You can use OpenID Connect to access the Administration Console and the Identity Manager Service Center. The OpenID Connect provider must be able to authenticate the user and provide claims to a relying party about the authentication event and the user.
Before you begin
IBM® Security Verify Governance supports OpenID Connect providers that meet the following requirements:
- The provider is fully OIDC-compliant.
- The user registry is managed by IBM Security Verify Governance.
- The relying party, IBM Security Verify Governance, is reachable from the provider.
Ensure that you configured an OpenID Connect provider such as Active Directory Federation Services (ADFS) or IBM Security Verify.
Procedure
- Configure WebSphere Application Server as an OpenID Connect Client.
- Add the Identity Provider Realms to the list of Inbound Trusted Realms.
- Log on to the IBM WebSphere® Application Server administrative console. For example, http://localhost:9060/ibm/console
- Navigate to .
- Expand User Realm.
- Click Configure.
- In the Related Items section, click Trusted authentication realms - inbound.
- Click Add External Realm.
- Enter realm name and click OK.
- In the Inbound Trust column, ensure that the realm shows Trusted.
- Click Apply and Save.
- Update the property files.
- Update the following properties in ui.properties.
enrole.ui.disableLoginPage=true
enrole.ui.logoffURL=/itim/console/jsp/logon/openidLogout.jsp
If you enabled OpenID Connect as the authentication provider for the Identity Manager Service Center or REST APIs, you must also update the following property:
ui.isc.oidcEnabled=true
- Update the following properties in UIconfig.properties
ui.disableLoginPage=true
logouturl=/itim/ui/openidLogout.jsp
- If you enabled OpenID Connect as the authentication provider for REST APIs, perform the following steps:
- Navigate to:
$WAS_HOME/profiles/$PROFILE_NAME/installedEBAs/com.ibm.isim.sse_6.0.0.vXX/byValue/XXX.YY/YY/restlogin
Note: The path might be different depending on your deployed environment.
- Back up login.jsp.
- Replace the login.jsp file in restlogin with the login.jsp file from the custom/login/provider/ directory.
- If you want to clear all OpenID Connect provider tokens at logout, add the OpenID Connect provider logout URL to openidLogout.jsp. For example, the ADFS logout URL is
https://<hostname>/adfs/oauth2/logout
Administration console path of openidLogout.jsp:
$WAS_HOME/profiles/$PROFILE_NAME/installedApps/CellName/ITIM.ear/itim_console.war/jsp/logon/
Identity Manager Service Center path of openidLogout.jsp:
$WAS_HOME/profiles/$PROFILE_NAME/installedEBAs/com.ibm.isim.sse_6.0.0.vXX/byValue/XXX.YY/YY/restlogin
Note: The path may be different in your environment.
- Restart WebSphere Application Server.
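The property-file and login.jsp steps above are easy to get subtly wrong by hand (a duplicated key, a missed backup, or a value that is not the one the console expects). The following POSIX shell script is an added example, not IBM's code, that applies those edits idempotently and lets you verify the result before restarting the server. It assumes you point it at the directory that holds ui.properties and UIconfig.properties in your deployment (the `ITIM_DATA` argument) and at the restlogin and custom/login/provider directories named in the procedure; those locations are not derived from the page.

```shell
#!/bin/sh
# Added example (not IBM's code): apply the OpenID Connect property changes
# from the procedure and stage the REST login.jsp replacement, with backups.
set -eu

# set_property FILE KEY VALUE
# Replace an existing "KEY=..." line or append one; takes a timestamped
# backup first. Safe to run repeatedly (no duplicate keys are produced).
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^${key}=" "$file"; then
        # '|' is the sed delimiter because the values contain '/'.
        # (Values containing '|' or '&' would need escaping.)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY -> prints the value of the last matching line
get_property() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_property FILE KEY EXPECTED -> succeeds only if the value matches
check_property() {
    [ "$(get_property "$1" "$2")" = "$3" ]
}

# replace_rest_login RESTLOGIN_DIR PROVIDER_DIR
# Back up login.jsp in restlogin, then copy in the provider version
# from custom/login/provider/ (both directory paths are assumptions).
replace_rest_login() {
    dir=$1; src=$2/login.jsp
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    if [ -f "$dir/login.jsp" ]; then
        cp -p "$dir/login.jsp" "$dir/login.jsp.bak"
    fi
    cp "$src" "$dir/login.jsp"
}

# apply_oidc_properties ITIM_DATA [ISC_OR_REST]
# Set ISC_OR_REST to 1 when OpenID Connect also fronts the Identity
# Manager Service Center or the REST APIs (adds ui.isc.oidcEnabled).
apply_oidc_properties() {
    data=$1; isc=${2:-0}
    set_property "$data/ui.properties" enrole.ui.disableLoginPage true
    set_property "$data/ui.properties" enrole.ui.logoffURL /itim/console/jsp/logon/openidLogout.jsp
    if [ "$isc" = 1 ]; then
        set_property "$data/ui.properties" ui.isc.oidcEnabled true
    fi
    set_property "$data/UIconfig.properties" ui.disableLoginPage true
    set_property "$data/UIconfig.properties" logouturl /itim/ui/openidLogout.jsp
}

# Usage (paths are assumptions for your environment):
#   apply_oidc_properties /opt/IBM/isim/data 1
#   replace_rest_login "$WAS_HOME/profiles/$PROFILE_NAME/.../restlogin" custom/login/provider
#   check_property /opt/IBM/isim/data/ui.properties enrole.ui.disableLoginPage true && echo ok
```

Run `apply_oidc_properties` a second time after checking the files: it must leave exactly one line per key, which is the quickest way to confirm that the edit did not silently duplicate a property that the console would then read inconsistently.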