diff --git a/authentication/AzureAD/README.md b/authentication/AzureAD/README.md index 6da109f5..228ee3a7 100644 --- a/authentication/AzureAD/README.md +++ b/authentication/AzureAD/README.md @@ -140,7 +140,16 @@ After activating your account by email, you should have access to your Aure AD i ![New Web Application](images/RegisterApp.png) -2. Generate an OpenID client secret. +2. Retrieve Tenant and Client information. + + In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**: + + * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. + * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. + + ![Tenant ID](/images/AzureAD/GetTenantID.png) + +3. Generate an OpenID client secret. In **Azure Active Directory** / **App registrations**, select **ODM Application**: @@ -153,7 +162,7 @@ After activating your account by email, you should have access to your Aure AD i >Important: This client secret can not be revealed later. If you forgot to take note of it, you'll have to create another one. -3. Add Claims. +4. Add Claims. In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: 
@@ -178,37 +187,47 @@ After activating your account by email, you should have access to your Aure AD i * Check Security Groups * Click Add -4. API Permissions. +5. Create a custom claim named "identity" + + To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow: + + In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: + + * Click on Edit of the "Attributes & Claims" section + * Click + Add new claim + * Name: identity + * Fill 2 Claim conditions in the exact following order: + 1. User Type: Any / Scope Groups: 0 / Source: Attribute / Value: + 2. User Type: Members / Scope Groups: 0 / Source: Attribute / Value: user.mail + +6. API Permissions. In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**. * Click Grant Admin Consent for Default Directory -5. Manifest change. +7. Manifest change. In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**. - As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2 and then click Save. + As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2. ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file. -6. Retrieve Tenant and Client information. 
- In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**: - - * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. - * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. + It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token. - ![Tenant ID](images/GetTenantID.png) -7. Check the configuration. + Then, click Save. + +8. Check the configuration. Download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM. - 7.1 Verify the Client Credential Token + 8.1 Verify the Client Credential Token You can request an access token using the Client-Credentials flow to verify the token format. - This token is used for the deployment between Decision Cennter and the Decision Server console: + This token is used for the deployment between Decision Center and the Decision Server console: ```shell $ ./get-client-credential-token.sh -i -x -n @@ -234,6 +253,7 @@ After activating your account by email, you should have access to your Aure AD i ```json { "aud": "", + "identity": "", ... "iss": "https://login.microsoftonline.com//v2.0", ... 
@@ -245,7 +265,7 @@ After activating your account by email, you should have access to your Aure AD i - *aud*: should be your CLIENT_ID - *iss*: should end with 2.0. otherwise you should verify the previous step **Manifest change** - 7.2 Verify the Client Password Token. + 8.2 Verify the Client Password Token. To check that it has been correctly taken into account, you can request an ID token using the Client password flow. @@ -270,6 +290,7 @@ After activating your account by email, you should have access to your Aure AD i "iss": "https://login.microsoftonline.com//v2.0", ... "email": "", + "identity": "", "groups": [ "" ], @@ -546,7 +567,7 @@ Get hands-on experience with IBM Operational Decision Manager in a container env To manage ODM runtime call on the next steps, we used the [Loan Validation Decision Service project](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) -Import the **Loan Validation Service** in Decision Center connected as John Doe +Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2 ![Import project](../Keycloak/images/import_project.png) diff --git a/authentication/AzureAD/azuread-odm-script.zip b/authentication/AzureAD/azuread-odm-script.zip index 3ead166f..14e45800 100644 Binary files a/authentication/AzureAD/azuread-odm-script.zip and b/authentication/AzureAD/azuread-odm-script.zip differ diff --git a/authentication/AzureAD/templates/openIdWebSecurity.xml b/authentication/AzureAD/templates/openIdWebSecurity.xml index 4ee4e6c5..d7b92fba 100644 --- a/authentication/AzureAD/templates/openIdWebSecurity.xml +++ b/authentication/AzureAD/templates/openIdWebSecurity.xml 
@@ -22,5 +22,5 @@ issuerIdentifier="${ServerHost}/v2.0" authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize" tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token" - userIdentifier="aud" groupIdentifier="groups" audiences="ALL_AUDIENCES"/> - \ No newline at end of file + userIdentifier="identity" groupIdentifier="groups" audiences="ALL_AUDIENCES"/> + diff --git a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md index a8001c8c..13feac86 100644 --- a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md +++ b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md @@ -263,6 +263,7 @@ oc exec -ti bash -- ldapsearch -x -Z -H ldap://ldap-service.
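Review bot: In the first hunk of authentication/AzureAD/README.md (`@@ -140,7 +140,16`), the image reference added with the relocated "Retrieve Tenant and Client information" step uses a root-relative path, `![Tenant ID](/images/AzureAD/GetTenantID.png)`, while the removed line and the neighbouring `![New Web Application](images/RegisterApp.png)` use paths relative to `authentication/AzureAD/`; rendered from that README the new path will not resolve. Keep `images/GetTenantID.png` as in the removed line. The same step also says **App Registration** where the following step says **App registrations**; pick one spelling for the blade name.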
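Review bot: In the `@@ -178,37 +187,47` hunk, the first claim condition of the new "identity" claim ends with an empty field, `Source: Attribute / Value:`, so the reader cannot tell which attribute the client-credentials flow should map into the claim; the surrounding text says the claim must carry client_id in that flow, so state the attribute explicitly. The same step insists on "the exact following order" without saying why; one sentence on how the two conditions are evaluated would let a reader verify the result instead of copying it. The step 7 addition presents `acceptMappedClaims = true` only as the cure for AADSTS50146, but it is what lets the mapped "identity" claim be issued at all, and that claim is now the ODM user identifier (see the `userIdentifier="identity"` change in openIdWebSecurity.xml); a sentence noting that whoever can edit the app's claims mapping can choose which identity ODM sees, and that the setting belongs on a single-tenant registration, would give the reader the trust picture rather than just the error message.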
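Review bot: In the `@@ -234,6 +253,7` hunk, `"identity": ""` is added to the sample client-credentials token, but the verification list that follows in 8.1 (visible in the next hunk as `- *aud*: should be your CLIENT_ID` and `- *iss*: should end with 2.0.`) is not extended; add a bullet stating the expected value of *identity* for this flow, since a missing or wrong value here is exactly what would break the Decision Center to Decision Server deployment the section describes.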
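Review bot: In the `@@ -270,6 +290,7` hunk, the sample password-flow ID token gains `"identity": ""` next to `"email": ""`, but 8.2 gives the reader nothing to compare it against; add a check that *identity* equals *email* for this flow, matching the `user.mail` source configured in the second claim condition, so a misconfigured condition order is caught here rather than at first login.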
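Review bot: In the `@@ -546,7 +567,7` hunk, "connected using *myodmuser*@YOURDOMAIN created at step 2" is ambiguous after this change, because step 2 of the configuration list is now "Retrieve Tenant and Client information"; reference the section that creates the user by its heading rather than by a step number that this same patch renumbers.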
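Review bot: In the openIdWebSecurity.xml hunk (`@@ -22,5 +22,5`), switching `userIdentifier` from `aud` to `identity` means the token's audience no longer plays any part in naming the user, so the `audiences="ALL_AUDIENCES"` left in the context line is now the only thing that does not bind a token to this application; since the README's own check says `aud` should equal CLIENT_ID, consider setting `audiences` to the client ID instead of accepting all. A one-line XML comment above the element saying that `identity` is a custom claim that must be configured as in step 5 would also save the next reader from wondering where it comes from. The added trailing newline is welcome.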