azureOidcMod.md

Modify Azure OIDC for WebSphere and Liberty clients

---

Description

Modifying a Microsoft Azure OIDC OP for WebSphere Application Server and Liberty clients. This example shows how to modify an existing Microsoft ®️ Azure™️ app registration to add a WebSphere™️ traditional or Liberty OIDC relying parties (RP). The steps are similar for the Entra™️ ID console.

References

Here are some links from Microsoft that contain more detailed configuration information:

• Quickstart: Set up a tenant
• Quickstart: Register an application with the Microsoft identity platform
• Quickstart: Configure an application to expose a web API
• Quickstart: Configure a client application to access a web API

Background

The Azure AD application configuration and OIDC RP configurations work in concert with each other. The Azure config requires a redirect URL from the RP. The RP configuration requires the client ID, client secret, and discovery URL from the Azure configuration. Whichever configuration you choose to do first, you must go back and edit that configuration using information from the second. For instance, if you configure Azure first, after configuring the RP, you go back into your Azure config and add the redirect URL.

If the RP (WebSphere traditional or Liberty) and Azure administration roles are separated in your organization, it is best to perform the RP configuration first, then provide the redirect URL to your Azure administrator. The Azure administrator then returns the client ID, client secret, and discovery URL to you.

Before you begin

Configure your OIDC RP:

• For WebSphere Application Server Traditional, see Configuring an OpenID Connect Relying Party and OpenID Connect Relying Party custom properties.

  • On the Import the OpenID connect provider's SSL signer certificate to the WebSphere Application Server truststore step, use the following data:
    • host: login.microsoftonline.com
    • port: 443

• For Liberty, see Configuring an OpenID Connect Client in Liberty

  • On the step to Configure the truststore of the server to include the signer certificates of the OpenID Connect Providers that are supported using the Adding trusted certificates in Liberty topic in IBMDOCS, the signer certificate that you want is for the following endpoint:
    • https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    • Where {tenant} is the name of your tenant.

• The Redirect URI that you will use for the RP when configuring Azure is https://(hostname):(port)/(contextRoot)/(identifier), where:

  • (hostname):(port):
    • The hostname and SSL port of the WebSphere or Liberty server.
  • (contextRoot):
    • Liberty :
      • Replace the value with oidcclient/redirect
    • WebSphere traditional:
      • The default value is oidcclient
      • This is the context root of WebsphereOIDCRP ear
      • To find the value, in the Administrative console, navigate to All Applications > WebsphereOIDCRP > Context Root for Web Modules
        • If you installed the OIDC ear using deployOidc.py for use with the admin console, then you want to look for WebsphereOIDCRP_Admin instead of WebsphereOIDCRP
  • (identifier)
    • Liberty: the value for the id attribute of your openidConnectClient configuration.
    • WebSphere traditional: the value for the provider_(id).identifier OIDC TAI custom property.
  • Examples :
    • Liberty: https://test.co:9443/oidcclient/redirect/RP1
    • Websphere traditional: https://test.co:9443/oidcclient/RP1

Procedure

Login to the Azure portal

1. Login to the Azure portal at https://portal.azure.com.

2. If you have access to multiple tenants, perform the following actions to choose the tenant in which you want to register the application:

   • Click    in the top menu to access the Directories + subscriptions filter menu.
   • Switch to the tenant in which you want to register the application.
   • After you select your tenant, click    in the top menu on the left to return to the Azure services menu.

Navigate to your App Registration

1. In the search box in the menu bar at the top, search for Azure Active Directory then click Azure Active Directory

   

2. Under Manage in the menu on the left, click App Regsistrations

   

3. Click the application that you want to use.

Get the client ID and discovery URL values

Note values to use when when configuring WebSphere or Liberty later in this task.

• The values for the client ID and tenant ID
  • All your client secrets use the same client ID.
• Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
  • where {tenant} is the name of your tenant.

Create a client secret

1. Click the link next to Client credentials

2. Click New client secret

3. Enter a description for your new secret and the expiration, then click Add

4. Caution: Be sure to note the value that is generated for the client secret to use when configuring WebSphere or Liberty later in this task. You might not see this value again later.

   

Add a redirect URI:

Under Manage, click Authentication

• If the Web platform already exists:
  1. Click Add URI
  2. Enter your Redirect URI: https://(hostname):(port)/(contextRoot)/(identifier)
     • If you have your redirect URI, enter it now.
     • Otherwise, see the Before you begin section for how to determine your redirect URI.
• Otherwise, if the Web platform does not exist:
  1. Click Add a platform
  2. Click Web
  3. Fill in the information on the Configure Web panel:
     1. Redirect URI: https://(hostname):(port)/(contextRoot)/(identifier)
        • If you have your redirect URI, enter it now.
        • Otherwise, see the Before you begin section for how to determine your redirect URI.
     2. Implicit grant and hybrid flows:
        • Check both Access tokens and ID tokens
  4. Click Configure

What to do next

1. Use the client ID, client secret, and discovery URL to complete your OIDC configuration on WebSphere or Liberty

   • For WebSphere Application Server Traditional, see OpenID Connect Relying Party custom properties.
   • For Liberty, see Configuring an OpenID Connect Client in Liberty.

2. (Optional): If your RP is WebSphere traditional:

   • See the Configuring the OIDC TAI to perform RP-Initiated Logout task in IBMDOCs to determine if you want to use RP-Initiated logout.

   • If you want to perform RP-Initiated logout, perform the configuration on WebSphere, then use the provider_(id).endSessionRedirectUrl to complete configuration in Azure:

     1. Login to the Azure portal at https://portal.azure.com.

     2. If you have access to multiple tenants, perform the following actions to choose the in which your application definition resides:

        • Click    in the top menu to access the Directories + subscriptions filter menu.
        • Switch to the tenant in which your application definition resides.
        • After you select your tenant, click    in the top menu on the left to return to the Azure services menu.

     3. Click More services > Azure Active Directory

     4. Under Manage, click App registrations

     5. Click the application that you want to update.

     6. Under Manage, click Authentication.

     7. In the Platform configurations panel, enter your endSessionRedirectUrl in the Front-channel logout URL field, then click Save.