Content Platform Engine RelyingParty Interceptor settings

Use the following sample settings as a guide for the Interceptor class settings of your Content Platform Engine application server instance. The host names, ports, client IDs, and client secrets shown are sample values only: replace them with the values issued for your own client registration at each identity provider, and never reuse the sample secrets in a deployment.

Each distinct identity provider must follow the naming pattern provider_<n>, where <n> is a number that starts at 1 and is incremented for each additional identity provider. All the properties that are specific to a given identity provider use the same provider_<n> prefix. The following table shows example values for three different identity providers:
  • provider_1 - Example UMS Identity Provider
  • provider_2 - Example Google Sign-In Identity Provider
  • provider_3 - Example IBM Id Identity Provider
Name                                Value
provider_1.authorizeEndpointUrl     https://server_name:port/oidc/endpoint/ums/authorize
provider_1.tokenEndpointUrl         https://server_name:port/oidc/endpoint/ums/token
provider_1.jwkEndpointUrl           https://server_name:port/oidc/endpoint/ums/jwk
provider_1.signatureAlgorithm       RS256
provider_1.issuerIdentifier         https://server_name/oidc/endpoint/ums
provider_1.clientId                 exShareUms
provider_1.clientSecret             Genius1
provider_1.identifier               ExShareUms
provider_1.useRealm                 For multiple IDPs: ExShareUms
                                    For a single IDP: ldap_realm
                                    Set this to the Realm name under Security > Global security > User account repository.
provider_1.filter                   For multiple IDPs: auth-token-realm%=ExShareUms
                                    The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider through its provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_1.useRealm = ExShareUms
                                    For a single IDP: Authorization%=Bearer
                                    All requests that carry a Bearer token are then authenticated by using this OAuth/OIDC configuration.
provider_1.userIdentifier           sub
provider_1.useJwtFromRequest        OAuth: no
                                    OIDC: ifPresent
provider_1.scope                    openid email
provider_1.uniqueUserIdentifier     sub
provider_1.introspectEndpointUrl    https://server_name:port/oidc/endpoint/ums/introspect
provider_1.allowImplicitClientFlow  true
provider_1.signVerifyAlias          ums
provider_1.responseType             id_token token
provider_1.verifyIssuerInIat        true
provider_1.audiences                exShareUms

provider_2.authorizeEndpointUrl     https://accounts.google.com/o/oauth2/v2/auth
provider_2.tokenEndpointUrl         https://oauth2.googleapis.com/token
provider_2.jwkEndpointUrl           https://www.googleapis.com/oauth2/v3/certs
provider_2.signatureAlgorithm       RS256
provider_2.issuerIdentifier         https://accounts.google.com
provider_2.clientId                 530122881973-fuotgltih4t5e3335im9aeca2uql7q52.apps.googleusercontent.com
provider_2.clientSecret             YPcdr1FifclLuF2Dyu164WWD
provider_2.identifier               ExShareGID
provider_2.useRealm                 For multiple IDPs: ExShareGID
                                    For a single IDP: ldap_realm
                                    Set this to the Realm name under Security > Global security > User account repository.
provider_2.filter                   For multiple IDPs: auth-token-realm%=ExShareGID
                                    The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider through its provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_2.useRealm = ExShareGID
                                    For a single IDP: Authorization%=Bearer
                                    All requests that carry a Bearer token are then authenticated by using this OAuth/OIDC configuration.
provider_2.userIdentifier           email
provider_2.useJwtFromRequest        OIDC: ifPresent
                                    Note: Google Sign-In must use OIDC. OAuth is not supported.
provider_2.scope                    openid email
provider_2.uniqueUserIdentifier     email
provider_2.introspectEndpointUrl    https://oauth2.googleapis.com/token
provider_2.allowImplicitClientFlow  true
provider_2.verifyIssuerInIat        true
provider_2.audiences                530122881973-fuotgltih4t5e3335im9aeca2uql7q52.apps.googleusercontent.com

provider_3.authorizeEndpointUrl     https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/authorize
provider_3.tokenEndpointUrl         https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/token
provider_3.signVerifyAlias          prepiam_toronto_ca_ibm_com
provider_3.signatureAlgorithm       RS256
provider_3.issuerIdentifier         https://prepiam.toronto.ca.ibm.com
provider_3.clientId                 exShareIbmId
provider_3.clientSecret             MTQ0YjMwYmItNDVjMS00
provider_3.identifier               ExShareIbmId
provider_3.useRealm                 For multiple IDPs: ExShareIbmId
                                    For a single IDP: ldap_realm
                                    Set this to the Realm name under Security > Global security > User account repository.
provider_3.filter                   For multiple IDPs: auth-token-realm%=ExShareIbmId
                                    The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider through its provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_3.useRealm = ExShareIbmId
                                    For a single IDP: Authorization%=Bearer
                                    All requests that carry a Bearer token are then authenticated by using this OAuth/OIDC configuration.
provider_3.userIdentifier           sub
provider_3.useJwtFromRequest        OAuth: no
                                    OIDC: ifPresent
provider_3.scope                    openid email
provider_3.uniqueUserIdentifier     sub
provider_3.introspectEndpointUrl    https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/introspect
provider_3.allowImplicitClientFlow  true
provider_3.verifyIssuerInIat        OAuth: false
                                    OIDC: true
provider_3.audiences                exShareIbmId
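Because the provider_<n> prefix and the auth-token-realm%= filter have to agree with each other and with the Navigator side, a copy-and-paste slip in one value silently routes tokens to the wrong provider or rejects them. The following Python script is an added example, not code from the product or its documentation: it parses settings written in the table's Name/Value layout and checks the rules stated above (providers numbered 1..N without gaps, each multi-IDP filter of the form auth-token-realm%=<realm> naming the same realm as that provider's useRealm, Authorization%=Bearer for a single IDP, and https on every endpoint and issuer URL). The property names are the ones in the table; the parser, the rule set, the sample host names, client IDs and secrets are constructed for illustration, and the check that no two providers share a realm is an assumption about how the realm selects a provider, not a rule the page states.

```python
"""Consistency check for RelyingParty Interceptor provider_<n> settings.

Added example, not product code. Property names follow the settings table;
the parser, rule set and sample values are constructed for illustration.
"""
import re
from collections import defaultdict

PROVIDER_KEY = re.compile(r"^provider_(\d+)\.(\w+)$")
# Properties every provider block in the table carries.
REQUIRED = ("authorizeEndpointUrl", "tokenEndpointUrl", "issuerIdentifier",
            "clientId", "clientSecret", "identifier", "useRealm", "filter",
            "userIdentifier", "uniqueUserIdentifier")
# Endpoints that carry codes, tokens or keys: plain http is never acceptable.
URL_KEYS = ("authorizeEndpointUrl", "tokenEndpointUrl", "jwkEndpointUrl",
            "introspectEndpointUrl", "issuerIdentifier")
SINGLE_IDP_FILTER = "Authorization%=Bearer"
MULTI_IDP_FILTER = re.compile(r"^auth-token-realm%=(.+)$")


def parse_settings(text):
    """Parse 'name value' or 'name=value' lines into {n: {property: value}}."""
    providers = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"cannot parse setting: {raw!r}")
        m = PROVIDER_KEY.match(parts[0])
        if not m:
            raise ValueError(f"name must be provider_<n>.<property>: {parts[0]!r}")
        providers[int(m.group(1))][m.group(2)] = parts[1]
    return dict(providers)


def check_settings(providers, multiple_idps=True):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    numbers = sorted(providers)
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append(f"providers must be numbered 1..N without gaps, got {numbers}")
    for n in numbers:
        props, prefix = providers[n], f"provider_{n}"
        problems += [f"{prefix}.{k} is missing" for k in REQUIRED if k not in props]
        problems += [f"{prefix}.{k} must be an https URL, got {props[k]!r}"
                     for k in URL_KEYS if k in props and not props[k].startswith("https://")]
        flt, realm = props.get("filter", ""), props.get("useRealm")
        if multiple_idps:
            m = MULTI_IDP_FILTER.match(flt)
            if not m:
                problems.append(f"{prefix}.filter must be auth-token-realm%=<realm>, got {flt!r}")
            elif m.group(1) != realm:
                problems.append(f"{prefix}.filter realm {m.group(1)!r} does not match "
                                f"{prefix}.useRealm {realm!r}")
        elif flt != SINGLE_IDP_FILTER:
            problems.append(f"{prefix}.filter must be {SINGLE_IDP_FILTER!r} for a single IDP, got {flt!r}")
    if multiple_idps:
        # Assumption: the realm selects the provider, so two providers sharing
        # one realm would make the auth-token-realm filter ambiguous.
        realms = [providers[n].get("useRealm") for n in numbers]
        for r in sorted({r for r in realms if r and realms.count(r) > 1}):
            problems.append(f"realm {r!r} is used by more than one provider")
    return problems


# Constructed sample in the table's "Name Value" layout; hosts, client IDs
# and secrets are placeholders, not values from any real deployment.
SAMPLE_OK = """
provider_1.authorizeEndpointUrl https://ums.example.com:9443/oidc/endpoint/ums/authorize
provider_1.tokenEndpointUrl https://ums.example.com:9443/oidc/endpoint/ums/token
provider_1.issuerIdentifier https://ums.example.com/oidc/endpoint/ums
provider_1.clientId exShareUms
provider_1.clientSecret REPLACE_ME
provider_1.identifier ExShareUms
provider_1.useRealm ExShareUms
provider_1.filter auth-token-realm%=ExShareUms
provider_1.userIdentifier sub
provider_1.uniqueUserIdentifier sub
provider_2.authorizeEndpointUrl https://accounts.google.com/o/oauth2/v2/auth
provider_2.tokenEndpointUrl https://oauth2.googleapis.com/token
provider_2.issuerIdentifier https://accounts.google.com
provider_2.clientId REPLACE_ME.apps.googleusercontent.com
provider_2.clientSecret REPLACE_ME
provider_2.identifier ExShareGID
provider_2.useRealm ExShareGID
provider_2.filter auth-token-realm%=ExShareGID
provider_2.userIdentifier email
provider_2.uniqueUserIdentifier email
"""
# The same settings with the copy-and-paste slip this check is meant to catch:
# provider_2's filter still names provider_1's realm.
SAMPLE_REALM_MISMATCH = SAMPLE_OK.replace(
    "provider_2.filter auth-token-realm%=ExShareGID",
    "provider_2.filter auth-token-realm%=ExShareUms")

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("mismatch", SAMPLE_REALM_MISMATCH)):
        print(label, check_settings(parse_settings(text)) or "no problems")
```

Run it against an export of your own Interceptor settings before you run it in multi-IDP mode against the matching Navigator settings; the two sides must agree on every realm name, and the check will also flag a single-IDP configuration that was left with a realm filter instead of Authorization%=Bearer.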