Page History

You can configure DTP to accept authentication from an OpenID Connect identity provideridentity provider. This  This enables you to manage user authentication outside of Parasoft. Support for OpenID Connect is disabled by default.

...

Basic Configuration

Complete OIDC Server Configuration, then complete DTP Configuration.

Anchor
OIDCServerConfig OIDCServerConfig

OIDC Server Configuration

1. Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication.   The following redirect URIs that should be registered:

   Required: 

   • http(s)://<DTP_INSTALL>HOST>:<PORT>/pst/login/oauth2/code/dtp
   • http(s)://<DTP_INSTALL>HOST>:<PORT>/pstsec/login/oauth2/code/dtp (User Administration)
   • http(s)://<DTP_INSTALL>HOST>:<PORT>/grs/login/oauth2/code/dtp (Required for Report Center/Enterprise Pack)

   Optional. The following redirect URIs are optional and only need to be registered to enable log in directly through individual applications:

   • http(s)://<DTP_INSTALL>HOST>:<PORT>/licenseserver/login/oauth2/code/dtp (License Server)
   • http(s)://<DATA_COLLECTOR>COLLECTOR_URL>/login/oauth2/code/dtp (Data Collector)

Anchor
DTPConfig DTPConfig

DTP Configuration

Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure the OIDC provider properties used by DTP. 

...

When you go to the DTP login page, you will be redirected to the OpenID Connect authentication interface.  After After specifying your credentials, you will be logged in and redirected back to DTP.to DTP. If there are errors during login or with the configuration, you will be redirected to an error page with more details.

Advanced Configuration

Enabling Basic Authentication for Automation (CLI) Users

There are two ways that automation users can authenticate with DTP via OIDC:

• Device code authentication
• Certification authentication

Your organization may want a simpler way for automation users to authenticate with DTP.

 You can do this by enabling basic authentication for automation users. To do so:

1. Create automation user(s) in User Administration with a username and password.
2. Enable basic authentication by adding "enableBasicAuth": true to the oidc.json file.

Restart DTP to apply your changes.

When basic authentication is enabled:

• DTP UI will still enforce OIDC authentication
• DTP REST API will accept both OIDC and basic authentication
  • Automation users will call DTP REST API using basic authentication

Example Configurations

The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.

...

• Keycloak should be using RS256 as the default signature algorithm.
• The access token from Keycloak should include user information available that can also be retrieved from the Keycloak userinfo API endpoint.The following redirect URIs should be registered:
  
  • <HOST>:<PORT>/* (default windows port is 80, linux port is 8080)
  • <HOST>:8314/*
  • <HOST>:8082/* (for Data Collector upload form) 
  If wildcards are not used, then individual URIs for Report Center, User Administration, License Administration need to be added. See OIDC Server Configuration for additional information about registering redirect URIs.

In this example, demo is the name of the realm, and two administrator users (admin1 and admin2) will be created.

...

Refer to the Keycloak documentation for additional information.

...

Azure (Microsoft Entra ID)

The following example demonstrates how to configure OpenID Connect for GoogleAzure.  In In this example,  two two administrator users (admin1 and admin2[email protected] and [email protected]) will be created.

{
    

"enabled": true,
    "issuerUri": "https://accountslogin.googlemicrosoftonline.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-google>Azure>",
    "clientSecret": "<clientSecret-from-google>Azure>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings":
	{ 
		 {
        "username": "given_nameemail", 
		
        "firstName": "given_name", 
		
        "lastName": "family_name", 
		
        "email": "email"
 
	   },
    "adminUsers": ["admin1","admin2"] 
        "[email protected]",
        "[email protected]"
    ]
} 

The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields.  The following contains an example response for the user with the email address [email protected].

{
  "sub": "<unique value for user>",
  "name": "Jane Jones",
  "given_name": "Jane",
  "family_name": "Jones",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email": "[email protected]"
} 

Refer to Microsoft's documentation for additional information.Refer to Google's documentation for additional information. 

Connect2id

The following example demonstrates how to configure OpenID Connect for connect2id. Users must access DTP over HTTPS when using connect2id as the OpenID Connect provider.In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created. 

...

Refer to the connect2id documentation for additional information.

Known Limitations

The first time you log into DTP through connect2id, you may receive an "Invalid Request" error. To resolve the error, use a different browser or clear the cache of your current browser. 

Azure

As a prerequisite, you must configure authentication for the Azure app to allow the following web redirect URIs:

• https://<DTP_HOST>:<PORT>/grs/login/oauth2/code/dtp
• https://<DTP_HOST>:<PORT>/licenseserver/login/oauth2/code/dtp
• https://<DTP_HOST>:<PORT>/pst/login/oauth2/code/dtp
• https://<DTP_HOST>:<PORT>/pstsec/login/oauth2/code/dtp

The port is not required if the host uses the default HTTPS port 443.

Google

The The following example demonstrates how to configure OpenID Connect for AzureGoogle. In  In this example, two  two administrator users ([email protected] and [email protected]admin1 and admin2) will be created.

{
    "enabled": true,
    "issuerUri": "https://loginaccounts.microsoftonlinegoogle.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-Azure>google>",
    "clientSecret": "<clientSecret-from-Azure>google>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings":
	{ {
        
		"username": "emailgiven_name",
         
		"firstName": "given_name",
         
		"lastName": "family_name",
         
		"email": "email" 
    	},
    "adminUsers": [
        "[email protected]",
        "[email protected]"
    ]
} 

The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields.  The following contains an example response for the user with the email address [email protected].

{
  "sub": "<unique value for user>",
  "name": "Jane Jones",
  "given_name": "Jane",
  "family_name": "Jones",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email": "[email protected]"
} 

"admin1","admin2"] 

Refer to Google's documentation for additional information. Refer to Microsoft's documentation for additional information.

Logout Configuration

DTP uses end_session_endpoint from the OIDC issuer to log out the user from the OIDC server. This property must be defined in the <OIDC_ISSUER_URL>/.well-known/openid-configuration payload.DTP does not support The OIDC Backchannel Logout as the logout mechanismURI for DTP is <DTP_INSTALL>/pstsec/logout/connect/back-channel/dtp. The logout token submitted to this URI must include a session ID (SID) claim.

Using APIs in OpenID Connect Mode

When DTP is in OpenID Connect mode, you cannot access either DTP or Enterprise Pack APIs using basic authentication.Instead, you must pass an access token to the API endpoint in the request header using the Authorization property. The token is passed using the following format:

...