OpenID Connect setup for the Control Center user interface

The Control Center user interface integrates with OpenID Connect (OIDC) for authentication. This integration adds protection to the login process, such as two-factor authentication.

When a user logs in to the Control Center user interface, the OIDC principal is checked against the user table in the database for final validation. The user must exist in the FTM database to be allowed access to the Control Center user interface. All authorization for actions and pages is still stored in the FTM database.

You need to configure redirect URLs in your OIDC provider. You can also configure a user exit to use with OIDC. The following sections describe how to do this configuration.

Configure redirect URLs in your OIDC provider

Configure the following redirect URLs in your OIDC provider. Replace the InstanceName and route placeholders with the values for your environment.
  • https://<InstanceName><control-center route>/oidcclient/redirect/ftm
  • https://<InstanceName><core-ui-api route>/login/oauth2/code/ftm
  • https://<InstanceName><ftm-ui-ts route>/login/oauth2/code/ftm
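An OIDC provider compares the redirect_uri in an authorization request with its registered values as exact strings, so a stray character (an http scheme, a trailing slash or period, a wildcard) in a registered value means the login is rejected. The following script is an added example, not FTM code or a provider's code: it composes the three documented redirect URLs from an instance name and route values, checks each composed value for the usual registration mistakes, and performs the exact-match comparison a provider makes. The instance name and route values in it are constructed placeholders.

```python
"""Compose and check the FTM Control Center OIDC redirect URLs.

Added example, not part of FTM. The three path suffixes come from the FTM
documentation; the instance name and route values are whatever your
environment defines and are used verbatim after the instance name.
"""
from urllib.parse import urlsplit

# Path suffixes documented for each deployment; keys name the route to use.
REDIRECT_PATHS = {
    "control-center": "/oidcclient/redirect/ftm",
    "core-ui-api": "/login/oauth2/code/ftm",
    "ftm-ui-ts": "/login/oauth2/code/ftm",
}


def build_redirect_urls(instance_name: str, routes: dict) -> dict:
    """Return {route key: redirect URL} following the documented template."""
    missing = set(REDIRECT_PATHS) - set(routes)
    if missing:
        raise ValueError(f"no route value for: {sorted(missing)}")
    return {
        key: f"https://{instance_name}{routes[key]}{path}"
        for key, path in REDIRECT_PATHS.items()
    }


def check_redirect_url(url: str) -> list:
    """Return the problems found in a candidate registration value.

    An empty list means the value is suitable for exact-match registration.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("host is missing")
    if "*" in url:
        problems.append("wildcards are not usable for exact matching")
    if "#" in url:
        problems.append("fragment not allowed in a redirect URL")
    if url.endswith("."):
        problems.append("trailing period would never match the client request")
    return problems


def redirect_uri_is_registered(requested: str, registered: set) -> bool:
    """Exact string comparison, as an OIDC provider performs it."""
    return requested in registered


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own instance and routes.
    instance = "ftm-instance.example.com"
    routes = {
        "control-center": "/control-center",
        "core-ui-api": "/core-ui-api",
        "ftm-ui-ts": "/ftm-ui-ts",
    }
    for key, url in build_redirect_urls(instance, routes).items():
        status = check_redirect_url(url) or ["ok"]
        print(f"{key}: {url} -> {', '.join(status)}")
```

Run it once with your own instance name and routes and register the printed values exactly; if `check_redirect_url` reports a problem for a value you copied from an existing provider configuration, that value will not match the URL the FTM client sends.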

Configure an OIDC user exit

You can use the sample OIDC user exit that is provided by FTM. If you want to use this user exit, set the OIDC login user exit property to com.ibm.paydir.userexit.samples.OIDCSampleUserExit. For more information, see System properties.

You can also create your own user exit. Copy your user exit JAR file to the pv-ftm-application persistent volume for the core-ui-api deployment; it must be in the /opt/ibm/ftm/core-ui-api/lib folder. Then, provide the class name of your user exit in the OIDC login user exit property.