After you deploy your containers, use the information from the cluster namespace to
determine your redirect URL entries for your identity provider.
About this task
After your containers are deployed, you can get details of the deployment to construct the
appropriate redirect URLs that the identity provider requires. Make sure that the URLs are
registered with your identity provider for authentication to be successful.
Procedure
Follow the steps to configure the redirect URLs:
- Determine your environment hostname values to use when you register your components as
clients of the identity provider.
When you register an application with an identity provider, you can use the same clientId
registration for each of the deployed components in your environment. Provide a redirect URL
for each of these instances by using the following pattern:
https://<component>-<namespace>.<hostname>/oidcclient/redirect/<Provider ID for each instance>
The format of your component URL is based on the type of the platform that you choose and the
configuration of the custom resource file.
- For OCP deployments, the operator automatically creates routes based on the cluster
canonical hostname.
- For CNCF deployments, the operator creates an ingress (if enabled) based on the
sc_deployment_hostname_suffix.
The FNCM operator generates a configmap listing all component access routes and ingress URLs. To
retrieve all access URLs, use the following command:
kubectl get cm fncmdeploy-fncm-access-info -o yaml -n <namespace>
Note: When you deploy External Share on OCP, additional ingress objects are created.
To retrieve your generated Ingress URLs, use the following command:
kubectl get ingress -n <namespace>
kubectl describe ingress <ingress name> -n <namespace>
The command returns a list of all the backend paths under Backends, for example,
/oidcclient/redirect/IBMVerifyCPE.
<Provider ID for each instance> is the provider_name parameter that you specified in the
Custom Resource YAML with the instance acronym attached to it. For example, if you specified
IBMVerify for your provider name, your <Provider ID for each instance> values are as follows:
IBMVerifyCPE
IBMVerifyES
IBMVerifyNAV
IBMVerifyCMIS
IBMVerifyGRAPHQL
IBMVerifyTM
- In your Identity Provider, edit your client registrations to add the updated redirect
URLs.
Example
For OCP and CNCF deployments, refer to the following examples of the URLs that need to be
registered with the OAuth 2.0 client ID for IBMVerify.
- OCP:
https://cpe-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCPE
https://navigator-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyNAV
https://graphql-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyGRAPHQL
https://cmis-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCMIS
https://tm-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyTM
Note: If External Share is enabled, the following additional URLs need to be registered.
https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCPE
https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyES
https://ingress-es-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyNAV
- CNCF:
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyCPE
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyNAV
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyGRAPHQL
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyCMIS
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyTM
https://fncm-deploy.filenet.com/oidcclient/redirect/IBMVerifyES
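A check you can run after editing the client registration, as an added example that is not part of the product documentation: it builds the redirect URLs from the pattern in the procedure and compares them with the list registered at the identity provider. The function names, the `OCP_HOSTS` mapping and the `REGISTERED` sample are assumptions constructed for illustration, and the "loose" check (wildcard or non-HTTPS entries) is an added hardening check, not a product requirement.

```python
from urllib.parse import urlsplit

# Instance acronyms the page appends to provider_name.
ACRONYMS = {"CPE", "ES", "NAV", "CMIS", "GRAPHQL", "TM"}
REDIRECT_PATH = "/oidcclient/redirect/"

def expected_redirects(provider_name, host_instances):
    """Build redirect URLs from {hostname: [instance acronyms served there]}."""
    urls = set()
    for host, acronyms in host_instances.items():
        for acronym in acronyms:
            if acronym not in ACRONYMS:
                raise ValueError(f"unknown instance acronym: {acronym}")
            urls.add(f"https://{host}{REDIRECT_PATH}{provider_name}{acronym}")
    return urls

def audit(expected, registered):
    """Compare the IdP's registered redirect URLs with the expected set."""
    registered = {u.strip() for u in registered if u.strip()}
    # Entries that are not exact HTTPS redirect endpoints (added check).
    loose = {u for u in registered
             if urlsplit(u).scheme != "https" or "*" in u
             or not urlsplit(u).path.startswith(REDIRECT_PATH)}
    return {"missing": sorted(expected - registered),
            "unexpected": sorted(registered - expected),
            "loose": sorted(loose)}

# Hostnames from the page's OCP example; the host-to-instance mapping is entered by hand.
OCP_HOSTS = {
    "cpe-namespace.apps.cluster.com": ["CPE"],
    "navigator-namespace.apps.cluster.com": ["NAV"],
    "graphql-namespace.apps.cluster.com": ["GRAPHQL"],
    "cmis-namespace.apps.cluster.com": ["CMIS"],
    "tm-namespace.apps.cluster.com": ["TM"],
}
# Constructed sample of what an IdP client registration might contain.
REGISTERED = [
    "https://cpe-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCPE",
    "https://navigator-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyNAV",
    "https://graphql-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyGRAPHQL",
    "https://cmis-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyCMIS",
    "https://*.apps.cluster.com/oidcclient/redirect/*",
    "http://tm-namespace.apps.cluster.com/oidcclient/redirect/IBMVerifyTM",
]

if __name__ == "__main__":
    for kind, urls in audit(expected_redirects("IBMVerify", OCP_HOSTS), REGISTERED).items():
        print(kind, *urls, sep="\n  ")
```

An empty "missing" list means every deployed component can complete the redirect; entries under "unexpected" or "loose" are candidates for removal from the client registration.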