Configuring OpenID Connect single sign-on with IBM Product Master

To use OpenID Connect (OIDC) single sign-on (SSO) with Product Master, you need to perform the following configuration for the IBM WebSphere® Application Server.

Before you begin

Fix Pack 12
  • Ensure that you have Microsoft Entra ID P2 (formerly Azure Active Directory P2) and that you can log in to the Microsoft Entra site.
  • Register your application in Microsoft Entra ID and keep the Client ID, Tenant ID, Client Secret, and OpenID Connect metadata document URL ready. These values are used when you configure OIDC on IBM WebSphere Application Server.
  • Ensure that you have OIDC client Version 1.5.3 or later for IBM WebSphere Application Server Version 9.0.x.x.

    Download the 9.0.0.0-WS-WASProd-IFPH61002.zip file, which contains OIDC client Version 1.5.3, from PH60195 (OIDC v1.5.3; WebSphere Application Server is vulnerable to a denial of service due to jose4j, CVE-2023-51775, CVSS 7.5).

    Verify the OIDC client version by running the following commands. If the reported version is earlier than 1.5.3, apply the interim fix before you continue.

    $ cd $WAS_HOME/plugins
    $ java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version

    Output

    com.ibm.ws.security.oidc.client.jar
    1.5.3

Procedure

  1. Configure Product Master.
    Enable the SSO properties as follows.
    1. Enable SSO authentication in the Login.wpcs script. The Login.wpcs script identifies the authentication mechanism; to allow SSO authentication, set its wpcOnlyAuthentication flag to false.
      1. Click Data Model Manager > Scripting > Scripts Console.
      2. Select login script from the drop-down list.
      3. Click Edit for the Login.wpcs script.
      4. Find and set the wpcOnlyAuthentication flag to false.
    2. In the Admin UI, add the OIDC attributes in the SSO Configuration Lookup table.
      1. If you have not already done so, import the mdmce-env.zip file located in the $TOP/mdmui/env-export/mdmenv folder.
      2. Go to Product Manager > Lookup Table > Lookup Table Console.
      3. Select the SSO Configuration lookup table and add a new entry.
      4. Populate the attributes as follows.
        Attribute                Value
        Id                       The primary key of the lookup table entry; it is generated automatically.
        SSO Type                 OIDC
        Create Role              False
        First Name Attribute     firstName
        Last Name Attribute      lastName
        Mail Id Attribute        email
        Roles Attribute          roles
        Organization Attribute   Leave this field empty; OIDC does not support the Vendor feature.
    3. Enable the SSO flags for Product Master.
      Proceed as follows.
      1. Modify the env_settings.ini file located in $TOP/bin/conf/ with the following properties.
        • In the [appserver.websphere] section, set the following property.
          admin_security=true
        • In the [appserver] section, specify the IBM WebSphere Application Server credentials.
          username= 
          password=
        • In the [sso] section, specify the following properties. Set oidc_sso_enabled to true for OIDC SSO. The angle-bracketed oidc_* values are the names of the id_token claims that Product Master maps to its user attributes; the names shown (preferred_username, name, roles, given_name, family_name) are the claims that Microsoft Entra ID issues. In Microsoft Entra ID v2.0 ID tokens, given_name and family_name are optional claims and roles is present only when app roles are assigned to the user, so enable them in the app registration's token configuration if the token does not carry them.
          enable_sso=true
          sso_company=<provide your company name>
          oidc_sso_enabled=true
          oidc_email=<preferred_username>
          oidc_username=<name>
          oidc_roles=<roles>
          oidc_first_name=<given_name>
          oidc_last_name=<family_name>
          # Required for the OIDC id_token flow. Use the value of the iss claim of an id_token,
          # or the issuer value returned by the Microsoft Entra ID configuration (discovery) endpoint.
          oidc_issuer=https://login.microsoftonline.com/XXXXXXX/v2.0
      2. In the config.json file located in $TOP/mdmui/dynamic/mdmui/, set the enableSSO property to true and run the following command.
        $TOP/mdmui/bin/updateRtProperties.sh
      3. In the common.properties file located in $TOP/etc/default, set the enable_referer_check property to false. This turns off a cross-site request check, so make sure the deployment relies on other controls (for example origin filtering at the reverse proxy).
      4. Stop the IBM Product Master application services.
      5. Run the following command to regenerate the common.properties file in $TOP/etc/default, because new properties were added to the common.properties.default file.
         $TOP/bin/configureEnv.sh -ov
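The issuer and the claim names configured above have to agree with two other sources: the issuer value of the Microsoft Entra ID discovery document (the place Step 9 below takes the issuer URL from) and the claims of the id_token that Microsoft Entra ID actually issues. The following Python script is an added example, not part of Product Master or of the IBM documentation; it cross-checks the three. All inputs are constructed inline with placeholder tenant, client and user values, and the id_token is unsigned because the script only reads claim names (the WebSphere relying party validates the signature). It assumes that env_settings.ini is a standard INI file that configparser can read.

```python
"""Consistency check for the Product Master [sso] settings (added example).

Constructed inputs: an env_settings.ini fragment shaped like the [sso]
section above, a trimmed Microsoft Entra ID discovery document, and an
unsigned id_token. Tenant ID, client ID and user values are placeholders.
Assumption: env_settings.ini is a standard INI file that configparser reads.
"""
import base64
import configparser
import json
import re

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real tenant
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Constructed [sso] section; the oidc_* values are id_token claim names.
ENV_SETTINGS_INI = f"""
[sso]
enable_sso=true
sso_company=example
oidc_sso_enabled=true
oidc_email=preferred_username
oidc_username=name
oidc_roles=roles
oidc_first_name=given_name
oidc_last_name=family_name
# Must equal the iss claim of the id_token and the issuer of the discovery document.
oidc_issuer={ISSUER}
"""

# Constructed subset of <issuer>/.well-known/openid-configuration.
DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
})

# Constructed id_token payload for a fictional user.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    "preferred_username": "jane.doe@example.com",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "roles": ["ProductMasterUser"],
}

# Properties whose values must name a claim that is present in the id_token.
CLAIM_PROPERTIES = ("oidc_email", "oidc_username", "oidc_roles",
                    "oidc_first_name", "oidc_last_name")
ISSUER_PATTERN = re.compile(r"https://login\.microsoftonline\.com/[^/]+/v2\.0")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build header.payload. with an empty signature: test input only. A real
    Entra ID id_token is signed, and the relying party must verify it."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}."


def id_token_claims(id_token: str) -> dict:
    """Decode the payload without verifying it; used only to read claim names."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def load_sso_section(ini_text: str) -> dict:
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser["sso"])


def check_sso_settings(sso: dict, discovery: dict, claims: dict) -> list:
    """Return the list of mismatches; an empty list means the three sources agree."""
    problems = []
    if sso.get("enable_sso") != "true" or sso.get("oidc_sso_enabled") != "true":
        problems.append("enable_sso and oidc_sso_enabled must both be true")
    issuer = sso.get("oidc_issuer", "")
    if not ISSUER_PATTERN.fullmatch(issuer):
        problems.append(f"oidc_issuer is not a v2.0 tenant issuer URL: {issuer!r}")
    if issuer != discovery.get("issuer"):
        problems.append("oidc_issuer differs from the issuer in the discovery document")
    if claims.get("iss") != issuer:
        problems.append("the id_token iss claim differs from oidc_issuer")
    for prop in CLAIM_PROPERTIES:
        claim = sso.get(prop)
        if not claim:
            problems.append(f"{prop} is not set")
        elif claim not in claims:
            problems.append(f"{prop} names claim {claim!r}, which the id_token does not carry")
    return problems


def run_check(ini_text=ENV_SETTINGS_INI, discovery_json=DISCOVERY_DOC, id_token=None) -> list:
    if id_token is None:
        id_token = make_unsigned_token(SAMPLE_CLAIMS)
    return check_sso_settings(load_sso_section(ini_text), json.loads(discovery_json),
                              id_token_claims(id_token))


if __name__ == "__main__":
    for line in run_check() or ["settings, discovery document and id_token agree"]:
        print(line)
```

To use it against a real deployment, replace ENV_SETTINGS_INI with the contents of $TOP/bin/conf/env_settings.ini, DISCOVERY_DOC with the response of the tenant's openid-configuration endpoint, and the constructed token with an id_token captured from a test login. A non-empty result points at the setting to fix: a missing roles claim, for instance, means the app roles were not assigned in the app registration rather than that Product Master is misconfigured.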
  2. Enable administrative security for the WebSphere Application Server and Product Master.
    To enable administrative security, proceed as follows.
    1. Log in to WebSphere Application Server Console.
    2. Select Security and then click Global Security.
    3. Click Security Configuration Wizard.
    4. Select Enable application security and Enable administrative security, and then click Next.
    5. Select Federated repositories, and then click Next.
    6. Enter the administrative credentials, and then click Next.
    7. Click Finish > Save.
  3. Enable OIDC support and OpenID Provider (OP)-initiated web SSO in WebSphere Application Server.
    Refer to the Configuring an OpenID Connect Relying Party topic in the IBM WebSphere Application Server Network Deployment documentation for step-by-step instructions.
    The following steps require Product Master-specific instructions.
    Step 2
    When you install the WebSphereOIDCRP.ear file, modify only the following values.
    • Map the module to the IPM server (or another available server) and to server1.
    • Map the virtual host to the IPM virtual host (not to the default virtual host, default_host).
    Step 7
    Add the following custom properties for the OIDC Trust Association Interceptor (TAI).

    provider_1.identifier
      Used to form the redirect URI that you register in the Microsoft Entra ID app configuration. The value is a unique string.
      Example: ipm

    provider_1.clientId
      Identifies this OIDC relying party (RP) instance to the OP. The value is the Client ID from the Microsoft Entra ID app registration.
      Example: b65ca009-23da-4928-b5cd-82f71df070ce

    provider_1.clientSecret
      The client secret that the RP presents to the OP. The value is the Client Secret that you generated in the Microsoft Entra ID app registration; treat it as a credential.
      Example: DCt8Q~N4Fn9jaAi0NKvXZZM1PohxknhedqLvLXcd_

    provider_1.discoveryEndpointUrl
      The discovery endpoint URL of the OIDC provider, in the following format.
      https://login.microsoftonline.com/<Tenant ID>/v2.0/.well-known/openid-configuration
      Example: https://login.microsoftonline.com/ea86fa24-8edf-9111-841f-7fe689f7136e/v2.0/.well-known/openid-configuration

    provider_1.callbackServletContext
      The context root of the OIDC RP callback application on WebSphere Application Server (traditional).
      Example: /oidcclient

    provider_1.interceptedPathFilter
      A comma-separated list of regular expression patterns; the TAI intercepts a request whose URI matches one of them.
      Example: /mdm_ui.*,/utils/enterLogin.jsp
    Step 9
    1. Additionally, obtain the issuer URL of your OP by using one of the following methods.
      • From the issuer value in the response to a GET request (for example from the Postman API platform) to the following URL.

        https://login.microsoftonline.com/<Microsoft Entra ID Tenant ID>/v2.0/.well-known/openid-configuration

      • From the tenant ID in Microsoft Entra ID.

        In Microsoft Entra ID, go to Applications > App registrations and open your app. Copy the value of the Directory (tenant) ID property and substitute it in the following URL.

        https://login.microsoftonline.com/<Microsoft Entra ID Tenant ID>/v2.0

    2. Add the issuer as a trusted realm in the RMI/IIOP security settings.
      1. Log in to the WebSphere Application Server administrative console.
      2. Click Global security.
      3. Under RMI/IIOP Security, click CSIv2 outbound communications.
      4. Click Trusted authentication realms – outbound.
      5. Click Add External Realm.
      6. As the external realm name, enter the issuer URL that you obtained in step 1.

        Example

        https://login.microsoftonline.com/en84fa24-abcd-42abcde57-671f-7abcdef7123e/v2.0

    3. Configure security role mapping.
      1. Log in to the WebSphere Application Server administrative console.
      2. Go to Applications > Application Types > WebSphere enterprise applications. The Enterprise Applications page opens.
      3. In the Enterprise Applications page, click <war_file_name> link. The Security role to user/group mapping page opens.
      4. In the Security role to user/group mapping page, map the roles for each WAR file as follows, and click OK.
        ccd_mdmce.war
        1. Select AllAuth role.
          1. Click Map Special Subjects.
          2. Select All Authenticated in Trusted Realms.
        2. Select LoginUser role.
          1. Click Map Special Subjects.
          2. Select All Authenticated in Trusted Realms.
        mdm_ui.war
        1. Select AllAuth role.
          1. Click Map Special Subjects.
          2. Select All Authenticated in Trusted Realms.
        2. Select LoginUser role.
          1. Click Map Special Subjects.
          2. Select Everyone.
        mdm_rest.war
        1. Select AllAuth role.
          1. Click Map Special Subjects.
          2. Select Everyone.
        2. Select LoginUser role.
          1. Click Map Special Subjects.
          2. Select Everyone.
    Step 11
    Restart both the IBM WebSphere application service and Product Master application services. Log in to the Product Master application by using the following URLs.
    Admin UI
    https://<hostname>:<ssl port number>/utils/enterLogin.jsp
    Persona-based UI
    https://<hostname>:<ssl port number>/mdm_ui
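The interceptedPathFilter value from Step 7 decides which requests the TAI redirects to Microsoft Entra ID and which reach the application untouched, so it is worth checking against the paths the deployment actually serves. The following Python script is an added example, not WebSphere code; it assumes that every comma-separated entry is a Java-style regular expression that must match the whole request path without the query string, which you should confirm against the WebSphere documentation for your version. The request paths are constructed; STRICT_PATH_FILTER is a tightened variant proposed here, not a value from the documentation.

```python
"""Which request paths the OIDC TAI intercepts (added example, not WebSphere code).

Assumption: each comma-separated entry of provider_1.interceptedPathFilter is a
Java-style regular expression that must match the whole request path (query
string excluded). Confirm the exact matching rule for your WebSphere version.
"""
import re

# Value from Step 7 above.
INTERCEPTED_PATH_FILTER = "/mdm_ui.*,/utils/enterLogin.jsp"
# Proposed tightened variant: anchor /mdm_ui to its own subtree and escape the dot.
STRICT_PATH_FILTER = r"/mdm_ui(/.*)?,/utils/enterLogin\.jsp"


def compile_filter(value: str) -> list:
    """Split the property value on commas and compile each entry as a regex."""
    return [re.compile(entry.strip()) for entry in value.split(",") if entry.strip()]


def is_intercepted(request_uri: str, patterns: list) -> bool:
    """True when some pattern matches the whole path; the TAI would then send an
    unauthenticated request to the OP instead of passing it to the application."""
    path = request_uri.split("?", 1)[0]
    return any(p.fullmatch(path) for p in patterns)


def classify(request_uris, value: str = INTERCEPTED_PATH_FILTER) -> dict:
    """Map each request URI to whether the given filter value intercepts it."""
    patterns = compile_filter(value)
    return {uri: is_intercepted(uri, patterns) for uri in request_uris}


# Constructed request paths: the two UIs, a REST call and two look-alikes.
SAMPLE_URIS = [
    "/mdm_ui",
    "/mdm_ui/index.html?tab=home",
    "/utils/enterLogin.jsp",
    "/mdm-rest/api/v1/login",   # not intercepted: REST callers send X-OidcIdToken instead
    "/mdm_ui_other/admin",      # matched by /mdm_ui.* but not by the strict filter
    "/utils/enterLoginXjsp",    # matched because the dot in .jsp is unescaped
]

if __name__ == "__main__":
    for uri, hit in classify(SAMPLE_URIS).items():
        print(f"{'intercept' if hit else 'pass     '} {uri}")
```

The two look-alike paths show what an unescaped dot and an unanchored prefix let through to the OP redirect; whether that matters depends on which other context roots your IPM server hosts. The REST login path is not intercepted by either filter, which is consistent with the mdm_rest.war roles being mapped to Everyone in Step 9 and with the REST APIs taking the ID token from the X-OidcIdToken header instead.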
  4. Access REST APIs.
    You can use the Eclipse Integrated Development Environment (IDE), any other IDE, or the Postman API platform.
    1. Eclipse IDE or any other IDE.
      1. Go to the following site, copy the sample code, and create a Java™ project.

        UsernamePasswordFlow.java

      2. Import the newly created Java project into your IDE.
      3. Update the Java class with your Microsoft Entra ID details.
      4. Run the Java code.
      You get an ID token (idToken in the program output); use it as the value of the X-OidcIdToken header to access the REST APIs. The sample uses a username/password flow, which does not work for accounts that require MFA, so run it with a test account that is not subject to MFA. The ID token expires and is a bearer credential, so protect it in transit and do not store it in scripts.
    2. Postman API platform.
      1. Create an API request.
      2. Use the following value for the application login URL. Use the HTTPS port in production, because the ID token in the header is a bearer credential.

        http://<server hostname>:<port number>/mdm-rest/api/v1/login

      3. Set the new X-OidcIdToken header to the idToken value from the program output, and send the request.

Results

When you try to log in to the Product Master application, you get redirected to the Microsoft Entra ID login page.

Enter the Microsoft Entra ID credentials, and provide the Multi-Factor Authentication (MFA) code (if enabled or when prompted).

After successful login, the home page of the Persona-based UI opens.