azureOidc.md

Set up Azure or Entra OIDC for WebSphere and Liberty clients

---

Description

Setting up Microsoft ®️ Azure™️ AD and Entra™️ ID as an OIDC OP for WebSphere™️ and Liberty clients. This document is indended as a fast path to get you started with using Microsoft Entra ID (formerly Azure AD) as your OpenID Connect provider (OP) for the WebSphere Application Server traditional and Liberty OIDC relying parties (RP).

You can use the Azure portal or the Entra ID admin center for this procedure.

References

Here are some links from Microsoft that contain more detailed configuration information:

• Quickstart: Set up a tenant
• Quickstart: Register an application with the Microsoft identity platform
• Quickstart: Configure an application to expose a web API
• Quickstart: Configure a client application to access a web API

Here is a link to an Entra ID setup that might be is less detailed, but includes using either Power Pages or Azure:

• Set up an OpenID Connect provider with Microsoft Entra ID

Background

The Azure AD application configuration and OIDC RP configurations work in concert with each other. The Azure config requires a redirect URL from the RP. The RP configuration requires the client ID, client secret, and discovery URL from the Azure configuration. Whichever configuration you choose to do first, you must go back and edit that configuration using information from the second. For instance, if you configure Azure first, after configuring the RP, you go back into your Azure config and add the redirect URL.

If the RP (WebSphere traditional or Liberty) and Azure administration roles are separated in your organization, it is best to perform the RP configuration first, then provide the redirect URL to your Azure administrator. The Azure administrator then returns the client ID, client secret, and discovery URL to you.

Before you begin

Configure your OIDC RP:

• For WebSphere Application Server Traditional, see Configuring an OpenID Connect Relying Party and OpenID Connect Relying Party custom properties.

  • On the Import the OpenID connect provider's SSL signer certificate to the WebSphere Application Server truststore step, use the following data:
    • host: login.microsoftonline.com
    • port: 443

• For Liberty, see Configuring an OpenID Connect Client in Liberty

  • On the step to Configure the truststore of the server to include the signer certificates of the OpenID Connect Providers that are supported using the Adding trusted certificates in Liberty topic in IBMDOCS, the signer certificate that you want is for the following endpoint:
    • https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    • Where {tenant} is the name of your tenant.

• The Redirect URI that you will use for the RP when configuring Azure is https://(hostname):(port)/(contextRoot)/(identifier), where:

  • (hostname):(port):
    • The hostname and SSL port of the WebSphere or Liberty server.
  • (contextRoot):
    • Liberty :
      • Replace the value with oidcclient/redirect
    • WebSphere traditional:
      • The default value is oidcclient
      • This is the context root of WebsphereOIDCRP ear
      • To find the value, in the Administrative console, navigate to All Applications > WebsphereOIDCRP > Context Root for Web Modules
        • If you installed the OIDC ear using deployOidc.py for use with the admin console, then you want to look for WebsphereOIDCRP_Admin instead of WebsphereOIDCRP
  • (identifier)
    • Liberty: the value for the id attribute of your openidConnectClient configuration.
    • WebSphere traditional: the value for the provider_(id).identifier OIDC TAI custom property.
  • Examples :
    • Liberty: https://test.co:9443/oidcclient/redirect/RP1
    • Websphere traditional: https://test.co:9443/oidcclient/RP1

Create an Azure AD user account

• If you are working with a free Azure account and have not yet added any users, follow the steps to Create a user account on Quickstart: Create and assign a user account.
  • Caution: You won't be able to add a group as shown in the Assign a user account to an enterprise application section, so don't try it.

