(V5.5.5 and later) Configuring external users with an Identity Provider for a traditional WebSphere Application Server environment

To manage external users with an Identity Provider, you configure settings in WebSphere Application Server and register the Content Platform Engine and IBM Content Navigator servers with the identity provider as an OAuth/OIDC client.

Before you begin

Set up the Managed User Directory configuration by using the Administration Console for Content Platform Engine. Configure only one Managed User Directory for the external users, even if more than one IdP is configured for them. External users must be uniquely identified by their email address across all realms in the P8 domain other than the Managed User Directory realm, so the same address must not resolve to entries in more than one of those realms. For the Managed User Directory configuration steps, see Configuring users with an identity provider.
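The uniqueness requirement above is easy to violate when several directory realms are federated into one P8 domain. The following pre-check is an added example, not part of this documentation or of the product: it takes (realm, DN, mail) entries as you might export them from each realm, skips the Managed User Directory realm, and reports every email address that maps to more than one entry. The realm names, DNs and addresses are constructed sample data; treating addresses case-insensitively is an assumption made here to be conservative about collisions.

```python
from collections import defaultdict

# Constructed sample export: (realm, distinguished name, mail). Not real data.
# "ManagedUsers" is a hypothetical name for the Managed User Directory realm,
# which the uniqueness rule excludes.
MANAGED_USER_DIRECTORY_REALM = "ManagedUsers"

SAMPLE_ENTRIES = [
    ("CorpLDAP",     "uid=alice,ou=people,dc=example,dc=com",     "alice@example.com"),
    ("CorpLDAP",     "uid=bob,ou=people,dc=example,dc=com",       "bob@example.com"),
    ("CorpLDAP",     "uid=svc-scan,ou=service,dc=example,dc=com", ""),  # no mail attribute
    ("PartnerLDAP",  "cn=Alice Partner,ou=ext,dc=partner,dc=net", "Alice@Example.com"),
    ("PartnerLDAP",  "cn=carol,ou=ext,dc=partner,dc=net",         "carol@partner.net"),
    ("ManagedUsers", "uid=alice,ou=managed,dc=p8,dc=local",       "alice@example.com"),
]


def normalize_email(mail):
    """Canonical form used for comparison. Lower-casing the whole address is an
    assumption: it flags more collisions than a strictly case-sensitive compare."""
    return mail.strip().lower()


def find_email_collisions(entries, excluded_realm=MANAGED_USER_DIRECTORY_REALM):
    """Return {email: [(realm, dn), ...]} for every address that identifies more
    than one entry across the non-excluded realms. Entries without a mail value
    are ignored because they cannot be external users."""
    owners = defaultdict(list)
    for realm, dn, mail in entries:
        if realm == excluded_realm or not mail or not mail.strip():
            continue
        owners[normalize_email(mail)].append((realm, dn))
    return {mail: found for mail, found in owners.items() if len(found) > 1}


def is_unique_by_email(entries, excluded_realm=MANAGED_USER_DIRECTORY_REALM):
    """True when the external-user realms satisfy the uniqueness requirement."""
    return not find_email_collisions(entries, excluded_realm)


if __name__ == "__main__":
    for mail, found in sorted(find_email_collisions(SAMPLE_ENTRIES).items()):
        print(f"{mail} is claimed by {len(found)} entries:")
        for realm, dn in found:
            print(f"    [{realm}] {dn}")
    print("unique:", is_unique_by_email(SAMPLE_ENTRIES))
```

In the sample, alice@example.com appears in both CorpLDAP and PartnerLDAP, so the check fails; the copy in ManagedUsers is ignored because that realm is excluded. Run this against real exports before configuring the Managed User Directory.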

All Identity Providers (IdPs) that support OAuth 2.0 or OpenID Connect authentication provide a registration mechanism that identifies the client application to the IdP. At a minimum, the OAuth 2.0 and OpenID Connect specifications require a client ID, a client secret, and the redirect URIs of the client application.

For an example, see the Google Identity Platform documentation on obtaining OAuth 2.0 credentials for applications: OpenID Connect.

When you register an application with an Identity Provider, you can use the same clientId registration for each of the IBM® Content Navigator and Content Platform Engine instances in your environment. You must provide a redirect URI for each of these instances, using the following pattern:

https://<hostname:port>/oidcclient/<ExShareId>

Where:

<hostname> is the host name of your IBM Content Navigator or Content Platform Engine instance.

<port> is the HTTPS port of that instance (9443 in the example that follows).

<ExShareId> is the external share identifier (ExShareGID in the example that follows); the same value is used for every instance that shares the clientId registration.

Each deployment requires its own redirect URI so that the Identity Provider returns the user to the correct service. The URIs are entered on the Identity Provider's registration page.

As an example, for the Google Sign-In Identity Provider, the OAuth 2.0 client ID for ExShareGID would have the following Authorized redirect URIs entered, one for each deployment:

https://cpe_hostname:9443/oidcclient/ExShareGID

https://icn_hostname:9443/oidcclient/ExShareGID
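Identity Providers compare the redirect_uri in an authorization request with the registered values by exact string match (RFC 6749 section 3.1.2.2 recommends it; the OAuth 2.0 Security Best Current Practice requires it), so a missing port, an http scheme, a trailing slash or a different ExShareId is enough for the sign-in to fail. The following helper is an added example, not code from this documentation or from the product: it builds the redirect URIs for every deployment from the pattern above, refuses an inventory in which two deployments would collapse onto one URI, and simulates the IdP-side exact-match check so that a configured value can be verified before it is entered. The deployment inventory reuses the page's example hosts and port and is constructed data.

```python
from urllib.parse import urlsplit

# Constructed inventory, (hostname, port) per instance, using the example hosts
# and port from the page. Not a real environment.
DEPLOYMENTS = [
    ("cpe_hostname", 9443),   # Content Platform Engine
    ("icn_hostname", 9443),   # IBM Content Navigator
]
EXSHARE_ID = "ExShareGID"     # the <ExShareId> used in the page's example


def redirect_uri(hostname, port, exshare_id=EXSHARE_ID):
    """One redirect URI following https://<hostname:port>/oidcclient/<ExShareId>.
    The port is always written out so that the string matches what the IdP stores."""
    return f"https://{hostname}:{port}/oidcclient/{exshare_id}"


def registered_redirect_uris(deployments, exshare_id=EXSHARE_ID):
    """All URIs to enter at the IdP, one per deployment. Two deployments must not
    produce the same URI, since the IdP could not tell them apart on the way back."""
    uris = [redirect_uri(host, port, exshare_id) for host, port in deployments]
    if len(set(uris)) != len(uris):
        raise ValueError(f"two deployments share a redirect URI: {uris}")
    return uris


def redirect_allowed(candidate, registered):
    """Simulated IdP check: accept only an https URI without fragment that equals
    a registered URI byte for byte. No prefix, wildcard or host-only matching."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in registered


def diagnose(candidate, registered):
    """Explain a rejection in terms of the usual misconfigurations."""
    if redirect_allowed(candidate, registered):
        return "ok"
    cand = urlsplit(candidate)
    if cand.scheme != "https":
        return "scheme must be https"
    same_host = [r for r in registered if urlsplit(r).netloc == cand.netloc]
    if not same_host:
        return "host:port not registered (the port must be given explicitly)"
    if cand.query or cand.fragment:
        return "query or fragment not allowed"
    return "path differs from the registered URI (check ExShareId and trailing slash)"


if __name__ == "__main__":
    registered = registered_redirect_uris(DEPLOYMENTS)
    print("Enter these Authorized redirect URIs at the IdP:")
    for uri in registered:
        print("   ", uri)
    for candidate in (
        "https://cpe_hostname:9443/oidcclient/ExShareGID",
        "http://cpe_hostname:9443/oidcclient/ExShareGID",
        "https://cpe_hostname/oidcclient/ExShareGID",
        "https://cpe_hostname:9443/oidcclient/ExShareGID/",
        "https://icn_hostname:9443/oidcclient/ExShareGid",
    ):
        print(f"{candidate:55} -> {diagnose(candidate, registered)}")
```

Only the first candidate in the demonstration is accepted; each of the others fails for one of the reasons listed, which is exactly what happens at a real IdP when the value typed on its registration page differs from the one the server sends.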

About this task

To prepare for managing users with external and internal identity providers, you must configure your environment to communicate securely with the identity providers. Most configuration steps are repeated for each component, IBM Content Navigator and Content Platform Engine.
To configure an external identity provider to work with external share, you perform the following configuration procedures:
  1. Configure LDAP user authentication to use LTPA for WSI transport between IBM Content Navigator and Content Platform Engine.
  2. Configure WebSphere Application Server for OAuth/OIDC.

    This step must be performed on both the WebSphere Application Server instance for Content Platform Engine and the instance for IBM Content Navigator.

  3. Register the Content Platform Engine and IBM Content Navigator servers with the identity provider as an OAuth/OIDC client.