Comment: Published by Scroll Versions from space DTPDEVEL and version 2025.1

You can configure DTP or User Administration to accept authentication from an OpenID Connect identity provider. This enables you to manage user authentication outside of Parasoft. Support for OpenID Connect is disabled by default.

...

Complete OIDC Server Configuration, then complete DTP Configuration (or License Server Configuration). If you are deploying License Server to a custom Tomcat Server, you also have to complete User Administration Configuration.

OIDC Server Configuration

...

  1. If you have not already done so, register DTP (or License Server) with your OpenID Connect identity provider. While registering, note the following values, which will be used in the oidc.json file:
    • issuerUri
    • clientId
    • clientSecret
  2. Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. The following URIs should be registered:

    Required

    • http(s)://<HOST>:<PORT>/pst/login/oauth2/code/dtp
    • http(s)://<HOST>:<PORT>/pstsec/login/oauth2/code/dtp (User Administration)
    • http(s)://<HOST>:<PORT>/grs/login/oauth2/code/dtp (Required for Report Center/Enterprise Pack)

    Optional (The following redirect URIs are optional and only need to be registered to enable log in directly through individual applications.)

    • http(s)://<HOST>:<PORT>/licenseserver/login/oauth2/code/dtp (License Server)
    • http(s)://<DATA_COLLECTOR_URL>/login/oauth2/code/dtp (Data Collector)

    When registering License Server rather than DTP, the License Server and Data Collector URIs are the required ones.

...

Open the oidc.json file located in the <LS_INSTALL>/data/conf directory to configure the OIDC provider properties used by License Server.

Note: For License Server deployed on a custom Tomcat Server, this oidc.json file is located in <TOMCAT_DIR>/LicenseServer/conf directory.

...


DTP Configuration


Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure the OIDC provider properties used by DTP.

Default contents of the oidc.json file:

{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": []
}


The oidc.json file should be configured before the admin users log in for the first time; otherwise, those users will be added to the database without the permissions necessary for performing administrative functions.

All attributes in the file are required when the enabled element is set to true. The client secret can be defined in one of two ways, either encrypted or not. The unencrypted version (clientSecret) is used by default, but you can exchange it for the encrypted version (encryptedClientSecret) if you wish. The following table describes all elements in the file:

Attribute              Value             Description
enabled                boolean           Enables or disables OIDC authentication. Default is false.
issuerUri              string            The URI of the Authorization Server. The URI will be appended with /.well-known/openid-configuration to build the complete discovery endpoint when the file is processed.
clientId               string            Specifies the public identifier registered for DTP (or License Server) with your OIDC provider.
clientSecret           string            Specifies the client secret for DTP (or License Server).
encryptedClientSecret  string            Specifies the client secret for DTP (or License Server) as an encrypted string. You can use this attribute instead of clientSecret. If both are included, clientSecret takes precedence. This value can be encoded using the -encodepass CLI option included with any Parasoft tool (for example, jtestcli.exe -encodepass <client secret>).
scopes                 array of strings  Defines the set of user information that the OIDC server will provide to the client. DTP (or License Server) primarily uses values specified in the array to gain access to the user claims. The following array is defined by default: ["openid", "profile", "email"]
claimMappings          object            Represents information about users.
  username             string            Specifies the value mapped to the username claim in OIDC. Default is preferred_username.
  firstName            string            Specifies the value mapped to the first name claim in OIDC. Default is given_name.
  lastName             string            Specifies the value mapped to the last name claim in OIDC. Default is family_name.
  email                string            Specifies the value mapped to the email claim in OIDC. Default is email.
adminUsers             array of strings  Specifies existing users in your organization that should be granted administrator privileges upon logging in.
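As an added example (not Parasoft's code), a small Python checker that applies the rules from this table to an oidc.json document before the service is restarted: required attributes when enabled is true, clientSecret versus encryptedClientSecret precedence, an empty adminUsers list, and the enableBasicAuth setting described below. The sample file, its issuer host and client id are assumed placeholders.

```python
import json

# Constructed sample oidc.json (assumed values, not a real deployment); it
# follows the default file shown on this page with the placeholders filled in.
SAMPLE_OIDC_JSON = """{
  "enabled": true,
  "issuerUri": "https://idp.example.test/c2id",
  "clientId": "dtp-client",
  "encryptedClientSecret": "PLACEHOLDER_ENCODED_SECRET",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {"username": "preferred_username", "firstName": "given_name",
                    "lastName": "family_name", "email": "email"},
  "adminUsers": []
}"""

REQUIRED_TOP = ("issuerUri", "clientId", "scopes", "claimMappings", "adminUsers")
REQUIRED_CLAIMS = ("username", "firstName", "lastName", "email")


def discovery_url(issuer_uri):
    """Discovery endpoint as the table describes it: issuerUri + /.well-known/openid-configuration."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_config(text):
    """Report errors/warnings for one oidc.json document, using the rules
    this page states (required attributes, secret precedence, adminUsers)."""
    cfg = json.loads(text)
    if not cfg.get("enabled", False):
        return ["info: OIDC is disabled (enabled=false); nothing else checked"]
    findings = [f"error: missing required attribute '{k}'" for k in REQUIRED_TOP if k not in cfg]
    has_plain, has_enc = "clientSecret" in cfg, "encryptedClientSecret" in cfg
    if not (has_plain or has_enc):
        findings.append("error: clientSecret or encryptedClientSecret is required")
    elif has_plain and has_enc:
        findings.append("warning: both secrets present; clientSecret takes precedence")
    elif has_plain:
        findings.append("warning: clientSecret is stored in clear text; encryptedClientSecret is available")
    if "openid" not in cfg.get("scopes", []):
        findings.append("error: scopes must include 'openid'")
    findings += [f"error: claimMappings is missing '{c}'" for c in REQUIRED_CLAIMS
                 if c not in cfg.get("claimMappings", {})]
    if not cfg.get("adminUsers"):
        findings.append("warning: adminUsers is empty; the first admin login gets no admin rights")
    if cfg.get("enableBasicAuth") is True:
        findings.append("info: enableBasicAuth=true; REST API also accepts basic authentication")
    return findings
```

Run check_oidc_config on the real <DTP_DATA_DIR>/conf/oidc.json contents before restarting; an empty result with adminUsers populated is the state you want before the first administrator signs in.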

Save your changes and restart DTP services after configuring the file.

When you go to the DTP login page, you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to DTP. If there are errors during login or with the configuration, you will be redirected to an error page with more details.

Save your changes and restart License Server after configuring the file.

When you go to the License Server login page, you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to License Server. If there are errors during login or with the configuration, you will be redirected to an error page with more details.

...

This section only applies if you are deploying License Server to a custom Tomcat Server.

Open the oidc.json file located in the <TOMCAT_DIR>/webapps/pstsec/conf directory to configure the OIDC provider properties used by User Administration. The default contents of this file are the same as License Server's oidc.json file. Configure this file to be the same as your License Server's oidc.json file, then save your changes and restart Tomcat.

If you have not already logged into License Server, when you go to the User Administration login page you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to User Administration. If there are errors during login or with the configuration, you will be redirected to an error page with more details.

Advanced Configuration

Enabling Basic Authentication for Automation (CLI) Users

There are two ways that automation users can authenticate with DTP (or License Server) via OIDC:

  • Device code authentication
  • Certificate authentication

Your organization may want a simpler way for automation users to authenticate with DTP (or License Server). You can do this by enabling basic authentication for automation users. To do so:

  1. Create automation user(s) in User Administration with a username and password.
  2. Enable basic authentication by adding "enableBasicAuth": true to the oidc.json file.

Restart DTP (or License Server) to apply your changes.

When basic authentication is enabled:

  • The DTP (or License Server) UI will still enforce OIDC authentication
  • The DTP (or License Server) REST API will accept both OIDC and basic authentication
    • Automation users will call the REST API using basic authentication

...

The following example demonstrates how to configure OpenID Connect for connect2id. Users must access DTP (or User Administration) over HTTPS when using connect2id as the OpenID Connect provider. In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created.

...

DTP uses end_session_endpoint from the OIDC issuer to log out the user from the OIDC server. This property must be defined in the <OIDC_ISSUER_URL>/.well-known/openid-configuration payload. The OIDC Backchannel Logout URI for DTP is <DTP_INSTALL>/pstsec/logout/connect/back-channel/dtp; for License Server it is <PSTSEC>/pstsec/logout/connect/back-channel/dtp. The logout token submitted to this URI must include a session ID (SID) claim.

...

When DTP is in OpenID Connect mode, you cannot access either the DTP or the Enterprise Pack APIs using basic authentication; likewise, when User Administration is in OpenID Connect mode, you cannot access User Administration using basic authentication. Instead, you must pass an access token to the API endpoint in the request header using the Authorization property. The token is passed using the following format:

...