
Integration of FileNet on CP4BA with MS AD for SSO using Kerberos

  • 1.  Integration of FileNet on CP4BA with MS AD for SSO using Kerberos

    Posted Wed September 04, 2024 09:23 AM

    Hello everyone,

    I am currently running IBM FileNet on Cloud Pak for Business Automation (CP4BA) within an OpenShift private cloud environment. In this setup, I also have Keycloak deployed for identity and access management. Additionally, my organization uses a Windows Server with Active Directory (AD) for user authentication.

    I would like to configure the system so that users can log in to their Windows domain accounts and then access FileNet components, such as IBM Content Navigator, without needing to re-authenticate. Essentially, I am looking to implement Single Sign-On (SSO) using Kerberos.

    Could anyone provide guidance on how to achieve this integration? Specifically, I am interested in how to configure FileNet on CP4BA to authenticate users through AD and enable SSO via Kerberos.

    Thank you in advance for your help!



    ------------------------------
    Patrik Vinčur
    ------------------------------


  • 2.  RE: Integration of FileNet on CP4BA with MS AD for SSO using Kerberos

    Posted 19 days ago

    Hi Patrik,

    In CP4BA, authentication is handled by the Cloud Pak Foundational Services Identity Management (IM) component. This only supports integrations with LDAP, SAML, and OIDC. Kerberos is not supported.

    Since you are using Keycloak, you should be able to integrate Kerberos SSO with Keycloak. I found this link, which might be helpful:

    https://medium.com/@rishabhsvats/red-hat-single-sign-on-integration-with-kerberos-user-federation-f9c9e757ace

    Once you have Keycloak working with Kerberos, you should be able to integrate Keycloak with IM via SAML for authentication. I don't believe IM supports Keycloak for SCIM yet. So you will need to ensure the sc_skip_ldap_config parameter is set to false in your CP4BA Custom Resource (CR) to allow FileNet authorization to use an LDAP connection to your MS Active Directory for authorization, as described in https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=scp-shared-configuration.



    ------------------------------
    ROGER Bacalzo
    ------------------------------
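An added illustration of the CR fragment the reply above refers to (not code from either poster or from IBM's documentation): `sc_skip_ldap_config` left at `false` alongside an LDAP section pointing at Active Directory, so that FileNet keeps resolving users and groups from AD while SAML (via Keycloak) carries the authentication. Key names follow the CP4BA `ICP4ACluster` CR template as I know it and should be checked against the linked shared-configuration page; the namespace, host, base DNs, secret names and filters are placeholders.

```yaml
# Illustrative fragment of a CP4BA ICP4ACluster custom resource.
# Key names: as in the CP4BA CR template (verify against the product docs).
# Values in <...> are placeholders for your environment.
apiVersion: icp4a.ibm.com/v1
kind: ICP4ACluster
metadata:
  name: icp4adeploy
  namespace: <cp4ba-namespace>
spec:
  shared_configuration:
    # false keeps the LDAP connection to AD so FileNet/IM can look up users
    # and groups for authorization. true skips LDAP entirely, which only
    # works if identities are provisioned another way (e.g. SCIM).
    sc_skip_ldap_config: false
  ldap_configuration:
    lc_selected_ldap_type: "Microsoft Active Directory"
    lc_ldap_server: "<ad-host.example.internal>"
    lc_ldap_port: "636"
    # Bind DN and password live in a Kubernetes Secret, never inline in the CR.
    lc_bind_secret: ldap-bind-secret
    lc_ldap_base_dn: "DC=example,DC=internal"
    # Use LDAPS to the domain controller; the CA certificate is supplied
    # through the named secret so the connection is verified, not just encrypted.
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: ldap-ssl-secret
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "sAMAccountName"
    lc_ldap_group_base_dn: "DC=example,DC=internal"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    # Example AD filters; narrow the base DNs and filters to the OUs that
    # actually need FileNet access rather than the whole domain.
    lc_ldap_group_membership_search_filter: "(&(objectcategory=group)(member={0}))"
    lc_ldap_group_member_id_map: "memberOf:member"
    ad:
      # Global Catalog host/port are only needed for multi-domain forests.
      lc_ad_gc_host: ""
      lc_ad_gc_port: ""
      lc_user_filter: "(&(sAMAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"
```

The bind account referenced by `ldap-bind-secret` should be a read-only service account with no other privileges, since its credentials end up on every pod that queries AD.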