Content Management and Capture

Content Management and Capture

Come for answers. Stay for best practices. All we’re missing is you.

 View Only
Back to discussions
Expand all | Collapse all

FileNet API SSO using OIDC procedure in FileNet 5.5.9

  • 1.  FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Wed September 07, 2022 09:35 AM
    Hi,

    Recently from 5.5.9, FileNet has support for API SSO using OIDC. I have a couple of queries regarding this.

    1) Is there any additional configuration to be done at WebSphere level to achieve this ?

    2) The sample mentioned in the Knowledge center is only for Java. Is there any available sample we can use for C# or ASp.Net ?

    Thanks and Regards,
    Amit

    ------------------------------
    amit bagusetty
    ------------------------------


  • 2.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Thu September 08, 2022 01:50 PM
    The CPE WebSphere server has to be configured to accept OAuth/OIDC tokens.  If your CPE server is running on traditional WebSphere, here are a couple of blog posts that describe how to set up OIDC on traditional WebSphere for CPE

    How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere ND Application Server
    https://community.ibm.com/community/user/automation/blogs/roger-bacalzo1/2021/05/28/how-to-configure-sso-with-fncm-on-websphere-nd

    How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere traditional application server
    https://community.ibm.com/community/user/automation/blogs/roger-bacalzo1/2020/12/17/how-to-configure-sso-between-icn-and-cpe

    The new OpenTokenCredentials API is also available for C# CPE clients.  Here's sample code on how to use it.

    // Set connection parameters; substitute for the placeholders.
    String uri = "https://<hostname>:<portnumber>/wsi/FNCEWS40MTOM/";
    String username = "<username>"
    String authToken = "<authToken>" // Client application method to obtain OAuth or OIDC SSO token

    // Get client context.
    IConnection conn = Factory.Connection.GetConnection(uri);
    OpenTokenCredentials creds = new OpenTokenCredentials(username, authToken, null);
    ClientContext.SetProcessCredentials(creds);

    // Get default domain.
    IDomain domain = Factory.Domain.FetchInstance(conn, null, null);
    Debug.WriteLine("Domain: " + domain.Name);



    ------------------------------
    ROGER Bacalzo
    ------------------------------

    Original Message


  • 3.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Thu September 15, 2022 09:04 AM
    Hi Roger,

    Thanks for the information. 

    We currently use ASP,NET for FileNet and use Kerberos authentication and would typically like to switch to OIDC for SSO.

    Is there any documentation or information on how to configure any FileNet ASP.NET client to use OIDC with any IDP.

    Thanks and Regards,
    Amit

    ------------------------------
    amit bagusetty
    ------------------------------

    Original Message


  • 4.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Fri September 16, 2022 03:46 PM
    Hi Amit, no we don't provide any documentation on using ASP.NET with OIDC.  However, you should be able to find Microsoft documentation on this topic, since this is a Microsoft feature. 

    Once you have your ASP.NET application working with OIDC, you should be able to obtain the Bearer token resulting from the OIDC authentication and pass that Bearer token to FileNet using the OpenTokenCredentials API example I provided.

    ------------------------------
    ROGER Bacalzo
    ------------------------------

    Original Message


  • 5.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Wed August 30, 2023 11:03 AM

    Hi ROGER,

    does OpenTokenCredentials  supported on 5.5.8?
    can you provide please java sample code how to authentication using OpenTokenCredentials  ?

    our current environment:
    FN 5.5.8

    WAS 9.0.5.11



     



    ------------------------------
    Ahmed
    alssarty@yahoo.com
    ------------------------------

    Original Message


  • 6.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Wed August 30, 2023 11:56 AM

    The OpenTokenCredentials API is available only in CPE 5.5.9 and later.  Here are some documentation links on how to use it:

    • Single sign-on integrations via Content Engine API Bearer Token Authentication 
      • https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=authentication-v559-later-single-sign-integrations-via-content-engine-api-bearer-token
    • Credentials Java API
      • https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=comfilenetapiauthentication-credentials
    • OpenTokenCredentials Java API
      • https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=comfilenetapiauthentication-opentokencredentials
    • Credentials .NET API
      • https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=namespace-credentials-class
    • OpenTokenCredentials .NET API
      • https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=namespace-opentokencredentials-class


    ------------------------------
    ROGER Bacalzo
    ------------------------------

    Original Message


  • 7.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Tue October 10, 2023 10:24 AM

    Hi ROGER, is there any sample code to get a VWSession with OpenTokenCredentials ?



    ------------------------------
    Mahmoud Saleh
    ------------------------------

    Original Message


  • 8.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Thu October 12, 2023 01:28 PM

    Unfortunately, the OpenTokenCredentials API does not yet work properly with the PE API to get a VWSession.  That is being worked on and will be available in a future release.



    ------------------------------
    ROGER Bacalzo
    ------------------------------

    Original Message


  • 9.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Fri October 13, 2023 03:31 AM

    Hello ROGER, so using OpenTokenCredentials API there's currently no support at all to launch workflows or to get work items even with REST APIs?



    ------------------------------
    Mahmoud Saleh
    ------------------------------

    Original Message


  • 10.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Thu April 10, 2025 05:17 PM

    Hello @ROGER Bacalzo We are looking at this approach to use in our applications. Do we have any samples on github on using SSO in IBM FileNet API?



    ------------------------------
    Krishna
    ------------------------------

    Original Message


  • 11.  RE: FileNet API SSO using OIDC procedure in FileNet 5.5.9

    Posted Mon April 14, 2025 11:52 AM

    The documentation for OpenTokenCredentials shows code samples of how to pass a Bearer token to the FileNet API

    https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=authentication-v559-later-single-sign-integrations-via-content-engine-api-bearer-token

    If your FileNet client runs on WebSphere and authenticates with an OIDC Identity Provider, then the FileNet Content Engine API is able to look at the WebSphere JAAS subject to extract the OIDC access_token or id_token to send on FileNet API requests for SSO if the following JVM argument is set on the FileNet client

    -Dcom.filenet.authentication.wsi.AutoDetectAuthToken=true

    See this link for additional details

    https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=SSNW2F_5.5.0/com.ibm.p8.ce.dev.ce.doc/ssotokenssetup.html



    ------------------------------
    ROGER Bacalzo
    ------------------------------

    Original Message