Authenticating Jazz Authorization Server by using an OIDC authentication provider

If you choose an OpenID Connect (OIDC) authentication provider for Jazz® Authorization Server (JAS) authentication, complete the following procedure. In the Jazz single sign-on security architecture, authentication is delegated to a separate JAS, which acts as the OIDC provider for the applications. You can configure the Liberty OIDC provider in JAS to delegate user authentication to your corporate OIDC provider by using the Liberty social login feature.

Before you begin

  1. Register JAS as a client in your OIDC authentication provider. For more information, see Configure social login as OpenID Connect client. Provide the redirect URI in the following format.
    https://<jas-url>/ibm/api/social-login/redirect/<oidc-login-id>
    Where:
    jas-url
    The hostname that is configured during the Engineering Lifecycle Management instance creation.
    oidc-login-id
    The value of the id attribute of the oidcLogin element in the OIDC_CONFIG file of the Config Map. The redirect URI that you register must end with this exact value.
  2. After you create the application in the OIDC authentication provider, record the clientId and clientSecret values. These values are not written into the OIDC_CONFIG file in the configmaps directory; they are supplied through the Engineering Lifecycle Management instance secret elm-auth-secret, which the OIDC_CONFIG file references.

To create the Config Map elm-auth-type-config with the OIDC configuration, use one of the following methods.

Red Hat OpenShift Container Platform web console method

Procedure

  • In the web console, click Projects and open the project where the Engineering Lifecycle Management instance secret is to be created.
  • Click Workloads > Secrets.
  • On the Secrets page, select Key/Value Secret from the Create list.
    The Create Key/Value Secret page opens.
  • Enter elm-tls-certs-secret in the Secret Name field.
    Important: You must enter the secret name as elm-tls-certs-secret to create the Engineering Lifecycle Management instance.
  • Enter oidc-ssl-certificate in the Key field.
  • Click Browse and select the SSL certificate of your OIDC server.
  • Click Create to save the secret elm-tls-certs-secret.
    The secret elm-tls-certs-secret is created and listed on the Secrets page.
    Important: You must create the secret elm-tls-certs-secret in Red Hat OpenShift before you create the Engineering Lifecycle Management instance. If the secret is missing or created incorrectly in the cluster, the Engineering Lifecycle Management instance creation might fail.

Red Hat OpenShift CLI method

Procedure

  • Log in to the Red Hat OpenShift command line.
    1. Run the following command to log in to the cluster, where <cluster-api-url> is a placeholder for the API endpoint of your cluster.
      oc login <cluster-api-url>
    2. Run the following command to switch to the project in which the Engineering Lifecycle Management instance is created, where <project-name> is a placeholder for that project.
      oc project <project-name>
  • Create the OIDC_CONFIG file in the configmaps directory. The following code block provides an example of the OIDC authentication provider configuration. You must replace the attribute values according to your OIDC authentication provider configuration. For more information about the configurable attributes, see OIDC Social Login (oidcLogin).
    <!-- The clientId and clientSecret values are mapped from the ELM instance secret elm-auth-secret. -->
    <oidcLogin id="OIDCOCP" clientId="${com.ibm.team.oidc.clientid}" displayName="Liberty OIDC"
        clientSecret="${com.ibm.team.oidc.clientsecret}"
        inboundPropagation="required"
        authorizationEndpoint="https://example.com:9898/oidc/endpoint/OP/authorize"
        tokenEndpoint="https://example.com:9898/oidc/endpoint/OP/token"
        jwksUri="https://example.com:9898/oidc/endpoint/OP/jwk"
        issuer="https://example.com:9898/oidc/endpoint/OP"
        scope="openid profile email general"
        userNameAttribute="sub"
        signatureAlgorithm="RS256"
        authFilterRef="OCPAuthFilter"
        mapToUserRegistry="true" />
    
    <authFilter id="OCPAuthFilter">
    	<requestUrl id="OCPRequestUrl" urlPattern="/authorize|/personalTokenManagement|/usersTokenManagement" matchType="contains" />
    	<userAgent id="OCPUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
    </authFilter>
    Important: The fields clientId and clientSecret are not populated in the OIDC_CONFIG file. They are referenced from the Engineering Lifecycle Management instance secret elm-auth-secret. For more information, see Creating the Engineering Lifecycle Management instance secret.
  • Run the following command to create the Config Map elm-auth-type-config in the cluster. For more information, see Creating a ConfigMap from a file.
    oc create configmap elm-auth-type-config --from-file=configmaps/
    The Config Map elm-auth-type-config is created. The information that is provided in the Config Map is used for JAS configuration. The availability of Config Map elm-auth-type-config and the provided inputs are validated during the Engineering Lifecycle Management instance creation. If the validation fails, the Engineering Lifecycle Management instance cannot be created and an error message is shown.
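Because the instance creation only reports a validation failure after the Config Map and the secret already exist, it is worth checking the OIDC_CONFIG file and the OIDC server certificate before you run the oc commands. The following POSIX shell script is an added example, not part of the IBM documentation or of the product: it derives the redirect URI that must be registered at the provider from the oidcLogin id, confirms that clientId and clientSecret are still ${...} references rather than literal values, confirms that every provider endpoint uses https, and confirms that the certificate destined for elm-tls-certs-secret is in Base-64 (PEM) X.509 form rather than binary DER. The hostname jas.example.com, the temporary file paths, and the sample OIDC_CONFIG and certificate contents are constructed placeholders for the example.

```shell
#!/bin/sh
# Added pre-flight checks for the OIDC_CONFIG file and the OIDC server
# certificate (example code, not from the IBM documentation or the product).
# Assumed: the JAS hostname, the file paths and the sample contents below are
# placeholders constructed for the example; only POSIX sh, grep, sed and head
# are used, so it runs offline before any "oc" command is issued.
set -u

# Redirect URI that must be registered at the OIDC provider:
#   https://<jas-url>/ibm/api/social-login/redirect/<oidc-login-id>
redirect_uri() {
  printf 'https://%s/ibm/api/social-login/redirect/%s\n' "$1" "$2"
}

# Read the id="..." of the <oidcLogin> element; this is the <oidc-login-id>
# that the registered redirect URI must end with.
oidc_login_id() {
  sed -n 's/.*<oidcLogin[^>]*[[:space:]]id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# clientId and clientSecret must remain ${...} references that Liberty
# resolves from elm-auth-secret; a literal value here would land in the
# ConfigMap in clear text.
secrets_are_references() {
  grep -q 'clientId="[$]{com\.ibm\.team\.oidc\.clientid}"' "$1" &&
  grep -q 'clientSecret="[$]{com\.ibm\.team\.oidc\.clientsecret}"' "$1"
}

# Every provider endpoint must be https; a plain-http token or JWKS endpoint
# lets an on-path attacker read the code exchange or substitute signing keys.
endpoints_are_https() {
  for attr in authorizationEndpoint tokenEndpoint jwksUri issuer; do
    grep -q "$attr=\"https://" "$1" || return 1
    if grep -q "$attr=\"http://" "$1"; then return 1; fi
  done
  return 0
}

# The secret elm-tls-certs-secret expects a Base-64 (PEM) X.509 certificate,
# not a binary DER file.
cert_is_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' &&
  grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Run all checks; returns 0 only when the ConfigMap and secret inputs are sane.
preflight() {
  config="$1"; cert="$2"
  [ -n "$(oidc_login_id "$config")" ] &&
  secrets_are_references "$config" &&
  endpoints_are_https "$config" &&
  cert_is_pem "$cert"
}

# ---- constructed sample inputs (not real credentials or a real certificate) ----
WORK=$(mktemp -d)
GOOD_CONFIG="$WORK/OIDC_CONFIG"
cat > "$GOOD_CONFIG" <<'EOF'
<oidcLogin id="OIDCOCP" clientId="${com.ibm.team.oidc.clientid}" displayName="Liberty OIDC"
    clientSecret="${com.ibm.team.oidc.clientsecret}"
    authorizationEndpoint="https://example.com:9898/oidc/endpoint/OP/authorize"
    tokenEndpoint="https://example.com:9898/oidc/endpoint/OP/token"
    jwksUri="https://example.com:9898/oidc/endpoint/OP/jwk"
    issuer="https://example.com:9898/oidc/endpoint/OP"
    scope="openid profile email"
    userNameAttribute="sub"
    signatureAlgorithm="RS256"
    authFilterRef="OCPAuthFilter"
    mapToUserRegistry="true" />
EOF

# The same file with two mistakes: a literal client secret and a plain-http token endpoint.
BAD_CONFIG="$WORK/OIDC_CONFIG.bad"
sed -e 's/clientSecret="[$][^"]*"/clientSecret="hunter2-literal"/' \
    -e 's#tokenEndpoint="https://#tokenEndpoint="http://#' "$GOOD_CONFIG" > "$BAD_CONFIG"

PEM_CERT="$WORK/oidc-server.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsampleBodyNotARealCertificate==' '-----END CERTIFICATE-----' > "$PEM_CERT"
DER_CERT="$WORK/oidc-server.der"
printf '\060\202\001' > "$DER_CERT"   # first bytes of a DER SEQUENCE, not PEM

if preflight "$GOOD_CONFIG" "$PEM_CERT"; then
  echo "redirect URI to register: $(redirect_uri jas.example.com "$(oidc_login_id "$GOOD_CONFIG")")"
else
  echo "OIDC_CONFIG or certificate is not ready for: oc create configmap elm-auth-type-config --from-file=configmaps/"
fi
```

Run the script against your real configmaps/OIDC_CONFIG and the downloaded certificate by replacing the constructed sample paths; the printed redirect URI is the one to register at the provider, and a non-zero preflight result points at the input that the instance creation would otherwise reject.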

Creation of the secret elm-tls-certs-secret for SSL certificates

  • Download the SSL certificate of your OIDC authentication provider.
    Note: The SSL certificate of the OIDC server must be in Base-64 X.509 format.