
Configure an OpenID Connect Relying Party

We can configure a WebSphere Application Server (WAS) to act as an OpenID Connect Relying Party (RP), so that web single sign-on can use an OpenID Connect Provider (OP) as the identity provider.


Tasks

  1. From the administrative console, add a new interceptor....

      Security > Global security > Web and SIP security > Trust association > Interceptors > New

  2. Enter the interceptor class name of...

      com.ibm.ws.security.oidc.client.RelyingParty.

  3. Add the RP custom properties required for your environment (the available properties are listed in the related topic, OpenID Connect Relying Party custom properties).

  4. Click Apply and Save the configuration updates.

    Important: Do not click Save without clicking Apply first or the custom properties are discarded.

  5. Click...

      Security > Global security > Custom properties > New

    ...and define the following custom property information under General properties:

    If this property already exists, append com.ibm.ws.security.oidc.client.RelyingParty to its existing value, separating the entries with commas to form a list.

  6. Import the OpenID Connect Provider's SSL signer certificate into the WAS truststore, so that the RP can validate the OP's TLS endpoint.

    1. In the administrative console, click...

      Use CellDefaultTrustStore instead of NodeDefaultTrustStore when configuring a deployment manager (dmgr).

    2. Click Add.

    3. Complete the certificate information, then click Apply.

  7. Install the OIDC RP application. For each profile on which the OpenID Connect RP is to be installed, run...

      cd <install_root>/bin
      wsadmin -f installOIDCRP.py install nodeName serverName

    or:

      wsadmin -f installOIDCRP.py install clusterName

    ...where:

      nodeName     Node name of the target application server.
      serverName   Server name of the target application server.
      clusterName  Name of the cluster on which the OpenID Connect RP is to be installed.

  8. Restart WAS.

The steps in this topic establish the minimum configuration required for a WAS to act as an OpenID Connect Relying Party that can communicate with an OpenID Connect Provider.
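Console steps 1 through 6 above, scripted as one wsadmin Jython run so the configuration is repeatable and the comma-list rule of step 5 is applied mechanically. This is an added example; it is not IBM's installOIDCRP.py and not a script from this page. It assumes the standard wsadmin AdminConfig, AdminTask and AdminControl objects, the TrustAssociation, TAInterceptor and Property configuration types with the interceptors, trustProperties and properties attribute names, and the AdminTask.retrieveSignerFromPort command with a cell-scoped CellDefaultTrustStore (the dmgr case from step 6). The script file name, the oidc-op-signer alias and the argument layout are the author's choices. The global security property of step 5 is passed in as the first argument rather than hard-coded, because this page does not reproduce its name.

```jython
# configure_oidc_rp.py: added example, not IBM's script. Run inside wsadmin:
#   wsadmin -lang jython -f configure_oidc_rp.py <step5Property> <opHost> <opPort> [key=value ...]
# <step5Property> is the global security custom property named in step 5 (supplied by
# the caller, not hard-coded). key=value pairs are the RP custom properties of step 3.
# Assumed wsadmin objects/types: AdminConfig, AdminTask, AdminControl, TrustAssociation,
# TAInterceptor, Property, and the retrieveSignerFromPort command.
import sys

RP_CLASS = 'com.ibm.ws.security.oidc.client.RelyingParty'

def id_list(attr_value):
    # showAttribute renders a list attribute as "[id1 id2 ...]"; config IDs contain no spaces.
    return attr_value.strip()[1:-1].split()

def merged_list(current, entry):
    # Step 5 rule: keep the existing comma-separated list, append the RP class only if absent.
    items = [x.strip() for x in (current or '').split(',') if x.strip()]
    if entry not in items:
        items.append(entry)
    return ','.join(items)

def upsert_property(parent_id, list_attr, name, value):
    # Create or update a name/value Property child of parent_id inside attribute list_attr.
    for pid in id_list(AdminConfig.showAttribute(parent_id, list_attr)):
        if AdminConfig.showAttribute(pid, 'name') == name:
            AdminConfig.modify(pid, [['value', value]])
            return pid
    return AdminConfig.create('Property', parent_id, [['name', name], ['value', value]], list_attr)

def configure_rp_interceptor(sec_id, rp_props):
    # Steps 1-3: make sure trust association is enabled, then add (or reuse) the RP
    # interceptor and set its custom properties. Re-running the script is safe.
    ta_id = AdminConfig.list('TrustAssociation', sec_id).splitlines()[0]
    AdminConfig.modify(ta_id, [['enabled', 'true']])
    tai = None
    for i in id_list(AdminConfig.showAttribute(ta_id, 'interceptors')):
        if AdminConfig.showAttribute(i, 'interceptorClassName') == RP_CLASS:
            tai = i
    if tai is None:
        tai = AdminConfig.create('TAInterceptor', ta_id,
                                 [['interceptorClassName', RP_CLASS]], 'interceptors')
    for name, value in rp_props.items():
        upsert_property(tai, 'trustProperties', name, value)
    return tai

def configure_global_property(sec_id, prop_name):
    # Step 5: register the RP class in the comma-separated list property without
    # clobbering any interceptor classes that are already listed there.
    current = ''
    for pid in id_list(AdminConfig.showAttribute(sec_id, 'properties')):
        if AdminConfig.showAttribute(pid, 'name') == prop_name:
            current = AdminConfig.showAttribute(pid, 'value')
    upsert_property(sec_id, 'properties', prop_name, merged_list(current, RP_CLASS))

def import_op_signer(host, port, alias):
    # Step 6: pull the OP's signer certificate from its TLS port into CellDefaultTrustStore
    # (the dmgr case). Assumption: a standalone server would use NodeDefaultTrustStore
    # with a node-scoped keyStoreScope instead.
    scope = '(cell):' + AdminControl.getCell()
    AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope %s '
                                     '-host %s -port %s -certificateAlias %s]'
                                     % (scope, host, port, alias))

def main(argv):
    if len(argv) < 3:
        print 'usage: <step5Property> <opHost> <opPort> [key=value ...]'
        return
    prop_name, host, port = argv[0], argv[1], argv[2]
    rp_props = {}
    for kv in argv[3:]:
        k, v = kv.split('=', 1)
        rp_props[k] = v
    sec_id = AdminConfig.list('Security').splitlines()[0]
    configure_rp_interceptor(sec_id, rp_props)
    configure_global_property(sec_id, prop_name)
    import_op_signer(host, port, 'oidc-op-signer')
    AdminConfig.save()   # the scripted equivalent of Apply followed by Save (step 4)

main(sys.argv)
```

Two caveats for running this. retrieveSignerFromPort trusts whatever certificate the named host and port present at that moment, so confirm the imported certificate's fingerprint against a value obtained from the OP operator out of band before relying on it; otherwise an attacker who can reach that connection first becomes a trusted signer for every token exchange. In a network deployment cell, synchronize the nodes after AdminConfig.save() (for example with AdminNodeManagement.syncActiveNodes()), then carry out steps 7 and 8 (installOIDCRP.py and the restart) as described above.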


Related:

  • OpenID Connect overview
  • OpenID Connect Relying Party custom properties