Configuring Connections to support Keycloak OIDC Authentication

Update HCL Connections configuration files to add the properties needed to support Keycloak OIDC authentication.

Before you begin

Update WebSphere to support Keycloak OIDC Authentication for Connections

Updating Connections configuration files

For background on how to edit the LotusConnections-config.xml file, see Common configuration properties and Changing common configuration property values.

  1. In the LotusConnections-config.xml file, update the oidc_op service with the property below:
    [Screenshot: keycloak_config_oidc_op.jpg]
  2. In the LotusConnections-config.xml file, add the generic property as follows:

    <genericProperty name="com.hcl.connections.rte.acceptIncomingOAuthTokens">true</genericProperty>
    
  3. In the opensocial-config.xml file, update the useSSO property to true:

    <connections-ee-settings useSSO="true" preloadJS="false" preloadJSSafari="true" />
    
    Note: The useSSO property is similar to the properties discussed in Security token properties.

Adding rewrite rules in web server/reverse proxy

Some Connections login URLs are not protected, so the OIDC provider never intercepts them. Add rewrite rules in the reverse proxy to redirect these requests to a protected URL.

  1. Go to /http_server_root/HTTPServer/conf
  2. Edit the ihs-upload-rewrite.conf file, adding the following rules:

    Redirect /communities/login /communities/service/html/login
    Redirect /homepage/login /homepage/ 
    Redirect /homepage/auth/login.jsp /homepage/
    Redirect /activities/auth/login.jsp /activities
    Redirect /profiles/login /profiles/html/myProfileView.do
    RedirectMatch /profiles/profile.do(.*) /profiles/html/myprofile.do$1
    Redirect /forums/auth/login /forums/html/my
    Redirect /blogs/login /blogs/roller-ui/myblogs/edit
    Redirect /mobileAdmin/login /mobileAdmin/console
    
  3. Add redirect for the OIDC discovery for the Keycloak server:

    Redirect "/.well-known/openid-configuration" "https://{your keycloak server}/auth/realms/{realm}/.well-known/openid-configuration"
    Redirect "/auth/realms/{realm}/.well-known/openid-configuration" "https://{your keycloak server}/auth/realms/{realm}/.well-known/openid-configuration"
    

    Note: Use the value for {realm} from Step 1 of Configuring Keycloak as an OIDC provider for Connections.

Updating the SameSite cookie attribute

Chrome and other browsers now require an explicit SameSite cookie attribute for cookies sent on cross-site requests. This interferes with the CORS conversation between Keycloak and the WebSphere TAI.

On the web server or load balancer, add a rule that appends SameSite=None to the cookie attributes. For example, in the httpd.conf file, add the following Header directive to set the SameSite attribute of every cookie to None. Browsers only honour SameSite=None on cookies that also carry the Secure attribute, which this directive appends as well.

Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"
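To verify what that Header directive does to the cookies the proxy forwards, the following added example (not part of this page or of HCL Connections) replays the same regex rewrite over a few constructed Set-Cookie values and flags the cases a browser would reject: SameSite=None without Secure, a missing SameSite=None, and a duplicate SameSite attribute left behind when the upstream cookie already carried one. The sample cookie names and values are assumptions for illustration.

```python
import re

# Constructed sample Set-Cookie values (illustrative, not captured from a real server),
# modelled on what a Connections/WebSphere deployment could emit.
SAMPLE_COOKIES = [
    "LtpaToken2=abc123; Path=/; HttpOnly",
    "JSESSIONID=0000xyz:node1; Path=/; HttpOnly; SameSite=Lax",
    "KEYCLOAK_SESSION=sess; Path=/auth; Secure",
]

# Same pattern and replacement as the page's directive:
#   Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"
HEADER_EDIT_PATTERN = re.compile(r"^(.*)$")
HEADER_EDIT_REPLACEMENT = r"\1; SameSite=None;Secure"

def apply_header_edit(set_cookie: str) -> str:
    """Apply the httpd 'Header edit' rewrite to one Set-Cookie header value."""
    return HEADER_EDIT_PATTERN.sub(HEADER_EDIT_REPLACEMENT, set_cookie, count=1)

def cookie_attributes(set_cookie: str) -> dict:
    """Map each attribute name (lower-cased) to the list of values it was given.
    A list is kept per name so repeated attributes (two SameSite values) stay visible."""
    attrs: dict = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs.setdefault(name.strip().lower(), []).append(value.strip().lower())
    return attrs

def check_samesite_none(set_cookie: str) -> list:
    """Return the problems a browser would trip over with this cookie, as short codes."""
    attrs = cookie_attributes(set_cookie)
    samesite = attrs.get("samesite", [])
    problems = []
    if "none" not in samesite:
        problems.append("missing-samesite-none")  # dropped on the cross-site return from Keycloak
    elif "secure" not in attrs:
        problems.append("none-without-secure")    # browsers reject SameSite=None without Secure
    if len(samesite) > 1:
        problems.append("duplicate-samesite")     # upstream already set SameSite; last value wins
    return problems

def audit(cookies) -> dict:
    """Run the rewrite over every cookie and report the remaining problems per cookie name."""
    report = {}
    for raw in cookies:
        rewritten = apply_header_edit(raw)
        report[raw.split("=", 1)[0]] = check_samesite_none(rewritten)
    return report
```

Running audit(SAMPLE_COOKIES) shows the rewrite is fine for cookies without a SameSite attribute, but a cookie that already carried SameSite=Lax ends up with two SameSite values and should be fixed at the source rather than patched twice.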

Parent topic: Enabling Keycloak as an OIDC provider for Connections