IBM Support

Configuring Cloud Pak for Business Automation with Okta or Azure Active Directory for System for Cross-domain Identity Management (SCIM) support

How To


Summary

Starting with Cloud Pak for Business Automation (CP4BA) 22.0.2-IF005, integration with Okta or Azure Active Directory (Azure AD) for System for Cross-domain Identity Management (SCIM) is supported. To integrate Okta or Azure AD with CP4BA, Okta or Azure AD must first be configured manually with Cloud Pak foundational services (CPfs). At a high level, there are three major steps to configure Okta or Azure AD and install CP4BA:

I. Manual installation of CPfs
II. Complete the configuration of Okta or Azure AD with Identity and Access Management (IAM) in CPfs
III. Perform the installation of CP4BA

Steps

Before following the steps below, you must follow the steps documented in the 22.0.2-IF005 (or later) readme file, which takes you here. Part of the instructions in the readme file require you to download the Case package, which includes the scripts needed for the following steps:
  • I.  Manual installation of CPfs
    • Execute the cp4a-clusteradmin-setup.sh script, which performs all the steps below. All the scripts can be found in the Case package that you downloaded following the instructions in the readme file.
      • Create the CP4BA namespace
      • Create the CPfs configMap in the kube-public namespace to specify CPfs to be installed in the CP4BA namespace
      • Apply the catalog sources associated with the iFix
      • Install all CP4BA operators
    • To install CPfs and configure Okta or Azure AD with IAM, modify the YAML below and provide the corresponding values for "namespace", "shared_configuration.sc_deployment_profile_size in CP4BA CR", "fast storage class in CP4BA CR", and "block storage class in CP4BA CR". Then manually create the AutomationUIConfig and Cartridge resources using the YAML and following these steps:
      apiVersion: core.automation.ibm.com/v1beta1
      kind: AutomationUIConfig
      metadata:
        name: iaf-system
        namespace: <<namespace>>
      spec:
        description: automation-ui-config for CP4BA Cartridge
        license:
          accept: true
        tls: {}
        version: v1
        zen: true
        zenService:
          iamIntegration: true
          scaleConfig: <<shared_configuration.sc_deployment_profile_size in CP4BA CR>>
          storageClass: <<fast storage class in CP4BA CR>>
          zenCoreMetaDbStorageClass: <<block storage class in CP4BA CR>>
      ---
      apiVersion: core.automation.ibm.com/v1beta1
      kind: Cartridge
      metadata:
        name: icp4ba
        namespace: <<namespace>>
      spec:
        description: cartridge for all CP4BA
        license:
          accept: true
        version: v1
    • Create a file called iaf.yaml and copy the YAML excerpt above into it
    • Update iaf.yaml with the corresponding values for <<namespace>>, <<shared_configuration.sc_deployment_profile_size in CP4BA CR>>, <<fast storage class in CP4BA CR>>, and <<block storage class in CP4BA CR>>. Be sure to remove the "<<" and ">>" when you provide the values.
    • Execute: oc apply -f iaf.yaml
    • The command above creates the AutomationUIConfig and Cartridge resources from IBM Automation Foundation (IAF), which in turn create the CPfs resources, including Zen and IAM.
    • Check that the Cartridge is ready by executing the command below in the CP4BA namespace and looking for the status shown:

      oc get Cartridge

      If the READY column shows True, you are ready to proceed to the next step.

      NAME   READY
      icp4ba True

      Note: It takes approximately 30 mins for Cartridge to be ready after executing the "oc apply -f iaf.yaml" command.
  • II.  Complete the configuration of Okta or Azure AD with Identity and Access Management (IAM) in CPfs
    • For integration with Okta, follow the CPfs documentation here to complete the Okta configuration with IAM.
    • For integration with Azure AD, follow the CPfs documentation here to complete the Azure AD configuration with IAM.
    • The initial deployment of CPfs includes a self-signed TLS certificate that is used to enable HTTPS connections to the foundational services endpoint. However, Okta and Azure AD do not trust self-signed certificates. Therefore, you must replace the CPfs self-signed certificate with your own valid, trusted certificate by following the CPfs Knowledge Center instructions here.
    • After you have completed the configuration above, make sure that Okta or Azure AD users can log in to the CPD route.
      • To get the Zen (CPD) route, execute: oc get route | grep cpd
      • Open a browser using the Zen route from the command above
      • Log in with an Okta or Azure AD user and ensure that the login succeeds
  • III.  Perform installation of CP4BA
    • Follow the installation instructions from the CP4BA Knowledge Center to perform a new installation, with the following additions.
    • Business Automation Workflow and Business Automation Studio:
      • You need to change Workflow configuration properties in a 100Custom.xml. The file must contain the following settings:
        <properties>
         <common>
          <security>
           <scim-options>
            <user-search-attribute merge="replace">userName</user-search-attribute>
            <common-name-search-attribute merge="replace">displayName</common-name-search-attribute>
            <use-wildcards-in-filter-expressions merge="replace">false</use-wildcards-in-filter-expressions>
           </scim-options>
          </security>
         </common>
        </properties>
      • Business Automation Workflow: Follow these instructions to install the customized 100Custom.xml.
      • Business Automation Studio: Follow these instructions to install the customized 100Custom.xml.
    • When the final CR is created, you can remove the ldap_configuration section from the CR, as it is not required for the Okta or Azure AD integration
    • Set sc_skip_ldap_configuration: true under the shared_configuration section in the CP4BA CR:

      shared_configuration:
        sc_skip_ldap_configuration: true

    • Set disable_basic_auth: false under the ecm_configuration section in the CP4BA CR:

      ecm_configuration:
        disable_basic_auth: false

    • Set disable_basic_auth: false under the navigator_configuration in the CP4BA CR:

      navigator_configuration:
        disable_basic_auth: true
    • Add the section below in the CP4BA CR if configuring Okta:

      idp_iam_configuration:
        - idp_id: <this name must match the identity provider name in IAM>
          idp_type: okta
          idp_allow_email_or_upn_short_names: true   # optional; default value is true

    • Add the section below in the CP4BA CR if configuring Azure AD:

      idp_iam_configuration:
        - idp_id: <this name must match the identity provider name in IAM>
          idp_type: azuread
          idp_allow_email_or_upn_short_names: true   # optional; default value is true

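The following POSIX shell helper is an added example and is not from this IBM page or from the Case package scripts. It covers the manual part of step I (filling the <<...>> placeholders in the iaf.yaml template, refusing to apply it while any placeholder remains, and polling "oc get Cartridge" until icp4ba shows READY True) and the CR edits of step III (a line-level check that sc_skip_ldap_configuration is true, that no ldap_configuration section remains, and that the idp_iam_configuration entry has a filled-in idp_id and an idp_type of okta or azuread). It assumes the template YAML is saved as iaf.yaml.tmpl and that the oc CLI is logged in; all function names, the sample values and the sample CR text are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the IBM page or the Case package scripts).
# Assumes: the YAML from part I is saved as iaf.yaml.tmpl with its <<...>>
# placeholders intact, and the oc CLI is logged in to the cluster.
set -eu

# Part I: fill the four <<...>> placeholders in the template read from stdin.
# Usage: render_iaf_yaml NAMESPACE PROFILE_SIZE FAST_SC BLOCK_SC < iaf.yaml.tmpl
# (values must not contain '|' or '&', which sed would interpret).
render_iaf_yaml() {
  sed \
    -e "s|<<namespace>>|$1|g" \
    -e "s|<<shared_configuration.sc_deployment_profile_size in CP4BA CR>>|$2|g" \
    -e "s|<<fast storage class in CP4BA CR>>|$3|g" \
    -e "s|<<block storage class in CP4BA CR>>|$4|g"
}

# Succeeds (exit 0) when the text on stdin still contains an unreplaced <<...>>.
has_placeholders() {
  grep -q '<<[^>]*>>'
}

# Succeeds when the 'oc get Cartridge' table on stdin shows icp4ba with READY True.
cartridge_ready() {
  awk 'NR > 1 && $1 == "icp4ba" && $2 == "True" { found = 1 } END { exit !found }'
}

# Poll the Cartridge in NAMESPACE; the page says readiness takes about 30 minutes,
# so allow up to 60 before giving up.
wait_for_cartridge() {
  deadline=$(( $(date +%s) + 3600 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if oc get Cartridge -n "$1" 2>/dev/null | cartridge_ready; then
      echo "Cartridge icp4ba is ready in namespace $1"
      return 0
    fi
    sleep 60
  done
  echo "timed out waiting for Cartridge icp4ba" >&2
  return 1
}

# Part I end to end: render, refuse leftover placeholders, apply, wait.
apply_iaf() {
  rendered=$(render_iaf_yaml "$1" "$2" "$3" "$4" < iaf.yaml.tmpl)
  if printf '%s\n' "$rendered" | has_placeholders; then
    echo "iaf.yaml still contains a <<placeholder>>; not applying" >&2
    return 1
  fi
  printf '%s\n' "$rendered" | oc apply -f -
  wait_for_cartridge "$1"
}

# Part III: line-level check of the CP4BA CR (stdin) for the Okta/Azure AD
# settings: sc_skip_ldap_configuration true, no ldap_configuration section,
# idp_type okta or azuread, and idp_id filled in rather than left as <...>.
check_cr_idp_settings() {
  cr=$(cat)
  printf '%s\n' "$cr" | grep -Eq '^[[:space:]]*sc_skip_ldap_configuration:[[:space:]]*true[[:space:]]*$' \
    || { echo "sc_skip_ldap_configuration must be true" >&2; return 1; }
  if printf '%s\n' "$cr" | grep -Eq '^[[:space:]]*ldap_configuration:'; then
    echo "remove the ldap_configuration section" >&2; return 1
  fi
  printf '%s\n' "$cr" | grep -Eq '^[[:space:]]*idp_type:[[:space:]]*(okta|azuread)[[:space:]]*$' \
    || { echo "idp_type must be okta or azuread" >&2; return 1; }
  if printf '%s\n' "$cr" | grep -Eq '^[[:space:]]*-?[[:space:]]*idp_id:[[:space:]]*(<|$)'; then
    echo "idp_id must be the identity provider name registered in IAM" >&2; return 1
  fi
  return 0
}

# Usage when sourced or run as a script, for example:
#   apply_iaf cp4ba small managed-nfs-storage managed-block
#   check_cr_idp_settings < cp4ba-cr.yaml
```

The placeholder check matters because "oc apply" happily accepts a literal "<<namespace>>" string as a value, and the CR check catches the two settings on this page that are easy to get backwards (leaving ldap_configuration in place, or leaving idp_id as the page's placeholder text), both of which only surface later as a failed or LDAP-bound login.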
Known Limitations:
  • Automation Document Processing capability of CP4BA is not yet supported
  • Business Automation Workflow (BAW) Case management limitation
    • BAW case management solutions and applications are currently not supported
  • BAW Content - Process Integration limitation
    • Processes are not triggered when documents are added from the Administrative Console for Content Engine (ACCE). Note that from the Navigator BAW desktop, processes can be launched when adding documents.
  • BAW External Services limitation
    • Creation of External Services for REST Services and Web Services is not yet supported
    • Creation of External Workflow is not yet supported
    • Process applications that are published by Open API cannot be consumed by an Automation Service


Document Information

Modified date:
14 June 2023

UID

ibm17000055