WebSphere Application Server & Liberty

 View Only

Federated identity self-signup/automatic provisioning

  • 1.  Federated identity self-signup/automatic provisioning

    Posted Mon October 16, 2023 02:44 PM

    Hi all.

    We currently have our applications on tWAS configured with OIDC federated authentication, which works. Through setting this up we discovered that even with a valid token from the IdP, tWAS still needs a user registry/repository to look for that user in. We could either create all the users that should log on in the local file backed registry, or we could use LDAP, which is what we did. What we are wondering now is if there is a way to just auto-create or auto-provision users in the registry when they log on for the first time with a valid token? Maintaining LDAP and its configuration just to have a read-only store to match user tokens against seems overkill. All the information we need is in the token that the IdP issues, so we don't need to look for additional information in the registry.

    There is mention of the same functionality in the blogpost How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere ND Application Server, written by @ROGER Bacalzo. In those examples a realm called UmsManagedUsers is mentioned, which works like this.

    So is there a way to configure self-sign up with federated authentication in tWAS? Thanks!



    ------------------------------
    Morgan Simonsen
    ------------------------------