In some container environments, the pod cannot discern this value on its own, so it must be specified explicitly.

Other variables might be needed in some situations; they are documented in detail in the Open Liberty documentation under each type of provider. The oidc and oauth2 configurations are general-purpose configurations for use with any provider that implements the OpenID Connect 1.0 or OAuth 2.0 specifications.
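A Dockerfile that ties the settings above together, added here as an example rather than taken from the Open Liberty documentation or project. The base image tag, the application file paths, the hostname, and the GitHub client-secret variable name are assumptions; the build-time settings (SEC_SSO_PROVIDERS, TLS, the trust settings, the redirect host, and the configure.sh call) are the ones this page describes.

```dockerfile
# Added example; not from the Open Liberty docs or project.
# Assumed: base image tag, application paths, hostname, client-secret variable name.
FROM icr.io/appcafe/open-liberty:full-java17-openj9-ubi

# Build time: which identity providers the login page offers (space-delimited).
ARG SEC_SSO_PROVIDERS="github oidc"
# Providers require HTTPS, so enable TLS on the Liberty endpoint.
ARG TLS=true

# Trust certificates from well-known providers and any issued inside the
# Kubernetes cluster (useful when the oidc provider runs in the same cluster).
ENV SEC_TLS_TRUSTDEFAULTCERTS=true
ENV SEC_IMPORT_K8S_CERTS=true

# Protocol, host and port the provider sends the browser back to after login.
# A pod usually cannot work this out itself, so it is set explicitly (assumed host).
ENV SEC_SSO_REDIRECTTORPHOSTANDPORT=https://myApp-myNamespace-myClusterHostname.example.com

# Non-secret settings such as the client ID can be baked into server.xml as
# <variable name="..." value="..." /> elements (assumed source paths).
COPY --chown=1001:0 src/main/liberty/config/server.xml /config/
COPY --chown=1001:0 target/myApp.war /config/apps/

# Weak setting, shown commented out on purpose: a client secret set with ENV is
# stored in the image layers and visible to anyone who can pull the image.
# ENV SEC_SSO_GITHUB_CLIENTSECRET=do-not-bake-secrets-into-images
# Corrected: supply it at deploy time, e.g. "docker run -e <name>=<value>" or a
# Kubernetes Secret referenced from the operator's deployment YAML.

# configure.sh reads the ARG/ENV settings above and generates the socialLogin
# configuration; without this call none of them take effect.
RUN configure.sh
```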