Recommended Architecture & Implementation Steps for OIDC-based SSO with Microsoft Entra ID in Multi-Cluster AKS (Open Liberty + IBM FileNet CPE)
1. Core Architecture Design
- Unified Identity Provider Layer
Use Microsoft Entra ID as the central OIDC provider for both the Open Liberty application and IBM FileNet CPE. Register two separate app registrations in Entra ID (one for each workload) with identical OIDC scopes (openid profile email) and redirect URIs pointing to the public Ingress endpoints of each AKS cluster. Enable Entra ID Workload Identity Federation for the AKS clusters to eliminate static client secrets, leveraging the AKS OIDC issuer for keyless authentication.
- Cross-Cluster OIDC Trust Establishment
Enable the OIDC issuer for both AKS clusters (enabled by default in K8s 1.34+; for older versions, run az aks update --name <cluster-name> --resource-group <rg-name> --enable-oidc-issuer). Extract the OIDC issuer URL of each cluster (az aks show --name <cluster-name> --resource-group <rg-name> --query "oidcIssuerProfile.issuerUrl" -o tsv) and configure them as trusted token issuers in Entra ID to enable cross-cluster OIDC token validation.
- Application-Level OIDC Integration
- Open Liberty: Enable the openidConnectClient-1.0 feature in server.xml, configure Entra ID's OIDC endpoints (authorization, token, userinfo URLs), and inject OIDC settings into the application pod via the Open Liberty Operator.
- IBM FileNet CPE: Configure an OIDC identity provider connection in the FileNet CPE Custom Resource (CR), specify Entra ID as the external IDP, set the redirect URI to https://<cpe-ingress-host>/oidc/redirect, and use the IBM FileNet Operator to auto-generate authentication keys.
2. Step-by-Step Implementation
Prerequisites
- Ensure both AKS clusters have an Ingress controller (e.g., NGINX) with public domain names and TLS certificates.
- Create enterprise applications in Entra ID, and record the client ID, tenant ID, and Entra ID OIDC metadata endpoint (https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration).
Open Liberty Application Configuration
Add the following to the server.xml (mounted via the Open Liberty Operator CR):
```xml
<featureManager>
    <feature>openidConnectClient-1.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>
<!-- The client secret is read from the entra-oidc-secret Secret, exposed to the pod as the
     ENTRA_CLIENT_SECRET environment variable (Operator CR env -> secretKeyRef clientSecret);
     Liberty resolves ${env.*} variables in server.xml. -->
<openidConnectClient
    id="entra-oidc-client"
    clientId="<entra-openliberty-client-id>"
    clientSecret="${env.ENTRA_CLIENT_SECRET}"
    discoveryEndpointUrl="https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
    issuerIdentifier="https://login.microsoftonline.com/<tenant-id>/v2.0"
    redirectToRPHostAndPort="https://<openliberty-ingress-domain>"
    scope="openid profile email"
    responseType="code"
    tokenEndpointAuthMethod="client_secret_basic"
    signatureAlgorithm="RS256"/>
<!-- Liberty's callback path is fixed: https://<openliberty-ingress-domain>/oidcclient/redirect/entra-oidc-client.
     Register exactly that URI on the Open Liberty app registration in Entra ID. -->
<keyStore id="defaultKeyStore" password="<keystore-password>"/>
```
Create a Kubernetes Secret to store the Entra ID client secret:
```bash
kubectl create secret generic entra-oidc-secret \
  --from-literal=clientSecret=<entra-client-secret> \
  -n <openliberty-namespace>
```
IBM FileNet CPE Configuration
Update the FileNet CPE CR (deployed via the IBM FileNet Operator) to include OIDC settings:
```yaml
apiVersion: filenet.ibm.com/v1
kind: ContentPlatformEngine
metadata:
  name: cpe-oidc-deployment
  namespace: <filenet-namespace>
spec:
  oidcConfig:
    enabled: true
    issuerUrl: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    clientId: "<entra-filenet-client-id>"
    clientSecret: "<entra-filenet-client-secret>"
    redirectUri: "https://<filenet-ingress-domain>/oidc/redirect"
    scopes: ["openid", "profile", "email"]
    claimMappings:
      userId: "email"
      groupId: "groups"
  # Retain existing CPE configuration (storage, compute, etc.)
```
Cross-Cluster SSO Validation
1. Access the Open Liberty application via its Ingress URL; you will be redirected to the Entra ID login page.
2. After authentication, access the FileNet CPE UI/WSI APIs; SSO should auto-authenticate using the Entra ID token (no re-login required).
3. Verify token validation across clusters by checking the OIDC token claims in both application logs (Open Liberty's messages.log and FileNet CPE's P8Server.log).
3. Key Considerations
- Network Connectivity: Ensure both AKS clusters have outbound access to login.microsoftonline.com (Entra ID endpoints) and mutual inbound access between the Open Liberty app and FileNet CPE (for WSI API calls).
- Token Lifespan: Configure Entra ID's access token lifetime (1 hour by default) and refresh token settings to align with application session requirements.
- Security Hardening: Use AKS Secret Store CSI Driver to mount Entra ID secrets from Azure Key Vault (instead of plain K8s Secrets) and enable TLS 1.3 for all OIDC traffic.
------------------------------
陈旭东
------------------------------
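The reply's validation step checks token claims in both clusters' logs. The script below, an added example that is not part of the reply or of either product, shows the claim checks each workload should apply to an Entra ID token: same issuer and tenant for both apps, but an audience equal to that workload's own app registration client ID, so a token minted for the Open Liberty registration is rejected by CPE and vice versa. Tenant and client IDs are constructed placeholders, and signature verification against the issuer's JWKS is assumed to have happened before these checks run.

```python
import base64
import json
import time

# Constructed sample values (not real tenant or app registration IDs).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
LIBERTY_CLIENT_ID = "liberty-app-client-id"   # aud expected by the Open Liberty app
CPE_CLIENT_ID = "filenet-cpe-client-id"       # aud expected by FileNet CPE


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Build an unsigned demo JWT only to feed the claim checker offline.
    Real Entra ID tokens are RS256-signed; verify the signature via JWKS first."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment, restoring the base64url padding JWTs strip."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_claims(claims: dict, expected_aud: str, now=None) -> list:
    """Return findings for one workload; an empty list means the token is usable there."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    if claims.get("tid") != TENANT_ID:
        problems.append("tenant mismatch")
    if claims.get("aud") != expected_aud:          # per-app registration check
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    if not claims.get("email"):                     # claim CPE maps to userId
        problems.append("missing email claim used for userId mapping")
    return problems
```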
Original Message:
Sent: Sun December 14, 2025 05:14 AM
From: Mahmoud Abd El Aziz
Subject: Enabling OIDC-Based SSO with Microsoft Entra ID for Open Liberty Application Integrated with IBM FileNet CPE Across Separate AKS Clusters
We have a custom Java application container image deployed using the Open Liberty Operator. The application integrates with IBM FileNet Content Platform Engine (CPE) for authentication and uses FileNet WSI APIs.
The custom application and the FileNet CPE are deployed in separate Azure Kubernetes Service (AKS) clusters.
We would like to enable single sign-on (SSO) using Microsoft Entra ID based on OpenID Connect (OIDC) across both applications.
What is the recommended approach or supported architecture to integrate Open Liberty and IBM FileNet CPE with Microsoft Entra ID using OIDC in this multi-cluster setup?
------------------------------
Mahmoud Abd El Aziz
------------------------------