Enabling single sign-on with OIDC for Microsoft Azure AD
Single sign-on is accomplished by setting up a trust relationship between the Connections server and Microsoft Azure Active Directory using the IBM WebSphere OpenID Connect Relying Party Trust Association Interceptor (OIDC Relying Party TAI).
For background on OIDC (OpenID Connect), you can see these topics in the IBM documentation for WebSphere Application Server:
Enabling this single sign-on in Connections involves completing three major steps:
- Adding an app for Connections in Azure
- Updating WebSphere to support single sign-on with Connections
- Configuring Connections to support Azure
Note: You will use values from WebSphere TAI when adding the Connections app in Azure. Then use some Azure application values to complete the WebSphere configuration.
- Adding an application in Azure AD for SSO with Connections
Part of setting up single sign-on with OIDC involves registering an application in Microsoft Azure Active Directory.
- Updating WebSphere to support Azure AD OIDC authentication for Connections
Single sign-on is accomplished by setting up a trust relationship between the Connections server and Microsoft Azure using the WebSphere OpenID Connect Relying Party Trust Association Interceptor (OIDC Relying Party TAI). This requires that the WebSphereOIDCRP application is installed on each cluster.
- Configuring Connections to support Azure OIDC single sign-on
Update TCL Connections configuration files to add the properties needed to support Microsoft Azure Active Directory OIDC single sign-on.
- Supporting Azure SSO for mobile clients
When using Azure SSO, the mobile clients will use token-based authentication to access Connections. Note that it's required that the Connections server endpoints accessed by the clients are configured with a trusted SSL certificate. Untrusted certificates such as self-signed are not supported.
Parent topic:Configuring single sign-on