Configuring Connections to support Azure OIDC single sign-on
Update HCL Connections configuration files to add the properties needed to support Microsoft Azure Active Directory (Azure AD) OIDC single sign-on.
Before you begin
Update WebSphere to support Azure AD OIDC authentication for Connections
Updating Connections configuration files
For background on how to edit the LotusConnections-config.xml file, see Common configuration properties and Changing common configuration property values.
The useSSO property is similar to the properties discussed in Security token properties.
- In the LotusConnections-config.xml file, add the generic property as follows:

  <genericProperty name="com.hcl.connections.rte.acceptIncomingOAuthTokens">true</genericProperty>

- In the opensocial-config.xml file, update the useSSO property to true:

  <connections-ee-settings useSSO="true" preloadJS="false" preloadJSSafari="true" />
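A quick way to confirm both edits took effect before restarting the servers is to read the two settings back out of the files. The script below is an added example, not HCL tooling or code from this page: it looks up the genericProperty and the connections-ee-settings attribute without depending on the XML namespace, and the two embedded XML fragments are constructed stand-ins for the real files (the real files carry other elements and namespaces; point the functions at their contents instead).

```python
"""Check the two OIDC settings described above (added example, not HCL code).
The XML below is constructed for the example; read the real files from the
Connections shared configuration directory and pass their text to
check_oidc_settings()."""
import xml.etree.ElementTree as ET

# Constructed stand-in for LotusConnections-config.xml (namespace is made up).
LOTUS_CONFIG = """<config xmlns="urn:example:constructed">
  <properties>
    <genericProperty name="some.other.property">false</genericProperty>
    <genericProperty name="com.hcl.connections.rte.acceptIncomingOAuthTokens">true</genericProperty>
  </properties>
</config>
"""

# Constructed stand-in for opensocial-config.xml, still at the default useSSO="false".
OPENSOCIAL_CONFIG = """<config>
  <connections-ee-settings useSSO="false" preloadJS="false" preloadJSSafari="true" />
</config>
"""

TOKEN_PROPERTY = 'com.hcl.connections.rte.acceptIncomingOAuthTokens'


def _local(tag):
    """Strip a '{namespace}' prefix so the lookup works whatever namespace the file uses."""
    return tag.rsplit('}', 1)[-1]


def generic_property(xml_text, name):
    """Return the text of <genericProperty name="..."> or None when it is absent."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == 'genericProperty' and el.get('name') == name:
            return (el.text or '').strip()
    return None


def ee_setting(xml_text, attr):
    """Return an attribute of <connections-ee-settings> or None when absent."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == 'connections-ee-settings':
            return el.get(attr)
    return None


def check_oidc_settings(lotus_xml, opensocial_xml):
    """Return a list of problems; an empty list means both settings are in place."""
    problems = []
    token_prop = generic_property(lotus_xml, TOKEN_PROPERTY)
    if token_prop is None:
        problems.append('acceptIncomingOAuthTokens property is missing')
    elif token_prop.lower() != 'true':
        problems.append(f'acceptIncomingOAuthTokens is {token_prop!r}, expected true')
    sso = ee_setting(opensocial_xml, 'useSSO')
    if sso is None:
        problems.append('connections-ee-settings useSSO attribute is missing')
    elif sso.lower() != 'true':
        problems.append(f'useSSO is {sso!r}, expected true')
    return problems


if __name__ == '__main__':
    for problem in check_oidc_settings(LOTUS_CONFIG, OPENSOCIAL_CONFIG):
        print('FAIL:', problem)
```

Run it against the real files with `check_oidc_settings(open(lotus_path).read(), open(opensocial_path).read())`; with the sample input above it reports only the useSSO value, because the generic property is already true.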
Adding rewrite rules in web server/reverse proxy
Some Connections login URLs are not protected, and therefore not intercepted, by the OIDC provider; a user who reaches one of them would see the local login form instead of being sent to Azure AD. Add rewrite rules in the reverse proxy to redirect those requests to a protected URL.
- Go to /http_server_root/HTTPServer/conf
- Edit the ihs-upload-rewrite.conf file, adding the following rules:

  Redirect /communities/login /communities/service/html/login
  Redirect /homepage/login /homepage/
  Redirect /homepage/auth/login.jsp /homepage/
  Redirect /activities/auth/login.jsp /activities
  Redirect /profiles/login /profiles/html/myProfileView.do
  RedirectMatch /profiles/profile.do(.*) /profiles/html/myprofile.do$1
  Redirect /forums/auth/login /forums/html/my
  Redirect /blogs/login /blogs/roller-ui/myblogs/edit
  Redirect /mobileAdmin/login /mobileAdmin/console

- Add the OIDC discovery redirect for the Azure server:

  Redirect "/.well-known/openid-configuration" https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

  Note: Use the value for {tenant} from step 3 of Adding an application in Azure AD for SSO with Connections.
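To see which request paths the rules above actually catch, the following added example models how Apache/IHS mod_alias evaluates them. It is not code from this page or from IHS: Redirect is matched as a URL-path prefix that must end on a path-segment boundary (with the remainder of the path appended to the target), RedirectMatch is an unanchored regular expression with $N back-references, and rules are tried in file order. The list of probe paths is constructed for the example; the one path not in the page's rule set, /wikis/login, is hypothetical and only there to show what an uncovered login URL looks like.

```python
"""Model of mod_alias Redirect / RedirectMatch evaluation for the rules above
(added example; not HCL or Apache code)."""
import re

# The page's rules, in the order they appear in ihs-upload-rewrite.conf.
RULES = [
    ('Redirect', '/communities/login', '/communities/service/html/login'),
    ('Redirect', '/homepage/login', '/homepage/'),
    ('Redirect', '/homepage/auth/login.jsp', '/homepage/'),
    ('Redirect', '/activities/auth/login.jsp', '/activities'),
    ('Redirect', '/profiles/login', '/profiles/html/myProfileView.do'),
    ('RedirectMatch', r'/profiles/profile.do(.*)', '/profiles/html/myprofile.do$1'),
    ('Redirect', '/forums/auth/login', '/forums/html/my'),
    ('Redirect', '/blogs/login', '/blogs/roller-ui/myblogs/edit'),
    ('Redirect', '/mobileAdmin/login', '/mobileAdmin/console'),
]


def _prefix_match(path, url_path):
    """Number of characters of path matched by a Redirect URL-path, or 0.
    As in mod_alias, the match must end at a segment boundary unless the
    URL-path itself ends with '/', so /communities/login does not catch
    /communities/loginpage."""
    if not path.startswith(url_path):
        return 0
    rest = path[len(url_path):]
    if url_path.endswith('/') or rest == '' or rest.startswith('/'):
        return len(url_path)
    return 0


def resolve(path):
    """Return the redirect target for a request path, or None when no rule matches."""
    for kind, pattern, target in RULES:
        if kind == 'Redirect':
            matched = _prefix_match(path, pattern)
            if matched:
                return target + path[matched:]
        else:  # RedirectMatch: regex search on the path, $N replaced by the capture
            m = re.search(pattern, path)
            if m:
                return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))) or '', target)
    return None


def uncovered(paths):
    """Return the probe paths that no rule redirects, i.e. still reach the local login."""
    return [p for p in paths if resolve(p) is None]


# Constructed probe list: the page's login paths plus one hypothetical extra.
PROBES = [
    '/communities/login',
    '/homepage/auth/login.jsp',
    '/profiles/profile.do',
    '/profiles/profile.do/extra',
    '/blogs/login',
    '/wikis/login',  # hypothetical, not in the rule set
]

if __name__ == '__main__':
    for p in PROBES:
        print(f'{p} -> {resolve(p)}')
```

Feed `uncovered()` the login paths you find in your own access logs (requests that received the Connections login form) to spot any that still need a rule.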
Updating the SameSite cookie attribute
Chrome (since version 80) and other browsers treat a cookie that carries no SameSite attribute as SameSite=Lax, so the browser does not send it on cross-site requests such as a form POST with which the identity provider returns the authorization response to Connections. Cookies that must survive that step need SameSite=None, which browsers accept only together with the Secure attribute, so the site must be served over HTTPS.
On the web server or load balancer, add a rule that appends SameSite=None and Secure to the Set-Cookie headers. For example, in the httpd.conf file, add this line, which uses the mod_headers Header directive to edit every Set-Cookie value:

  Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"

Two caveats: the rule appends the attributes unconditionally, so a cookie that already carries a SameSite attribute ends up with two; and Header edit without the always condition only edits the default response header table, so if cookies set on redirect or error responses still arrive without the attribute, add the same rule again as Header always edit. After restarting the web server, verify the result with a request such as curl -sI https://your-connections-host/ and confirm that each Set-Cookie header ends with SameSite=None;Secure.
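The following added example (not HCL or Apache code) applies the rule above to sample Set-Cookie values and checks the outcome the way a browser will judge it: is Secure present, is SameSite present exactly once, and is it None. The cookie values are constructed; LtpaToken2 and JSESSIONID are used as familiar names, not real session values. The last function shows the check a more careful rule would make before appending, leaving a cookie alone when it already declares SameSite.

```python
"""Effect of `Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"` on
sample cookies, with the checks to run on the result (added example)."""
import re

# The page's rule, expressed as (regex, replacement) in Python syntax ($1 -> \1).
PAGE_RULE = (r'^(.*)$', r'\1; SameSite=None;Secure')


def apply_header_edit(value, rule=PAGE_RULE):
    """Apply a mod_headers-style edit to one Set-Cookie value."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, value, count=1)


def cookie_attributes(value):
    """Split a Set-Cookie value into (cookie name, {attribute: [values...]}).
    Attribute names are lower-cased; flags such as Secure map to ['']."""
    parts = [p.strip() for p in value.split(';')]
    name = parts[0].split('=', 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition('=')
        attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return name, attrs


def check_cross_site_ready(value):
    """Findings for a cookie that must be sent on cross-site requests."""
    _, attrs = cookie_attributes(value)
    findings = []
    if 'secure' not in attrs:
        findings.append('missing Secure; browsers reject SameSite=None without it')
    same_site = attrs.get('samesite', [])
    if not same_site:
        findings.append('missing SameSite; Chrome 80+ treats it as Lax')
    elif len(same_site) > 1:
        findings.append(f'SameSite set {len(same_site)} times: {same_site}')
    elif same_site[0].lower() != 'none':
        findings.append(f'SameSite={same_site[0]} blocks cross-site use')
    return findings


def careful_edit(value):
    """Append the attributes only when the cookie does not already set SameSite."""
    _, attrs = cookie_attributes(value)
    if 'samesite' in attrs:
        return value
    return apply_header_edit(value)


# Constructed samples: a typical WebSphere SSO cookie and one that already sets SameSite.
SAMPLES = [
    'LtpaToken2=AAAABBBB; Path=/; HttpOnly',
    'JSESSIONID=0000xyz; Path=/; HttpOnly; SameSite=Lax',
]

if __name__ == '__main__':
    for original in SAMPLES:
        edited = apply_header_edit(original)
        print(edited, '->', check_cross_site_ready(edited) or 'ok')
```

The first sample comes out correct; the second ends up with SameSite twice, which is the duplicate case the page's blanket rule produces and the reason to check the cookies the server actually sets before adopting it.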
Parent topic: Enabling single sign-on with OIDC for Microsoft Azure AD