WebSphere Application Server & Liberty

 View Only
Expand all | Collapse all

Install application to admin_host

  • 1.  Install application to admin_host

    Posted Mon October 16, 2023 04:45 PM

    Hi all. We have implemented OIDC federated authentication for our tWAS. Now we are trying to protect the WAS Console itself. This seems to work, until the OP (IdP) redirects the browser back to tWAS. Then we are hit with error 'SRVE0255E: A WebGroup/Virtual Host to handle /oidcclient/EntraID has not been defined.' This seems to be because the WebSphereOIDCRP.ear is not mapped to the admin_host VirtualHost, but only the default_host. The admin_host is not selectable. How can we select admin_host for the WebSphereOIDCRP.ear application?

    Thanks



    ------------------------------
    Morgan Simonsen
    ------------------------------


  • 2.  RE: Install application to admin_host

    Posted Mon October 16, 2023 05:22 PM
    Edited by Barbara Jensen Wed October 18, 2023 05:03 PM

    Hi Morgan, protecting an admin application with OIDC is not the same as protecting "regular" applications.  In order to protect admin applications, you must install the OIDC RP EAR itself as an admin application.  You can find a script to do that on github: deployOidc.py

    The port for the redirect URI for console will be different for that of the RP for your other applications; it will be the admin port.  Keep that in mind when configuring the redirect URI on your OP.

    I suggest that you try this out using just the TAI configuration to protect the console and get that working, then add the config back for your other applications. 

    Also, I suggest that you do the following:

    • Make sure that you have OIDC 1.5.0 installed
    • Set provider_(id).useRealm to WAS_DEFAULT
    • If you have the provider_(id).signatureAlgorithm property configured, remove it.
    • Turn off console session timeout
      • If you don't do this, when the console times out, it will return to its own login screen that requires WebSphere credentials to login.  You don't want that.

    When you configure the admin console to use OIDC as the authentication mechanism, by default, it will use true SSO.   Here is a excerpt from one of the docs:

    The HttpServletRequest.logout() and form logout methods make the OIDC TAI remove the information to log out a single sign-on (SSO) user from the WebSphere Application Server. Some OpenID Connect providers leave information in the browser that keeps the user logged in to the OP to preserve the functions of SSO. If the user goes to a URL protected by the OP again, credentials are not needed even though the user logged out of the WebSphere Application Server. This behavior might not be desirable for some use cases.

    If you want to make sure that a user must login again after clicking logout on the console, you must configure RP-Initiated logout.  You must be running WebSphere fix packs 8.5.5.23 or 9.0.5.14 or later for RP-Initiated logout to work with the admin console.  However, be aware that this might produce a negative user experience as it might log the user out of other applications in their browser.


    ------------------------------
    Barbara Jensen
    ------------------------------