Supporting Azure SSO for mobile clients
When using Azure SSO, the mobile clients will use token-based authentication to access Connections. Note that it's required that the Connections server endpoints accessed by the clients are configured with a trusted SSL certificate. Untrusted certificates such as self-signed are not supported.
Steps involving both the Connections server and the Azure portal are provided in the following two procedures.
Procedure for the Connections server
- Follow the steps in Changing Mobile configuration property values to check out the mobile-config.xml file for updates.
-
Using a text editor, edit the mobile-config.xml file and locate the following section. Ensure that SecuritySettings enabled="true" and that the <AuthType> element is set to OAuth as shown:
<!-- SECURITY SETTINGS SECTION --> <SecuritySettings enabled="true"> <!-- Authentication mechanism for the server. One of TAM, SiteMinder, Form, Basic, SPNEGO, OAuth -->
<AuthType>OAuth</AuthType>
-
Find the value of provider_1.authorizeEndpointUrl, which was entered for the OIDC Relying Party provider in Table 1 of Updating WebSphere to support Azure AD OIDC authentication for Connections. Use this same value and insert it as the value of the <OAuthAuthorizationURL> element.
For example:
<OAuthAuthorizationURL>https://login.microsoftonline.com/b6c7fc02-7489-8729-a3c2-1af11e623345/oauth2/v2.0/authorize</OAuthAuthorizationURL>
-
Find the value of provider_1.tokenEndpointUrl, which was entered for the OIDC Relying Party provider in Table 1 of Updating WebSphere to support Azure AD OIDC authentication for Connections. Use this same value and insert it as the value of the <OAuthTokenURL> element.
For example:
<OAuthTokenURL>https://login.microsoftonline.com/b6c7fc02-7489-8729-a3c2-1af11e623345/oauth2/v2.0/authorize</OAuthTokenURL>
-
Find the value of provider_1.clientId, which was entered for the OIDC Relying Party provider in Table 1 of Updating WebSphere to support Azure AD OIDC authentication for Connections. Use this same value and insert it as the value of the <OAuthClientId> element.
For example:
<OAuthClientId>b850bc0a-0893-4cd7-7e22-9738a43c585d</OAuthClientId>
-
Find the value of provider_1.scope, which was entered for the OIDC Relying Party provider in Table 1 of Updating WebSphere to support Azure AD OIDC authentication for Connections. Use this same value but add the string “offline_access” to the list of scopes, with a space between the other scopes. Insert this combined string as the value of the <OAuthScopes> element.
For example:
<OAuthScopes>openid profile email api://b850bc0a-0893-4cd7-7e22-9738a43c585d/default offline_access</OAuthScopes>
-
Save mobile-config.xml and follow the steps for checking the file back into WebSphere Application Server.
- Perform a full synchronization of the nodes and restart the mobile application using the WebSphere administration console.
Procedure for the Azure administrator
- Log in to the Azure portal at https://portal.azure.com to edit the Connections application that was added previously in Adding an application in Azure AD for SSO with Connections.
- Under Azure Services, click App Registrations and select the app used by Connections.
- Under Manage, click the Authentication tab and select Add a platform. Click Mobile and desktop applications.
-
To add support for the Connections desktop plugin applications, under Custom redirect URIs, enter the following and then click Configure:
com.ibm.ibmscp://com.ibm.mobile.connections/token
-
Still on the Authentication tab, under Advanced settings, enable public client flows for mobile and desktop clients by setting the value to Yes.
- Save the registration.
Parent topic:Enabling single sign-on with OIDC for Microsoft Azure AD