Overview: OpenID Connect
OpenID Connect (OIDC) is an authentication framework that is built on top of the OAuth 2.0 protocol. Operational Decision Manager servers use it to verify a user's identity with an OpenID Connect Provider, and to authorize access to the Operational Decision Manager applications and APIs. The servers also use it to obtain basic profile information about the user.
- OpenID Connect Provider (OP): An OpenID Connect Provider authenticates users and provides claims for a Relying Party. The OpenID Connect Provider must already exist in an organization that uses OpenID Connect.
- Relying Party (RP): A Relying Party uses the claims returned from the OpenID Connect Provider to authenticate and authorize incoming requests.
The Operational Decision Manager servers are Relying Parties, or OpenID Connect clients, and delegate authentication to the OpenID Connect Provider.
The following figures and tables show you which Operational Decision Manager components are Relying Parties.
Figure: Operational Decision Manager web application SSO with OpenID Connect
The following table summarizes which Operational Decision Manager component is the server, and therefore considered a Relying Party, in the different network communications:

| Client | Server (Relying Party or OIDC client) | OIDC flow | Purpose | Parameters set in | Where to find information |
|---|---|---|---|---|---|
| Web browsers | Decision Center Business console | Authorization code flow | Author and manage rules | Application server | Configuring Relying Parties in the Liberty server |
| Web browsers | Rule Execution Server console | Authorization code flow | Browse and deploy decision services | | |
| Rule Designer | Decision Center Business console | Authorization code flow | Synchronize rule projects | JSON configuration file for Rule Designer | |
| Rule Designer | Rule Execution Server console | Authorization code flow | Deploy decision services | | |
| Decision Center Business console | Rule Execution Server console | Password flow | Deploy decision services | JSON configuration file for Decision Center | |
| Decision Center Business console | Decision Runner | Password flow | Run simulations | | |
Figure: Operational Decision Manager API invocations with OpenID Connect
External clients invoke Operational Decision Manager APIs by using OpenID Connect. The client must obtain an access token, attach it in the Authorization Bearer header, and then invoke the API. In general, the access token is obtained by using the password flow. The client credentials flow can be used instead, with the following constraints:
- The client credentials flow requires the client ID and client secret, but it does not require a user name and password.
- The client credentials flow must be configured with functional groups so that the access token carries groups that can be authorized to access the APIs. Some OpenID Connect Providers cannot associate functional groups with a client; with those OpenID Connect Providers, the password flow must be used.
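To make the token handling concrete, here is an added Python example that is not part of the Operational Decision Manager documentation: it builds the token request body for the password flow and the client credentials flow, checks whether a returned access token carries the groups that API authorization needs (the case where an OP cannot attach functional groups), and builds the Bearer header for the API call. The client identifier, the secret, the `groups` claim name and the constructed token are assumptions for demonstration.

```python
import base64
import json
from typing import Optional

# Hypothetical client registration at the OpenID Connect Provider (placeholders, not real values).
CLIENT_ID = "odm-api-client"
CLIENT_SECRET = "client-secret-placeholder"


def token_request_body(flow: str, username: Optional[str] = None,
                       password: Optional[str] = None) -> dict:
    """Form parameters sent to the OP token endpoint for the two flows the page describes."""
    body = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "scope": "openid"}
    if flow == "client_credentials":
        body["grant_type"] = "client_credentials"  # no user name or password needed
    elif flow == "password":
        if not (username and password):
            raise ValueError("password flow requires a user name and password")
        body.update(grant_type="password", username=username, password=password)
    else:
        raise ValueError(f"unsupported flow: {flow}")
    return body


def jwt_claims(access_token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only; the signature is NOT
    verified here (the Relying Party validates the token when the API is called)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def has_groups(access_token: str, groups_claim: str = "groups") -> bool:
    """True if the token carries a non-empty groups claim (the claim name is an assumption)."""
    groups = jwt_claims(access_token).get(groups_claim)
    return isinstance(groups, list) and len(groups) > 0


def bearer_headers(access_token: str) -> dict:
    """Request headers for an ODM REST API call: the token travels in the Bearer header."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims, for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

If `has_groups` returns False for a client credentials token, the OP did not attach functional groups and the password flow is the fallback the page describes.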
The following table describes the client/API connections with the Decision Center and Rule Execution Server REST APIs:

| Client | API (Relying Party or OIDC client) | OIDC flow | Purpose | Parameters set in | Where to find information |
|---|---|---|---|---|---|
| Ant tasks and scripts | Decision Center REST API | Password flow or Client credentials flow | Do tasks. Examples of tasks: | Ant tasks | Passing parameters and registering the truststore. Use the token attribute in all Decision Center Ant tasks |
| Ant tasks and scripts, Client applications | Rule Execution Server management REST API | Password flow or Client credentials flow | Do tasks. Examples of tasks: | Ant tasks | Passing parameters and registering the truststore. Use the authorizationToken attribute in the following Ant tasks: |
| Client applications | Rule Execution Server decision service REST API | Password flow or Client credentials flow | Call decision services | Application server | |