...
Basic Configuration
...
Configuration is required in User Administration, as well as in the OIDC server.
OIDC Server Configuration
If you have not already done so, register User Administration with your OpenID Connect identity provider. You can get the values for the attributes used in the oidc.json file from the authorization server (Keycloak, connect2id, etc.).
Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. The <pstsec>/pstsec/login/oauth2/code/dtp URI should be registered.
...
License Server Configuration
Open the oidc.json file located in the <LS_INSTALL>/data/conf directory to configure the OIDC provider properties used by License Server.
Note: For License Server deployed on a custom Tomcat Server, this oidc.json file is located in the <TOMCAT_DIR>/LicenseServer/conf directory.
```json
{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings":
  {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": []
}
```
The oidc.json file, and in particular the adminUsers list, should be configured before the administrator users log in for the first time; otherwise those users are added to the database without the permissions necessary for performing administrative functions.
...
Save your changes and restart License Server after configuring the file.
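The following is an added pre-restart check, not part of the original page or of the License Server product: it reads an oidc.json document and reports the mistakes that the note above warns about (placeholders left in place, enabled still false, an empty adminUsers list, a non-https issuer). The two embedded documents are constructed samples; the host name, realm, client id and user names in the filled-in one are assumptions for this example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: the default oidc.json as shipped, placeholders untouched.
DEFAULT_OIDC_JSON = """
{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": []
}
"""

# Constructed sample: a filled-in file. Host name, realm, client id, secret
# and user names are assumptions for this example, not values from the page.
FILLED_OIDC_JSON = """
{
  "enabled": true,
  "issuerUri": "https://sso.example.com/realms/dtp",
  "clientId": "dtp",
  "clientSecret": "s3cr3t-example-only",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": ["admin1", "admin2"]
}
"""

REQUIRED_MAPPINGS = ("username", "firstName", "lastName", "email")
PLACEHOLDER = re.compile(r"^\s*your\b", re.IGNORECASE)


def validate_oidc_config(text):
    """Return a list of problems found in an oidc.json document (empty list = OK)."""
    cfg = json.loads(text)
    problems = []

    if cfg.get("enabled") is not True:
        problems.append("enabled is not true: the OIDC provider will not be used")

    issuer = str(cfg.get("issuerUri", ""))
    if not issuer or PLACEHOLDER.match(issuer):
        problems.append("issuerUri is still the placeholder")
    elif urlparse(issuer).scheme != "https":
        # The authorization code and the client secret are sent to the
        # issuer's token endpoint; over plain http they travel in the clear.
        problems.append("issuerUri is not https")

    for key in ("clientId", "clientSecret"):
        value = str(cfg.get(key, ""))
        if not value or PLACEHOLDER.match(value):
            problems.append(f"{key} is still the placeholder")

    scopes = cfg.get("scopes", [])
    if "openid" not in scopes:
        problems.append("scopes must include 'openid' for an OpenID Connect login")

    mappings = cfg.get("claimMappings") or {}
    for field in REQUIRED_MAPPINGS:
        if not mappings.get(field):
            problems.append(f"claimMappings.{field} is not set")

    # Admin users must be listed (by the value of the mapped username claim)
    # before they log in for the first time, or they are created without admin rights.
    if not cfg.get("adminUsers"):
        problems.append("adminUsers is empty: first-time logins will not get admin rights")

    return problems


def check_oidc_file(path):
    """Validate an oidc.json file on disk; returns the problem list."""
    with open(path, encoding="utf-8") as fh:
        return validate_oidc_config(fh.read())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = check_oidc_file(target) if target else validate_oidc_config(DEFAULT_OIDC_JSON)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it with the path to the oidc.json you edited (for example <LS_INSTALL>/data/conf/oidc.json) before restarting License Server; a non-zero exit means something in the list above still needs attention.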
When you go to the License Server login page, you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to License Server.
...
This section only applies if you are deploying License Server to a custom Tomcat Server.
Open the oidc.json file located in the <TOMCAT_DIR>/webapps/pstsec/conf directory to configure the OIDC provider properties used by User Administration. The default contents of this file are the same as License Server's oidc.json file. Configure this file to match your License Server's oidc.json file, then save your changes and restart Tomcat.
If you are not already logged into License Server, going to the User Administration login page redirects you to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to User Administration.
Example Configurations
The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.
Keycloak
The following configurations are prerequisites for configuring OpenID Connect for Keycloak as described in this example:
- Keycloak should be using RS256 as the default signature algorithm.
- The access token from Keycloak should include the user information that can also be retrieved from the Keycloak userinfo API endpoint.
- The following redirect URIs should be registered:
  - host:port/* (default windows port is 80, linux port is 8080)
  - host:8314/*
  - host:8082/* (for Data Collector upload form)
The wildcard entries are convenient for an initial setup; a tighter registration lists only the exact callback paths (for example <pstsec>/pstsec/login/oauth2/code/dtp), so that the authorization code can only be returned to those paths.
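The following is an added inspection aid for the first two prerequisites above; it is not part of the original page or of Keycloak or DTP. It decodes an access token without verifying its signature, checks that the header's alg is RS256 and that every claim named in the claimMappings section of oidc.json is present in the token payload. It assumes the access token is a compact-serialized JWT (which Keycloak issues by default); the two tokens embedded here are constructed samples with dummy signatures, and the issuer, user names and kid in them are assumptions.

```python
import base64
import json

# Claim mappings as in the default oidc.json on this page.
CLAIM_MAPPINGS = {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email",
}


def _b64url_decode(segment):
    # JWS segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_token(header, payload):
    """Build a constructed compact JWS with a dummy signature (for inspection only)."""
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "ZHVtbXk"])


def inspect_access_token(token, claim_mappings=CLAIM_MAPPINGS, expected_alg="RS256"):
    """Return a list of problems with an access token (empty list = OK).

    This only decodes the token; it does NOT verify the signature, so it is a
    troubleshooting aid for the prerequisites, not an authentication check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a compact JWS (expected three dot-separated segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["token header or payload is not base64url-encoded JSON"]

    problems = []
    alg = header.get("alg")
    if alg != expected_alg:
        problems.append(f"alg is {alg!r}, expected {expected_alg!r}")
    for field, claim in claim_mappings.items():
        if claim not in payload:
            problems.append(f"claim {claim!r} (mapped to {field}) is missing from the access token")
    return problems


# Constructed: a token that meets the prerequisites (issuer, kid and user are assumptions).
GOOD_TOKEN = build_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "example-kid"},
    {
        "iss": "https://sso.example.com/realms/dtp",
        "sub": "1234",
        "preferred_username": "admin1",
        "given_name": "Ada",
        "family_name": "Admin",
        "email": "admin1@example.com",
    },
)

# Constructed: wrong signature algorithm and no name claims in the access token.
BAD_TOKEN = build_sample_token(
    {"alg": "HS256", "typ": "JWT"},
    {
        "iss": "https://sso.example.com/realms/dtp",
        "sub": "1234",
        "preferred_username": "admin1",
        "email": "admin1@example.com",
    },
)

if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, inspect_access_token(token) or "OK")
```

Paste a real access token from your Keycloak client into inspect_access_token to see which prerequisite is not met. If the name or email claims are reported missing, the client's protocol mappers in Keycloak are the place to look: each mapper has a separate toggle for adding the claim to the access token as opposed to the ID token or the userinfo response.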
...
Refer to the Keycloak documentation for additional information.
Google
The following example demonstrates how to configure OpenID Connect for Google. In this example, two administrator users (admin1 and admin2) will be created.
...
Refer to Google's documentation for additional information.
Connect2id
The following example demonstrates how to configure OpenID Connect for connect2id. Users must access User Administration over HTTPS when using connect2id as the OpenID Connect provider.
In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created.
...
Refer to the connect2id documentation for additional information.
Known Limitations
The first time you log into DTP through connect2id, you may receive an "Invalid Request" error. To resolve the error, use a different browser or clear the cache of your current browser.
Azure
As a prerequisite, you must configure authentication for the Azure app to allow the following web redirect URIs:
- https://<DTP host and port>/grs/login/oauth2/code/dtp
- https://<DTP host and port>/licenseserver/login/oauth2/code/dtp
- https://<DTP host and port>/pst/login/oauth2/code/dtp
- https://<DTP host and port>/pstsec/login/oauth2/code/dtp
- https://<DTP host and port>/tcm/login/oauth2/code/dtp
The port is not required if the host uses the default HTTPS port 443.
...
Using APIs in OpenID Connect Mode
When User Administration is in OpenID Connect mode, you cannot access User Administration using basic authentication. Instead, you must pass an access token to the API endpoint in the Authorization request header. The token is passed using the following format:
...