Configuring OpenID Connect single sign-on
You can configure single sign-on (SSO) with OpenID Connect (OIDC) and IBM® TRIRIGA® Application Suite. OIDC is an authentication layer built on OAuth 2.0 (which on its own is only concerned with authorization). OIDC is the preferred authentication mechanism for TRIRIGA Application Suite because it allows multiple endpoints with unique hostnames to be configured in a single definition.
Procedure
- Define the application with your OpenID Connect Provider (OP). For example, if you are using Okta:
  - Okta domain: dev-108858.oktapreview.com
  - Application type: Web
  - Sign-in redirect URIs (allow the wildcard * in the login redirect URI): https://*<customer-site>.suite.tririga.com/oidcclient/redirect/ID
  Keep the wildcard scoped to your own suite.tririga.com subdomain, because every host that matches the pattern is a valid destination for the authorization code. The trailing ID must match the id attribute that you set in the OIDC secret later in this procedure.
- Log in to your cluster.
- Log in to the Red Hat® OpenShift® Container Platform web console.
- Click your username, then click Copy login command.
- Open a new command-line interface and log in using the copied login command.
- Ensure that the IBM TRIRIGA installed operator is running.
  - Go to Installed Operators > TRIRIGA Application Suite.
  - Under the Status column, ensure that the TAS operator condition is Running.
- If the deployment is large, update the s1 and s2 TRIRIGAWEB.properties files with the following changes:
    SSO=Y
    SSO_REMOTE_USER=N
    SSO_USER_PRINCIPAL=Y
    SSO_REMOVE_DOMAIN_NAME=Y
    USERNAME_CASE_SENSITIVE=N
    SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout
  Note:
  - Setting SSO_SINGLE_SIGN_OUT_REDIRECT_URL on its own clears only the TRIRIGA and WebSphere Liberty authentication tokens when the user logs out. If the OP token remains in the browser and the user goes to the same TRIRIGA URL again, the OP token is accepted and the user is logged in again without any prompt.
  - Proper single logout (SLO) requires additional setup at the OP, including some certificate exchange.
  - For Okta, a value similar to the following is required to invalidate the OP token as well:
    SSO_SINGLE_SIGN_OUT_REDIRECT_URL=/ibm_security_logout?logoutExitPage=https://dev-108858.oktapreview.com/login/signout?fromURI=https://<customer-site>.suite.tririga.com/
- Stop the TRIRIGA Application Suite operator.
- Go to Deployments > TRIRIGA Controller Manager.
- Under Deployment details, scale the deployment to 0.
- Construct the OIDC secret as tas-oidc-secret.yaml.
  Provide the clientId and clientSecret values and a discovery endpoint from which the other details are retrieved. If you do not provide a discovery endpoint, or it cannot be reached from the cluster, then you must also provide values for issuerIdentifier, tokenEndpointUrl, jwkEndpointUrl, authorizationEndpointUrl, and userIdentityToCreateSubject (preferred_username is a commonly supported claim). Take the endpoint values from the OP's OpenID Connect metadata document rather than typing them by hand, and keep them on https.
    kind: Secret
    apiVersion: v1
    metadata:
      name: tas-oidc-secret
      namespace: <customer tas project>
    stringData:
      method: oidc
      cfg: |
        <openidConnectClient
            clientId="<application id from your registered app>"
            clientSecret="<client secret that you created for your app>"
            id="<id to be used in redirect URI>"
            issuerIdentifier="<issuer from OpenID Connect metadata document>"
            tokenEndpointUrl="<token_endpoint from OpenID Connect metadata document>"
            jwkEndpointUrl="<jwks_uri from OpenID Connect metadata document>"
            authorizationEndpointUrl="<authorization_endpoint from OpenID Connect metadata document>"
            signatureAlgorithm="RS256"
            userIdentityToCreateSubject="preferred_username" >
        </openidConnectClient>
- Switch to the TAS project.
oc project <customer tas project>
- Apply the secret.
oc apply -f tas-oidc-secret.yaml
- Trust the TLS certificate of the OP by adding it to the current tas-truststore.yaml file. Each entry under servers is a host whose served certificate is fetched and added to the truststore, so list the OP host that TRIRIGA actually connects to. For example, to trust ibm.com, login.w3.ibm.com, and the Okta preview site:
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
        - "ibm.com:443"
        - "login.w3.ibm.com:443"
        - "oktapreview.com:443"
  Alternatively, you can add a certificate directly:
    apiVersion: truststore-mgr.ibm.com/v1
    kind: Truststore
    metadata:
      name: tas-truststore
      namespace: <customer tas project>
    spec:
      license:
        accept: true
      includeDefaultCAs: true
      servers:
        - "ibm.com:443"
      certificates:
        - alias: alias_1
          crt: |
            -----BEGIN CERTIFICATE-----
            ... Certificate 1 ...
            -----END CERTIFICATE-----
        ...
- Apply the truststore.
  oc apply -f tas-truststore.yaml
- Update the TRIRIGA Application Suite deployment.
  - Export the TRIRIGA instance YAML to a file:
    oc get $(oc get tririgas -oname) -o yaml > customer-site.yaml
  - Update the spec.integration section to specify the following values:
      integration:
        server_xml_ext: tas-xml-extns
        sso:
          cfg_secret: tas-oidc-secret
          method: oidc
        truststore: tas-truststore
- Apply the changes:
oc apply -f customer-site.yaml
- Restart the operator.
- Go to Deployments > TRIRIGA Controller Manager.
- Under Deployment details, scale the deployment back to 1, or its original value. Doing so applies the changes and restarts all TRIRIGA Application Suite pods.
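The following is an added example, not IBM's code and not part of the TRIRIGA product, for the step in which you construct tas-oidc-secret.yaml without a reachable discovery endpoint. It maps an OP discovery document onto the issuerIdentifier, tokenEndpointUrl, jwkEndpointUrl, and authorizationEndpointUrl attributes, checks that the endpoints are https and live on the issuer's host, that the OP advertises RS256 and the preferred_username claim, and then renders the Secret with every attribute XML-escaped so that a client secret containing & or quotes cannot corrupt the server.xml fragment. The discovery document is constructed sample data in the shape of a .well-known/openid-configuration response (the Okta host is the one used on this page); the client ID, client secret, id, and namespace values are placeholders.

```python
"""Render tas-oidc-secret.yaml from an OIDC discovery document.

Added example, not IBM's code. SAMPLE_DISCOVERY is constructed data; the
client ID, secret, id and namespace passed to render_secret() are placeholders.
"""
import json
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Constructed sample in the shape of a .well-known/openid-configuration response.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-108858.oktapreview.com",
    "authorization_endpoint": "https://dev-108858.oktapreview.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-108858.oktapreview.com/oauth2/v1/token",
    "jwks_uri": "https://dev-108858.oktapreview.com/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email", "preferred_username"],
})

# openidConnectClient attribute -> key in the discovery document
ENDPOINT_KEYS = {
    "issuerIdentifier": "issuer",
    "authorizationEndpointUrl": "authorization_endpoint",
    "tokenEndpointUrl": "token_endpoint",
    "jwkEndpointUrl": "jwks_uri",
}


def check_discovery(discovery_json, user_claim="preferred_username", sig_alg="RS256"):
    """Return a list of problems found in the discovery document (empty means usable)."""
    problems = []
    doc = json.loads(discovery_json)
    for attr, key in ENDPOINT_KEYS.items():
        if not doc.get(key):
            problems.append(f"missing '{key}' (needed for {attr})")
    if problems:
        return problems
    issuer_host = urlparse(doc["issuer"]).netloc
    for key in ENDPOINT_KEYS.values():
        url = urlparse(doc[key])
        # Authorization codes, tokens and signing keys must only travel over TLS.
        if url.scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
        # Conservative check: endpoints are expected on the issuer's host. Relax it
        # only if you have confirmed that your OP legitimately serves them elsewhere.
        if url.netloc != issuer_host:
            problems.append(f"{key} host {url.netloc!r} differs from issuer host {issuer_host!r}")
    if sig_alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"OP does not advertise {sig_alg} for ID token signatures")
    claims = doc.get("claims_supported")
    if claims is not None and user_claim not in claims:
        problems.append(f"OP does not advertise the '{user_claim}' claim")
    return problems


def extract_oidc_fields(discovery_json, user_claim="preferred_username", sig_alg="RS256"):
    """Map a validated discovery document onto the attributes the secret needs."""
    problems = check_discovery(discovery_json, user_claim, sig_alg)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(discovery_json)
    fields = {attr: doc[key] for attr, key in ENDPOINT_KEYS.items()}
    fields["signatureAlgorithm"] = sig_alg
    fields["userIdentityToCreateSubject"] = user_claim
    return fields


def render_secret(fields, client_id, client_secret, redirect_id, namespace):
    """Render the Secret manifest. quoteattr() XML-escapes and quotes each value,
    so a secret containing '&', '<' or quotes cannot break the server.xml fragment."""
    attrs = {"clientId": client_id, "clientSecret": client_secret, "id": redirect_id}
    attrs.update(fields)
    cfg = ["<openidConnectClient"]
    cfg += [f"    {name}={quoteattr(value)}" for name, value in attrs.items()]
    cfg += [">", "</openidConnectClient>"]
    out = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        "  name: tas-oidc-secret",
        f"  namespace: {namespace}",
        "stringData:",
        "  method: oidc",
        "  cfg: |",
    ] + ["    " + line for line in cfg]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Placeholder client ID, secret, id and namespace; replace with your own values.
    oidc_fields = extract_oidc_fields(SAMPLE_DISCOVERY)
    print(render_secret(oidc_fields, "0oa-example-client-id", "example-client-secret",
                        "ID", "tas-example"))
```

Run it with the discovery document saved from the OP in place of SAMPLE_DISCOVERY and redirect the output to tas-oidc-secret.yaml before the oc apply step; any non-https or off-host endpoint stops the render with an error instead of ending up in the secret. The id value you pass must be the same ID that appears at the end of the sign-in redirect URI registered with the OP.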