Procedure

Login to your identity provider portal

Do one of the following:

• Login to the Entra admin center

  1. Login to the Entra admin center at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/EntraNav.ReactView.
  2. If you have access to multiple tenants, perform the following actions to choose the tenant in which you want to register the application:
     1. Click the settings icon    in the top menu to access the Directories + subscriptions filter menu.
     2. Switch to the tenant in which you want to register the application.
     3. After you select your tenant, click    in the top menu on the left to return to the Entra admin center menu.
     4. Under Identity in the menu on the left, click Applications, then App registrations

• Login to the Azure portal

  1. Login to the Azure portal at https://portal.azure.com.
  2. If you have access to multiple tenants, perform the following actions to choose the tenant in which you want to register the application:

     1. Click the settings icon    in the top menu to access the Directories + subscriptions filter menu.

     2. Switch to the tenant in which you want to register the application.

     3. After you select your tenant, click    in the top menu on the left to return to the Azure services menu.

     4. In the search box in the menu bar at the top, search for Azure Active Directory then click Microsoft Entra ID

        

     5. Under Manage in the menu on the left, click App Regsistrations

        

Register your application

1. In the action bar, click New registration

   

2. On the Register an application panel, provide the details for the application you are registering:

   • Name: The name of your application
   • Supported account type: Multitenant
     • If you need your application to use Oauth V2.0 endpoints, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts
   • The Redirect URI field is optional on this page; instructions are provided later in this document for setting the Redirect URI
     • If you enter it now, be sure to select Web as the platform

3. Click Register

   • Note values to use when when configuring WebSphere or Liberty later in this task.
     • Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
       • where {tenant} is the name of your tenant.
       • you can see this URL if you click the Endpoints link at the top of the **App registrations page. It is in the the OpenID Connect metadata document field.
     • The generated for the client ID and tenant ID
       • All your client secrets use the same client ID.

4. Create a client secret

   1. Next to Client credentials, click Add a certificate or secret

   2. Click New client secret

      

   3. Enter a description for your new secret and the expiration, then click Add

      

   4. Caution: Be sure to note the value that is generated for the client secret to use when configuring WebSphere or Liberty later in this task. You cannot view this value again later.

      

Add permissions

1. Under Manage, click API Permissions, then Add a permission

   

2. Click Microsoft Graph

   

3. Click Delegated permissions

   

4. Check the Openid permissions, then click Add permissions:

   • openid
   • profile
   • (Optional) Check any other permissions that your application might require.

   

5. Click Grant admin consent, then click Yes

   

Expose an API

1. Under Manage, click Expose an API > Add a scope > Save and Continue

   

2. Fill in the required fields, then click Add scope:

   • Scope name = default
   • Who can consent = Admins and users
   • Admin consent display name
   • Admin consent description
   • State = Enabled

Add a redirect URI:

1. Under Manage, click Authentication > Add a platform > Web

   

2. Fill in the information on the Configure Web panel:

   1. Redirect URI: https://(hostname):(port)/(contextRoot)/(identifier)
      • If you have your redirect URI, enter it now. a
      • Otherwise, see the Before you begin section for how to determine your redirect URI.
   2. Implicit grant and hybrid flows:
      • Check both Access tokens and ID tokens

3. Click Configure

What to do next

1. Use the client ID, client secret, and discovery URL to complete your OIDC configuration on WebSphere or Liberty

   • For WebSphere Application Server Traditional, see OpenID Connect Relying Party custom properties.
   • For Liberty, see Configuring an OpenID Connect Client in Liberty.

2. (Optional): If your RP is WebSphere traditional:

   • See the Configuring the OIDC TAI to perform RP-Initiated Logout task in IBMDOCs to determine if you want to use RP-Initiated logout.

   • If you want to perform RP-Initiated logout, perform the configuration on WebSphere, then use the provider_(id).endSessionRedirectUrl to complete configuration in Azure:

     1. Login to the Azure portal at https://portal.azure.com.

     2. If you have access to multiple tenants, perform the following actions to choose the in which your application definition resides:

        • Click    in the top menu to access the Directories + subscriptions filter menu.
        • Switch to the tenant in which your application definition resides.
        • After you select your tenant, click    in the top menu on the left to return to the Azure services menu.

     3. Click More services > Azure Active Directory

     4. Under Manage, click App registrations

     5. Click the application that you want to update.

     6. Under Manage, click Authentication.

     7. In the Platform configurations panel, enter your endSessionRedirectUrl in the Front-channel logout URL field, then click Save.