
Configure an OpenID Connect Relying Party

We can configure a WAS to function as an OpenID Connect Relying Party (RP, or client) to take advantage of web single sign-on using an OpenID Connect Provider as an identity provider.

Read OpenID Connect overview for more information on OpenID Connect.

Review the properties that control the OpenID Connect Relying Party configuration options before you begin. Read OpenID Connect Relying Party custom properties for more information.

Configure a WAS to act as an OpenID Connect Relying Party by performing the following steps:

  1. In the console, click Security > Global security > Web and SIP security > Trust association.

  2. Click Interceptors.

  3. Click New to add a new interceptor.

  4. Enter the interceptor class name: com.ibm.ws.security.oidc.client.RelyingParty.

  5. Add custom properties for the environment. Read OpenID Connect Relying Party custom properties for a list of the properties.

  6. Click Apply and Save the configuration updates.

    Important: Do not click Save without clicking Apply first or the custom properties are discarded.

  7. Click Security > Global security and then click Custom properties.

  8. Click New and define the following custom property information under General properties:
       Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
       Value: com.ibm.ws.security.oidc.client.RelyingParty

    If this property is already defined, append com.ibm.ws.security.oidc.client.RelyingParty to the existing value, separating the entries with a comma to form a list.

  9. Import the OpenID Connect provider's SSL signer certificate into the WAS truststore.

    1. In the console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.

    2. Click Add.

    3. Complete the certificate information, then click Apply.

  10. Install the OIDC application. Change to the app_server_root/bin directory and run the script installOIDCRP.py for each profile on which the OpenID Connect RP is to be installed. For example:

      cd <install_root>/bin
      wsadmin -f installOIDCRP.py install nodeName serverName

    or:

      wsadmin -f installOIDCRP.py install clusterName

    where:

    nodeName is the node name of the target application server.
    serverName is the server name of the target application server.
    clusterName is the name of the cluster on which the OpenID Connect RP is to be installed.

  11. Restart WebSphere Application Server.
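Step 8 is the one place in this procedure where an existing value must be merged rather than overwritten: if com.ibm.websphere.security.InvokeTAIbeforeSSO already names another interceptor, replacing it would silently stop that interceptor from running before SSO. The following wsadmin Jython script is an added example, not IBM's installOIDCRP.py or any other WebSphere-supplied code. It assumes the generic wsadmin AdminConfig API (list, showAttribute, modify, create, save) and that the cell Security object exposes its custom properties through a `properties` attribute whose entries have `name` and `value`; confirm those attribute names against your WebSphere version before running it with `wsadmin -lang jython -f`.

```python
# Added example (not IBM's code): merge the OIDC Relying Party class into the
# com.ibm.websphere.security.InvokeTAIbeforeSSO security custom property as
# step 8 describes, then write it through wsadmin's AdminConfig object.
# Assumptions: the Security object's custom properties live in its
# 'properties' attribute and each entry has 'name' and 'value' attributes.
# Written to run under both Jython 2.x (wsadmin) and CPython 3.

PROPERTY_NAME = "com.ibm.websphere.security.InvokeTAIbeforeSSO"
RP_CLASS = "com.ibm.ws.security.oidc.client.RelyingParty"


def merge_tai_list(existing, interceptor=RP_CLASS):
    """Return the comma-separated TAI list with `interceptor` present once.

    None or an empty string yields just the interceptor. An existing list
    keeps its order, surrounding whitespace is dropped, and the interceptor
    is appended only if it is not already listed, so re-running is safe.
    """
    entries = []
    if existing:
        for item in existing.split(","):
            item = item.strip()
            if item and item not in entries:
                entries.append(item)
    if interceptor not in entries:
        entries.append(interceptor)
    return ",".join(entries)


def ensure_tai_before_sso(admin_config):
    """Create or update the property on the cell Security object.

    `admin_config` is wsadmin's AdminConfig object. Returns the value that
    is now stored (the caller is responsible for AdminConfig.save()).
    """
    # AdminConfig.list returns one config ID per line; Security has one.
    security = admin_config.list("Security").splitlines()[0]
    # showAttribute renders list attributes as "[id1 id2 ...]" (assumption:
    # config IDs contain no spaces, so a whitespace split recovers them).
    prop_ids = admin_config.showAttribute(security, "properties")
    prop_ids = prop_ids.strip("[]").split()
    for prop_id in prop_ids:
        if admin_config.showAttribute(prop_id, "name") == PROPERTY_NAME:
            current = admin_config.showAttribute(prop_id, "value")
            merged = merge_tai_list(current)
            if merged != current:
                admin_config.modify(prop_id, [["value", merged]])
            return merged
    # Property not defined yet: create it with just the RP class.
    merged = merge_tai_list(None)
    admin_config.create("Property", security,
                        [["name", PROPERTY_NAME], ["value", merged]])
    return merged


try:
    AdminConfig  # injected into the script namespace by wsadmin
except NameError:
    AdminConfig = None  # running outside wsadmin: only the helpers are usable

if AdminConfig is not None:
    written = ensure_tai_before_sso(AdminConfig)
    AdminConfig.save()
    print("%s=%s" % (PROPERTY_NAME, written))
```

The merge keeps whatever interceptors were already configured ahead of the Relying Party, which matters because WebSphere invokes the listed TAIs in order; after the script runs, restart the server as in step 11 and confirm the value in the console under Security > Global security > Custom properties.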


Results

The steps in this topic establish the minimum configuration required for a WAS to act as an OpenID Connect Relying Party that can communicate with an OpenID Connect provider.


Related concepts

  • OpenID Connect overview
  • OpenID Connect Relying Party custom properties