IBM Security Identity Governance and Intelligence, Version 5.2.4

Managing internal OpenID Connect authentication

Identity Governance and Intelligence uses an internal OpenID Connect authentication server to administer the login to the virtual appliance local management interface, the Administration Console, and the Service Center.

About this task

With the internal OpenID Connect authentication server enabled, all the components use the same login and logout pages.

The internal OpenID Connect authentication server is enabled by default after you set up the virtual appliance for the first time, following a fresh install of this version of the product.

After the setup is complete, internal OpenID Connect authentication is enabled. From this moment, users are redirected to the internal OpenID Connect authentication login page.
Figure 1. The internal OpenID Connect authentication login page for the virtual appliance and the Administration Console.

With internal OpenID Connect authentication, by default the virtual appliance and the Administration Console use the same internal Identity Governance and Intelligence user registry for the login. The user name and the password that are required to access the two consoles are the same.

You can configure the internal OpenID Connect Provider to use an external user registry and define two separate groups of users with exclusive administration rights for either the virtual appliance or the Administration Console. In this way, you can define administrators who can access one console but not the other.

The login page for the Service Center includes the Forgot Password option.
Figure 2. The internal OpenID Connect authentication login page for the Service Center.

The user name and the password that are required to access the Service Center are stored in the internal Identity Governance and Intelligence user registry, or in an external one.

The internal OpenID Connect authentication server is disabled after you upgrade from an older version of the product. You can enable it after the upgrade.

Enablement for internal OpenID Connect authentication is mutually exclusive with the following features:
  • External OpenID configuration (Configure > Manage External Entities > OpenID Connect Configuration)
  • Management authentication (Manage > System Settings > Management Authentication)

In the OpenID Connect Provider Configuration pane of the local management interface, you can do the following tasks:
  • Start, stop, or restart the internal OpenID Connect authentication server.
    Important: The server keeps a connection to the Identity Governance and Intelligence database. If you need to close all the open connections to the database, you must also stop the internal OpenID Connect authentication server.
  • Enable or disable the internal OpenID Connect authentication feature.
  • Configure external user registries for the Administration Console and the Service Center, based on IBM® Security Directory Server or Microsoft Active Directory.

Procedure

  1. To access the OpenID Connect Provider Configuration pane, select Configure > Manage Server Setting > OpenID Connect Provider Configuration in the local management interface dashboard. The OpenID Connect Provider Configuration pane shows whether the feature is currently enabled and the status of the server. It also displays OpenID Connect configuration settings for the Administration Console and the Service Center:
    Scope
    The openid scope represents the intent of the client application to use the OIDC protocol to verify the identity of the user.
    Signature algorithm
    The algorithm that is used to sign the ID token that is issued by a provider.
    Authorization URL
    The initial endpoint that is contacted by the relying party to begin a flow.
    Token URL
    The endpoint that is used to exchange an authorization code for a token.
    JWK URL
    The JSON web key endpoint that is used for signature verification.
    Issuer identifier
    The verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTP scheme. It contains scheme, host, and optionally, port number and path components.
    Client ID
    A publicly exposed string that the service API uses to identify the application. It is also used to build the authorization requests that the application sends to the provider.
    Client secret
    The client secret authenticates the application to the service API when the application requests access to a user account. It is kept private between the application and the API.
  2. Optional: To start, stop, or restart the internal OpenID Connect authentication server, select the corresponding button. Stopping the server prevents users from authenticating through OpenID Connect.

    The Restart action stops and starts the server immediately.

  3. Optional: After you change any of the OpenID Connect configuration settings, click Refresh to update the values in the grid.
  4. Optional: To enable or disable the internal OpenID Connect authentication feature, select Enable or Disable. Select Enable to use the feature after you upgrade from an older product version. Select Disable if you want to use the External OpenID Configuration or Management Authentication features instead.

    After enabling or disabling the feature, clear any notifications that might be displayed in the dashboard. To do so, complete the actions that are requested in the Notifications section. In a cluster, check the local management interface dashboards of the member nodes and clear the notifications.

  5. Optional: By default, the components are set up to use the internal Identity Governance and Intelligence user registry. This means that the same administrators can access and use both the Administration Console and the virtual appliance local management interface. If you want to keep these administration rights separate, or if you want to configure an external user registry for the Administration Console or the Service Center, select Manage, and then select Administrator User Registry or Service Center User Registry.

    For either component, the Manage User Registry pane is displayed. The configuration settings are identical for the Administration Console and the Service Center, except that the pane for Administrator User Registry includes an LMI Authorization box where you define a group of administrators with exclusive access to the local management interface.

    Follow these steps to configure an external registry:

    1. In Select Registry, select External User Registry.
    2. In Ldap Type, select the directory server product.
    3. Complete the following fields:
      Host name (FQDN, IPv4, or IPv6)
        The name of the server that hosts the directory server, in one of the specified formats.
      Port
        The directory server port.
      SSL
        Select to apply SSL encryption to the connection with this server.
      Principal DN
        The distinguished name that the application server uses to bind to the directory server. For example, cn=root.
      Password
        The password for the principal distinguished name.
      Anonymous Bind
        Select to connect to the directory server without supplying a principal DN and password. If you select this option, the Principal DN and Password fields become unavailable.
      Base DN
        The starting point of the authentication search. For example, the organization, group, or domain name of the external directory.
      Group ID Map
        The LDAP attribute that you want to display for the user group. For example, to use the cn attribute in both Directory Server and Active Directory, specify *:cn. If you are using Active Directory, specify *:displayName.
      User ID Map
        The LDAP attribute that you want to display for the full name of the user. For example, to use the cn attribute in Directory Server, specify *:cn. If you are using Active Directory, specify *:displayName.
      Group Member ID Map
        Enter the attribute mapping that is used for group membership searches. Searches are performed by locating users on the member list of groups. For example:
        • For Directory Server, use:
          ibm-allGroups:member
        • For Active Directory, use:
          memberOf:member
      User Filter
        Specify which users in the external registry can access the application. For example:
        • For Directory Server,
          (&(uid=%v)(objectclass=inetOrgPerson))
          uses user IDs (uid) and the inetOrgPerson object class to find the users. At run time, %v is replaced with the uid attribute of each user, which must be a unique key within the same object class in LDAP.
        • For Active Directory,
          (&(sAMAccountName=%v)(objectclass=organizationalPerson))
          uses user account names (sAMAccountName) and the organizationalPerson object class to find the users.
      Group Filter
        Use group names to specify which users in the external registry can access the application. For example:
        • For Directory Server, use:
          (&(cn=%v)(objectclass=groupOfNames))
          The filter looks up groups in the directory service based on their common name (CN). At run time, %v is replaced by the group name. The object class can be groupOfNames, groupOfUniqueNames, or groupOfURLs.
          You can specify multiple object classes. For example:
          (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
        • For Active Directory, use:
          (&(cn=%v)(objectcategory=CN=Group,CN=Schema,CN=Configuration,DC=DN location of Active Directory))
      LMI Admin Group Distinguished Name
        This field is available in the Manage User Registry pane of Administrator User Registry only. Enter the distinguished name of the group of administrators who can access and use the virtual appliance local management interface.
        Administrators in this group who are also defined elsewhere in the pane for Administrator User Registry can access and use both the local management interface and the Administration Console. Otherwise, the following restrictions apply:
        • Administrators who are defined only in this field can use the local management interface but not the Administration Console.
        • Administrators who are defined elsewhere in the pane for Administrator User Registry, but not in this field, can use the Administration Console but not the local management interface.
    4. Select Save Configuration to save and exit the Manage User Registry pane, or Cancel to exit without saving the data.
  6. Optional: To configure a reverse proxy, select Manage > Reverse Proxy > Configure. In the Reverse proxy host and port configuration window, you can specify the host name and port number that the OpenID Connect relying parties for Identity Governance and Intelligence and for the local management interface use as their redirect target.
    1. In Host name (FQDN, IPv4, or IPv6), specify the host names of the proxies for Identity Governance and Intelligence and for the local management interface, separated by commas.
    2. In Port, specify the port numbers of the proxies for Identity Governance and Intelligence and for the local management interface, separated by commas.
    3. Select Save Configuration. A confirmation message is displayed.
  7. Optional: To remove the configuration for reverse proxy, select Manage > Reverse Proxy > Unconfigure.
  8. Optional: You can replace the default personal certificate of the internal OpenID Connect authentication server with one of your own. When you do so, you must also upload the new certificate for the Local Management Interface and for Identity Governance and Intelligence. Follow these steps:
    1. Select Configure > Certificates > OpenID Connect Provider Configuration in the local management interface dashboard.
    2. In the Certificate Stores pane, select the OpenID Connect Provider key store certificate database and click Edit.
    3. In the following pane, select the personal certificate and click Update.
    4. In the Upload Certificate window, enter the requested data and click Save. The new certificate is uploaded in the Certificate Stores > OpenID Connect Provider key store > Certificates pane.
    5. Go back to Certificate Stores, select the Local Management Interface key store certificate database and click Edit.
    6. In the Certificate Stores > Local Management Interface key store > Certificates pane, select the Signer tab. Select the signer certificate and click Update.
    7. In the Upload Certificate window, enter the information of the certificate that you are uploading from your computer and click Save. The new certificate is uploaded in the Certificate Stores > Local Management Interface key store > Certificates pane.
    8. Repeat steps 5, 6, and 7 for the Identity Governance and Intelligence key store certificate database.
    9. Clear any notifications that might be displayed in the dashboard.
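The settings listed in step 1 (issuer identifier, client ID, client secret, signature algorithm) are exactly the values a relying party such as the Administration Console checks an ID token against. The following script is an added example and is not IBM code; it shows those checks with the Python standard library only. The issuer, client ID and secret are constructed values, and the token is signed with HS256 using the client secret as key so that no extra library is needed (an appliance configured with an asymmetric algorithm would verify against the JWK URL instead). Every check that fails is reported by name, which is what you want to see in a relying-party log.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the values shown in the OpenID Connect Provider
# Configuration pane; they do not belong to any real appliance.
ISSUER = "https://igi.example.com:9443/oidc/endpoint/OP"
CLIENT_ID = "igi-admin-console"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ALG = "HS256"  # the configured signature algorithm, pinned on the verifying side


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def mint_id_token(claims, secret=CLIENT_SECRET, alg=ALG):
    """Build a compact JWT the way a provider would; used here only to create test input."""
    header_b64 = _b64url(_json_bytes({"alg": alg, "typ": "JWT"}))
    payload_b64 = _b64url(_json_bytes(claims))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + _b64url(sig)


def verify_id_token(token, expected_nonce, now=None):
    """Validate an ID token against the configured settings; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The algorithm comes from configuration, never from the token's own header.
    if header.get("alg") != ALG:
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(CLIENT_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # The issuer identifier is compared exactly and case-sensitively.
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp does not name this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    # The nonce ties the token to the authorization request that started the flow.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token, expected_nonce, now):
    """Return None for a valid token, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, expected_nonce, now=now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    good = mint_id_token({"iss": ISSUER, "sub": "admin1", "aud": CLIENT_ID,
                          "iat": 1700000000, "exp": 1700000600, "nonce": "n-1"})
    print("valid token:", verify_id_token(good, "n-1", now=1700000100)["sub"])
    forged = mint_id_token({"iss": ISSUER, "sub": "admin1", "aud": CLIENT_ID,
                            "exp": 1700000600, "nonce": "n-1"}, alg="none")
    print("alg=none token:", rejection_reason(forged, "n-1", 1700000100))
```

The order of the checks matters: the algorithm and signature are verified before any claim is read, so a token whose header claims a different algorithm is rejected without its payload ever being trusted.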
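The User Filter and Group Filter fields in step 5 are templates in which %v is replaced at run time by a user ID or group name. Two things go wrong with such templates in practice: a template with unbalanced parentheses fails every lookup, and a substituted value that carries filter metacharacters changes the meaning of the filter. The script below is an added example, not IBM code; it validates a template before use and substitutes the value with RFC 4515 escaping. The templates are the ones from this page (the Active Directory user filter written with balanced parentheses); the user and group names are constructed.

```python
# Filter templates from the Manage User Registry pane. The Active Directory user
# filter is written with balanced parentheses here.
USER_FILTERS = {
    "Directory Server": "(&(uid=%v)(objectclass=inetOrgPerson))",
    "Active Directory": "(&(sAMAccountName=%v)(objectclass=organizationalPerson))",
}
GROUP_FILTERS = {
    "Directory Server": "(&(cn=%v)(|(objectclass=groupOfNames)"
                        "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))",
}

# RFC 4515 escapes for the characters that would otherwise alter filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an assertion value so that it is matched literally by the directory."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def template_problem(template):
    """Return None if the template is usable, otherwise a description of the defect."""
    if "%v" not in template:
        return "template has no %v placeholder"
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced ')' in template"
    if depth != 0:
        return "unbalanced '(' in template"
    return None


def render_filter(template, value):
    """Substitute %v with the escaped value; refuse a template that is malformed."""
    problem = template_problem(template)
    if problem:
        raise ValueError(problem)
    return template.replace("%v", escape_filter_value(value))


def check_configured_filters(filters):
    """Report every configured template that would fail at run time (empty dict = all good)."""
    return {name: template_problem(tpl) for name, tpl in filters.items()
            if template_problem(tpl) is not None}


if __name__ == "__main__":
    # Constructed names; the second one carries metacharacters that must not widen the search.
    for name in ("jdoe", "*)(uid=*"):
        print(render_filter(USER_FILTERS["Directory Server"], name))
    print(check_configured_filters({
        "AD user filter as printed": "(&(sAMAccountName=%v)(objectclass=organizationalPerson)))",
        **USER_FILTERS, **GROUP_FILTERS,
    }))
```

Run check_configured_filters over the values you intend to paste into the pane before you click Save Configuration; a stray parenthesis is far easier to spot there than as a failed login.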
If you cannot authenticate to the virtual appliance local management interface through OpenID Connect Authentication, you can log in through one of these URLs: The URLs take you to the non-OpenID Connect login pane, where you enter the user name and password of the virtual appliance administrator.

To operate, OpenID Connect Authentication needs to access the Identity Governance and Intelligence database. If the database is unavailable, OpenID Connect Authentication cannot work. In a cluster that is configured with the PostgreSQL database, if the node that hosts the master database is unavailable, OpenID Connect Authentication stops working on the other nodes as well.