You can configure a WebSphere® Application Server to function as an OpenID Relying Party (RP or client) to take advantage of web single sign-on, using an OpenID Provider as the identity provider.
About this task
Configure a WebSphere Application Server to act as an OpenID Relying Party by performing the following steps:
Procedure
- In the administrative console, click Security > Global security > Web and SIP security > Trust association.
- Click Interceptors.
- Click New to add a new interceptor.
- Enter the interceptor class name: com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI
- Add custom properties for your environment. Read OpenID Relying Party custom properties for a list of the properties.
- Click Apply and then Save the configuration updates.
Important: Do not click Save without clicking Apply first, or the custom properties are discarded.
- Under Global Security > Trust Association, select the Enable Trust Association check box.
- Click Security > Global security and then click Custom properties.
- Click New and define the following custom property under General properties:
Name: com.ibm.websphere.security.performTAIForUnprotectedURI
Value: true
Note: Set this property only if there is a need for the TAI to intercept requests to an unprotected URI.
- Import the OpenID provider's SSL signer certificate into the WebSphere Application Server truststore.
  - In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
  - Click Add.
- In the administrative console, add the trusted realm.
  - Click Global Security.
  - Under User account repository, click Configure.
  - Click Trusted authentication realms – inbound.
  - Click Add External Realm. By default the RP uses the realm name OpenIDDefaultRealm; if that default is not modified during the configuration of the RP, add the same name as a trusted realm. Make sure that the realmName property configured in the RP is the name added as a trusted realm.
- Restart WebSphere Application Server.
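The same configuration can be scripted with wsadmin instead of clicked through in the console. The following Jython script is an added example, not part of the IBM documentation: the AdminTask commands are the standard wsadmin equivalents of the steps above, while the provider host name, the certificate alias and the PLACEHOLDER_* property entries are assumptions that you must replace with values from the OpenID Relying Party custom properties reference.

```jython
# wsadmin Jython script (added example, not from the IBM documentation).
# Automates the administrative-console steps above.
# Run with: wsadmin -lang jython -f openid_rp_tai.py

TAI_CLASS = 'com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI'

# Realm name the RP asserts; OpenIDDefaultRealm is the RP default.
REALM_NAME = 'OpenIDDefaultRealm'

# OpenID Provider endpoint whose SSL signer certificate must be trusted
# (assumed placeholder host; replace with your provider).
OP_HOST = 'op.example.test'
OP_PORT = 443

# Interceptor custom properties as "name=value" strings. The PLACEHOLDER
# entry must be replaced with the documented RP properties (at minimum the
# realmName property, which must match REALM_NAME below).
TAI_PROPS = [
    'PLACEHOLDER_PROPERTY=PLACEHOLDER_VALUE',
]

def quote_list(values):
    """Format a list as the ["a=b","c=d"] literal that wsadmin expects."""
    return '[' + ','.join(['"%s"' % v for v in values]) + ']'

# 1. Register the interceptor class together with its custom properties
#    (equivalent to New interceptor + Apply + Save in the console).
AdminTask.configureInterceptor('-interceptor %s -customProperties %s'
                               % (TAI_CLASS, quote_list(TAI_PROPS)))

# 2. Enable trust association under global security.
AdminTask.configureTrustAssociation('-enable true')

# 3. Allow the TAI to intercept unprotected URIs. Only needed if your
#    sign-on flow requires it; omit this step otherwise.
AdminTask.setAdminActiveSecuritySettings('-customProperties %s' % quote_list(
    ['com.ibm.websphere.security.performTAIForUnprotectedURI=true']))

# 4. Pull the provider's signer certificate into the node truststore.
#    Use CellDefaultTrustStore on a deployment manager; add -keyStoreScope
#    if the keystore name is ambiguous in your cell. Verify the retrieved
#    certificate's fingerprint out of band before relying on it.
AdminTask.retrieveSignerFromPort(
    '-keyStoreName NodeDefaultTrustStore -host %s -port %d '
    '-certificateAlias openid_provider_signer' % (OP_HOST, OP_PORT))

# 5. Trust the realm the RP asserts (must equal the RP realmName property).
AdminTask.addTrustedRealms('-communicationType inbound -realmList %s' % REALM_NAME)

# 6. Persist the configuration. Restart the server afterwards.
AdminConfig.save()
```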
Results
These steps establish the minimum configuration required for a WebSphere Application Server to act as an OpenID Relying Party capable of communicating with an OpenID Provider.