(V5.5.5 and later) Configuring external users with an Identity Provider for a traditional WebSphere Application Server environment
To manage external users with an Identity Provider, you configure settings in WebSphere Application Server and register the Content Platform Engine and IBM Content Navigator servers with the Identity Provider as OAuth/OIDC clients.
Before you begin
Set up the Managed User Directory configuration by using the Administration Console for Content Platform Engine. Configure only one Managed User Directory for the external users, even if more than one IdP is configured for them. External users must be uniquely identified by email address across all realms in the P8 domain other than the Managed User Directory realm. To configure the Managed User Directory, see Configuring users with an identity provider.
All Identity Providers (IdPs) that support OAuth 2.0 or OpenID Connect authentication have a registration mechanism to identify the client application to the Identity Provider. At a minimum, a client ID, client secret, and redirect URLs to the client application are required by the OAuth 2.0 and OpenID Connect specifications.
For example, see the Google Identity Platform documentation that describes how to obtain OAuth 2.0 credentials for applications: OpenID Connect.
When registering an application with an Identity Provider, you can use the same client ID registration for each of the IBM® Content Navigator and Content Platform Engine instances in your environment. You must provide a redirect URL for each of these instances, using the following pattern:
https://<hostname:port>/oidcclient/<ExShareId>
Where:
<hostname:port> is the host name and HTTPS port of the IBM Content Navigator or Content Platform Engine instance.
<ExShareId> is the identifier for this Identity Provider registration, ExShareGID in the example that follows.
Each deployment requires its own redirect URI so that the Identity Provider can return the user to the correct service. The URIs are entered on the Identity Provider's registration page; an Identity Provider that follows the OAuth 2.0 specification accepts only a redirect URI that exactly matches a registered one.
As an example, for the Google Sign In Identity Provider, the OAuth 2.0 client ID for ExShareGID would have the following Authorized redirect URIs entered, one for each deployment:
https://cpe_hostname:9443/oidcclient/ExShareGID
https://icn_hostname:9443/oidcclient/ExShareGID
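The following added example (not part of the IBM documentation or product code) builds the per-deployment redirect URIs in the documented form, rejects non-HTTPS or duplicate entries so that each instance remains distinguishable to the Identity Provider, and contrasts the exact-match check an Identity Provider must apply to the redirect_uri parameter with a weaker prefix check that lets an attacker append a query string to a registered URI. The host names, ports and the tampered URI are constructed placeholders.

```python
"""Added example: redirect URI registration for CPE and ICN deployments.
Not from the IBM documentation; host names and ports are placeholders."""
from urllib.parse import urlsplit

# Constructed sample deployments, one entry per WebSphere instance.
EXSHARE_ID = "ExShareGID"
DEPLOYMENTS = {
    "cpe": ("cpe_hostname", 9443),
    "icn": ("icn_hostname", 9443),
}


def redirect_uri(hostname: str, port: int, exshare_id: str) -> str:
    """Redirect URI in the documented form https://<hostname:port>/oidcclient/<ExShareId>."""
    return f"https://{hostname}:{port}/oidcclient/{exshare_id}"


def registered_redirect_uris(deployments: dict, exshare_id: str) -> list:
    """Return one redirect URI per deployment, in deployment order.

    Rejects a URI that is not HTTPS and any URI that repeats an earlier one:
    the Identity Provider must be able to tell the CPE and ICN instances apart.
    """
    uris = []
    for name, (host, port) in deployments.items():
        uri = redirect_uri(host, port, exshare_id)
        if urlsplit(uri).scheme != "https":
            raise ValueError(f"{name}: redirect URI must use https: {uri}")
        if uri in uris:
            raise ValueError(f"{name}: redirect URI {uri} is not unique across deployments")
        uris.append(uri)
    return uris


def is_registered_exact(candidate: str, registered: list) -> bool:
    """Exact string comparison, as OAuth 2.0 requires for redirect_uri values."""
    return candidate in registered


def is_registered_prefix(candidate: str, registered: list) -> bool:
    """Weak check shown for contrast only: anything that merely starts with a
    registered URI passes, including attacker-controlled query strings."""
    return any(candidate.startswith(r) for r in registered)


if __name__ == "__main__":
    registered = registered_redirect_uris(DEPLOYMENTS, EXSHARE_ID)
    for uri in registered:
        print("register:", uri)
    # Constructed tampered callback: a registered URI with an extra query string.
    tampered = registered[0] + "?next=https://attacker.example/"
    print("exact match accepts tampered URI:", is_registered_exact(tampered, registered))
    print("prefix match accepts tampered URI:", is_registered_prefix(tampered, registered))
```

Run it to print the two URIs that belong on the Identity Provider's registration page for this configuration. If the Identity Provider you use offers wildcard or prefix matching for redirect URIs, do not enable it; register each deployment's full URI exactly as generated here.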
About this task
- Configure LDAP user authentication to use LTPA for the WSI transport between IBM Content Navigator and Content Platform Engine.
- Configure WebSphere Application Server for OAuth/OIDC.
This step must be performed on both the WebSphere Application Server instance for Content Platform Engine and the instance for IBM Content Navigator.
- Register the Content Platform Engine and IBM Content Navigator servers with the identity provider as an OAuth/OIDC client.