Configuring an OpenID Relying Party

You can configure a WebSphere® Application Server to function as an OpenID Relying Party (RP or client) to take advantage of web single sign-on using an OpenID Provider as an identity provider.

Before you begin

Read OpenID authentication overview for more information on OpenID.

Review the properties you must configure for OpenID Relying Party configuration options. Read OpenID Relying Party custom properties for more information.

About this task

Configure a WebSphere Application Server to act as an OpenID Relying Party by performing the following steps:

Procedure

  1. In the administrative console, click Security > Global security > Web and SIP security > Trust association.
  2. Click Interceptors.
  3. Click New to add a new interceptor.
  4. Enter the interceptor class name: com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI.
  5. Add custom properties for your environment. Read OpenID Relying Party custom properties for a list of the properties.
  6. Click Apply and Save the configuration updates.
    Important: Do not click Save without clicking Apply first or the custom properties are discarded.
  7. Under Global Security > Trust Association, select the Enable Trust Association check box.
  8. Click Security > Global security and then click Custom properties.
  9. Click New and define the following custom property information under General properties:
        Name: com.ibm.websphere.security.performTAIForUnprotectedURI
        Value: true
    Note: Set this property only if the TAI needs to intercept requests to unprotected URIs.
  10. Import the OpenID provider's SSL signer certificate to the WebSphere Application Server's truststore.
    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
      Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
    2. Click Add.
  11. In the administrative console, add the trusted realm.
    1. Click Global Security.
    2. Under user account repository, click Configure.
    3. Click Trusted authentication realms – inbound.
    4. Click Add External Realm.

      The RP by default uses the name OpenIDDefaultRealm. If that default is not modified during the configuration of the RP, the same name should be added as a trusted realm.

      Make sure that the realmName property configured in the RP is added as a trusted realm.

  12. Restart WebSphere Application Server.
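A scripted equivalent of steps 3 to 11, as an added example that is not part of the IBM documentation or the product: a wsadmin Jython script that uses the AdminConfig and AdminTask objects. The AdminTask parameter syntax, the truststore scope, the host op.example.com and the TAI property list are assumptions to verify against your WebSphere release and the custom properties reference.

```python
# Added example (not from the IBM documentation): wsadmin Jython equivalent of
# steps 3 to 11 of the console procedure. Written to stay compatible with the
# Python 2.1 level of wsadmin's Jython. Run with:
#   wsadmin.sh -lang jython -f configure_openid_rp.py
# and restart the server afterwards (step 12). Host, realm and property names
# in run_from_wsadmin() are placeholders (assumed, not taken from the product).

TAI_CLASS = 'com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI'
UNPROTECTED_URI_PROP = 'com.ibm.websphere.security.performTAIForUnprotectedURI'

def trusted_realm_cmd(realm):
    # Step 11: the realm must be exactly the realmName the TAI asserts; WebSphere
    # accepts TAI-asserted identities only from realms on this inbound list.
    return '[-communicationType inbound -realmList %s]' % realm

def signer_cmd(truststore, op_host, op_port, alias):
    # Step 10: fetch the OP's TLS signer over the network. This trusts whatever
    # that endpoint presents, so compare the stored signer's fingerprint with a
    # value obtained from the OP out of band before relying on it.
    return '[-keyStoreName %s -host %s -port %d -certificateAlias %s]' % (
        truststore, op_host, op_port, alias)

def configure_openid_rp(adminConfig, adminTask, tai_props, realm, truststore,
                        op_host, op_port, intercept_unprotected=0):
    """tai_props is a list of (name, value) pairs. Returns the interceptor id."""
    # Steps 3-5: new TAInterceptor entry under the (first) TrustAssociation object,
    # with its custom properties attached as trustProperties (assumed config types).
    ta = adminConfig.list('TrustAssociation').splitlines()[0]
    tai = adminConfig.create('TAInterceptor', ta, [['interceptorClassName', TAI_CLASS]])
    for name, value in tai_props:
        adminConfig.create('Property', tai, [['name', name], ['value', value]], 'trustProperties')
    adminConfig.modify(ta, [['enabled', 'true']])            # step 7: enable trust association
    if intercept_unprotected:                                # steps 8-9: only when needed
        adminTask.setAdminActiveSecuritySettings(
            '[-customProperties ["%s=true"]]' % UNPROTECTED_URI_PROP)
    adminTask.retrieveSignerFromPort(signer_cmd(truststore, op_host, op_port, 'openid_op_signer'))
    adminTask.addTrustedRealms(trusted_realm_cmd(realm))
    adminConfig.save()                                       # step 6: wsadmin has no separate Apply
    return tai

def run_from_wsadmin(adminConfig, adminTask):
    # Placeholder values: the realmName key is the property this page names; take
    # the full list from "OpenID Relying Party custom properties".
    props = [('realmName', 'OpenIDDefaultRealm')]
    return configure_openid_rp(adminConfig, adminTask, props, 'OpenIDDefaultRealm',
                               'NodeDefaultTrustStore', 'op.example.com', 443, 1)
```

Under wsadmin, where AdminConfig and AdminTask are predefined, append `run_from_wsadmin(AdminConfig, AdminTask)` as the last line of the script; use CellDefaultTrustStore for a deployment manager.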

Results

These steps establish the minimum configuration required for a WebSphere Application Server to act as an OpenID Relying Party that can communicate with an OpenID Provider.