IBM Application Runtimes
We currently have our applications on tWAS configured with OIDC federated authentication, which works. Through setting this up we discovered that even with a valid token from the IdP, tWAS still needs a user registry/repository to look for that user in. We could either create all the users that should log on in the local file-backed registry, or we could use LDAP, which is what we did. What we are wondering now is if there is a way to just auto-create or auto-provision users in the registry when they log on for the first time with a valid token? Maintaining LDAP and its configuration just to have a read-only store to match user tokens against seems overkill. All the information we need is in the token that the IdP issues, so we don't need to look for additional information in the registry.
There is mention of the same functionality in the blog post "How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere ND Application Server", written by @ROGER Bacalzo. In those examples a realm called UmsManagedUsers is mentioned, which works like this.
So is there a way to configure self sign-up with federated authentication in tWAS? Thanks!