WebSphere Application Server & Liberty


Websphere and Azure AD

  • 1.  Websphere and Azure AD

    Posted Tue March 07, 2023 10:12 AM

    Dear community members,

    I have an application running in IBM WebSphere. I need to authenticate any user who tries to access the URL of that application using Azure AD. How can I do this in IBM WebSphere? I have registered an application in Azure AD and have a tenant ID, client ID and secret. But I am confused about how I configure my IBM WebSphere, under global security, to redirect anyone who accesses my application API to the Azure login page and then, if the authentication is successful, allow them through to the actual URL. I don't think I need to change my application configuration here, but can implement it only with the configuration in the IBM WebSphere console. Can someone please help me with how I can do this?

    Thanks in advance

    Sudheesh 



    ------------------------------
    sudheesh krishna
    ------------------------------


  • 2.  RE: Websphere and Azure AD

    Posted Wed March 08, 2023 06:52 AM

    You must configure the OIDC TAI in WebSphere to redirect to Azure for login.

    Check the following documents:

    Configuring an OpenID Connect Relying Party

    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=users-configuring-openid-connect-relying-party

    https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html

    https://help.hcltechsw.com/connections/v7/admin/secure/t_azure_oidc_websphere.html



    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 3.  RE: Websphere and Azure AD

    Posted Wed March 08, 2023 10:29 AM
    Edited by Barbara Jensen Wed March 08, 2023 12:44 PM

    Hi Sudheesh,

    Here is a technote that contains OIDC examples for WebSphere traditional and Liberty:  Examples: OpenID Connect, Liberty and WebSphere traditional

    The closest example to follow is the google one:

    1. If you aren't running WebSphere 9.0.5.14 or 8.5.5.23, install OIDC 1.4.0.
    2. Don't do step 1
    3. On step 4h, use the preferred method and use https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration as your discoveryEndpointUrl, where {tenant} is your tenant ID.
    4. On step 5, import Microsoft's signing certificate from host=login.microsoftonline.com, port=443 instead of Google's certificate.
    5. Instead of performing steps 6 and 7, set provider_1.useRealm=WAS_DEFAULT
    6. Set the following OIDC properties:
      • provider_1.userinfoEndpointEnabled=false
      • provider_1.revokeEndpointEnabled=false
      • provider_1.endSessionEndpointEnabled=false
    7. Instead of step 10, do the following:
      1. Login to the Azure Portal
      2. Click Azure Active Directory
      3. Under Manage, click App registrations
      4. Click on your application
      5. Click on the link next to Redirect URIs (search the example document redirect URL for how to determine the value for your redirect URI)
        • If you already have a Web platform, click Add URI, add your WebSphere redirect URL, then click Add.
        • Otherwise, click Add a platform > Web , enter your WebSphere redirect URL, then click Configure.
      6. If you did not yet create a client secret, or you did not save the secret value (you can't view it later), create a new client ID and secret:
        1. Click Overview in the menu on the left
          • The Application (client) ID is the client ID, set this as provider_1.clientId
        2. Click the link next to Client credentials 
        3. Click New client secret
        4. Enter a description and expiration, then click Add
        5. The new credentials are displayed:
          • The Value is the client secret, set this as provider_1.clientSecret


    ------------------------------
    Barbara Jensen
    ------------------------------



  • 4.  RE: Websphere and Azure AD

    Posted Fri March 10, 2023 06:17 AM

    Hi Barbara Jensen,

    Thank you very much for your detailed technote; however, I have some confusion here, i.e. in the example you gave https://www.ibm.com/support/pages/node/567695/#OIDCTAIExamples

    in step 4, and in that step 'i', I configured provider_1.identifier as hello,

    as my application is accessible as http://localhost:9080/hello/. I configured the same in my Azure AD redirect URL, and on restart it's not redirecting me to the Microsoft login page. Please find the attached screenshot of the configurations for your reference.

    The version I am using is 9.0.5.12. Do I need to install OIDC 1.4.0?

    Name                  IBM WebSphere Application Server
    Version               9.0.5.12
    ID                    BASE
    Build Level           f5122219.04
    Build Date            5/13/22
    Package               com.ibm.websphere.BASE.v90_9.0.5012.20220513_1431
    Architecture          x86-64 (64 bit)
    Installed Features    WebSphere Application Server traditional
                          EJBDeploy tool for pre-EJB 3.0 modules
                          Embeddable EJB container
                          Stand-alone thin clients and resource adapters

    Where am i going wrong here? 

    Thanks

    Sudheesh



    ------------------------------
    sudheesh krishna
    ------------------------------



  • 5.  RE: Websphere and Azure AD

    Posted Fri March 10, 2023 11:03 AM

    Hi Sudheesh,

    I suspect that you aren't redirecting to Azure to login because your TAI did not load.  I think that the TAI did not load because the property name for the discovery URL is incorrect; therefore it is missing required properties.

    Lets take this one thing at a time:

    1. Delete the picture from your post.  It has secret data in it.
    2. Change the property name oidcProviderURL to provider_1.discoveryEndpointUrl
    3. I suggest accessing your app from the SSL port (i.e. https://localhost:(sslport)/hello); this will prevent adding more properties
    4. Set the redirect URL property in Azure to https://localhost:(sslport)/oidcclient/hello.  That is https://(host):(sslport)/oidcclient/(provider_1.identifier)
    5. I suggest setting provider_1.interceptedPathfilter to /hello instead of /.*
    6. Yes, please install OIDC 1.4.0.  This ensures that you are running the latest version of the TAI.

    Please make these changes and see if they work out for you.



    ------------------------------
    Barbara Jensen
    ------------------------------
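    Added example (editor's note; this is not code from the thread, from Barbara or from IBM): the provider_1.* properties from posts 3 and 5 assembled by a small Python script, which also flags the three mistakes visible in post 4 (a property name the TAI does not know, the application reached over the http port, and a catch-all /.* filter). The set of properties it treats as required and the property names it recognises are taken from this thread, not from IBM's documentation, so both are assumptions; the tenant, client ID and secret values are placeholders.

```python
"""Assemble the provider_1.* OIDC TAI properties for Azure AD and lint them
for the mistakes worked through in posts 3, 4 and 5 of this thread."""
from urllib.parse import urlsplit

# Property names the thread's configuration steps rely on. This mirrors the
# steps in the thread, not IBM's documented list of required TAI properties
# (assumption).
EXPECTED_PROPERTIES = (
    "provider_1.identifier",
    "provider_1.clientId",
    "provider_1.clientSecret",
    "provider_1.discoveryEndpointUrl",
    "provider_1.interceptedPathFilter",
    "provider_1.useRealm",
)

# Every provider_1.* name used anywhere in this thread; anything else is most
# likely a misspelling (post 5: oidcProviderURL was not a TAI property).
KNOWN_PROPERTIES = set(EXPECTED_PROPERTIES) | {
    "provider_1.userinfoEndpointEnabled",
    "provider_1.revokeEndpointEnabled",
    "provider_1.endSessionEndpointEnabled",
    "provider_1.userIdentifier",
    "provider_1.uniqueUserIdentifier",
    "provider_1.endSessionRedirectUrl",
    "provider_1.endSessionUseLogoutExitPage",
}


def build_tai_properties(tenant, client_id, client_secret, identifier, path_filter):
    """Return the provider_1.* map from post 3 for an Azure AD v2.0 tenant."""
    return {
        "provider_1.identifier": identifier,
        "provider_1.clientId": client_id,
        "provider_1.clientSecret": client_secret,
        "provider_1.discoveryEndpointUrl":
            f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration",
        "provider_1.interceptedPathFilter": path_filter,
        "provider_1.useRealm": "WAS_DEFAULT",
        # Post 3: these endpoints are not needed for the basic Azure login flow.
        "provider_1.userinfoEndpointEnabled": "false",
        "provider_1.revokeEndpointEnabled": "false",
        "provider_1.endSessionEndpointEnabled": "false",
    }


def redirect_uri(host, ssl_port, identifier):
    """Redirect URI to register in Azure (post 5): https://(host):(sslport)/oidcclient/(identifier)."""
    return f"https://{host}:{ssl_port}/oidcclient/{identifier}"


def lint_tai_config(props, app_url):
    """Return a list of findings; an empty list means none of the thread's pitfalls apply."""
    findings = []
    for name in EXPECTED_PROPERTIES:
        if name not in props:
            findings.append(f"missing {name}; the TAI does not load without its required properties")
    for name in props:
        if name not in KNOWN_PROPERTIES:
            findings.append(f"unrecognised property name {name}; check the spelling")
    if urlsplit(app_url).scheme != "https":
        findings.append("application accessed over http; use the SSL port to avoid extra properties")
    discovery = props.get("provider_1.discoveryEndpointUrl", "")
    if discovery and ("{tenant}" in discovery
                      or not discovery.endswith("/.well-known/openid-configuration")):
        findings.append("discoveryEndpointUrl must be the tenant's concrete discovery document URL")
    if props.get("provider_1.interceptedPathFilter") == "/.*":
        findings.append("interceptedPathFilter /.* also matches the admin console; prefer the app path")
    return findings


# Constructed sample: the shape of the configuration described in post 4.
BROKEN_SAMPLE = {
    "provider_1.identifier": "hello",
    "provider_1.clientId": "client-id-placeholder",
    "provider_1.clientSecret": "client-secret-placeholder",
    "oidcProviderURL": "https://login.microsoftonline.com/tenant-id-placeholder/v2.0/.well-known/openid-configuration",
    "provider_1.interceptedPathFilter": "/.*",
    "provider_1.useRealm": "WAS_DEFAULT",
}

if __name__ == "__main__":
    for finding in lint_tai_config(BROKEN_SAMPLE, "http://localhost:9080/hello/"):
        print("-", finding)
    fixed = build_tai_properties("tenant-id-placeholder", "client-id-placeholder",
                                 "client-secret-placeholder", "hello", "/hello")
    print("corrected config findings:", lint_tai_config(fixed, "https://localhost:9443/hello/"))
    print("register in Azure:", redirect_uri("localhost", 9443, "hello"))
```

    Running it prints four findings for the post-4 shape and none for the corrected map; the redirect URI it prints is the value that goes into the Azure app registration, and it must match the provider_1.identifier exactly.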



  • 6.  RE: Websphere and Azure AD

    Posted Fri March 10, 2023 11:29 AM

    Dear Barbara Jensen,

    The attachment picture has no actual values but some dummy values, so I hope I don't have to worry here :) And sure, I will make the other changes and will let the group know whether it works or not.

    Thanks You 



    ------------------------------
    sudheesh krishna
    ------------------------------



  • 7.  RE: Websphere and Azure AD

    Posted Mon March 13, 2023 11:40 AM

    Hi Barbara Jensen,

    I guess the problem is that I don't have OIDC 1.4.0 installed with my IBM WAS. Sorry, I am using IBM WebSphere for the first time and I have a lot of confusion regarding the installation of OIDC here. I tried to download the same using the link you provided, but I got some exceptions. Also, if I download OIDC manually, will you please help me with the manual installation of the same? I also saw links saying we can install it through Installation Manager, but none of the steps are clear and they are very confusing. Otherwise, as you said in the first reply, can I install version 9.0.5.14 of IBM WebSphere? Could you please help me with its repository URL so that I don't have to install OIDC 1.4.0 here? Either way I am blocked. Appreciate your help here.



    ------------------------------
    sudheesh krishna
    ------------------------------



  • 8.  RE: Websphere and Azure AD

    Posted Wed March 15, 2023 11:47 AM
    Edited by Barbara Jensen Wed March 15, 2023 11:47 AM

    Hi Sudheesh,

    Software Subscription and Support (S&S) Entitlement is required to download WebSphere interim fixes or fix packs.  If you think that you should have the authority to download fixes, see WebSphere Application Server, Liberty and WebSphere eXtreme Scale fix access requires S&S Entitlement in 2021 for instructions.

    If you aren't able to download a fixpack or OIDC 1.4.0, you obviously have no choice but to use the 9.0.5.12 system that you have.

    Have you made the configuration updates that I suggested?  If so, what are the results?



    ------------------------------
    Barbara Jensen
    ------------------------------



  • 9.  RE: Websphere and Azure AD

    Posted Thu March 16, 2023 03:47 AM

    Hi Barbara Jensen

    Below are the complete steps and details of what I followed, based on the sample link

    https://www.ibm.com/support/pages/node/567695/#OIDCTAIExamples

    Setting up the WebSphere traditional OIDC RP TAI to use the Google™ OP

    1. I have installed IBM WebSphere Base version 9.0.5.12.

    2. I have a sample application, i.e. an ear file, installed and accessible under the URL below:

       http://localhost:9080/HelloWorldFirst/ which gives the response Hellow world!!

    3. To determine the version of the OIDC TAI that I have, I executed the command below:

       C:\Program Files\IBM\WebSphere\AppServer\plugins> java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version

       Output: com.ibm.ws.security.oidc.client.jar
       9.0 f5122219.01

    4. I am unable to download the latest version of OIDC, so I just tried to install the same version of the OIDC jar which I have under

       C:\Program Files\IBM\WebSphere\AppServer\installableApps\WebSphereOIDCRP.ear

       using the command syntax below:

       cd <install_root>/bin
       wsadmin -f installOIDCRP.py install nodeName serverName

       where the node and server name can be obtained under Server Types > Application servers, as follows, and I got an exception as below:

       C:\Program Files\IBM\WebSphere\AppServer\bin>wsadmin -f installOIDCRP.py install DESKTOP-924RNPQNode01  DESKTOP-924RNPQ.bbrouter
       WASX7209I: Connected to process "server1" on node DESKTOP-924RNPQNode01 using SOAP connector;  The type of process is: UnManagedProcess
       WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[install, DESKTOP-924RNPQNode01, DESKTOP-924RNPQ.bbrouter]"
       Installing OpenID Connect relying party...
       Deploying WebSphereOIDCRP.ear
       ADMA5016I: Installation of WebSphereOIDCRP started.
       ADMA5026E: No valid target is specified in ObjectName WebSphere:cell=DESKTOP-924RNPQNode01Cell,node=DESKTOP-924RNPQNode01,server=DESKTOP-924RNPQ.bbrouter for module com.ibm.ws.security.oidc.servlet.war+WEB-INF/web.xml.
       ADMA5011I: The cleanup of the temp directory for application WebSphereOIDCRP is complete.
       ADMA5014E: The installation of application WebSphereOIDCRP failed.
       Exception occurred during installOIDCRP(DESKTOP-924RNPQNode01Cell, DESKTOP-924RNPQNode01, DESKTOP-924RNPQ.bbrouter): com.ibm.ws.scripting.ScriptingException: WASX7132E: Application install for C:\Program Files\IBM\WebSphere\AppServer\installableApps\WebSphereOIDCRP.ear failed: see previous messages for details.
       Skipping Config Save
       in loop see com.ibm.wsspi.security.web.webAuthReq(cells/DESKTOP-924RNPQNode01Cell|security.xml#DescriptiveProperty_8)
       persisting modified

    5. But I installed the WebSphereOIDCRP.ear file under C:\Program Files\IBM\WebSphere\AppServer\installableApps the way we install a normal .ear file, using the IBM console, and started the application.

       Please find attached Picture1.

    6. All the rest of the steps I followed as you mentioned in your earlier response, i.e.

       1. On step 4h, use the preferred method and use login.microsoftonline.com/{tenant}/v2.0/.well-known/... as your discoveryEndpointUrl, where {tenant} is your tenant ID.
       2. On step 5, import Microsoft's signing certificate from host=https://login.microsoftonline.com, port=443 instead of Google's certificate.
       3. Instead of performing steps 6 and 7, set provider_1.useRealm=WAS_DEFAULT
       4. Set the following OIDC properties:
          o provider_1.userinfoEndpointEnabled=false
          o provider_1.revokeEndpointEnabled=false
          o provider_1.endSessionEndpointEnabled=false
       5. Instead of step 10, do the following:
          a. Login to the Azure Portal
          b. Click Azure Active Directory
          c. Under Manage, click App registrations
          d. Click on your application
          e. Click on the link next to Redirect URIs (search the example document redirect URL for how to determine the value for your redirect URI)
             § If you already have a Web platform, click Add URI, add your WebSphere redirect URL, then click Add.
             § Otherwise, click Add a platform > Web, enter your WebSphere redirect URL, then click Configure.

    Please note the redirect URL I configured in Azure AD as

    https://localhost:9043/oidcclient/abc

    and https://localhost:9043/ibm/console/login.do?action=secure is my IBM console URL; find the attached picture 2 for the details of the configuration I made.

    But when I access the URL http://localhost:9080/HelloWorldFirst/ after restart, it is supposed to redirect me to the Microsoft login page, but it's not.

    Where am I going wrong here?

    Is it because I have the wrong version of OIDC installed? If so, can't I install the same for the base version, or should I opt for a licensed product, i.e. Network Deployment?

    Or run a specific version of another WAS which has OIDC installed already?

    Thank you very much for all your replies.



    ------------------------------
    sudheesh krishna
    ------------------------------



  • 10.  RE: Websphere and Azure AD

    Posted Thu March 16, 2023 11:25 AM
    Edited by Barbara Jensen Fri April 07, 2023 12:21 PM

    Hi Sudheesh,

    The installOIDCRP.py script installs WebSphereOIDCRP.ear that is required by the TAI.  It does not update the TAI itself.  Running this script is equivalent to doing step #3 in the example.  If you performed step 3 successfully, then you do not have to worry about any errors that you received from installOIDCRP.py.

    1. I suggest that you access your app from https://localhost:9443/HelloWorldFirst/  instead of http://localhost:9080/HelloWorldFirst/ if possible.  This will prevent further configuration.
    2. Set up the OIDC trace on the application server as specified in this document: https://www.ibm.com/support/pages/mustgather-web-single-sign-problems-websphere-application-server .
      • You do not need to do the browser trace.
    3. After you restart your server, run your test one time, then bring up the (profileRoot)/logs/(serverName)/trace.log file in an editor.
    4. Now go here: https://www.ibm.com/support/pages/node/540247/#noIntercept  https://www.ibm.com/support/pages/node/277989/#noIntercept
      • Yes, this is a SAML troubleshooting guide, but this section mostly applies to all TAIs.
      • On step 3, check for com.ibm.ws.security.oidc.client.RelyingParty instead of com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
      • On step 4, again, the RelyingParty class instead of ACSTrustAssociationInterceptor
      • On step 5, you still search for isTargetInterceptor.  The trace line is similar:

            RelyingParty  >  OIDC: isTargetInterceptor(https://localhost:9443/snoop) Entry

        checking for false too:

            RelyingParty < ==> OIDC: isTargetInterceptor returns [false] Exit

    Go through this debug procedure and see if it helps you make progress.



  • 11.  RE: Websphere and Azure AD

    Posted Wed March 22, 2023 08:14 AM

    @Barbara Jensen

    Hi , I tried to execute that python script to install OIDC, however this time too no luck  :(

    I have attached the log of my application and there is some exception for which I do not have any clue.

    Please find the attached log here with, I am also checking for solutions for the same. 



    ------------------------------
    sudheesh krishna
    ------------------------------

    Attachment(s): ws_logs.txt (132 KB)


  • 12.  RE: Websphere and Azure AD

    Posted Thu March 23, 2023 09:28 AM
    Edited by Barbara Jensen Thu March 23, 2023 09:33 AM

    Hi Sudheesh, as I said in my previous post, running the python script is not essential for making the scenario work.  All you need to do is get the OIDC ear, WebSphereOIDCRP.ear, installed.  You can install the app_server_root/installableApps/WebSphereOIDCRP.ear file using the admin console:

    1. In the admin console, navigate to Applications > Application Types > WebSphere enterprise applications
      1. Check your application list for WebSphereOIDCRP.ear. If you find it, you're done.  Don't worry about installing the ear or running the python file ever again.
      2. Otherwise, continue.
    2. Click Install
    3. Click Browse
    4. Enter the path to (WAS_HOME)/installableApps. For example, c:\was90\WebSphere\AppServer\installableApps
    5. Select WebSphereOIDCRP.ear, then click Open
    6. Click Next through the subsequent panels, taking all defaults, then click Finish
    7. Click Save
    8. Restart the application server

    Once you have the ear installed and the TAI configured, before you attempt to run a test, you'll need to set the OIDC trace specification to debug problems (as shown in the link that I provided previously):

    *=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all

    I do not see that this trace spec is set in your file. After you set this trace spec, you can use the debug page that I gave you to help debug problems.

    Next: I suggest that you backtrack and use the snoop application to debug your TAI configuration instead of your own app.  After you get the TAI working, you can then modify the filter for your target application.  Why do I suggest this?  Because it separates any TAI problems that you might have from application problems.  Once you know that the TAI config is working, if you encounter an error when you switch over to protect your app, the problem is most likely the app (or filter config) and not the TAI.  This is why all the examples use snoop.

    To do this, change your provider_1.interceptedPathFilter to /snoop, then use the URL https://(host:sslport)/snoop in the browser.

    snoop should already be on your server.  It is in defaultApplication.


    ------------------------------
    Barbara Jensen
    ------------------------------



  • 13.  RE: Websphere and Azure AD

    Posted Thu March 23, 2023 06:27 PM

    Hi Sudheesh, Here is a version of the troubleshooting steps that are specific to OIDC so you don't have to translate from SAML: https://www.ibm.com/support/pages/node/540247/#noIntercept .  Sorry that I didn't realize that I already had those steps in the OIDC document.



    ------------------------------
    Barbara Jensen
    ------------------------------
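    Added example (editor's note; not code from the thread, from Barbara or from IBM): a Python script that applies the checks from posts 10 and 12 to a trace.log. It confirms that the trace specification from post 12 is fully enabled, that the RelyingParty class name appears in the trace (the guide's "check for com.ibm.ws.security.oidc.client.RelyingParty"), and pairs each isTargetInterceptor Entry with its Exit on the same thread to list which request URLs the TAI accepted or declined. The sample trace lines are constructed to resemble the two lines quoted in post 10; the "Loaded TAI" line and the timestamp/thread-id columns are assumptions about the surrounding format, not quoted from a real trace.

```python
"""Read an OIDC TAI trace.log the way posts 10 and 12 describe: confirm the
trace specification covers the OIDC components, confirm the RelyingParty
TAI appears (was loaded), and list which request URLs isTargetInterceptor
accepted or rejected."""
import re

# The trace specification from post 12, split into its components.
OIDC_TRACE_SPEC = ("*=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all"
                   ":com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all")
REQUIRED_COMPONENTS = tuple(c for c in OIDC_TRACE_SPEC.split(":") if c != "*=info")

TAI_CLASS = "com.ibm.ws.security.oidc.client.RelyingParty"
# Shaped after the two trace lines quoted in post 10.
ENTRY_RE = re.compile(r"RelyingParty\s+>\s+OIDC: isTargetInterceptor\(([^)]+)\) Entry")
EXIT_RE = re.compile(r"RelyingParty\s+<.*isTargetInterceptor returns \[(true|false)\] Exit")
# Assumed line prefix: "[timestamp] <hex thread id> ..."; used to pair Entry/Exit per thread.
THREAD_RE = re.compile(r"^\[[^\]]+\]\s+([0-9a-fA-F]+)\s")


def missing_trace_components(trace_spec):
    """Components of the OIDC trace spec that `trace_spec` does not enable."""
    enabled = set(trace_spec.split(":"))
    return [c for c in REQUIRED_COMPONENTS if c not in enabled]


def _thread_id(line):
    match = THREAD_RE.match(line)
    return match.group(1) if match else None


def analyse_trace(lines):
    """Return {'tai_loaded': bool, 'decisions': [(url, intercepted), ...]}."""
    report = {"tai_loaded": False, "decisions": []}
    pending = {}  # thread id -> URL whose isTargetInterceptor Entry was seen
    for line in lines:
        if TAI_CLASS in line:
            report["tai_loaded"] = True
        tid = _thread_id(line)
        entry = ENTRY_RE.search(line)
        if entry:
            pending[tid] = entry.group(1)
            continue
        done = EXIT_RE.search(line)
        if done and tid in pending:
            report["decisions"].append((pending.pop(tid), done.group(1) == "true"))
    return report


def not_intercepted(report):
    """URLs the TAI declined; compare these against provider_1.interceptedPathFilter."""
    return [url for url, hit in report["decisions"] if not hit]


# Constructed sample trace lines (not from a real trace.log).
SAMPLE_TRACE = """\
[3/16/23 10:01:02:123 IST] 0000005a TrustAssociat 3   Loaded TAI class com.ibm.ws.security.oidc.client.RelyingParty
[3/16/23 10:01:30:456 IST] 0000007c RelyingParty  >  OIDC: isTargetInterceptor(https://localhost:9443/snoop) Entry
[3/16/23 10:01:30:457 IST] 0000007c RelyingParty < ==> OIDC: isTargetInterceptor returns [true] Exit
[3/16/23 10:02:05:001 IST] 0000007d RelyingParty  >  OIDC: isTargetInterceptor(http://localhost:9080/HelloWorldFirst/) Entry
[3/16/23 10:02:05:002 IST] 0000007d RelyingParty < ==> OIDC: isTargetInterceptor returns [false] Exit
"""

if __name__ == "__main__":
    print("missing from '*=info':", missing_trace_components("*=info"))
    report = analyse_trace(SAMPLE_TRACE.splitlines())
    print("TAI loaded:", report["tai_loaded"])
    for url, hit in report["decisions"]:
        print(f"{'intercepted' if hit else 'skipped    '} {url}")
```

    Run it against the real file with `analyse_trace(open(path, encoding="utf-8", errors="replace"))`. If tai_loaded is false the TAI configuration (property names, required properties) is the place to look, as in post 5; if the TAI loaded but the application URL appears in not_intercepted(), the interceptedPathFilter or the port is the problem, which is the situation in posts 14 and 15.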



  • 14.  RE: Websphere and Azure AD

    Posted Sat March 25, 2023 03:40 AM

    Dear Barbara Jensen,

    First & foremost, thank you very much for all your replies to all my questions. I really appreciate your patience and willingness to help others :)

    Finally something is working for me, even though it's not up to the mark.

    I changed the intercepting URL of the TAI filter to /.*, the rest remain the same, and restarted the server, and now the URL

    "https://localhost:9043/ibm/console" is being protected and taking me to the Microsoft login page. However, on redirect I am getting some exception. I have attached the complete log trace, the redirect URL I configured and the error screenshot herewith.

    However, my application running under the URL "localhost:9080/HellowWorld" is not intercepted here.

    When I installed IBM WebSphere I configured the admin console secure port as 9043 and the HTTPS transport port as 9080, i.e. the default values. Please find the port config screenshot.

    My questions now are:

    1. Why is it not intercepting for the URL "localhost:9080/HellowWorld"? I remember you told me to call the application with the same port 9043 instead of 9080, i.e. "localhost:9043/HellowWorld", but this is not working for me.
    2. Why, after redirect from Microsoft, am I getting the error below? Now I am not able to login to the console any more due to this exception, but it's redirecting me to the MS login page.

      SRVE0255E: A WebGroup/Virtual Host to handle /oidcclient/abc has not been defined.

    Thanks,

    Sudheesh



    ------------------------------
    sudheesh krishna
    ------------------------------

    Attachment(s): trace.log (660 KB)


  • 15.  RE: Websphere and Azure AD

    Posted Mon March 27, 2023 12:34 PM
    Edited by Barbara Jensen Mon March 27, 2023 12:34 PM

    Hi Sudheesh,

    I apologize, you should try 9443 for your HelloWorld app, not 9043.  You received the SRVE0255E message because the OIDC URL is not defined on the admin port.

    It's not a good idea to protect the admin console with OIDC unless you are fully aware of the ramifications, can install 9.0.5.14, and are an expert at OIDC and AD configuration.

    I've sent the rest of my reply in a private message.



    ------------------------------
    Barbara Jensen
    ------------------------------



  • 16.  RE: Websphere and Azure AD

    Posted Thu March 30, 2023 04:19 AM

    Dear Barbara Jensen,

    It's working for me now; I am now able to protect my /snoop URL :)

    Thank you very much for all your support; I really appreciate your patience in replying to all my questions.

    There is one observation: after redirecting back from Azure AD, the URL to be accessed is asking for my console username and password which I configured during the installation of IBM WAS. When I give the right credentials the URL is properly accessible. Is it expected behaviour after redirect? If we want to remove this extra login screen, what can be done? PFA screenshot.

    Thanks,

    Sudheesh

     



    ------------------------------
    sudheesh krishna
    ------------------------------



  • 17.  RE: Websphere and Azure AD

    Posted Thu March 30, 2023 10:51 AM
    Edited by Barbara Jensen Thu March 30, 2023 11:28 AM

    Hi Sudheesh,

    You're so very welcome.  I'm glad that I could help.

    There is one observation , after redirecting back from Azure AD the url to be accessed is asking my console username and pwd which I configured during the installation of IBM WAS. when I give the right credentials the URL is properly accessible . Is it an expected behaviour after redirect?

    No, this is not expected behavior.  

    I suspect that you either have a realm or username problem. 

    First check for a realm problem.  See: This realm is not the current realm, nor the admin realm, nor a trusted realm

    If the realm name isn't the error, the next thing to check is the user name.

    Is the user name correct in this trace statement?

    If it is not, then you need to check the id_token that is received from the OP to find the claim that the username is in.  The default is the sub claim.

    When you find the right claim, you set it on the provider_1.userIdentifier property (and probably provider_1.uniqueUserIdentifier too).

    To find the id_token claims, search the trace for "id token".  You'll find a trace statement that looks like this:



      ------------------------------
      Barbara Jensen
      ------------------------------
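      Added example (editor's note; not code from the thread, from Barbara or from IBM) for the user-name check in post 17: a Python script that base64url-decodes the payload of an id_token, so the claims can be read from the "id token" trace statement, and reports which claim holds the name the WebSphere registry knows the user by, i.e. the value to put in provider_1.userIdentifier when it is not the default sub claim. It decodes only; it does not verify the signature, which is the TAI's job using the certificate imported from login.microsoftonline.com. The token is constructed with Azure AD v2.0-style claim names and a dummy signature, and the tenant, client ID and user values are placeholders.

```python
"""Decode the claims of an id_token and find which claim carries the name that
WebSphere's registry knows the user by (post 17: the TAI maps `sub` by
default; provider_1.userIdentifier selects another claim)."""
import base64
import json

# Claims that commonly hold a user name in Azure AD id_tokens, tried in this order.
CANDIDATE_CLAIMS = ("sub", "preferred_username", "upn", "email", "oid")


def _b64url(data):
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(jwt):
    """Return the payload claims of a compact JWT.

    Decoding only: the signature is NOT checked here. The OIDC TAI verifies it
    against the OP certificate imported into the truststore; never trust claims
    decoded this way for an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def pick_user_identifier(claims, registry_user):
    """Name of the first candidate claim whose value equals the registry user, else None."""
    for name in CANDIDATE_CLAIMS:
        if claims.get(name) == registry_user:
            return name
    return None


def tai_user_properties(claim_name):
    """provider_1.* settings for the chosen claim; `sub` is the default and needs none."""
    if claim_name == "sub":
        return {}
    return {"provider_1.userIdentifier": claim_name,
            "provider_1.uniqueUserIdentifier": claim_name}


# Constructed sample id_token (placeholder values, dummy signature).
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/tenant-id-placeholder/v2.0",
    "aud": "client-id-placeholder",
    "sub": "AAAAAAAAAAAAAAAAAAAAAHBsYWNlaG9sZGVyLXN1Yg",   # pairwise, opaque
    "oid": "00000000-0000-0000-0000-000000000001",
    "preferred_username": "alice@example.com",
    "name": "Alice Example",
    "iat": 1678876800, "nbf": 1678876800, "exp": 1678880400,
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "kid-placeholder"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"signature-placeholder"),
])

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_ID_TOKEN)
    for name in CANDIDATE_CLAIMS:
        print(f"{name:>18}: {claims.get(name)}")
    chosen = pick_user_identifier(claims, "alice@example.com")
    print("use claim:", chosen, "->", tai_user_properties(chosen))
```

      With the sample token the registry user alice@example.com is found in preferred_username, not in the opaque sub value, so the script recommends setting provider_1.userIdentifier (and provider_1.uniqueUserIdentifier) to preferred_username; with a registry whose user names are object IDs it would recommend oid instead.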



    • 18.  RE: Websphere and Azure AD

      Posted Tue April 04, 2023 11:05 AM

      Hello Barbara,

      Thank you for the detailed explanation of the how-to procedure for configuring the OIDC provider.
      I configured it as you described, and when I access the application it redirects me to the https://login.microsoftonline.com/ landing page; I enter my credentials and I get my web application.

      I use Spring Boot 1.5.8.RELEASE with Spring Security 4.2.3.RELEASE.
      I need some example of how I can configure my WebSecurityConfig to use the configured provider in the WAS, so I can get the claims from the token. If you need some part of my code, let me know.

      Thank you in advance!



      ------------------------------
      Petre Petreski
      ------------------------------




    • 20.  RE: Websphere and Azure AD

      Posted Tue April 04, 2023 12:03 PM

      Hi Petre,

      If you have the OIDC TAI configured in WebSphere Application Server and want to retrieve claims from an id token after login, you can use the com.ibm.websphere.security.oidc.util.OidcClientHelper class.  There is an example at the top of the page to show you how to get the claims from an id token as a Map:

           import java.util.Map;
           import com.ibm.websphere.security.oidc.util.OidcClientHelper;

           // the id token (a compact JWT) that the TAI stored on the caller's Subject at login
           String idTokenJwt = OidcClientHelper.getIdTokenFromSubject();
           //get the claims string
           String idTokenClaims = OidcClientHelper.getJwtClaimsAsString(idTokenJwt);
           //-or- get the claims map
           Map<String,Object> claimsMap = OidcClientHelper.getJwtClaimsAsMap(idTokenJwt);


      ------------------------------
      Barbara Jensen
      ------------------------------



    • 21.  RE: Websphere and Azure AD

      Posted Mon April 10, 2023 12:22 AM

      Hello Barbara,

      Thank you very much; following your instructions I successfully retrieved the claims. Now I need another assistance from your side. Currently, we are using a federated LDAP repository for authentication, which is configured in WebSphere. As I mentioned, we are preparing our environment to switch from LDAP to Microsoft Azure AD. For that purpose we configured the OIDC provider in WAS. My question is about the LTPA token. Should we (if it is possible) remove its configuration from WAS, or will we continue to use it despite switching to Azure AD?

      Also, should we change the current WebSecurityConfig? Can you provide some similar example so we can follow it?

      // Imports and class shell added so the posted fragment compiles as a Spring Security 4.2 configuration.
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
      import org.springframework.security.config.http.SessionCreationPolicy;
      import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
      import org.springframework.security.web.access.AccessDeniedHandler;
      import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
      import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
      import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

      @Configuration
      @EnableWebSecurity
      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

          // Both are provided by the application and were not part of the posted fragment.
          @Autowired
          private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> customUserDetailsService;
          private boolean usesLoginForm;

          @Bean
          public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider() {
              // Trusts the principal already established by the container (here, by the OIDC TAI)
              final PreAuthenticatedAuthenticationProvider provider =
                      new PreAuthenticatedAuthenticationProvider();
              provider.setPreAuthenticatedUserDetailsService(customUserDetailsService);
              return provider;
          }

          @Bean
          public AccessDeniedHandler accessDeniedHandler() {
              return new CustomAccessDeniedExceptionHandler(); // the application's own handler class
          }

          @Override
          protected void configure(HttpSecurity http) throws Exception {
              http.authenticationProvider(preAuthenticatedAuthenticationProvider());
              if (usesLoginForm) {
                  // jee(): take the authenticated user from the container's request principal
                  http.jee().and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
              } else {
                  http.cors().and().csrf().disable();
                  http.authorizeRequests().antMatchers("/").permitAll();
              }
              http.sessionManagement()
                      .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                      .sessionFixation().none();

              http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
          }
      }


      Thank you in advance!



      ------------------------------
      Petre Petreski
      ------------------------------



    • 22.  RE: Websphere and Azure AD

      Posted Mon April 10, 2023 12:54 PM

      Hi Petre,

      Do you mean the LtpaToken2 browser cookie?  The LtpaToken2 browser cookie tracks the user that is logged into WebSphere; it doesn't have anything to do with a specific registry that WebSphere can use.  If you want your WebSphere environment to behave as it did before, I suggest that you not change your use of the LtpaToken2 browser cookie.



      ------------------------------
      Barbara Jensen
      ------------------------------



    • 23.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 07:12 AM

      Hi Barbara,

      Yes, I mean the LtpaToken2. I am asking you since currently it does not behave as I expect. For example, even when the user signs out (ibm_security_logout?logoutExitPage=logon.jsp, or request.logout()), the LtpaToken2 remains active; it is not destroyed in the server. For example, if I take the LtpaToken2 value and log out after that, I can use the LtpaToken2 value as a cookie and can construct and do a valid HTTP request (even though I am logged out). I do not know if it is a bug.. (WebSphere 8.5.5.20).   That's why I thought that now, when we are switching to Azure AD, session tracking will be done by it. For sure for me it is better to keep the current configuration, and I will appreciate it if you can suggest how the LtpaToken2 cookie can be destroyed in the server.

      Thank you!
       



      ------------------------------
      Petre Petreski
      ------------------------------



    • 24.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 09:35 AM
      Edited by Barbara Jensen Tue April 11, 2023 10:05 AM

      Hi Petre,

      Oh, so...logout.  Your problem with logout is not with the LTPA cookie, but with the OIDC session cookie.  There is a problem with ibm_security_logout not calling the TAI logout methods (APAR PH48145).  PH48145 is included in 8.5.5.23 and 9.0.5.14; since the APAR is part of core security and not OIDC, it is not included in the OIDC 1.4.0 ifix.  To fix this issue, you must install one of those fix packs or later.

      And then after you get PH48145 fixed, since you are using Azure AD, when the user clicks login, they'll still be able to access your application without having to provide credentials.  Why? Although the user is logged out of WebSphere, they are not logged out of Azure.  When a new request is sent to WebSphere, it detects that the user is not logged in.  The TAI sends a request to Azure and Azure responds with access and id_token without requiring credentials from the user.  

      You can configure the OIDC TAI to logout of Azure when the user logs out of WebSphere.  This is called RP-Initiated logout.  However, you shouldn't take making the decision to logout of Azure lightly.  Doing this circumvents some of the usefulness of SSO.  You ordinarily want to do this only with sensitive apps.  For example, banking apps on the internet.  If you are on an intranet and have multiple applications that use the same Azure AD, if you logout of your application and have it perform RP-Initiated logout, the user is logged out of all applications (at least in that browser).  That could be a negative user experience.

      If you want to configure the TAI for RP-Initiated logout, see Configuring the OIDC TAI to perform RP-initiated logout.  RP-Initiated logout was implemented in APAR PH48083 and is also included in 8.5.5.23 and 9.0.5.14.

      Here is something that is not noted in either PH48083 or the RP-Initiated logout instructions, but it is in the PH48145 closing text as instructions to TAI developers:

      =======================

      logout_exit_page is set to a normalized value of the logoutExitPage parameter if core security deems the value for logoutExitPage valid, otherwise it is not set.  Note that the value of logout_exit_page parameter might be a relative reference.  If your custom TAI uses the value for logout_exit_page and requires an absolute URI, your TAI must take this into account.

      Core security only allows a URI to the current JVM for the logoutExitPage parameter for the ibm_security_logout method when the com.ibm.websphere.security.allowAnyLogoutExitPageHost security custom property is set to false (the default).
      =======================

      Your logoutExitPage is a relative reference.  The OIDC TAI uses the value for the logoutExitPage as-is.  This will not fly with Azure AD, so you will need to set the provider_1.endSessionRedirectUrl and not provider_1.endSessionUseLogoutExitPage=true so that Azure can address the URL.


      EDIT:
      To the Configuring the OIDC TAI to perform RP-initiated logout topic in IBMDOCS, the following text will be added below the example in step 4:
      ================================
      When provider_<id>.endSessionUseLogoutExitPage=true, the OIDC TAI uses the value for the logoutExitPage as-is. If it is a relative value, a relative value is sent in the logout request to the OP.

      A new optional step 5 will be added:
      ================================
      Optional: If any of your applications use form logout and the value for the provider_<id>.endSessionRedirectUrl property is a URL that does not address the current JVM, make sure the following core security custom property is set to true:
      com.ibm.websphere.security.allowAnyLogoutExitPageHost
      To find or set the com.ibm.websphere.security.allowAnyLogoutExitPageHost property, navigate to Security > Global security > Custom properties in the administrative console.

      These updates won't show up until the next fix pack.

      ------------------------------
      Barbara Jensen
      ------------------------------
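      An added illustration of the two rules quoted above (example code written for this thread, not IBM's implementation): a relative logoutExitPage is resolved against the current request and, with allowAnyLogoutExitPageHost at its default of false, only the current host is accepted; the RP-initiated logout request then needs an absolute post_logout_redirect_uri, so a relative value passed through with endSessionUseLogoutExitPage=true is rejected. The OP endpoint, request URL and id_token values are constructed placeholders.

```python
from urllib.parse import urlencode, urljoin, urlsplit


def normalize_logout_exit_page(logout_exit_page, request_url, allow_any_host=False):
    """Model of the core-security rule quoted in the post (assumed logic, not IBM's code).

    A relative logoutExitPage is resolved against the request that carried it, so it
    always points at the current JVM. An absolute value on another host is only kept
    when com.ibm.websphere.security.allowAnyLogoutExitPageHost is true. Returns the
    absolute URL, or None when core security would leave logout_exit_page unset.
    """
    if not logout_exit_page:
        return None
    candidate = urljoin(request_url, logout_exit_page)
    target, origin = urlsplit(candidate), urlsplit(request_url)
    if target.scheme not in ("http", "https"):
        return None  # javascript:, data: and similar values are never a valid exit page
    if not allow_any_host and target.netloc.lower() != origin.netloc.lower():
        return None  # host:port must match the current JVM (also rejects //other.host/ values)
    return candidate


def post_logout_redirect_uri(tai_props, logout_exit_page_param):
    """Which value the TAI sends to the OP, per the two provider_1 properties in the post.

    With endSessionUseLogoutExitPage=true the logoutExitPage value is used as-is, so a
    relative value stays relative. Otherwise endSessionRedirectUrl is used.
    """
    if tai_props.get("provider_1.endSessionUseLogoutExitPage", "false").lower() == "true":
        return logout_exit_page_param
    return tai_props.get("provider_1.endSessionRedirectUrl")


def build_end_session_url(end_session_endpoint, id_token_hint, redirect_uri):
    """RP-initiated logout request: end_session_endpoint?id_token_hint=...&post_logout_redirect_uri=...

    The OP redirects the browser to post_logout_redirect_uri after clearing its own
    session, so the value must be a URL the OP can address; a relative one is rejected.
    """
    if not redirect_uri or not urlsplit(redirect_uri).netloc:
        raise ValueError(f"post_logout_redirect_uri must be absolute, got {redirect_uri!r}")
    query = urlencode({"id_token_hint": id_token_hint, "post_logout_redirect_uri": redirect_uri})
    separator = "&" if "?" in end_session_endpoint else "?"
    return f"{end_session_endpoint}{separator}{query}"


if __name__ == "__main__":
    # Constructed values: a form-logout request that carried logoutExitPage=logon.jsp
    logout_request = "https://localhost/app/ibm_security_logout?logoutExitPage=logon.jsp"
    print(normalize_logout_exit_page("logon.jsp", logout_request))
    # Relative value passed through as-is: the OP cannot address it
    props = {"provider_1.endSessionUseLogoutExitPage": "true"}
    try:
        build_end_session_url("https://op.example/logout", "ID_TOKEN_PLACEHOLDER",
                              post_logout_redirect_uri(props, "logon.jsp"))
    except ValueError as err:
        print("rejected:", err)
    # Absolute endSessionRedirectUrl instead
    props = {"provider_1.endSessionRedirectUrl": "https://localhost/app/logon.jsp"}
    print(build_end_session_url("https://op.example/logout", "ID_TOKEN_PLACEHOLDER",
                                post_logout_redirect_uri(props, "logon.jsp")))
```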



    • 25.  RE: Websphere and Azure AD

      Posted Mon April 24, 2023 05:08 AM

      Hi Barbara,

      Thank you very much for the thorough explanation. For the logout function I had in mind that in the current 8.5.5.20 version it does not work well (LTPA token remains active even after ibm_security_logout?logoutExitPage=logon.jsp), but it is good to know how it can be fixed with the OIDC session cookie. Is there any fix pack for 8.5.5.20 that fixes this?

      OK above is regarding the LTPA cookie if you have some suggestion will be grateful.

      I have a question about the OIDC provider. Is it possible somehow, when I open the root URL (ex: https://localhost/), to check if there is no active session (user is not logged in) and redirect me to, let's say, https://localhost/logon.jsp? Is there any custom property for that, or any suggestion how we can do it? Before we switched to OIDC we were using filter classes described in web.xml, but now since it is an interceptor this web.xml is skipped, I believe.


      Thank you!




      ------------------------------
      Petre Petreski
      ------------------------------



    • 26.  RE: Websphere and Azure AD

      Posted Tue April 25, 2023 07:13 PM

      Hi Petre,

      Do you mean that, when you perform a form logout 1) your LTPA cookie is persisting after logout, or 2) you can access your protected resource again without creds after logout?  

      If your logins are protected using OIDC, your LTPA cookie should be deleted upon form logout, but prior to 8.5.5.23, the OIDC session cookie is not.  The result of this behavior is that, when you navigate to your protected resource again, the OIDC TAI thinks that the user is still logged in and lets the request pass without redirecting to the OP.  This is happening because core security is not redirecting the form logout request to the configured TAIs, thus not giving the OIDC TAI the opportunity to delete its session cookie.

      If your LTPA cookie is not being deleted upon a form logout, that is not expected and is a problem.

      If you upgrade to 8.5.5.23 and get the OIDC TAI to delete its session cookie, unless you also configure RP-Initiated logout, it is likely that you will still be able to navigate to the protected resource without creds.  This is because your OP is probably also tracking the logged-in user in the browser.  For instance, this is very common with Google and Facebook (although FB is not OIDC, but you get the idea). The user logs out of WebSphere.  Upon re-login, OIDC sends a login request to the OP, then the OP sends a response without requiring creds (instead of WebSphere not requiring creds; a subtle difference that produces the same external result).

      > I have a question about the OIDC provider.
      Do you mean a question about the OIDC TAI?

      > check if there is no active session (user is not logged in)
      Do you mean if there is a user logged in to WebSphere?

      I don't think that you could do that.  Because you might be using OIDC and turn off LTPA.  You might have an LTPA cookie, but the protected resource is not the one for which the cookie was written.  This is a complicated matter.

      ==> In summary, if you have a resource that is protected by OIDC, and that resource uses form logout, if you want the logout to work correctly, you need to use 8.5.5.23 or later. I don't see any other way around it.  There are no interim fixes for PH48145 for any fix pack at this time.



      ------------------------------
      Barbara Jensen
      ------------------------------



    • 27.  RE: Websphere and Azure AD

      Posted Wed April 26, 2023 02:29 PM

      Hi Barbara,

      OK it's clear if I want to log out from WebSphere & Azure I need to upgrade the WAS to 8.5.5.23 and configure RP-Initiated logout.

      My question about OIDC TAI was:


      I have a logon.jsp page that is excluded from the pathFilter

      provider_1.excludedPathFilter
      /logon.jsp


      and I want, when I try to open https://localhost/, if I am not logged in to Azure, to be redirected to https://localhost/logon.jsp, so the user will have a form with a "Sign in" button there, and when they click on it they will be redirected to the Microsoft login page.

      Or is it not possible, and the whole link https://localhost/logon.jsp has to be provided to the user, this being the only way to access this form?


      ------------------------------
      Petre Petreski
      ------------------------------



    • 28.  RE: Websphere and Azure AD

      Posted Thu April 27, 2023 04:31 AM

      Hi Barbara,

      I would like to add one more clarification on the topic. I can do the redirection in my web.xml file in my application with filter-mapping and url-pattern, but it is being bypassed now by the OIDC TAI. I saw in WAS_HOME\config\cells\petrespeNode01Cell\applications\WebSphereOIDCRP.ear.ear\deployments\WebSphereOIDCRP.ear\com.ibm.ws.security.oidc.servlet.war\WEB-INF, in the web.xml file, the following configuration:

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>General</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>Admin</role-name>
          </auth-constraint>
      </security-constraint>
      <security-role id="SecurityRole_1">
          <description>Users with this role are allowed</description>
          <role-name>Admin</role-name>
      </security-role>
      <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>default</realm-name>
      </login-config>
      </web-app>

      I tried to remove /* from the provider_1.interceptedPathFilter, but when I try to open https://localhost it prompts for basic authentication (needs usr/pass).
      How can I use my web.xml file so I can do the filtering and redirection?


      ------------------------------
      Petre Petreski
      ------------------------------



    • 29.  RE: Websphere and Azure AD

      Posted Thu April 27, 2023 10:51 AM
      Edited by Barbara Jensen Thu April 27, 2023 11:14 AM

      Hi Petre,
      (Unfortunately I read this 2nd and 3rd post first, then saw the first.  I don't know how to answer that question and asked a colleague to address it.  This post only covers intercepting all requests to the server.)

      The WebSphereOIDCRP.ear web.xml:
      The WebSphereOIDCRP.ear is only the special callback endpoint for the OP.  The /* in that web.xml is for all methods within its context root, which by default is oidcrp.  If you mess with the web.xml for WebSphereOIDCRP.ear, you run the risk of OIDC not working completely because the callback from the OP won't be routed to the OIDC TAI.

      Your URL without a port:
      When you hit any https URL that does not include the port, it will go to the default SSL port, which is 443.  This means that your app server's SSL must be 443.   You must already have this since you are getting the basicauth prompt.

      Intercepting all requests:
      If you set your provider_(id).interceptedPathFilter (not filter) OIDC TAI property to /*, you should intercept all protected requests to the application server.  In addition, if you set the security custom property com.ibm.websphere.security.performTAIForUnprotectedURI to true, all requests should be intercepted.  Be careful what you wish for because you might end up intercepting the admin console and wsadmin.  You could take care of the anomalies with provider_(id).excludedPathFilter.

      Again, if you are already getting the basicauth panel when you hit https://localhost, then you don't need to set performTAIForUnprotectedURI to true.



      ------------------------------
      Barbara Jensen
      ------------------------------



    • 30.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 02:40 AM

      Hi Barbara Jensen,
      Now the admin console issue after OIDC authentication has been removed. Thank you so much for all your help. :)

      Before the fix the snoop servlet had a value for User Principal as below, as it was my admin console username:

      User Principal Sudheesh



      After fix the value is

      User Principal xU2ShsDR7zaLUfidV0lJZtHe0Dt9prJeUaxn62rk9W0


      some encrypted value for username from AAD

      I also need to get the token and claims of the logged-in user; as you have already given the hints to Petre, I also would follow the same in a separate servlet application and will let you know the result.

      Hope I can get the access token and claims such as name, email, phone for the TAI OIDC authenticated user in my protected servlet.


      Thanks,
      Sudheesh



      ------------------------------
      sudheesh krishna
      ------------------------------



    • 31.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 08:38 AM
      Edited by Barbara Jensen Tue April 11, 2023 08:39 AM

      Hi Sudheesh,

      After logging in, search the trace for id token[.  When you find it, you see a trace entry that looks similar to this:

      [1/25/17 11:40:24:188 CST] 0000008c SessionData 3 id token[header[{"alg":"HS256"}], claims[{"iss":"","iat":1485366024,"groupIds":["group1","group2"],"sub":"testuser","exp":1485366054,"aud":"app_a","realmName":"BasicRealm","uniqueSecurityName":"testuser","at_hash":"Xc-ZgD8CCX3guWd1-VLdzA"}]]

      • This is the id_token that was received from the OP.  These are all the claims that are available to map to the WebSphere principal name. 
        • This is also the claims String or Map that you receive when you call one of the OidcClientHelper methods to retrieve claims.
      • By default, the OIDC TAI uses the sub claim for the principal name and the uniqueSecurityName claim for the unique security name in the Subject.
      • If you see a claim other than sub that you want to use as your principal name, set the provider_1.userIdentifier property to the claim name that you want to use.
      • If you do not see a claim that you want to use as your principal name, you have two options:
        1. Update your AD to return a claim that has the information that you want. See Microsoft identity platform ID tokens and Provide optional claims to your app. I don't think that you can change the sub claim, but I'm not sure.
        2. Settle with the username that you have.



      ------------------------------
      Barbara Jensen
      ------------------------------
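      An added helper (written for this thread, not code from the post or from IBM) that pulls the header and claims out of such a SessionData trace entry and shows which value a given provider_1.userIdentifier setting would yield as the principal name. It uses the trace line quoted above plus a constructed Azure-style line whose issuer, audience, name and email claims are placeholders.

```python
import json
import re

# Trace entry quoted in the post above (the page's own sample line).
TRACE_LINE = (
    '[1/25/17 11:40:24:188 CST] 0000008c SessionData 3 id token[header[{"alg":"HS256"}], '
    'claims[{"iss":"","iat":1485366024,"groupIds":["group1","group2"],"sub":"testuser",'
    '"exp":1485366054,"aud":"app_a","realmName":"BasicRealm","uniqueSecurityName":"testuser",'
    '"at_hash":"Xc-ZgD8CCX3guWd1-VLdzA"}]]'
)

# Constructed Azure-style entry: the opaque sub value seen in post 30 plus placeholder
# name/email claims of the kind an application would rather map to the principal.
AZURE_TRACE_LINE = (
    '[4/11/23 10:02:11:004 CEST] 00000091 SessionData 3 id token[header[{"alg":"RS256"}], '
    'claims[{"iss":"https://login.example/tenant-placeholder/v2.0",'
    '"sub":"xU2ShsDR7zaLUfidV0lJZtHe0Dt9prJeUaxn62rk9W0","aud":"client-id-placeholder",'
    '"name":"Example User","email":"user@example.com"}]]'
)

# header[...] is a small JSON object; claims[...] runs to the closing "]]" and may itself
# contain "]" (for example the groupIds array), hence the greedy second group.
ID_TOKEN_RE = re.compile(r'id token\[header\[(\{.*?\})\], claims\[(\{.*\})\]\]')


def parse_id_token_trace(line):
    """Return (header, claims) dicts from a SessionData trace line, or None if absent."""
    match = ID_TOKEN_RE.search(line)
    if match is None:
        return None
    return json.loads(match.group(1)), json.loads(match.group(2))


def principal_name(claims, user_identifier="sub"):
    """Value the TAI would take as principal for provider_1.userIdentifier=<claim>; None if unusable."""
    value = claims.get(user_identifier)
    return value if isinstance(value, str) and value else None


def check_identity_mapping(line, user_identifier="sub"):
    """Summarise what the id_token in one trace line offers for WebSphere principal mapping."""
    parsed = parse_id_token_trace(line)
    if parsed is None:
        return {"error": "no id token entry in this trace line"}
    header, claims = parsed
    return {
        "alg": header.get("alg"),
        "principal": principal_name(claims, user_identifier),
        "unique_security_name": principal_name(claims, "uniqueSecurityName"),
        "available": sorted(claims),  # every claim you could point userIdentifier at
    }


if __name__ == "__main__":
    print(check_identity_mapping(TRACE_LINE))
    print(check_identity_mapping(AZURE_TRACE_LINE, user_identifier="email"))
```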



    • 32.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 12:24 PM

      Hi Peter ,
      Where do you download the jar for 
      com.ibm.websphere.security.oidc.util.oidchelper ? Is it available with IBM websphere installation under lib or plugin directory?

      Thanks
      Sudheesh 



      ------------------------------
      sudheesh krishna
      ------------------------------



    • 33.  RE: Websphere and Azure AD

      Posted Tue April 11, 2023 12:46 PM
      Edited by Andres Parada Tue April 11, 2023 04:18 PM

      Hi Sudheesh,

      The com.ibm.websphere.security.oidc.util.OidcClientHelper API is available in the following jar files in the application server:

      • (wasHome)/dev/was_public.jar
      • (wasHome)/plugins/com.ibm.ws.security.oidc.client.jar


      I'm assuming that you meant the OidcClientHelper class.  There is an OidcHelper class, but it has a different package name than OidcClientHelper: com.ibm.ws.security.oidc.util.OidcHelper and it is not a public API.

      ------------------------------
      Barbara Jensen
      ------------------------------



    • 34.  RE: Websphere and Azure AD

      Posted Wed August 09, 2023 03:27 PM

      Hi i have the same problem as sudheesh krishna.
      I can only filter the calls that go through port 9043 but not the others. In particular I would like to match calls to port 9443 to secure maximo. Please can you give me the directions you privately provided to sudheesh krishna?
      I thank you in advance.



      ------------------------------
      Emanuele Principato
      ------------------------------



    • 35.  RE: Websphere and Azure AD

      Posted Thu August 10, 2023 10:58 AM

      Hi Emanuele, is 9443 your secure port and 9043 your unsecure port?  If so, you can set the com.ibm.websphere.security.performTAIForUnprotectedURI security custom property to true.

      This will send all requests through the TAI and let you intercept them whether the endpoint is protected or not.



      ------------------------------
      Barbara Jensen
      ------------------------------



    • 36.  RE: Websphere and Azure AD

      Posted Thu August 10, 2023 11:05 AM

      Hi Barbara, thanks for the reply. I solved this problem but now I have another one.
      I manage to redirect to my OP (keycloak) and I can log in correctly. 

      Once logged in, however, the Maximo login page appears, which I assume is incorrect.

      I don't get any realm or user errors on the trace.
      On the snoop application everything works fine. Is there any Maximo setting that I need to change?

      I leave you some screens with my configurations. I would be very grateful if you could give me a hand.



      ------------------------------
      Emanuele Principato
      ------------------------------



    • 37.  RE: Websphere and Azure AD

      Posted Thu August 10, 2023 11:53 AM

      Hi Emanuele,

      First, edit your message to remove the properties picture.  You might have sensitive data in it.  

      Second, I recommend some configuration adjustments; many of these properties require specific fixpacks.  If you can't download and install the latest OIDC, I've indicated the fixpack required for a property.  I'm assuming that you're running v9.  If you're not, you can check the v855 doc to find the fixpack required for the property or value.

      1. Make sure that you're running the latest OIDC runtime.
        1. If you are able to download it, install OIDC 1.5.0
        2. This ifix is on Fix Central and requires entitlement to download it.
      2. Use your OP's discovery endpoint if it has one:
        1. In a browser, navigate to (your issuer identifier value)/.well-known/openid-configuration
        2. If you get output that is similar to this: https://accounts.google.com/.well-known/openid-configuration , then switch to discovery:
          1. Set provider_1.useDiscovery to true (9.0.5.4)
          2. This makes the runtime ignore some properties, so remove them to prevent confusion.  Using discovery prevents mis-configuration by typo or missing properties:
            1. authorizeEndpointUrl
            2. tokenEndpointUrl
            3. jwkEndpointUrl
          3. set provider_1.endSessionEndpointEnabled to false (9.0.5.14)
          4. set provider_1.userinfoEndpointEnabled to false (9.0.5.5)
      3. Instead of hardcoding the local realm, let the runtime figure it out:
        1. set provider_1.useRealm to WAS_DEFAULT (9.0.5.13)
      4. Allow the OP to dictate the signature algorithm:
        1. Remove the provider_1.signatureAlgorithm property, or set the value to HEADER (9.0.5.13)

      After you have made these changes, try again.  

      There are many reasons why you might be getting this behavior that you describe.   You can use the OIDC troubleshooting document to help you eliminate some things.  I'd start with this one:

      The OIDC TAI is configured to intercept my requests, but the requests are going directly to my application and not redirected to the OP



      ------------------------------
      Barbara Jensen
      ------------------------------
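      To turn the checklist above into something you can run against a provider_<id> property set, here is an added example (written for this thread, not IBM's tooling) that compares the TAI properties with a constructed discovery document and reports what to change; provider_1.issuerIdentifier is assumed to be the property that holds the issuer identifier value, and the OP URLs are placeholders.

```python
import json

# Constructed discovery document in the shape of <issuer>/.well-known/openid-configuration;
# not a real OP's metadata.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://op.example/realms/demo",
    "authorization_endpoint": "https://op.example/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://op.example/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://op.example/realms/demo/protocol/openid-connect/certs",
    "userinfo_endpoint": "https://op.example/realms/demo/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://op.example/realms/demo/protocol/openid-connect/logout",
})

# TAI property (without the provider_<id>. prefix) -> discovery field that supersedes it
# once useDiscovery=true (the three properties the post says to remove).
SUPERSEDED_BY_DISCOVERY = {
    "authorizeEndpointUrl": "authorization_endpoint",
    "tokenEndpointUrl": "token_endpoint",
    "jwkEndpointUrl": "jwks_uri",
}


def review_tai_properties(tai_props, discovery_json, provider_id=1):
    """Apply the post's checklist; returns (property, advice) pairs, empty when nothing to change."""
    discovery = json.loads(discovery_json)
    prefix = f"provider_{provider_id}."

    def prop(name, default=None):
        return tai_props.get(prefix + name, default)

    findings = []
    # The discovery document is fetched under the issuer identifier, so the configured
    # value must equal the "issuer" the OP advertises (issuerIdentifier: assumed property name).
    if prop("issuerIdentifier") != discovery.get("issuer"):
        findings.append(("issuerIdentifier", f"expected {discovery.get('issuer')!r}"))
    # Step 2: switch to discovery and drop the hand-typed endpoints it supersedes.
    if prop("useDiscovery", "false").lower() != "true":
        findings.append(("useDiscovery", "set to true so endpoints come from the OP"))
    for name, field in SUPERSEDED_BY_DISCOVERY.items():
        configured = prop(name)
        if configured is None:
            continue
        if configured == discovery.get(field):
            findings.append((name, "remove; ignored once useDiscovery=true"))
        else:  # a value differing from the OP's metadata is the typo discovery protects against
            findings.append((name, f"remove; differs from discovery {field}={discovery.get(field)!r} (typo?)"))
    for name in ("endSessionEndpointEnabled", "userinfoEndpointEnabled"):
        if prop(name, "").lower() != "false":
            findings.append((name, "set to false"))
    # Steps 3 and 4: let the runtime pick the realm and the OP dictate the signature algorithm.
    if prop("useRealm") != "WAS_DEFAULT":
        findings.append(("useRealm", "set to WAS_DEFAULT instead of hard-coding the realm"))
    if prop("signatureAlgorithm") not in (None, "HEADER"):
        findings.append(("signatureAlgorithm", "remove, or set to HEADER"))
    return findings


if __name__ == "__main__":
    # Constructed property set with a hand-typed token endpoint containing a typo.
    sample = {
        "provider_1.issuerIdentifier": "https://op.example/realms/demo",
        "provider_1.authorizeEndpointUrl": "https://op.example/realms/demo/protocol/openid-connect/auth",
        "provider_1.tokenEndpointUrl": "https://op.example/realms/demo/protocol/openid-conect/token",
        "provider_1.useRealm": "demo-realm",
        "provider_1.signatureAlgorithm": "RS256",
    }
    for property_name, advice in review_tai_properties(sample, DISCOVERY_JSON):
        print(f"provider_1.{property_name}: {advice}")
```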



    • 38.  RE: Websphere and Azure AD

      Posted Fri August 11, 2023 04:45 AM

      Hi Barbara, thank you for your availability.
      Don't worry about the TAIs in the screen, this is a local test environment only, there are no sensitive data.
      I did everything you recommended, including the fixes but unfortunately the result is always the same. I manage to intercept the call to maximo, I am correctly redirected to my OP, I log in correctly but then I am redirected to the Maximo login page, while I would like to be inside maximo. There are no errors in the trace file, so I can't quite figure out what it could be. With the /snoop application it works correctly, so I think it's something strictly related to IBM Maximo. Do you have any suggestions for Maximo?



      ------------------------------
      Emanuele Principato
      ------------------------------



    • 39.  RE: Websphere and Azure AD

      Posted Fri September 01, 2023 10:11 AM

      Hi Barbara,

      I have been searching how to configure Azure Active Directory as IdP for my WAS, but I'm trying to achieve this by following the document attached in this link: "https://www.ibm.com/support/pages/node/6517674"

      from this doc it says to configure SAML. 

      Please let me know if it works or not.

      Thanks,

      Siraj Shaik.



      ------------------------------
      Shaik Khaja Siraj
      ------------------------------



    • 40.  RE: Websphere and Azure AD

      Posted Sat September 02, 2023 12:04 AM

      Hi Barbara,

      Received your reply, thanks.

      I want to use SAML.

      Regards,

      Siraj Shaik



      ------------------------------
      Shaik Khaja Siraj
      ------------------------------



    • 41.  RE: Websphere and Azure AD

      Posted Fri February 16, 2024 10:52 AM

      hello Sudheesh ,

      We are trying to do the same OIDC setup on WebSphere for our application using Azure AD. We need more information on the Azure AD side on the settings to do specifically for WebSphere clients. If you can, please share your Azure AD OIDC client setup.

      Appreciate any information you share.

      Thanks.

      Nalini.



      ------------------------------
      nalini mansani
      ------------------------------



    • 42.  RE: Websphere and Azure AD

      Posted Fri February 16, 2024 11:11 AM
      Edited by Barbara Jensen Fri February 16, 2024 11:13 AM

      Hi Nalini,

      Here are two documents that might help you set up Azure to use WebSphere as an OIDC client:

      Set up Azure or Entra OIDC for WebSphere and Liberty clients

      Modify Azure OIDC for WebSphere and Liberty clients

      The first is if you are starting with an Azure tenant that has no OIDC provider yet, and the 2nd link is for modifying an existing OIDC provider in an Azure tenant.

      Also, besides the step-by-step Azure instructions with pictures, the beginning of both documents tells you how to go through the setup steps on the WebSphere side specific for an Azure OP.



      ------------------------------
      Barbara Jensen
      ------------------------------