Configuring the redirect URL with the Identity Provider

After you deploy your containers, use the information from the cluster namespace to determine your redirect URL entries for your identity provider.

About this task

After your containers are deployed, you can get details of the deployment to construct the appropriate redirect URLs that the identity provider requires. Make sure that the URLs are registered with your identity provider for authentication to be successful.

Procedure

Follow the steps to configure the redirect URLs:

  1. Determine your environment hostname values to use when you register your components as clients of the identity provider.
    When you register an application with an Identity Provider, you can use the same clientId registration for each of the deployed components in your environment. Provide a redirect URL for each of these instances by using the following pattern:
    https://<component>-<namespace>.<hostname>/oidcclient/redirect/<Provider ID for each instance>

    The format of your component URL is based on the type of the platform that you choose and the configuration of the custom resource file.

    • For OCP deployments, the operator automatically creates routes based on the cluster canonical hostname.
    • For CNCF deployments, the operator creates an ingress (if enabled) based on the sc_deployment_hostname_suffix.

    The FNCM operator generates a configmap that lists all component access routes and ingress URLs. To retrieve all access URLs, use the following command:

    kubectl get cm fncmdeploy-fncm-access-info -o yaml -n <namespace>

    Note: When you deploy External Share on OCP, additional ingress objects are created. To retrieve your generated Ingress URLs, use the following commands:

    kubectl get ingress -n <namespace>
    kubectl describe ingress <ingress name> -n <namespace>

    The describe command returns a list of all the backend paths under Backends, for example, /oidcclient/redirect/IBMVerifyCPE. <Provider ID for each instance> is the provider_name parameter that you specified in the Custom Resource YAML with the instance acronym appended to it. For example, if you specified IBMVerify as your provider name, your <Provider ID for each instance> values are:

    IBMVerifyCPE
    IBMVerifyES
    IBMVerifyNAV
    IBMVerifyCMIS
    IBMVerifyGRAPHQL
    IBMVerifyTM
  2. In your Identity Provider, edit your client registrations to add the updated redirect URLs.

Example

For OCP and CNCF deployments, refer to the following examples of the URLs that must be registered with the OAuth 2.0 client ID for IBMVerify.

OCP:

https://cpe-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCPE
https://navigator-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyNAV
https://graphql-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyGRAPHQL
https://cmis-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCMIS
https://tm-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyTM

Note: If External Share is enabled, the following additional URLs must also be registered.

https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCPE
https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyES
https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyNAV

CNCF:

https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyCPE
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyNAV
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyGRAPHQL
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyCMIS
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyTM
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyES
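The following script is an added example, not IBM's code or part of this documentation. It builds the full set of redirect URLs for a deployment from the pattern in step 1 and the component acronyms listed above, and then shows the exact-match check an identity provider should apply to a redirect_uri it receives. The per-platform host rules (one route per component on OCP, one shared host equal to sc_deployment_hostname_suffix on CNCF) and the set of acronyms served through the External Share ingress are assumptions taken from the OCP and CNCF examples on this page; the provider name, namespace and hostnames used in the usage block are the page's sample values.

```python
"""Build and validate OIDC redirect URLs for an FNCM deployment.

Added example, not IBM's code. URL shapes are taken from the page's OCP
and CNCF examples; the per-platform host rules are assumptions derived
from those examples and should be checked against the generated
fncmdeploy-fncm-access-info configmap for a real deployment.
"""
from urllib.parse import urlsplit

# Component route prefix -> acronym appended to provider_name (from the page).
OCP_COMPONENTS = {
    "cpe": "CPE",
    "navigator": "NAV",
    "graphql": "GRAPHQL",
    "cmis": "CMIS",
    "tm": "TM",
}
# Acronyms served through the External Share ingress on OCP (page's note).
OCP_ES_ACRONYMS = ("CPE", "ES", "NAV")
# On CNCF every component sits behind one ingress host (assumption from example).
CNCF_ACRONYMS = ("CPE", "NAV", "GRAPHQL", "CMIS", "TM")

REDIRECT_PATH = "/oidcclient/redirect/"


def redirect_urls(provider_name, platform, namespace=None, hostname=None,
                  hostname_suffix=None, external_share=False):
    """Return the ordered list of redirect URLs to register with the IdP.

    platform: "ocp"  -> https://<component>-<namespace>.<hostname><path><id>
              "cncf" -> https://<hostname_suffix><path><id>
    """
    urls = []
    if platform == "ocp":
        for component, acronym in OCP_COMPONENTS.items():
            urls.append(f"https://{component}-{namespace}.{hostname}"
                        f"{REDIRECT_PATH}{provider_name}{acronym}")
        if external_share:
            for acronym in OCP_ES_ACRONYMS:
                urls.append(f"https://ingress-es-{namespace}.{hostname}"
                            f"{REDIRECT_PATH}{provider_name}{acronym}")
    elif platform == "cncf":
        acronyms = CNCF_ACRONYMS + (("ES",) if external_share else ())
        for acronym in acronyms:
            urls.append(f"https://{hostname_suffix}"
                        f"{REDIRECT_PATH}{provider_name}{acronym}")
    else:
        raise ValueError(f"unknown platform: {platform!r}")
    return urls


def is_registered(candidate, registered):
    """Exact-match check an identity provider should apply to a redirect_uri.

    Accepts the candidate only if it uses https, carries no query string or
    fragment, and is byte-for-byte equal to one registered URL. Prefix,
    host-suffix and scheme-downgraded variants are rejected, which is why
    every instance URL above has to be registered individually.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    return candidate in set(registered)


if __name__ == "__main__":
    # Sample values from the page's examples (constructed, not a live cluster).
    ocp = redirect_urls("IBMVerify", "ocp", namespace="namespace",
                        hostname="apps.cluster.com", external_share=True)
    cncf = redirect_urls("IBMVerify", "cncf",
                         hostname_suffix="fncm-deploy.filenet.com",
                         external_share=True)
    for url in ocp + cncf:
        print(url)
    print(is_registered(ocp[0], ocp))            # True: exact registered URL
    print(is_registered(ocp[0] + "/extra", ocp))  # False: not an exact match
```

Run the script to print the same sixteen URLs listed in the example above; compare that output against the paths shown under Backends by `kubectl describe ingress` before registering them, and register each URL separately rather than a wildcard, since the exact-match check in `is_registered` is the behaviour a correctly configured identity provider enforces.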