Using OpenID Connect single sign-on

You can optionally configure the PowerSC GUI server to implement single sign-on (SSO) using the OpenID Connect protocol. You must also configure IBM® PowerSC Multi-Factor Authentication for SSO, as described in IBM PowerSC MFA Installation and Configuration.

You must satisfy the following prerequisites:
  • You must already know the OpenID Connect provider hostname, client ID, and client secret. If you do not already have these values, contact your IT department.
  • The OpenID Connect application must use the following sign-in redirect URL. If needed, contact your IT department to configure this setting.
    https://uiserver-name/ws/powerscui/sso/callback
  • A user who attempts to log in to the PowerSC GUI server must be provisioned in IBM PowerSC Multi-Factor Authentication for SSO, as described in IBM PowerSC MFA Installation and Configuration. The associated MFA ID must also belong to the logonGroupList, as described in Adding groups who can perform administrator functions.

To use OpenID Connect single sign-on, perform the following steps:

  1. Configure IBM PowerSC Multi-Factor Authentication for SSO, as described in IBM PowerSC MFA Installation and Configuration.
  2. Configure PowerSC GUI to use IBM PowerSC MFA authentication, as described in Using IBM PowerSC MFA authentication (optional).
  3. Run the pscuiserverctl setsso command to create the /etc/security/powersc/uiServer/sso.conf.properties file with the following values:
    # pscuiserverctl setsso client_id value 
    client_id=value 
    # pscuiserverctl setsso client_secret value 
    client_secret=value 
    # pscuiserverctl setsso openid_provider_hostname value 
    openid_provider_hostname=value
  4. Run the pscuiserverctl set command to update the /etc/security/powersc/uiServer/uiServer.conf.properties file with the exact value pamServiceName=powerscui and the URL of the IBM PowerSC Multi-Factor Authentication server:
    # pscuiserverctl set pamServiceName powerscui
    # pscuiserverctl set mfaUrl https://server_name:port
  5. Run the /opt/powersc/uiServer/bin/import_certificate.sh script to import the certificate of the openid_provider_hostname into the PowerSC GUI server trusted store.
    ./import_certificate.sh openid_provider_hostname
    :
    :
    DONE
    Certificate was added to keystore
  6. Run the /opt/powersc/uiServer/bin/import_certificate.sh script again to import the certificate of the IBM PowerSC Multi-Factor Authentication server into the PowerSC GUI server trusted store. Ensure that you specify the port number of the IBM PowerSC Multi-Factor Authentication server.
    ./import_certificate.sh MFA_server_host_name port 
    :
    DONE
    Certificate was added to keystore
    Important: Pay close attention to the output of the /opt/powersc/uiServer/bin/import_certificate.sh script. Errors such as
    verify error:num=20:unable to get local issuer certificate
    :
    verify error:num=21:unable to verify the first certificate
    may indicate that the Subject Alternative Name of the certificate is invalid. If importing the server's certificate results in an error, SSO authentication might not succeed.
  7. Restart the PowerSC GUI server. Run one of the following commands based on the operating system of the PowerSC GUI server:
    • For AIX systems:
      stopsrc -s pscuiserver
      startsrc -s pscuiserver
    • For Linux systems:
      systemctl stop powersc-uiServer.service
      systemctl start powersc-uiServer.service
  8. Open the home page of the PowerSC GUI server. For example:
    https://powerscservername
  9. Log in with your SSO username and password.
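As an added post-configuration check (not part of PowerSC or this IBM documentation), the following POSIX shell script validates the two property files that steps 3 and 4 produce and classifies the openssl verification output that the import_certificate.sh script surfaces in step 6, so that a chain or Subject Alternative Name problem is found before the certificate is imported. It assumes only the file paths, keys and error strings given above; the openssl invocations, the hypothetical script name sso_check.sh, the SSO_CONF and UI_CONF override variables and the check functions are my own.

```sh
#!/bin/sh
# Post-configuration checks for PowerSC GUI OpenID Connect SSO.
# Added example (not IBM's code). It assumes only what the page states:
# the two property files, their keys, and the openssl verify errors that
# import_certificate.sh surfaces. Paths can be overridden for testing.
SSO_CONF="${SSO_CONF:-/etc/security/powersc/uiServer/sso.conf.properties}"
UI_CONF="${UI_CONF:-/etc/security/powersc/uiServer/uiServer.conf.properties}"

# prop FILE KEY: print the value of KEY=value (first match, whitespace trimmed).
prop() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Validate sso.conf.properties: the three keys written by "pscuiserverctl
# setsso" must be present and non-empty, and because the file carries
# client_secret it must not be readable by group or others. Returns 0 if OK.
check_sso_properties() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    for k in client_id client_secret openid_provider_hostname; do
        [ -n "$(prop "$f" "$k")" ] || { echo "$f: $k is not set"; return 1; }
    done
    # columns 5-10 of "ls -l" are the group and other permission bits
    mode=$(ls -l "$f" | cut -c5-10)
    case "$mode" in
        *r*) echo "$f: readable by group or others (bits: $mode)"; return 1 ;;
    esac
    return 0
}

# Validate uiServer.conf.properties: pamServiceName must be exactly
# "powerscui" and mfaUrl must point at an https:// endpoint. Returns 0 if OK.
check_uiserver_properties() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    [ "$(prop "$f" pamServiceName)" = "powerscui" ] ||
        { echo "$f: pamServiceName must be exactly powerscui"; return 1; }
    case "$(prop "$f" mfaUrl)" in
        https://*) ;;
        *) echo "$f: mfaUrl must be an https://server_name:port URL"; return 1 ;;
    esac
    return 0
}

# Classify "openssl s_client" output read from stdin. Exit status:
#   0  chain verified ("Verify return code: 0 (ok)")
#   20 "unable to get local issuer certificate" (issuer not in chain or truststore)
#   21 "unable to verify the first certificate" (server sent no usable chain)
#   2  anything else (connection failure, other verify error)
classify_verify_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'verify error:num=20:' && return 20
    printf '%s\n' "$out" | grep -q 'verify error:num=21:' && return 21
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' && return 0
    return 2
}

# san_lists HOST: read a PEM certificate on stdin and succeed if HOST appears
# as a DNS entry in its Subject Alternative Name extension.
san_lists() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -Fqx "DNS:$1"
}

# check_endpoint HOST [PORT]: connect with openssl, then report chain
# verification and SAN coverage for HOST before running import_certificate.sh.
check_endpoint() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    rc=0
    printf '%s\n' "$out" | classify_verify_output || rc=$?
    case "$rc" in
        0)     echo "$host:$port: certificate chain verified" ;;
        20|21) echo "$host:$port: verify error num=$rc; fix the server's chain before importing" ;;
        *)     echo "$host:$port: connection or verification failed"; return 1 ;;
    esac
    if printf '%s\n' "$out" | san_lists "$host"; then
        echo "$host:$port: certificate SAN lists $host"
    else
        echo "$host:$port: certificate SAN does not list $host"; rc=1
    fi
    return "$rc"
}

# Usage: sh sso_check.sh openid_provider_hostname [MFA_server_host_name port]
if [ $# -ge 1 ]; then
    status=0
    check_sso_properties "$SSO_CONF" || status=1
    check_uiserver_properties "$UI_CONF" || status=1
    check_endpoint "$1" 443 || status=1
    if [ $# -ge 3 ]; then check_endpoint "$2" "$3" || status=1; fi
    exit $status
fi
```

Run it on the GUI server as sh sso_check.sh openid_provider_hostname MFA_server_host_name port after steps 3 and 4. The classification is split from the network call so the parsing logic can be exercised with captured openssl output. Note that num=20 and num=21 are chain-building errors in openssl's own terms; the SAN check is separate and reports whether the hostname you will pass to import_certificate.sh appears in the certificate, which is the condition the Important note above points to.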
If the following error is displayed in the PowerSC GUI uiServer log file, check the JWT CTC Timeout setting in the IBM PowerSC Multi-Factor Authentication server:
  An error occurred in authentication, usually because of an invalid authentication token.
This setting sets the time-to-live for all cache token credentials (CTCs) that are generated from JWTs, and the configured value might be too short.