Enabling OAuth 2.0 for LSF Web Services single sign-on for a high availability environment

If you have configured LSF Web Services for a high availability environment, you can also integrate OAuth with it so that users can safely give LSF Web Services access to data without having to share credentials. You integrate OAuth for LSF Web Services through an authentication server (such as Keycloak) that acts as an OpenID Connect (OIDC) identity provider (IdP).

Before you begin

Tip: If you are not using a failover environment for LSF Web Services, refer to the single sign-on configuration steps in Enabling OAuth 2.0 for LSF Web Services single sign-on instead. The flow for enabling single sign-on for a high availability environment is similar to the flow for a single environment, with some variation for multiple LSF Web Services instances.

Procedure

  1. Configure a high availability environment for LSF Web Services. See Installing LSF Web Services for a high availability environment for installation details.
  2. Install Keycloak 24 from any Linux host. See Installing Keycloak to configure single sign-on with LSF Web Services for installation details.
  3. Access the Keycloak Admin Console from a web browser: sign in to the Keycloak Admin Console as an administrative user, using the hostname or IP and port:

    http://Keycloak_hostname_or_IP:port

  4. Click Clients > Access settings and set the proxy URL for all the URL fields.
  5. Enable LDAP for single sign-on. For details, see Integrating Keycloak with LDAP for single sign-on with LSF Web Services.
  6. Authenticate and test your OAuth single sign-on connection for your LSF Web Services high availability environment:
    1. Log on as the LDAP user. The username here must be the user created in the realm when you installed Keycloak for single sign-on with LSF Web Services (such as lsfadmin) or the OpenLDAP user used when you integrated Keycloak with LDAP (such as user1).
      • For HTTP:
        # lsf cluster logon --username xxxxxx --password xxxxxx --url http://LWS_proxy_hostname_or_IP_address:80
      • For HTTPS:
        # lsf cluster logon --username xxxxxx --password xxxxxx --url https://LWS_proxy_hostname_or_IP_address:443
    2. List the logged clusters:
      For example:
      # lsf cluster list
      Default   Name     Version                                            URL 
      *         lws_ha   IBM Spectrum LSF Standard 10.1.0.14, Jun 11 2023   https://lwshost.ibm.com:443
    3. Submit jobs to the LSF cluster.
      For example:
      # lsf bsub -n2 -R "rusage[mem=500]" sleep 200
      Job <519> is submitted to default queue <normal>.
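
A check for step 4, added here as an example and not part of the product documentation: it reads a client exported from Keycloak in its JSON client representation and lists every URL field whose origin is not the LSF Web Services proxy URL. The host names, ports and client ID in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an exported Keycloak client (hypothetical hosts, ports, ID).
SAMPLE_CLIENT = json.loads("""
{
  "clientId": "lws-client",
  "rootUrl": "https://lws-proxy.example.com:443",
  "baseUrl": "/",
  "adminUrl": "https://lws-node1.example.com:8448",
  "redirectUris": ["https://lws-proxy.example.com/*",
                   "https://lws-node2.example.com:8448/*"],
  "webOrigins": ["+"]
}
""")

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def urls_not_using_proxy(client, proxy_url):
    """List (field, value) pairs whose origin differs from the proxy URL."""
    expected = origin(proxy_url)
    candidates = [(f, client.get(f)) for f in ("rootUrl", "baseUrl", "adminUrl")]
    for field in ("redirectUris", "webOrigins"):
        candidates += [(field, v) for v in client.get(field, [])]
    findings = []
    for field, value in candidates:
        if not value or value.startswith("/"):
            continue  # unset, or relative to rootUrl (which is checked itself)
        if field == "webOrigins" and value == "+":
            continue  # "+" reuses the origins of the valid redirect URIs
        if origin(value) != expected:
            findings.append((field, value))
    return findings

if __name__ == "__main__":
    proxy = "https://lws-proxy.example.com:443"  # constructed proxy URL
    for field, value in urls_not_using_proxy(SAMPLE_CLIENT, proxy):
        print(f"{field}: {value} does not point at {proxy}")
```

A field that still names an individual LSF Web Services instance rather than the proxy shows up in the output and can be corrected under Clients > Access settings.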