Configuring OpenID Connect single sign-on

You can configure single sign-on (SSO) with OpenID Connect (OIDC) and IBM® TRIRIGA® Application Suite. OIDC is an authentication layer built on OAuth 2.0, which by itself covers only authorization. OIDC is the preferred authentication mechanism for TRIRIGA Application Suite because a single definition can cover multiple endpoints with distinct hostnames.

Procedure

  1. Define the application with your OpenID Connect Provider (OP).
    For example, if you are using Okta:
    • Okta domain: dev-108858.oktapreview.com
    • Application type: Web
    • Sign-in redirect URIs (Allow wildcard * in login redirect URI): https://*<customer-site>.suite.tririga.com/oidcclient/redirect/ID
  2. Log in to your cluster.
    1. Log in to the Red Hat® OpenShift® Container Platform web console.
    2. Click your username, then click Copy login command.
    3. Open a new command-line interface and log in using the copied login command.
  3. Ensure that the IBM TRIRIGA installed operator is running.
    1. Go to Installed Operators > TRIRIGA Application Suite.
    2. Under the Status column, ensure that the TAS operator condition is Running.
  4. If the deployment is large, update the s1 and s2 TRIRIGAWEB.properties file with the following changes:
    
    SSO=Y
    SSO_REMOTE_USER=N
    SSO_USER_PRINCIPAL=Y
    SSO_REMOVE_DOMAIN_NAME=Y
    USERNAME_CASE_SENSITIVE=N
    SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout
    
    Note:
    • Setting SSO_SINGLE_SIGN_OUT_REDIRECT_URL only clears the TRIRIGA and WebSphere Liberty authentication tokens when the user logs out. If the OP token remains in the browser cache and the user goes to the same TRIRIGA URL again, the OP token is accepted and the user is logged in again without any prompts.
    • To implement proper single logout (SLO), additional setup at the OP is required, including a certificate exchange.
    • For Okta, setting values similar to the following is required to invalidate the OP token:
      
      SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout?logoutExitPage=https://dev-108858.oktapreview.com/login/signout?fromURI=https://<customer-site>.suite.tririga.com/
      
  5. Stop the TRIRIGA Application Suite operator.
    1. Go to Deployments > TRIRIGA Controller Manager.
    2. Under Deployment details, scale the deployment to 0.
  6. Construct the OIDC secret as tas-oidc-secret.yaml.

    Provide the clientId and clientSecret values and a discovery endpoint from which the other details are retrieved. If you do not provide a discovery endpoint, or the discovery endpoint is not reachable from the cluster, then you must also provide values for issuerIdentifier, tokenEndpointUrl, jwkEndpointUrl, authorizationEndpointUrl and userIdentityToCreateSubject (preferred_username is a commonly supported claim).

    
    kind: Secret
    apiVersion: v1
    metadata:
      name: tas-oidc-secret
      namespace: <customer tas project>
    stringData:
      method: oidc
      cfg: |
        <openidConnectClient
          clientId="<application id from your registered app>"
          clientSecret="<client secret that you created for your app>"
          id="<id to be used in redirect URI>"
          issuerIdentifier="<issuer from OpenID Connect metadata document>"
          tokenEndpointUrl="<token_endpoint from OpenID Connect metadata document>"
          jwkEndpointUrl="<jwks_uri from OpenID Connect metadata document>"
          authorizationEndpointUrl="<authorization_endpoint from OpenID Connect metadata document>"
          signatureAlgorithm="RS256"
          userIdentityToCreateSubject="preferred_username"
          >
        </openidConnectClient>
    
  7. Switch to your TAS project.
    
    oc project <customer tas project>
    
  8. Apply the secret.
    
    oc apply -f tas-oidc-secret.yaml
    
  9. Trust the TLS certificate of the OP by inserting it into the current tas-truststore.yaml file.
    For example, to trust login.w3.ibm.com and the Okta preview site:
    
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
      - "ibm.com:443"
      - "login.w3.ibm.com:443"
      - "oktapreview.com:443"
    
    Or, alternatively, you can add a certificate directly:
    
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
      - "ibm.com:443"
      certificates:
      - alias: alias_1
        crt: |
          -----BEGIN CERTIFICATE-----
          ...
          Certificate 1
          ...
          -----END CERTIFICATE-----
      ...
    
  10. Apply the truststore.
    
    oc apply -f tas-truststore.yaml
    
  11. Update the TRIRIGA Application Suite deployment.
    1. Get the TRIRIGA instance YAML file into the site:
      
      oc get $(oc get tririgas -oname) -o yaml > customer-site.yaml
      
    2. Update the spec.integration section to specify the following values:
      
      integration:
        server_xml_ext: tas-xml-extns
        sso:
          cfg_secret: tas-oidc-secret
          method: oidc
        truststore: tas-truststore
      
    3. Apply the changes:
      
      oc apply -f customer-site.yaml
      
  12. Restart the operator.
    1. Go to Deployments > TRIRIGA Controller Manager.
    2. Under Deployment details, scale the deployment back to 1, or its original value. Doing so applies the changes and restarts all TRIRIGA Application Suite pods.
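The following is an added example, not part of the IBM documentation, that supports step 6: it derives the openidConnectClient attributes for the cfg field of tas-oidc-secret.yaml from an OP's OpenID Connect discovery document and refuses to render the element when an endpoint is missing, is not served over HTTPS, or the OP does not advertise the RS256 signature algorithm. The discovery document, host op.example.com and the client values are constructed placeholders.

```python
# Added example, not from the IBM documentation: derive the cfg value of
# tas-oidc-secret.yaml (step 6) from an OP's discovery document.
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

# Discovery-document key -> openidConnectClient attribute used in the secret.
DISCOVERY_TO_ATTR = {
    "issuer": "issuerIdentifier",
    "token_endpoint": "tokenEndpointUrl",
    "jwks_uri": "jwkEndpointUrl",
    "authorization_endpoint": "authorizationEndpointUrl",
}

def discovery_problems(discovery, alg="RS256"):
    """Return the reasons the OP metadata cannot back the secret (empty if OK)."""
    problems = []
    for key in DISCOVERY_TO_ATTR:
        url = discovery.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not url.startswith("https://"):  # endpoints must be TLS-protected
            problems.append(f"{key} is not https: {url}")
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append(f"OP does not advertise {alg} for ID tokens")
    return problems

def build_oidc_client_cfg(discovery, client_id, client_secret, redirect_id,
                          alg="RS256", user_claim="preferred_username"):
    """Render the <openidConnectClient> element for the secret's cfg field."""
    problems = discovery_problems(discovery, alg)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = {"clientId": client_id, "clientSecret": client_secret, "id": redirect_id}
    attrs.update({attr: discovery[key] for key, attr in DISCOVERY_TO_ATTR.items()})
    attrs["signatureAlgorithm"] = alg
    attrs["userIdentityToCreateSubject"] = user_claim
    body = "\n".join(f"  {k}={quoteattr(v)}" for k, v in attrs.items())
    xml = f"<openidConnectClient\n{body}\n  >\n</openidConnectClient>"
    ET.fromstring(xml)  # fail fast if the rendered element is not well-formed XML
    return xml

# Constructed sample metadata; op.example.com is a placeholder, not a real OP.
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://op.example.com/oauth2/v1/token",
    "jwks_uri": "https://op.example.com/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
```

Paste the returned element under `cfg: |` in the secret, indented as in step 6, and keep the clientSecret out of version control.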