Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DTPDEVEL and version 2024.1

...

  1. If you have not already done so, register User Administration License Server with your OpenID Connect identity provider.  You can get the values for the attributes used  While registering, note the following values which will be used in the oidc.json file from the authorization server (Keycloak, connect2id, and so on).:

    • issuerUri
    • clientId
    • clientSecret
  2. Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication.  The <pstsec>The following URIs should be registered:

    • http(s)://<HOST>:<PORT>/licenseserver/login/oauth2/code/dtp
    • http(s)://<HOST>:<PORT>/pstsec/login/oauth2/code/dtp
     URI should be registered.

Anchor
LicenseServerConfig
LicenseServerConfig
License Server Configuration

...

Note: For License Server deployed on a custom Tomcat Server, this oidc.json file is located in <TOMCAT_DIR>/LicenseServer/conf directory.

...

Code Block
languagejs
titleDefault contents of the oidc.json file
{
"enabled": false,
"issuerUri": "your issuer uri",
"clientId": "your client id",
"clientSecret": "your client secret",
"scopes": ["openid", "profile", "email"],
"claimMappings":
	{ 
		"username": "preferred_username", 
		"firstName": "given_name", 
		"lastName": "family_name", 
		"email": "email" 
	},
"adminUsers": []
}

...

If you have not already logged into License Server, when you go to the User Administration login page, you will be redirected to the OpenID Connect authentication interface. After specifying your credentials, you will be logged in and redirected back to User Administration.

Advanced Configuration

Enabling Basic Authentication for Automation (CLI) Users

There are two ways that automation users can authenticate with License Server via OIDC:

  • Device code authentication
  • Certification authentication

Your organization may want a simpler way for automation users to authenticate with License Server.

 You can do this by enabling basic authentication for automation users. To do so:

  1. Create automation user(s) in User Administration with a username and password.
  2. Enable basic authentication by adding "enableBasicAuth": true to the oidc.json file.

Restart License Server to apply your changes.

When basic authentication is enabled:

  • License Server UI will still enforce OIDC authentication
  • License Server REST API will accept both OIDC and basic authentication
    • Automation users will call License Server REST API using basic authentication

Example Configurations

The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.

Keycloak

The following configurations are prerequisites for configuring OpenID Connect for Keycloak as described in this example:

...

.

...

Keycloak

...

...

In this example,  demo is the name of the realm, and two administrator users (admin1 and admin2) will be created.

...

Refer to the Keycloak documentation for additional information.

...

Azure (Microsoft Entra ID)

The following example demonstrates how to configure OpenID Connect for GoogleAzure.  In In this example,  two two administrator users (admin1 and admin2[email protected] and [email protected]) will be created.

Code Block
No Format
languagetext
{
    "enabled": true,
    "issuerUri": "https://accountslogin.googlemicrosoftonline.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-google>Azure>",
    "clientSecret": "<clientSecret-from-google>Azure>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings":
	{ 
		 {
        "username": "given_nameemail", 
		
        "firstName": "given_name", 
		
        "lastName": "family_name", 
		
        "email": "email"
 
	   },
    "adminUsers": ["admin1","admin2"] 
        "[email protected]",
        "[email protected]"
    ]
} 

The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields.  The following contains an example response for the user with the email address [email protected].

Code Block
languagetext
{
  "sub": "<unique value for user>",
  "name": "Jane Jones",
  "given_name": "Jane",
  "family_name": "Jones",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email": "[email protected]"
} 

Refer to Microsoft's documentation for additional information.Refer to Google's documentation for additional information. 

Connect2id

The following example demonstrates how to configure OpenID Connect for connect2id. Users must access User Administration over HTTPS when using connect2id as the OpenID Connect provider.In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created. 

...

The first time you log into DTP through connect2id, you may receive an "Invalid Request" error. To resolve the error, use a different browser or clear the cache of your current browser. 

Azure

As a prerequisite, you must configure authentication for the Azure app to allow the following web redirect URIs:

  • https://<DTP_HOST>:<PORT>/grs/login/oauth2/code/dtp
  • https://<DTP_HOST>:<PORT>/licenseserver/login/oauth2/code/dtp
  • https://<DTP_HOST>:<PORT>/pst/login/oauth2/code/dtp
  • https://<DTP_HOST>:<PORT>/pstsec/login/oauth2/code/dtp

The port is not required if the host uses the default HTTPS port 443.

Google

The The following example demonstrates how to configure OpenID Connect for AzureGoogle. In  In this example, two  two administrator users ([email protected] and [email protected]admin1 and admin2) will be created.

No Format
Code Block
languagetext
{
    "enabled": true,
    "issuerUri": "https://loginaccounts.microsoftonlinegoogle.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-Azure>google>",
    "clientSecret": "<clientSecret-from-Azure>google>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings":
	{ {
        
		"username": "emailgiven_name",
         
		"firstName": "given_name",
         
		"lastName": "family_name",
         
		"email": "email" 
    	},
    "adminUsers": [
        "[email protected]",
        "[email protected]"
    ]
} 

The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields.  The following contains an example response for the user with the email address [email protected].

Code Block
languagetext
{
  "sub": "<unique value for user>",
  "name": "Jane Jones",
  "given_name": "Jane",
  "family_name": "Jones",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email": "[email protected]"
} 
"admin1","admin2"] 

Refer to Google's documentation for additional information. Refer to Microsoft's documentation for additional information.

Logout Configuration

DTP uses end_session_endpoint from the OIDC issuer to log out the user from the OIDC server. This property must be defined in the <OIDC_ISSUER_URL>/.well-known/openid-configuration payload.

...