Configure an OpenID Connect Relying Party
We can configure a WebSphere Application Server to function as an OpenID Connect Relying Party (RP, or client) to take advantage of web single sign-on using an OpenID Connect Provider as an identity provider.
Read OpenID Connect overview for more information on OpenID Connect.
Review the properties that control the OpenID Connect Relying Party configuration options. Read OpenID Connect Relying Party custom properties for more information.
Configure a WAS to act as an OpenID Connect Relying Party by performing the following steps:
Tasks
- In the administrative console, click Security > Global security > Web and SIP security > Trust association.
- Click Interceptors.
- Click New to add a new interceptor.
- Enter the interceptor class name of com.ibm.ws.security.oidc.client.RelyingParty.
- Add custom properties for the environment. Read OpenID Connect Relying Party custom properties for a list of the properties.
- Click Apply and Save the configuration updates.
Important: Do not click Save without clicking Apply first or the custom properties are discarded.
- Click Security > Global security and then click Custom properties.
- Click New and define the following custom property information under General properties:
Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
Value: com.ibm.ws.security.oidc.client.RelyingParty
If this property is already defined, append com.ibm.ws.security.oidc.client.RelyingParty to the existing value, separated from it by a comma, so that the value becomes a comma-separated list.
- Import the OpenID connect provider's SSL signer certificate to the WAS's truststore.
- In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
- Click Add.
- Complete the certificate information, then click Apply.
- Install the OIDC application. Change to app_server_root/bin and run the script installOIDCRP.py for each profile on which the OpenID Connect RP is to be installed. For example:
cd <install_root>/bin
wsadmin -f installOIDCRP.py install nodeName serverName
or:
wsadmin -f installOIDCRP.py install clusterName
where:
- nodeName is the node name of the target application server.
- serverName is the server name of the target application server.
- clusterName is the name of the cluster on which the OpenID Connect RP is to be installed.
- Restart WAS.
The steps in this topic establish the minimum configuration required to configure a WAS as an OpenID Connect Relying Party capable of communicating with an OpenID Connect provider.
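As an added example (not IBM's code), the following Python checks one provider's RP TAI property set before it is entered in the interceptor's Custom properties panel and builds the merged InvokeTAIbeforeSSO value from the steps above. The provider_1.* key names, the endpoint URLs and the sample values are assumptions; confirm the key names against the OpenID Connect Relying Party custom properties topic for your release.

```python
RP_CLASS = "com.ibm.ws.security.oidc.client.RelyingParty"


def merge_invoke_tai_value(existing, cls=RP_CLASS):
    """Append cls to an existing comma-separated InvokeTAIbeforeSSO value.

    Existing entries are kept in order and cls is never added twice, which
    is what the manual "add it to the existing value" step requires."""
    entries = [e.strip() for e in (existing or "").split(",") if e.strip()]
    if cls not in entries:
        entries.append(cls)
    return ",".join(entries)


def check_rp_properties(props, prefix="provider_1."):
    """Return findings for one provider's RP TAI property set ([] if clean).

    Key names (provider_<n>.identifier, .clientId, .clientSecret,
    .authorizeEndpointUrl, .tokenEndpointUrl, .scope) are assumed here."""
    findings = []
    for key in ("identifier", "clientId", "clientSecret",
                "authorizeEndpointUrl", "tokenEndpointUrl"):
        if not props.get(prefix + key):
            findings.append("missing " + prefix + key)
    for key in ("authorizeEndpointUrl", "tokenEndpointUrl"):
        url = props.get(prefix + key, "")
        # The RP sends the client secret and receives tokens on these
        # endpoints, so anything but HTTPS exposes them on the wire.
        if url and not url.lower().startswith("https://"):
            findings.append(prefix + key + " is not https")
    scope = props.get(prefix + "scope", "").split()
    if "openid" not in scope:
        findings.append(prefix + "scope must include openid")
    return findings


# Constructed sample: a weak property set beside its corrected form.
WEAK_PROPS = {
    "provider_1.identifier": "op",
    "provider_1.clientId": "was-rp",
    "provider_1.authorizeEndpointUrl": "https://op.example/authorize",
    "provider_1.tokenEndpointUrl": "http://op.example/token",
    "provider_1.scope": "profile email",
}
GOOD_PROPS = dict(WEAK_PROPS)
GOOD_PROPS.update({
    "provider_1.clientSecret": "<client secret issued by the OP>",
    "provider_1.tokenEndpointUrl": "https://op.example/token",
    "provider_1.scope": "openid profile email",
})
```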
Subtopics
- OpenID Connect Relying Party custom properties
The following tables list the custom properties for the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI). We can define these properties in the Custom Properties panel for the OpenID Connect TAI using the administrative console.