Configuring ADFS integration with Liberty
You can validate the OpenID Connect (OIDC)-based authentication during log in, log out, or time out. To use ADFS to manage user IDs and passwords, configure ADFS as an identity provider.
Procedure
- Configure the following entries in the server.xml:

  <openidConnectClient id="adfs" clientId="yourclientid" clientSecret="yourclientsecret"
      discoveryEndpointUrl="your_adfs_discovery_url" scope="openid" httpsRequired="true"
      signatureAlgorithm="RS256" authFilterRef="myAuthFilter" />
  <authFilter id="myAuthFilter">
      <requestUrl id="bypass1"
          urlPattern="/restapi|/heartbeat|/MQConnVerifierServlet|/restapi_internal|/servlets/scwcsoapservlet|/wms/error|/console/ibmid|/interop/InteropHttpServlet"
          matchType="notContain" />
      <requestUrl id="myURL" urlPattern="/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf" matchType="contains" />
  </authFilter>
  <application context-root="smcfs" type="ear" id="smcfs" name="smcfs" location="your location">
      <application-bnd>
          <security-role name="All Role">
              <special-subject type="ALL_AUTHENTICATED_USERS" />
          </security-role>
          <security-role name="ExcludeAuth">
              <special-subject type="EVERYONE" />
          </security-role>
      </application-bnd>
  </application>
  <applicationMonitor dropinsEnabled="false" />

  Replace the placeholder values yourclientid, yourclientsecret, and your_adfs_discovery_url with actual values. Note that the urlPattern values must not contain any whitespace; a pattern that is broken by a space no longer matches the intended path. The following is a sample server.xml with the given values configured.

  Note: This is a sample file and no support is provided for the following configuration.

  <server description="Default server">
      <!-- Enable features -->
      <featureManager>
          <feature>adminCenter-1.0</feature>
          <feature>jdbc-4.1</feature>
          <feature>jndi-1.0</feature>
          <feature>jsp-2.3</feature>
          <feature>servlet-3.1</feature>
          <feature>ssl-1.0</feature>
          <feature>appSecurity-2.0</feature>
          <feature>openidConnectClient-1.0</feature>
      </featureManager>
      <httpDispatcher enableWelcomePage="false" />
      <httpSession invalidateOnUnauthorizedSessionRequestException="true" />
      <webContainer trustHostHeaderPort="true" extractHostHeaderPort="true" />
      <webContainer disableXPoweredBy="true" />
      <httpOptions removeServerHeader="true" />
      <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443">
          <httpOptions removeServerHeader="true" />
      </httpEndpoint>
      <sslDefault sslRef="defaultSSLSettings" />
      <ssl id="defaultSSLSettings" sslProtocol="TLSv1.2" keyStoreRef="defaultKeyStore"
          clientAuthenticationSupported="true" />
      <keyStore id="defaultKeyStore" location="##########" type="JKS" password="##########" />
      <openidConnectClient id="adfs" clientId="###############" clientSecret="###############"
          discoveryEndpointUrl="#########" scope="openid" httpsRequired="true"
          signatureAlgorithm="RS256" authFilterRef="myAuthFilter" />
      <authFilter id="myAuthFilter">
          <requestUrl id="bypass1"
              urlPattern="/restapi|/heartbeat|/MQConnVerifierServlet|/restapi_internal|/servlets/scwcsoapservlet|/wms/error|/console/ibmid|/interop/InteropHttpServlet"
              matchType="notContain" />
          <requestUrl id="myURL" urlPattern="/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf" matchType="contains" />
      </authFilter>
      <application context-root="smcfs" type="ear" id="smcfs" name="smcfs" location="#################">
          <application-bnd>
              <security-role name="All Role">
                  <special-subject type="ALL_AUTHENTICATED_USERS" />
              </security-role>
              <security-role name="ExcludeAuth">
                  <special-subject type="EVERYONE" />
              </security-role>
          </application-bnd>
      </application>
      <applicationMonitor dropinsEnabled="false" />
  </server>

- Download the root CA certificate for ADFS from the ADFS discovery URL and import it into the keystore that Liberty uses.
- Add the following property to the sandbox properties in <Runtime>/properties/sandbox.cfg:

  ENABLE_IBMID_AUTHENTICATION=true

- Apply the sandbox configuration changes by running the following command:

  <runtime>/bin/setupfiles.sh

- Add the following properties to customer overrides:

  yfs.yfs.ibmid.provisioner.name=adfs
  yfs.yfs.ibmid.provisioner.adfs.class=com.ibm.sterling.afc.auth.ibmid.IBMIDBlueIdImpl
  yfs.yfs.ibmid.provisioner.adfs.uniqueClaim=sub
  yfs.yfs.ibmid.provisioner.adfs.secondaryid=email
  yfs.yfs.ibmid.provisioner.adfs.logouturl=<your adfs url>/adfs/oauth2/logout

  Note: An ID token claim named "email" is mandatory to link users. Ensure that your Active Directory configuration has an email ID configured for the users who intend to log in to Sterling™ Order Management System Software. Additionally, ensure that you have configured your OIDC provider to pass the email ID as an ID token claim. If your claim is named anything other than "email", configure the yfs.yfs.ibmid.provisioner.adfs.secondaryid property accordingly. For example, if you have defined your email claim as "email_id", update the following property in customer overrides:

  yfs.yfs.ibmid.provisioner.adfs.secondaryid=email_id

- Add the URL https://localhost:9443/oidcclient/redirect/ to the list of sign-in redirect URLs in the ADFS configuration. This URL is an example for accessing the application from localhost. For a production environment, change it to https://<domain or ip:port>/oidcclient/redirect/adfs to match your production domain or ip:port. For more information, see the ADFS documentation.

- Rebuild the EAR and redeploy.

- To verify that the property is in effect, check the web.xml for smcfs.war. It should contain the security-constraint entries that correspond to the security roles in server.xml.
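The following script is an added example, not part of the IBM documentation or product code. It performs two pre-deployment checks on the configuration built in this procedure: it parses a server.xml fragment and reports leftover placeholder values, a non-HTTPS discovery URL, a missing httpsRequired="true" or signatureAlgorithm="RS256", a dangling authFilterRef, and whitespace inside a urlPattern (which silently breaks the match); and it reads the yfs.yfs.ibmid.provisioner.* properties to confirm that an ID token carries the uniqueClaim and secondaryid claims needed to link a user. The server.xml fragment, the override file and the unsigned token are constructed inputs; the element and attribute names come from the procedure above.

```python
"""Pre-deployment checks for the Liberty/ADFS OIDC configuration (added example)."""
import base64
import json
import re
import xml.etree.ElementTree as ET

# Values the procedure tells you to replace; a run of '#' is the sample file's masking.
PLACEHOLDERS = {"yourclientid", "yourclientsecret", "your_adfs_discovery_url"}


def is_placeholder(value):
    value = value.strip()
    return not value or value in PLACEHOLDERS or set(value) <= {"#"}


def check_server_xml(xml_text):
    """Return a list of findings for the openidConnectClient/authFilter config (empty = passed)."""
    findings = []
    root = ET.fromstring(xml_text)
    filter_ids = {f.get("id") for f in root.iter("authFilter")}
    for client in root.iter("openidConnectClient"):
        for attr in ("clientId", "clientSecret", "discoveryEndpointUrl"):
            if is_placeholder(client.get(attr, "")):
                findings.append(f"{attr}: placeholder or empty value")
        disc = client.get("discoveryEndpointUrl", "")
        if not is_placeholder(disc) and not disc.startswith("https://"):
            findings.append("discoveryEndpointUrl: must be an https URL")
        if client.get("httpsRequired") != "true":
            findings.append('httpsRequired: must be "true"')
        if client.get("signatureAlgorithm") != "RS256":
            findings.append('signatureAlgorithm: expected "RS256"')
        if client.get("authFilterRef") not in filter_ids:
            findings.append(f"authFilterRef: no authFilter with id {client.get('authFilterRef')!r}")
    for req in root.iter("requestUrl"):
        # A pattern wrapped as "/interop/ InteropHttpServlet" stops matching, so the
        # path lands in the wrong set (protected vs. bypassed) without any error.
        if re.search(r"\s", req.get("urlPattern", "")):
            findings.append(f"requestUrl {req.get('id')}: whitespace inside urlPattern")
    return findings


def load_properties(text):
    """Minimal parser for key=value lines as used in customer overrides."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def id_token_claims(id_token):
    """Decode the payload segment of a JWT. Claims are only trustworthy after Liberty
    has verified the signature against the ADFS keys; this is for inspection only."""
    segment = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def link_claims(id_token, props):
    """Return (unique_id, secondary_id) using the claim names configured for the
    provisioner, or raise ValueError when the token cannot be used to link a user."""
    name = props["yfs.yfs.ibmid.provisioner.name"]
    prefix = f"yfs.yfs.ibmid.provisioner.{name}."
    unique, secondary = props[prefix + "uniqueClaim"], props[prefix + "secondaryid"]
    claims = id_token_claims(id_token)
    missing = [c for c in (unique, secondary) if not claims.get(c)]
    if missing:
        raise ValueError(f"ID token lacks claim(s) needed for user linking: {missing}")
    return claims[unique], claims[secondary]


def make_demo_token(payload):
    """Constructed, unsigned JWT-shaped string for this example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed inputs: the fragment from the procedure before placeholders are replaced
# (with one wrapped urlPattern), and an override file whose email claim is "email_id".
SAMPLE_SERVER_XML = """<server>
  <openidConnectClient id="adfs" clientId="yourclientid" clientSecret="yourclientsecret"
      discoveryEndpointUrl="your_adfs_discovery_url" scope="openid" httpsRequired="true"
      signatureAlgorithm="RS256" authFilterRef="myAuthFilter"/>
  <authFilter id="myAuthFilter">
    <requestUrl id="bypass1" urlPattern="/restapi|/heartbeat|/interop/ InteropHttpServlet" matchType="notContain"/>
    <requestUrl id="myURL" urlPattern="/sbc|/smcfs" matchType="contains"/>
  </authFilter>
</server>"""
SAMPLE_OVERRIDES = """yfs.yfs.ibmid.provisioner.name=adfs
yfs.yfs.ibmid.provisioner.adfs.uniqueClaim=sub
yfs.yfs.ibmid.provisioner.adfs.secondaryid=email_id
"""

if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML):
        print("server.xml:", finding)
    props = load_properties(SAMPLE_OVERRIDES)
    token = make_demo_token({"sub": "constructed-object-id", "email_id": "user@example.com"})
    print("linked:", link_claims(token, props))
```

Run it against your real server.xml and customer_overrides.properties by replacing the constructed strings with file contents; a token whose claim names do not match the secondaryid property (for example "email" when the property says "email_id") raises ValueError, which is the same mismatch that would otherwise surface only as a failed login.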