Versions Compared

Old Version 27

changes.mady.by.user Robert Andelin

Saved on

compared with

New Version Current

changes.mady.by.user Robert Andelin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

You can configure DTP to accept authentication from an OpenID Connect identity provider.  This enables you to manage user authentication outside of Parasoft. Support for OpenID Connect is disabled by default.

In this section:

Table of Contents
maxLevel2

Basic Configuration

Complete OIDC Server Configuration, then complete DTP Configuration.

Anchor
OIDCServerConfig
OIDCServerConfig
OIDC Server Configuration

  1. If you have not already done so, register DTP with your OpenID Connect identity provider.
    • issuerUri
    • clientId
    • clientSecret
  2. Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. The following URIs should be registered:

    Required

    • http(s)://<HOST>:<PORT>/pst/login/oauth2/code/dtp
    • http(s)://<HOST>:<PORT>/pstsec/login/oauth2/code/dtp (User Administration)
    • http(s)://<HOST>:<PORT>/grs/login/oauth2/code/dtp (Required for Report Center/Enterprise Pack)

    Optional (The following redirect URIs are optional and only need to be registered to enable log in directly through individual applications.)

    • http(s)://<HOST>:<PORT>/licenseserver/login/oauth2/code/dtp (License Server)
    • http(s)://<DATA_COLLECTOR_URL>/login/oauth2/code/dtp (Data Collector)

Anchor
DTPConfig
DTPConfig
DTP Configuration

Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure the OIDC provider properties used by DTP.

Code Block
languagejs
titleDefault contents of the oidc.json file
{
"enabled": false,
"issuerUri": "your issuer uri",
"clientId": "your client id",
"clientSecret": "your client secret",
"scopes": ["openid", "profile", "email"],
"claimMappings":
	{ 
		"username": "preferred_username", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	},
"adminUsers": []
}

The oidc.json file should be configured prior to the admin users logging in for the first time, otherwise the users will be added to the database without the permissions necessary for performing administrative functions. 

All attributes in the file are required when the enabled element is set to true. There are two ways to define the client secret attribute, either encrypted or not. The unencrypted version (clientSecret) is used by default, but you can exchange it for the encrypted version (encryptedClientSecret) if you wish. The following table describes all elements in the file:

AttributeValueDescription
enabled booleanEnables or disables OIDC authentication. Default is false.
issuerUri stringSpecifies the value of the issureUri parameter is the URI of the Authorization Server. The URI will be appended with /.well-known/openid-configuration to build the complete discovery endpoint when file is processed.
clientId string

Specifies the public identifier registered for DTP with your OIDC provider.

clientSecret string

Specifies the client secret for DTP.

encryptedClientSecretstring

Specifies the client secret for DTP as an encrypted string. You can use this attribute instead of clientSecret. If both are included, clientSecret takes precedence.

This value can be encoded using the -encodepass  CLI option included with any Parasoft tool (for example, jtestcli.exe -encodepass <client secret>.

scopes array of strings

Defines the set of user information that the OIDC server will provide to the client. DTP primarily uses values specified in the array to gain access to the user claims. The following array is defined by default:

["openid", "profile", "email"], 

claimMappings objectRepresents information about users.

username stringSpecifies the value mapped to the username claimed in OIDC. Default is preferred_username.

firstName stringSpecifies the value mapped to the first name claimed in OIDC. Default is given_name

lastName stringSpecifies the value mapped to the last name claimed in OIDC. Default is family_name

email stringSpecifies the value mapped to the email claimed in OIDC. Default is email
adminUsers array of stringsSpecifies existing users in your organization that should be granted administrator privileges upon logging in. 

Save your changes and restart DTP services after configuring the file.

When you go to the DTP login page, you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to DTP.

Advanced Configuration

Enabling Basic Authentication for Automation (CLI) Users

There are two ways that automation users can authenticate with DTP via OIDC:

  • Device code authentication
  • Certification authentication

Your organization may want a simpler way for automation users to authenticate with DTP.

