Configure an OpenID Relying Party
We can configure a WebSphere Application Server to function as an OpenID Relying Party (RP or client) to take advantage of web single sign-on using an OpenID Provider as an identity provider.
Configure a WAS to act as an OpenID Relying Party
- Add a new interceptor...
Security > Global security > Web and SIP security > Trust association > Interceptors > New
- Enter the interceptor class name:
com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI
- Add custom properties for the environment.
- Click Apply and Save the configuration updates.
Important: Do not click Save without clicking Apply first or the custom properties are discarded.
- Select...
Global Security > Trust Association > Enable Trust Association check box
- Click...
Security > Global security > Custom properties > New
...and define the following custom property information under General properties:
Name: com.ibm.websphere.security.performTAIForUnprotectedURI
Value: true
This property should be set only if there is a need for the TAI to intercept a request to an unprotected URI.
- Import the OpenID provider's SSL signer certificate to the WAS's truststore.
- In the administrative console, click
Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
- Click Add.
- Add the trusted realm.
Global Security > user account repository > Configure > Trusted authentication realms - inbound > Add External Realm
The RP by default uses the name OpenIDDefaultRealm. If that default is not modified during the configuration of the RP, the same name should be added as a trusted realm. Verify the realmName property configured in the RP is added as a trusted realm.
- Restart WAS.
These steps establish the minimum configuration required to configure a WebSphere Application Server as an OpenID Relying Party capable of communicating with an OpenID Provider.
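The console procedure above as a wsadmin Jython script (an added example, not IBM's code). AdminTask and AdminConfig are passed in so the call sequence can be dry-run with the small recorder class; the wsadmin command and parameter names are assumed from the security command group and should be confirmed with AdminTask.help('<command>') on your release, and the certificate alias openid-op is a made-up value.

```python
# Added example, not IBM's code: the console steps as a wsadmin Jython script.
# AdminTask/AdminConfig are injected so the sequence can be dry-run offline;
# inside wsadmin call configure_openid_rp(AdminTask, AdminConfig, props).
# Command/parameter names are assumed: check AdminTask.help('<name>') first.
TAI_CLASS = "com.ibm.ws.security.openid20.client.OpenIDRelyingPartyTAI"
UNPROTECTED_URI_PROP = "com.ibm.websphere.security.performTAIForUnprotectedURI"
DEFAULT_REALM = "OpenIDDefaultRealm"   # RP default; must be a trusted realm


def trusted_realm_for(rp_props):
    """Realm the RP asserts: realmName if configured, else the RP default."""
    return rp_props.get("realmName", DEFAULT_REALM)


def configure_openid_rp(AdminTask, AdminConfig, rp_props, signer_file=None,
                        truststore="NodeDefaultTrustStore",  # CellDefaultTrustStore on a dmgr
                        tai_for_unprotected=False):
    # 1. New interceptor with the environment's custom properties.
    keys = list(rp_props.keys())
    keys.sort()
    props = " ".join(['"%s=%s"' % (k, rp_props[k]) for k in keys])
    AdminTask.configureInterceptor("[-interceptor %s -customProperties [%s]]"
                                   % (TAI_CLASS, props))
    # 2. Enable trust association.
    AdminTask.configureTrustAssociation("[-enable true]")
    # 3. Only when the TAI must also intercept requests to unprotected URIs.
    if tai_for_unprotected:
        AdminTask.setAdminActiveSecuritySettings(
            '[-customProperties ["%s=true"]]' % UNPROTECTED_URI_PROP)
    # 4. Import the OpenID provider's SSL signer certificate (alias is made up).
    if signer_file:
        AdminTask.addSignerCertificate(
            "[-keyStoreName %s -certificateFilePath %s -base64Encoded true "
            "-certificateAlias openid-op]" % (truststore, signer_file))
    # 5. Trust the realm the RP asserts, so realmName and the trusted realm agree.
    realm = trusted_realm_for(rp_props)
    AdminTask.addTrustedRealms("[-communicationType inbound -realmList %s]" % realm)
    AdminConfig.save()                 # then restart the server
    return realm


class Recorder:
    """Stand-in for AdminTask/AdminConfig: records every call for a dry run."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda *args: self.calls.append((name,) + args)
```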
Related:
OpenID authentication overview
OpenID Relying Party custom properties