
Configure an OpenID Relying Party

You can configure WebSphere Application Server (WAS) to function as an OpenID Relying Party (RP, or client) and take advantage of web single sign-on, using an OpenID Provider as the identity provider.

Read OpenID authentication overview for more information on OpenID.

Review the custom properties that control the OpenID Relying Party configuration options. Read OpenID Relying Party custom properties for more information.

Configure a WAS to act as an OpenID Relying Party by performing the following steps:

  1. In the console, click Security > Global security > Web and SIP security > Trust association.

  2. Click Interceptors.

  3. Click New to add a new interceptor.

  4. Enter the interceptor class name: com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI.

  5. Add custom properties for the environment. Read OpenID Relying Party custom properties for a list of the properties.

  6. Click Apply and Save the configuration updates.

    Important: Do not click Save without clicking Apply first or the custom properties are discarded.

  7. Under Global Security > Trust Association, select the Enable Trust Association check box.

  8. Click Security > Global security and then click Custom properties.

  9. Click New and define the following custom property information under General properties:
        Name: com.ibm.websphere.security.performTAIForUnprotectedURI
        Value: true

    Set this property only if the TAI must intercept requests to unprotected URIs.

  10. Import the OpenID Provider's SSL signer certificate into the WAS truststore.

    1. In the console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.

    2. Click Add.

  11. In the console, add the trusted realm.

    1. Click Global Security.

    2. Under user account repository, click Configure.

    3. Click Trusted authentication realms inbound.

    4. Click Add External Realm.

      The RP by default uses the name OpenIDDefaultRealm. If that default is not modified during the configuration of the RP, the same name should be added as a trusted realm.

      Make sure the realmName property configured in the RP is added as a trusted realm.

  12. Restart WebSphere Application Server.
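The console procedure above, expressed as a wsadmin (Jython) script so it can be repeated across cells. This is an added example, not code from the page or from IBM: the AdminTask command names and argument syntax (configureInterceptor, configureTrustAssociation, setAdminActiveSecuritySettings, addSignerCertificate, addTrustedRealms) and the "name=value" custom-property form are assumed from the wsadmin scripting interface as I know it, and the certificate path, alias and any provider-specific RP properties are placeholders you supply.

```python
# Added example: wsadmin (Jython) equivalent of console steps 3 to 11 above.
# Assumption: AdminTask command names and argument syntax are as known from
# the wsadmin scripting interface, not taken from this page.
RP_TAI_CLASS = "com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI"
DEFAULT_REALM = "OpenIDDefaultRealm"
UNPROTECTED_URI_PROP = "com.ibm.websphere.security.performTAIForUnprotectedURI"

def custom_props_arg(props):
    """Render a dict as a -customProperties list: ["k=v" "k=v" ...]."""
    keys = list(props.keys())
    keys.sort()  # deterministic order; also works on old Jython releases
    return "[%s]" % " ".join(['"%s=%s"' % (k, props[k]) for k in keys])

def interceptor_args(props):
    """Steps 3-5: register the RP TAI class with its custom properties."""
    if props.get("realmName") is None:
        # The RP realm must match the inbound trusted realm (step 11), or
        # identities asserted by the OpenID Provider are rejected as untrusted.
        raise ValueError("realmName is required")
    return "[-interceptor %s -customProperties %s]" % (
        RP_TAI_CLASS, custom_props_arg(props))

def signer_args(cert_path, alias, truststore="NodeDefaultTrustStore"):
    """Step 10: import the OpenID Provider's SSL signer certificate.
    Use truststore="CellDefaultTrustStore" on a deployment manager."""
    return ("[-keyStoreName %s -certificateFilePath %s -base64Encoded true "
            "-certificateAlias %s]" % (truststore, cert_path, alias))

def trusted_realm_args(realm):
    """Step 11: add the RP realm as an inbound trusted authentication realm."""
    return "[-communicationType inbound -realmList %s]" % realm

def configure_rp(AdminTask, AdminConfig, props, cert_path, alias,
                 intercept_unprotected=False, truststore="NodeDefaultTrustStore"):
    """Run the procedure inside wsadmin; pass wsadmin's AdminTask/AdminConfig."""
    AdminTask.configureInterceptor(interceptor_args(props))
    AdminTask.configureTrustAssociation("[-enable true]")  # step 7
    if intercept_unprotected:  # step 9: widens the TAI to unprotected URIs, so only if needed
        AdminTask.setAdminActiveSecuritySettings(
            "[-customProperties %s]" % custom_props_arg({UNPROTECTED_URI_PROP: "true"}))
    AdminTask.addSignerCertificate(signer_args(cert_path, alias, truststore))
    AdminTask.addTrustedRealms(trusted_realm_args(props["realmName"]))
    AdminConfig.save()  # step 6 (Save); step 12, the server restart, remains manual
    return props["realmName"]
```

Inside wsadmin, call it as `configure_rp(AdminTask, AdminConfig, {"realmName": DEFAULT_REALM}, "/tmp/openid-provider-signer.cer", "openid-provider")` with your own path and alias.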


Results

These steps establish the minimum configuration required for a WebSphere Application Server to act as an OpenID Relying Party capable of communicating with an OpenID Provider.

Related concepts

  • OpenID authentication overview
  • OpenID Relying Party custom properties