Implement OpenID Connect with PPM Center
This section describes how to implement OpenID Connect single sign-on (OIDC SSO) with PPM.
Setting up OIDC SSO with PPM
- Register PPM as a Relying Party (RP) in the OpenID Provider (OP) with these parameters:
  - Callback URI: <PPM_BASE_URL>/itg/web/sso/oidc_callback.jsp
  - Post Logout URI: <PPM_BASE_URL>/itg/web/sso/loggedout.jsp
  Note the OAuth Client Key and OAuth Client Secret that the OP assigns to PPM.
- Edit the PPM server.conf file and add or change the following line:
  com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.OIDCSingleSignOn
- Edit <PPM_HOME>/integration/sso/oidc_sso.conf:
  - Add discovery_file=<path to OP metadata file> or discovery_uri=<URI of OP metadata file>
  - Add client_id=<OAuth Client Key for PPM>
  - If PPM cannot access the OP directly, configure the proxy: proxy=<proxy_dns or proxy_ip>:<proxy_port>
- If the OP uses a self-signed certificate for HTTPS, add disable_ssl=true so that PPM does not reject the OP's certificate. Only use this option in development or test environments. Never use it in a production environment.
  - Add
- Restart the PPM user instances.
Troubleshooting
- To troubleshoot SSO, check the <ppm_server>/log/serverLog.txt file.
- For more debug information, edit <PPM_HOME>/conf/logging.conf:
  - Set com.kintana.core.logging.SYSTEM_THRESHOLD = DEBUG
  - Add com.kintana.core.logging.PRODUCT_FUNCTION_LOGGING_LEVEL = com.kintana.sc.authentication, DEBUG
Advanced Configuration
You can override the default settings or the RP metadata parameters in the oidc_sso.conf file.
Override OP metadata obtained from discovery_file or discovery_uri (see above):
Parameter name | Description
---|---
issuer | The issuer identifier for the OpenID Provider.
authorization_endpoint | The endpoint on the authorization server where the resource owner logs in and grants authorization to the client application.
token_endpoint | The endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret for an ID token.
jwks_uri | The URI of the OpenID Provider's JWK Set, a JSON array of the JSON Web Keys (JWK) used for JSON Web Signature. If empty, ID token signatures are not verified.
end_session_endpoint | The endpoint used to trigger single sign-out. If empty, sign-out is disabled.
Override default settings:
Parameter name | Description
---|---
flow | Allowed values: AUTHORIZATION CODE or IMPLICIT. Default value: PPM automatically chooses the most appropriate flow.
audience | The expected audience of the ID Token issued by the OP. Default value: the OAuth Client ID of the PPM application.
user_id_claim | The claim in the ID Token used as the user ID in PPM. Default value: sub
leeway | A leeway window within which the ID Token is still considered valid. Default value: 0
post_logout_redirect_uri | The redirect URI used after the OP successfully logs the user out. Default value: <PPM_BASE_URL>/itg/sso/loggedout.jsp
token_endpoint_auth_method | The authentication method used when the client application (PPM) exchanges the authorization code, client ID and client secret for an ID token at the OP token endpoint. Allowed values: client_secret_basic or client_secret_post. Default value: client_secret_basic
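As an added example (not part of PPM or this documentation), a small Python lint that reads an oidc_sso.conf in the key=value form shown above and flags the settings the steps and tables above single out: disable_ssl=true, an empty jwks_uri (signatures not verified), an oversized leeway, a missing discovery source or client_id, and an unsupported flow. The severity labels, the leeway threshold and the sample values are constructed assumptions.

```python
# Added lint for PPM's oidc_sso.conf (key=value lines). Not PPM code; severity
# labels, the leeway threshold and the sample values are assumptions.
ALLOWED_FLOWS = {"AUTHORIZATION CODE", "IMPLICIT"}
MAX_LEEWAY = 60  # assumed threshold; the unit is whatever PPM expects for leeway

def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def lint_oidc_conf(text):
    """Return (severity, message) findings for an oidc_sso.conf body."""
    conf = parse_conf(text)
    findings = []
    if "discovery_file" not in conf and "discovery_uri" not in conf:
        findings.append(("ERROR", "neither discovery_file nor discovery_uri is set"))
    if not conf.get("client_id"):
        findings.append(("ERROR", "client_id is missing"))
    if conf.get("disable_ssl", "false").lower() == "true":
        findings.append(("HIGH", "disable_ssl=true: OP certificate is not validated (dev/test only)"))
    if "jwks_uri" in conf and not conf["jwks_uri"]:
        findings.append(("HIGH", "jwks_uri is empty: ID token signatures are not verified"))
    flow = conf.get("flow")
    if flow is not None and flow not in ALLOWED_FLOWS:
        findings.append(("ERROR", f"flow={flow!r} is not AUTHORIZATION CODE or IMPLICIT"))
    leeway = conf.get("leeway", "0")
    if leeway.isdigit() and int(leeway) > MAX_LEEWAY:
        findings.append(("MEDIUM", f"leeway={leeway} widens the ID token validity window"))
    return findings

# Constructed sample: valid discovery and client_id, two weak settings, oversized leeway.
SAMPLE_CONF = """\
discovery_uri=https://op.example.test/.well-known/openid-configuration
client_id=ppm-client
disable_ssl=true
jwks_uri=
leeway=300
"""

if __name__ == "__main__":
    for severity, message in lint_oidc_conf(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```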
Limitations
- Only the AUTHORIZATION CODE flow and the IMPLICIT flow are supported.
- token_endpoint_auth_method can only be either client_secret_basic or client_secret_post.