Configuring OpenID Connect single sign-on
You can configure single sign-on (SSO) between TRIRIGA Application Suite (TAS) and an OpenID Connect (OIDC) provider. OIDC is an authentication layer built on OAuth 2.0, which by itself is only concerned with authorisation. OIDC is the preferred authentication mechanism for TAS because it allows multiple endpoints with unique hostnames to be configured in a single definition.
Procedure
- Define the application with your OpenID Connect Provider (OP). For example, if you are using Okta:
- Okta domain: dev-108858.oktapreview.com
- Application type: Web
- Sign-in redirect URIs (Allow wildcard * in login redirect URI): https://*<customer-site>.suite.tririga.com/oidcclient/redirect/ID
- Log in to your cluster.
- Log in to the OpenShift Container Platform web console.
- Click your user name, then click Copy login command.
- Open a new command line interface and log in using the copied oc login command.
- Ensure that the installed TRIRIGA operator is running.
- Go to Installed Operators > TRIRIGA Application Suite.
- Under the Status column, ensure that the TAS operator condition is Running.
- If the deployment is large, update the s1 and s2 TRIRIGAWEB.properties files with the following changes:
    SSO=Y
    SSO_REMOTE_USER=N
    SSO_USER_PRINCIPAL=Y
    SSO_REMOVE_DOMAIN_NAME=Y
    USERNAME_CASE_SENSITIVE=N
    SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout
Note: Setting SSO_SINGLE_SIGN_OUT_REDIRECT_URL only clears the TRIRIGA and WebSphere Liberty authentication tokens when the user logs out. The OP token remains in the browser, so if the user goes to the same TRIRIGA URL again, the OP token is accepted and the user is logged in again without any prompt.
- Proper single logout (SLO) requires additional setup at the OP, including a certificate exchange.
- For Okta, a value similar to the following is required to also invalidate the OP token:
    SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout?logoutExitPage=https://dev-108858.oktapreview.com/login/signout?fromURI=https://<customer-site>.suite.tririga.com/
- Stop the TAS operator.
- Go to Deployments > TRIRIGA Controller Manager.
- Under Deployment details, scale the deployment to 0.
- Construct the OIDC secret as tas-oidc-secret.yaml.
Provide the clientId and clientSecret values and a discovery endpoint from which the other details are retrieved. If you do not provide a discovery endpoint, or it cannot be reached from the cluster, then you must also provide values for issuerIdentifier, tokenEndpointUrl, jwkEndpointUrl, authorizationEndpointUrl and userIdentityToCreateSubject (preferred_username is a commonly supported claim). The following example specifies the endpoints explicitly:
    kind: Secret
    apiVersion: v1
    metadata:
      name: tas-oidc-secret
      namespace: <customer tas project>
    stringData:
      method: oidc
      cfg: |
        <openidConnectClient
            clientId="<application id from your registered app>"
            clientSecret="<client secret that you created for your app>"
            id="<id to be used in redirect URI>"
            issuerIdentifier="<issuer from OpenID Connect metadata document>"
            tokenEndpointUrl="<token_endpoint from OpenID Connect metadata document>"
            jwkEndpointUrl="<jwks_uri from OpenID Connect metadata document>"
            authorizationEndpointUrl="<authorization_endpoint from OpenID Connect metadata document>"
            signatureAlgorithm="RS256"
            userIdentityToCreateSubject="preferred_username" >
        </openidConnectClient>
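The openidConnectClient attributes above map one-to-one onto fields of the OP's OIDC discovery document (issuer, token_endpoint, jwks_uri, authorization_endpoint). The following is an added example, not IBM tooling, that renders tas-oidc-secret.yaml from such a document and refuses metadata whose issuer does not match the URL it was fetched for or that does not advertise the pinned RS256 algorithm; the discovery document, client values and namespace are constructed samples.

```python
"""Render tas-oidc-secret.yaml from an OP's OIDC discovery document (added example)."""
import json
from xml.sax.saxutils import quoteattr

# Constructed sample in the shape of <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://op.example.test/oauth2/default",
  "authorization_endpoint": "https://op.example.test/oauth2/default/v1/authorize",
  "token_endpoint": "https://op.example.test/oauth2/default/v1/token",
  "jwks_uri": "https://op.example.test/oauth2/default/v1/keys",
  "id_token_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["sub", "preferred_username", "email"]
}""")


def render_oidc_secret(discovery, expected_issuer, client_id, client_secret,
                       redirect_id, namespace, user_claim="preferred_username"):
    """Return the Secret manifest text, or raise ValueError on unsafe metadata."""
    # OIDC Discovery 1.0 s4.3: the issuer in the document must equal the issuer
    # URL it was fetched for; otherwise tokens from a different OP could be trusted.
    if discovery.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (discovery.get("issuer"), expected_issuer))
    # The TAS config pins signatureAlgorithm="RS256"; fail early if the OP lacks it.
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        raise ValueError("OP does not advertise RS256 ID token signing")
    # claims_supported is optional; only check it when the OP publishes it.
    if user_claim not in discovery.get("claims_supported", [user_claim]):
        raise ValueError("OP does not advertise claim %r" % user_claim)
    attrs = [
        ("clientId", client_id),
        ("clientSecret", client_secret),
        ("id", redirect_id),
        ("issuerIdentifier", discovery["issuer"]),
        ("tokenEndpointUrl", discovery["token_endpoint"]),
        ("jwkEndpointUrl", discovery["jwks_uri"]),
        ("authorizationEndpointUrl", discovery["authorization_endpoint"]),
        ("signatureAlgorithm", "RS256"),
        ("userIdentityToCreateSubject", user_claim),
    ]
    # quoteattr() escapes the values so they are safe as XML attributes in server.xml.
    xml = "<openidConnectClient\n" + "".join(
        "        %s=%s\n" % (k, quoteattr(v)) for k, v in attrs) + "    ></openidConnectClient>"
    # The XML sits under stringData.cfg as a YAML block scalar, indented by four spaces.
    return ("kind: Secret\napiVersion: v1\nmetadata:\n  name: tas-oidc-secret\n"
            "  namespace: %s\nstringData:\n  method: oidc\n  cfg: |\n    %s\n"
            % (namespace, xml))


if __name__ == "__main__":
    print(render_oidc_secret(SAMPLE_DISCOVERY, "https://op.example.test/oauth2/default",
                             "0oa-constructed-client", "constructed-secret", "ID", "tas-dev"))
```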
- Switch the default project.
oc project <customer tas project>
- Apply the secret.
oc apply -f tas-oidc-secret.yaml
- Trust the TLS certificate of the OP by adding it to the current tas-truststore.yaml file. For example, to add login.w3.ibm.com and the Okta preview site:
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
        - "ibm.com:443"
        - "login.w3.ibm.com:443"
        - "oktapreview.com:443"
Alternatively, a certificate can be added directly:
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
        - "ibm.com:443"
      certificates:
        - alias: alias_1
          crt: |
            -----BEGIN CERTIFICATE-----
            ... Certificate 1 ...
            -----END CERTIFICATE-----
        ...
- Apply the truststore.
    oc apply -f tas-truststore.yaml
- Update the TAS deployment.
- Export the TRIRIGA instance YAML to a local file:
    oc get $(oc get tririgas -oname) -o yaml > customer-site.yaml
- Update the spec.integration section to specify the following values:
    integration:
      server_xml_ext: tas-xml-extns
      sso:
        cfg_secret: tas-oidc-secret
        method: oidc
      truststore: tas-truststore
- Apply the changes:
oc apply -f customer-site.yaml
- Restart the operator.
- Go to Deployments > TRIRIGA Controller Manager.
- Under Deployment details, scale the deployment back to 1, or its original value. Doing so applies the changes and restarts all TAS pods.