You can configure a WebSphere® Application Server to function as an OpenID Relying Party (RP or client) to take advantage of web single sign-on using an OpenID Provider as an identity provider.
About this task
Configure a WebSphere Application Server to act as an OpenID Relying Party by performing the following steps:
Procedure
- In the administrative console, click Security > Global security > Web and SIP security > Trust association.
- Click Interceptors.
- Click New to add a new interceptor.
- Enter the interceptor class name: com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI
- Add custom properties for your environment. Read OpenID Relying Party custom properties for a list of the properties.
- Click Apply and Save the configuration updates.
  Important: Do not click Save without clicking Apply first, or the custom properties are discarded.
- Under Global Security > Trust Association, select the Enable Trust Association check box.
- Click Security > Global security and then click Custom properties.
- Click New and define the following custom property information under General properties:
  Name: com.ibm.websphere.security.performTAIForUnprotectedURI
  Value: true
  Note: This property should be set only if there is a need for the TAI to intercept a request to an unprotected URI.
- Import the OpenID provider's SSL signer certificate into the WebSphere Application Server truststore:
  - In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
  - Click Add.
- In the administrative console, add the trusted realm:
  - Click Global Security.
  - Under User account repository, click Configure.
  - Click Trusted authentication realms – inbound.
  - Click Add External Realm. The RP uses the name OpenIDDefaultRealm by default. If that default is not modified during the configuration of the RP, the same name should be added as a trusted realm. Make sure that the realmName property configured in the RP is added as a trusted realm.
- Restart WebSphere Application Server.
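The same procedure can be scripted with wsadmin instead of clicked through the console, which makes the configuration repeatable and reviewable. The following Jython script is an added example and is not part of the IBM page or product documentation. The AdminTask command and parameter names it uses (configureInterceptor, configureTrustAssociation, setAdminActiveSecuritySettings, retrieveSignerFromPort, addTrustedRealms) are quoted from memory of the wsadmin reference and are assumptions to verify against your release; the host, port and alias values are constructed placeholders. The script derives the inbound trusted realm from the realmName property so the two cannot drift apart, and picks CellDefaultTrustStore or NodeDefaultTrustStore depending on whether it runs against a deployment manager, both rules taken from the steps above.

```python
# Added example, not from the IBM page: wsadmin Jython script applying the
# console procedure above as AdminTask commands. Command and parameter names
# are assumptions from memory of the wsadmin reference; verify them against
# your release. Run inside wsadmin:  wsadmin.sh -lang jython -f configure_openid_rp.py
# Written for Jython 2.1 compatibility (no True/False literals, no f-strings).

INTERCEPTOR_CLASS = 'com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI'
UNPROTECTED_URI_PROP = 'com.ibm.websphere.security.performTAIForUnprotectedURI'
DEFAULT_REALM = 'OpenIDDefaultRealm'

# Constructed placeholder values for your environment (not real hosts).
OP_HOST = 'op.example.com'          # OpenID Provider whose signer certificate is imported
OP_PORT = 443
SIGNER_ALIAS = 'openid_provider'    # alias the signer gets in the truststore
RP_PROPERTIES = {                   # TAI custom properties; add the others you need from
    'realmName': DEFAULT_REALM,     # the "OpenID Relying Party custom properties" list
}


def _wsadmin_list(props):
    """Render a dict as the ["k=v" "k=v"] list form wsadmin expects for -customProperties."""
    keys = list(props.keys())
    keys.sort()
    return '[%s]' % ' '.join(['"%s=%s"' % (k, props[k]) for k in keys])


def truststore_name(is_dmgr):
    """Page rule: CellDefaultTrustStore on a deployment manager, NodeDefaultTrustStore otherwise."""
    if is_dmgr:
        return 'CellDefaultTrustStore'
    return 'NodeDefaultTrustStore'


def build_plan(op_host, op_port, signer_alias, rp_props, is_dmgr, intercept_unprotected=0):
    """Return an ordered list of (AdminTask command, argument string) pairs.

    The trusted realm is derived from the realmName property so the RP realm and
    the inbound trusted realm can never disagree, which is the mismatch the page warns about.
    """
    realm = rp_props.get('realmName', DEFAULT_REALM)
    plan = [
        ('configureInterceptor',
         '[-interceptor %s -customProperties %s]' % (INTERCEPTOR_CLASS, _wsadmin_list(rp_props))),
        ('configureTrustAssociation', '[-enable true]'),
        ('retrieveSignerFromPort',
         '[-keyStoreName %s -host %s -port %d -certificateAlias %s]'
         % (truststore_name(is_dmgr), op_host, op_port, signer_alias)),
        ('addTrustedRealms', '[-communicationType inbound -realmList %s]' % realm),
    ]
    # The page says to set performTAIForUnprotectedURI only when the TAI really
    # has to intercept requests to unprotected URIs, so it is opt-in here.
    if intercept_unprotected:
        plan.insert(2, ('setAdminActiveSecuritySettings',
                        '[-customProperties ["%s=true"]]' % UNPROTECTED_URI_PROP))
    return plan


def run_plan(plan, admin_task, admin_config):
    """Execute the plan with the wsadmin objects, then save (the scripted "Apply, then Save")."""
    for command, args in plan:
        print('AdminTask.%s(%s)' % (command, args))
        getattr(admin_task, command)(args)
    admin_config.save()
    return len(plan)


try:
    AdminTask                    # only defined when running inside wsadmin
    _IN_WSADMIN = 1
except NameError:
    _IN_WSADMIN = 0

if _IN_WSADMIN:
    run_plan(build_plan(OP_HOST, OP_PORT, SIGNER_ALIAS, RP_PROPERTIES, is_dmgr=0),
             AdminTask, AdminConfig)
    # Restart the server afterwards, as the last step of the procedure requires.
```

Because build_plan only produces command strings, the plan can be printed and reviewed (or unit-tested) before anything is applied; run_plan is the only function that touches the live configuration, and it saves once at the end, which is the scripted equivalent of clicking Apply before Save.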
Results
These steps establish the minimum configuration required to set up a WebSphere Application Server as an OpenID Relying Party capable of communicating with an OpenID Provider.