Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Configuration Guide


4.11.1 Providing linkage with an OpenID provider through single sign-on

This subsection describes how to provide linkage with an OpenID provider through single sign-on.

Note that the settings for OpenID authentication take effect only after JP1/IM - Manager is restarted. If you set up the linkage while JP1/IM - Manager is running, the settings are not yet applied when you have completed steps 1 through 6.

  1. Register the Intelligent Integrated Management Base as a client in the linked OpenID provider and obtain the client ID and client secret from the client information issued for the Intelligent Integrated Management Base.

    For details about how to register the client, see the specifications of the OpenID provider to be linked.

    • If you use OpenID authentication as a method to authenticate the REST API of the Intelligent Integrated Management Base, you need the login user name in the access token when mapping the JP1 user name to the user name registered in the OpenID provider. Therefore, if you use OpenID authentication, configure the linked OpenID provider so that the login user name for the OpenID provider is contained in the preferred_username claim of the access token. For details about OpenID authentication, see 5.2.8 Authentication methods for REST API in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

    • After the login or logout process via the OpenID provider succeeds, the Web browser is redirected to the Intelligent Integrated Management Base. Therefore, allow redirection both to the URI specified for jp1.imdd.oidc.<key-name-of-the-OpenID-provider>.redirect-uri in the Intelligent Integrated Management Base and to the login URI of the Intelligent Integrated Management Base.

  2. Define the information on the linked OpenID provider in the Intelligent Integrated Management Base definition file (imdd.properties).

    For details about the properties you define, see Intelligent Integrated Management Base definition file (imdd.properties) in Chapter 2. Definition Files in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

    Obtain the configuration information from the OpenID provider and configure the setting values of the properties with the information. The OpenID provider provides its configuration information using the following URI path, based on the OpenID Connect specifications:

    /.well-known/openid-configuration

    For details, see the specifications of the OpenID provider to be linked.

  3. Use the jddsetaccessuser command to set up the JP1 user used in the Intelligent Integrated Management Base.

    If the user has already been set up, you can skip this step.

    For details about the jddsetaccessuser command, see jddsetaccessuser in Chapter 1. Commands in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

  4. Use the jddsetopinfo command to set up the client ID and client secret that you obtained in step 1 when registering the client in the OpenID provider.

    For details about the jddsetopinfo command, see jddsetopinfo in Chapter 1. Commands in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

  5. If you connect the Intelligent Integrated Management Base with the OpenID provider via a proxy server, define proxy information in the Intelligent Integrated Management Base definition file (imdd.properties).

    If no proxy server is used, you can skip this step. If user authentication for the proxy server is required, also carry out step 6.

  6. If user authentication for the proxy server is required, define user information in the Intelligent Integrated Management Base definition file (imdd.properties) and use the jddsetproxyuser command to set up authentication information.

    If no user authentication for the proxy server is required, you can skip this step.

    For details about the jddsetproxyuser command, see jddsetproxyuser in Chapter 1. Commands in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

  7. Start the JP1/IM - Manager service.

    If the service is already running, restart it.

  8. Define the mapping between the user name registered in the OpenID provider and the JP1 user name registered in JP1/Base, in the single sign-on mapping definition file.

    For details about the single sign-on mapping definition file, see Single sign-on mapping definition file (imdd_sso_mapping.properties) in Chapter 2. Definition Files in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

  9. Use the jddupdatessomap command or the single sign-on mapping definition application API (im_api_v1_updateSsoMap) to apply the definition.

    For details about the jddupdatessomap command, see jddupdatessomap in Chapter 1. Commands in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

    For details about the single sign-on mapping definition application API (im_api_v1_updateSsoMap), see 5.14.1 Single sign-on mapping definition application in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.
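The following is an added example, not code from the JP1 product or this manual: a small Python pre-flight check for the provider settings the steps above depend on. It builds the discovery URL from step 2, checks that the provider's configuration document carries the endpoints you will copy into imdd.properties, decodes an access token to confirm the preferred_username claim required in step 1, and resolves that name through the mapping from step 8. The discovery document, token and mapping table are constructed, the issuer URL is a placeholder, and the mapping is shown as a plain dictionary because the syntax of imdd_sso_mapping.properties is only given in the referenced manual.

```python
"""Pre-flight checks for the OpenID linkage: discovery document (step 2),
preferred_username in the access token (step 1) and user mapping (step 8).
Added example; the provider document, token and mapping below are constructed."""
import base64
import json

DISCOVERY_PATH = "/.well-known/openid-configuration"  # path given in step 2
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ISSUER = "https://idp.example.com"  # constructed placeholder issuer URL

def discovery_url(issuer: str) -> str:
    """Build the URL from which the provider's configuration is fetched."""
    return issuer.rstrip("/") + DISCOVERY_PATH

def check_discovery(issuer: str, doc: dict) -> list:
    """Report endpoints missing from the document, or a document for a different issuer."""
    problems = ["missing " + key for key in REQUIRED_KEYS if key not in doc]
    if "issuer" in doc and doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append("issuer mismatch: " + doc["issuer"])
    return problems

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. Claim inspection only: the signature is
    not verified, so this is for configuration checks, never for authentication."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_jp1_user(token: str, mapping: dict):
    """Map the provider login name (preferred_username) to the JP1 user name.
    None means the claim is absent (step 1) or the user is unmapped (step 8)."""
    name = jwt_claims(token).get("preferred_username")
    return mapping.get(name) if name else None

def _segment(obj: dict) -> str:
    """base64url-encode one JWT segment without padding (used to build sample data)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data standing in for what the provider would return.
SAMPLE_DISCOVERY = {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/auth",
                    "token_endpoint": ISSUER + "/token", "jwks_uri": ISSUER + "/jwks"}
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256", "typ": "JWT"}),
                         _segment({"iss": ISSUER, "preferred_username": "alice"}),
                         "signature-omitted"])
# Assumed table form: OpenID login name -> JP1 user name. The real syntax of
# imdd_sso_mapping.properties is in the referenced manual, not reproduced here.
SAMPLE_MAPPING = {"alice": "jp1admin"}
```

A missing preferred_username or an empty mapping result is the condition that leaves a JP1 user unable to log in through the provider, so both are reported as None rather than raising.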