Configuring OpenID Connect

You can use OpenID Connect to access the Administration Console and the Identity Manager Service Center. The OpenID Connect provider must be able to authenticate the user and provide claims to a relying party about the authentication event and the user.

Before you begin

IBM® Security Verify Governance supports OpenID Connect providers that meet the following requirements:
  • The provider is fully OIDC-compliant.
  • The user registry is managed by IBM Security Verify Governance.
  • The relying party, IBM Security Verify Governance, is reachable from the provider.

Ensure that you configured an OpenID Connect provider such as Active Directory Federation Services (ADFS) or IBM Security Verify.

Procedure

  1. Configure WebSphere Application Server as an OpenID Connect Client.
    In the WebSphere Application Server documentation, see Configuring an OpenID Connect Relying Party.
  2. Add the Identity Provider Realms to the list of Inbound Trusted Realms.
    1. Log on to the IBM WebSphere® Application Server administrative console. For example, http://localhost:9060/ibm/console
    2. Navigate to Security > Security Domains > ISIMSecurityDomain.
    3. Expand User Realm.
    4. Click Configure.
    5. In the Related Items section, click Trusted authentication realms - inbound.
    6. Click Add External Realm.
    7. Enter the realm name and click OK.
    8. In the Inbound Trust column, ensure that the realm shows Trusted.
    9. Click Apply and Save.
  3. Update the property files.
    1. Update the following properties in ui.properties.

      enrole.ui.disableLoginPage=true

      enrole.ui.logoffURL=/itim/console/jsp/logon/openidLogout.jsp

      If you enabled OpenID Connect as the authentication provider for the Identity Manager Service Center or REST APIs, you must update the following property:

      ui.isc.oidcEnabled=true

    2. Update the following properties in UIconfig.properties

      ui.disableLoginPage=true

      logouturl=/itim/ui/openidLogout.jsp

  4. If you enabled OpenID Connect as the authentication provider for REST APIs, perform the following steps:
    1. Navigate to:
      $WAS_HOME/profiles/$PROFILE_NAME/installedEBAs/com.ibm.isim.sse_6.0.0.vXX/byValue/XXX.YY/YY/restlogin
      Note: The path might be different depending on your deployed environment.
    2. Back up login.jsp.
    3. Replace login.jsp that is in restlogin with the login.jsp file that is in the custom/login/provider/ directory.
  5. If you want to clear all OpenID Connect provider tokens at logout, add the OpenID Connect provider logout URL to openidLogout.jsp.
    For example, the ADFS logout URL is

    https://<hostname>/adfs/oauth2/logout

    For the Administration Console, openidLogout.jsp is located in:

    $WAS_HOME/profiles/$PROFILE_NAME/installedApps/CellName/ITIM.ear/itim_console.war/jsp/logon/

    For the Identity Manager Service Center, openidLogout.jsp is located in:

    $WAS_HOME/profiles/$PROFILE_NAME/installedEBAs/com.ibm.isim.sse_6.0.0.vXX/byValue/XXX.YY/YY/restlogin

    Note: The path may be different in your environment.
  6. Restart WebSphere Application Server.
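The property-file edits in step 3 and the login.jsp swap in step 4 are easy to get wrong by hand (a key left commented out, or set twice, silently keeps the login page enabled). The following shell script is an added example, not IBM's own tooling: it sets each key exactly once in the Java-style properties files, keeps a `.bak` copy, and backs up `login.jsp` before replacing it. It assumes `ISIM_DATA_DIR` is the directory that holds `ui.properties` and `UIconfig.properties`, and that `RESTLOGIN_DIR` is the `restlogin` directory from step 4; the page does not state the former location, so both are supplied by the operator.

```shell
#!/bin/sh
# Added example (not IBM's own tooling) for steps 3 and 4 of the OIDC procedure.
# Assumptions: ISIM_DATA_DIR holds ui.properties and UIconfig.properties;
# RESTLOGIN_DIR is the restlogin directory whose exact path varies per deployment.
set -eu

# set_property FILE KEY VALUE
# Rewrites an existing KEY line (even if commented out with # or !) or appends
# one, so the key ends up set exactly once. A FILE.bak copy is kept.
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    if grep -q "^[#!]*[[:space:]]*${esc_key}[[:space:]]*[=:]" "$file"; then
        sed -i.bak "s|^[#!]*[[:space:]]*${esc_key}[[:space:]]*[=:].*|${key}=${value}|" "$file"
    else
        cp "$file" "$file.bak"
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY
# Prints the effective (last uncommented) value of KEY, or nothing if unset.
get_property() {
    esc_key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^[[:space:]]*${esc_key}[[:space:]]*[=:]" "$1" | tail -n 1 \
        | sed 's/^[^=:]*[=:][[:space:]]*//'
}

# apply_oidc_ui_properties DIR [yes|no]
# Step 3: the ui.properties and UIconfig.properties values from the page.
# Pass "yes" as the second argument when OIDC also fronts the Service Center / REST APIs.
apply_oidc_ui_properties() {
    dir=$1; isc=${2:-no}
    set_property "$dir/ui.properties" enrole.ui.disableLoginPage true
    set_property "$dir/ui.properties" enrole.ui.logoffURL /itim/console/jsp/logon/openidLogout.jsp
    if [ "$isc" = yes ]; then
        set_property "$dir/ui.properties" ui.isc.oidcEnabled true
    fi
    set_property "$dir/UIconfig.properties" ui.disableLoginPage true
    set_property "$dir/UIconfig.properties" logouturl /itim/ui/openidLogout.jsp
}

# replace_rest_login RESTLOGIN_DIR CUSTOM_LOGIN_JSP
# Step 4: back up the shipped login.jsp, then install the provider version
# from custom/login/provider/. Refuses to run if the replacement is missing.
replace_rest_login() {
    restlogin=$1; custom=$2
    if [ ! -f "$custom" ]; then
        echo "replacement login.jsp not found: $custom" >&2
        return 1
    fi
    if [ -f "$restlogin/login.jsp" ]; then
        cp -p "$restlogin/login.jsp" "$restlogin/login.jsp.bak"
    fi
    cp "$custom" "$restlogin/login.jsp"
}

# Usage: sh oidc_props.sh "$ISIM_DATA_DIR" [yes|no] ["$RESTLOGIN_DIR" custom/login/provider/login.jsp]
if [ "$#" -ge 1 ]; then
    apply_oidc_ui_properties "$1" "${2:-no}"
    if [ "$#" -ge 4 ]; then
        replace_rest_login "$3" "$4"
    fi
fi
```

Run it twice and the files are unchanged the second time, which is the check worth doing before the WebSphere restart in step 6: `grep -c '^enrole.ui.disableLoginPage=' ui.properties` should print `1`, and `get_property` should return `true` for the disable-login-page keys in both files.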