 You can do this by enabling basic authentication for automation users. To do so:

  1. Create automation user(s) in User Administration with a username and password.
  2. Enable basic authentication by adding "enableBasicAuth": true to the oidc.json file.

Restart DTP to apply your changes.

When basic authentication is enabled:

  • DTP UI will still enforce OIDC authentication
  • DTP REST API will accept both OIDC and basic authentication
    • Automation users will call DTP REST API using basic authentication

Example Configurations

The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.

Keycloak

In this example, demo is the name of the realm, and two administrator users (admin1 and admin2) will be created.

No Format
"enabled": true,
"issuerUri": "https://host:8095/auth/realms/demo/",
"clientId": "pstsec",
"clientSecret": "4d35ef23-aec5-44d7-9c59-18092bd619e8",
"scopes": ["openid","profile","email"],
"claimMappings":
	{ 
		"username": "preferred_name", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	}
"adminUsers": ["admin1","admin2"]

Refer to the Keycloak documentation for additional information.

Azure (Microsoft Entra ID)

The following example demonstrates how to configure OpenID Connect for Azure. In this example, two administrator users ([email protected] and [email protected]) will be created.

Code Block
languagetext
{
    "enabled": true,
    "issuerUri": "https://login.microsoftonline.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-Azure>",
    "clientSecret": "<clientSecret-from-Azure>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings": {
        "username": "email",
        "firstName": "given_name",
        "lastName": "family_name",
        "email": "email"
    },
    "adminUsers": [
        "[email protected]",
        "[email protected]"
    ]
}

The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields.  The following contains an example response for the user with the email address [email protected].

Code Block
languagetext
{
  "sub": "<unique value for user>",
  "name": "Jane Jones",
  "given_name": "Jane",
  "family_name": "Jones",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email": "[email protected]"
}

Refer to Microsoft's documentation for additional information.

Connect2id

The following example demonstrates how to configure OpenID Connect for connect2id. Users must access DTP over HTTPS when using connect2id as the OpenID Connect provider.In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created. 

No Format
"enabled": true,
"issuerUri": "https://host:port/c2id",
"clientId": "<clientId-from-c2id>",
"clientSecret": "<clientSecret-from-c2id>",
"scopes": ["openid","profile","email"],
"claimMappings":
	{ 
		"username": "sub", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	}
"adminUsers": ["admin1","admin2"]

Refer to the connect2id documentation for additional information.

Known Limitations

The first time you log into DTP through connect2id, you may receive an "Invalid Request" error. To resolve the error, use a different browser or clear the cache of your current browser. 

Google

The following example demonstrates how to configure OpenID Connect for Google. In this example, two administrator users (admin1 and admin2) will be created.

No Format
"enabled": true,
"issuerUri": "https://accounts.google.com",
"clientId": "<clientId-from-google>",
"clientSecret": "<clientSecret-from-google>",
"scopes": ["openid","profile","email"],
"claimMappings":
	{ 
		"username": "given_name", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	}
"adminUsers": ["admin1","admin2"]

Refer to Google's documentation for additional information. 

Logout Configuration

DTP uses end_session_endpoint from the OIDC issuer to log out the user from the OIDC server. This property must be defined in the <OIDC_ISSUER_URL>/.well-known/openid-configuration payload.

DTP does not support OIDC Backchannel Logout as the logout mechanism.

Using APIs in OpenID Connect Mode


When DTP is in OpenID Connect mode, you cannot access either DTP or Enterprise Pack APIs using basic authentication.Instead, you must pass an access token to the API endpoint in the request header using the Authorization property. The token is passed using the following format:

Authorization: Bearer <access token>

Refer to your identity access management software for information on how to obtain an access token.

You must pass the token for every API call, regardless of the method. In the following example, a token with the value 1234567890 is passed to the DTP build API endpoint.

Code Block
languagebash
curl -X GET -H "Authorization: Bearer 1234567890" http://dtp.host.com/grs/api/v1.7/builds?limit=1000&offset=0