diff --git a/.gitignore b/.gitignore
index c6e4597b..d32c0a5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,17 +1,4 @@
 *.iml
 output
 /.vscode
-
-
-# Local .terraform directories
-**/.terraform/*
-# .tfstate files
-*.tfstate
-*.tfstate.*
-*.terraform.lock.hcl
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-#
-# *.tfvars
\ No newline at end of file
+**/.bob
diff --git a/.linkspector.yml b/.linkspector.yml
index 9e6807cf..ad161509 100644
--- a/.linkspector.yml
+++ b/.linkspector.yml
@@ -8,6 +8,10 @@ ignorePatterns:
 - pattern: '^https://localhost*$'
 - pattern: '^https://dummyUrl$'
 - pattern: '^https://cognito-idp.COGNITO_REGION.amazonaws.com/COGNITO_USER_POOL_ID/.*$'
+ - pattern: '^https://xxx.xxx.xxx.xxx$'
+ - pattern: '^https://yyy.yyy.yyy.yyy$'
+ - pattern: '^https://zzz.zzz.zzz.zzz$'
+ - pattern: '^https://uuu.uuu.uuu.uuu$'
 replacementPatterns:
 - pattern: "https://www.ibm.com/docs"
 replacement: 'https://ibmdocs-test.dcs.ibm.com/docs'
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 50c1a6ea..b96dd6d3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,7 +10,7 @@ repos:
 # You are encouraged to use static refs such as tags, instead of branch name
 #
 # Running "pre-commit autoupdate" automatically updates rev to latest tag
- rev: 0.13.1+ibm.62.dss
+ rev: 0.13.1+ibm.64.dss
 hooks:
 - id: detect-secrets # pragma: whitelist secret
 # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
diff --git a/.secrets.baseline b/.secrets.baseline
index d7b56c6a..30ebbc75 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
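Review bot: Removing the `**/.terraform/*`, `*.tfstate` and `*.tfstate.*` rules from .gitignore means any Terraform state produced in this checkout would no longer be ignored, and state files record resource attributes that frequently include plaintext credentials and connection strings. If the Terraform material was deleted from the repository in the same change this is fine, but that deletion is not part of the diff as shown, so I would confirm it before merging and otherwise keep `**/.terraform/*`, `*.tfstate` and `*.tfstate.*`. The removed comment block also documented why `.tfvars` files should stay out of version control; if Terraform remains, that rationale is worth keeping rather than dropping with the rules. The new `**/.bob` entry has no comment saying which tool writes that directory; a one-line comment above it naming the tool (e.g. `# <tool-name> local working directory`) would help the next maintainer judge whether it can hold sensitive data.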
@@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2025-11-06T09:35:40Z", + "generated_at": "2026-05-29T11:06:14Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -92,7 +92,7 @@ "hashed_secret": "eec26e61c2abc92979c2b5605b3afe5ca4e9e786", "is_secret": false, "is_verified": false, - "line_number": 50, + "line_number": 51, "type": "Secret Keyword", "verified_result": null }, @@ -100,7 +100,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 237, + "line_number": 238, "type": "Secret Keyword", "verified_result": null }, @@ -108,7 +108,7 @@ "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 508, + "line_number": 489, "type": "Secret Keyword", "verified_result": null }, @@ -116,7 +116,7 @@ "hashed_secret": "076a042dcb8e3b7be55cbbe95e1f18f577ef1ba5", "is_secret": false, "is_verified": false, - "line_number": 554, + "line_number": 535, "type": "Secret Keyword", "verified_result": null } @@ -126,7 +126,7 @@ "hashed_secret": "eec26e61c2abc92979c2b5605b3afe5ca4e9e786", "is_secret": false, "is_verified": false, - "line_number": 67, + "line_number": 68, "type": "Secret Keyword", "verified_result": null }, @@ -134,7 +134,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 156, + "line_number": 157, "type": "Secret Keyword", "verified_result": null }, @@ -142,17 +142,7 @@ "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 409, - "type": "Secret Keyword", - "verified_result": null - } - ], - "authentication/AzureAD/templates/OdmOidcProviders.json": [ - { - "hashed_secret": "8bdc201bacb0187176e791a4122a9d82b12afd9f", - "is_secret": false, - "is_verified": false, - "line_number": 10, + "line_number": 390, "type": "Secret Keyword", "verified_result": null } 
@@ -202,7 +192,7 @@ "hashed_secret": "94cf36b943ae0d08e06b0e19303d2730477fa710", "is_secret": false, "is_verified": false, - "line_number": 181, + "line_number": 182, "type": "Secret Keyword", "verified_result": null }, @@ -210,7 +200,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 400, + "line_number": 392, "type": "Secret Keyword", "verified_result": null }, @@ -218,15 +208,15 @@ "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 621, + "line_number": 611, "type": "Secret Keyword", "verified_result": null }, { - "hashed_secret": "12d3a2730ae9976303db72d424b3771221f90852", + "hashed_secret": "a89c300c924ca78c8d6e157f2f5ca27018acb6a1", "is_secret": false, "is_verified": false, - "line_number": 671, + "line_number": 661, "type": "Secret Keyword", "verified_result": null } @@ -236,7 +226,7 @@ "hashed_secret": "52b24ee5f215ade850875ac41ab9f0a38c8102f0", "is_secret": false, "is_verified": false, - "line_number": 10, + "line_number": 11, "type": "Secret Keyword", "verified_result": null } @@ -282,19 +272,11 @@ } ], "authentication/Keycloak/README.md": [ - { - "hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997", - "is_secret": false, - "is_verified": false, - "line_number": 107, - "type": "Secret Keyword", - "verified_result": null - }, { "hashed_secret": "3bbbe1430e5b98ab3ed1a757d4059157d97b977c", "is_secret": false, "is_verified": false, - "line_number": 136, + "line_number": 129, "type": "Secret Keyword", "verified_result": null }, @@ -302,7 +284,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 378, + "line_number": 371, "type": "Secret Keyword", "verified_result": null }, 
@@ -310,7 +292,7 @@ "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 586, + "line_number": 579, "type": "Secret Keyword", "verified_result": null } @@ -432,7 +414,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 250, + "line_number": 251, "type": "Secret Keyword", "verified_result": null }, @@ -440,7 +422,7 @@ "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 413, + "line_number": 442, "type": "Secret Keyword", "verified_result": null }, 
@@ -448,66 +430,80 @@ "hashed_secret": "076a042dcb8e3b7be55cbbe95e1f18f577ef1ba5", "is_secret": false, "is_verified": false, - "line_number": 459, + "line_number": 488, "type": "Secret Keyword", "verified_result": null } ], - "authentication/Okta/templates/OdmOidcProviders.json": [ + "authentication/Okta/templates/openIdParameters.properties": [ { - "hashed_secret": "43615efcba5160697f497af85d6fba3749a7418a", + "hashed_secret": "5156bc909d473680606c26fd6c078884ece36a5b", "is_secret": false, "is_verified": false, - "line_number": 6, - "type": "Base64 High Entropy String", + "line_number": 7, + "type": "Secret Keyword", "verified_result": null - }, + } + ], + "authentication/Okta/templates/openIdWebSecurity.xml": [ { - "hashed_secret": "5e1e891145008d368a6f40e03e7fdf5fbf4f14e3", + "hashed_secret": "5156bc909d473680606c26fd6c078884ece36a5b", "is_secret": false, "is_verified": false, - "line_number": 7, - "type": "Base64 High Entropy String", + "line_number": 16, + "type": "Secret Keyword", "verified_result": null - }, + } + ], + "authentication/Okta/templates/webSecurity.xml": [ { - "hashed_secret": "eb002c727440c90d4cdeb7c8040933819ee0e6d3", + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", "is_secret": false, "is_verified": false, - "line_number": 8, - "type": "Base64 High Entropy String", + "line_number": 4, + "type": "Secret Keyword", + "verified_result": null + } + ], + "authentication/PingFederate/README.md": [ + { + "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", + "is_secret": false, + "is_verified": false, + "line_number": 232, + "type": "Secret Keyword", "verified_result": null }, { - "hashed_secret": "5156bc909d473680606c26fd6c078884ece36a5b", + "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3", "is_secret": false, "is_verified": false, - "line_number": 11, + "line_number": 419, "type": "Secret Keyword", "verified_result": null } ], - "authentication/Okta/templates/openIdParameters.properties": [ + 
"authentication/PingFederate/templates/openIdParameters.properties": [ { - "hashed_secret": "5156bc909d473680606c26fd6c078884ece36a5b", + "hashed_secret": "13c925605c48ecbb56850c7e839aafb09c57aa07", "is_secret": false, "is_verified": false, - "line_number": 7, + "line_number": 9, "type": "Secret Keyword", "verified_result": null } ], - "authentication/Okta/templates/openIdWebSecurity.xml": [ + "authentication/PingFederate/templates/openIdWebSecurity.xml": [ { - "hashed_secret": "5156bc909d473680606c26fd6c078884ece36a5b", + "hashed_secret": "13c925605c48ecbb56850c7e839aafb09c57aa07", "is_secret": false, "is_verified": false, - "line_number": 16, + "line_number": 8, "type": "Secret Keyword", "verified_result": null } ], - "authentication/Okta/templates/webSecurity.xml": [ + "authentication/PingFederate/templates/webSecurity.xml": [ { "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", "is_secret": false, @@ -793,6 +789,26 @@ "verified_result": null } ], + "contrib/HA-res-console/README.md": [ + { + "hashed_secret": "4059939a16dd643446b11e864785f733c96916cb", + "is_secret": false, + "is_verified": false, + "line_number": 128, + "type": "Secret Keyword", + "verified_result": null + } + ], + "contrib/HA-res-console/values.yaml": [ + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 2, + "type": "Secret Keyword", + "verified_result": null + } + ], "contrib/monitor/mpmetrics/README.md": [ { "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", @@ -828,7 +844,7 @@ "hashed_secret": "b11974a9da0d56698df935ab86e19b127804d6d4", "is_secret": false, "is_verified": false, - "line_number": 78, + "line_number": 77, "type": "Secret Keyword", "verified_result": null } @@ -856,7 +872,7 @@ "hashed_secret": "f4e7d43fd3a3d4f5460ab34a6798ecfb16191277", "is_secret": false, "is_verified": false, - "line_number": 175, + "line_number": 172, "type": "Secret Keyword", "verified_result": null }, 
@@ -864,7 +880,7 @@ "hashed_secret": "12d57965bd88277e9e9d69dc2b36aae2c0b7e316", "is_secret": false, "is_verified": false, - "line_number": 212, + "line_number": 209, "type": "Secret Keyword", "verified_result": null }, @@ -872,17 +888,7 @@ "hashed_secret": "a4bef0b0b094fb91226049efbb7303739d451543", "is_secret": false, "is_verified": false, - "line_number": 223, - "type": "Secret Keyword", - "verified_result": null - } - ], - "contrib/secrets-store/values-default-vault.yaml": [ - { - "hashed_secret": "e6a8430b6dc3747f44d258a127b11f4705d9ee01", - "is_secret": false, - "is_verified": false, - "line_number": 16, + "line_number": 220, "type": "Secret Keyword", "verified_result": null } @@ -974,7 +980,7 @@ "hashed_secret": "f4e7d43fd3a3d4f5460ab34a6798ecfb16191277", "is_secret": false, "is_verified": false, - "line_number": 123, + "line_number": 137, "type": "Secret Keyword", "verified_result": null }, @@ -982,7 +988,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 152, + "line_number": 166, "type": "Secret Keyword", "verified_result": null } 
@@ -1175,12 +1181,46 @@ "verified_result": null } ], + "platform/azure/README-GATEWAY.md": [ + { + "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", + "is_secret": false, + "is_verified": false, + "line_number": 194, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 257, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "fdd2c8d00435385eab15778a22ada0694a0e6c36", + "is_secret": false, + "is_verified": false, + "line_number": 259, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "e6a8430b6dc3747f44d258a127b11f4705d9ee01", + "is_secret": false, + "is_verified": false, + "line_number": 281, + "type": "Secret Keyword", + "verified_result": null + } + ], "platform/azure/README.md": [ { "hashed_secret": "07596f183f5e91b1778d5e47b2752b8d42aa763d", "is_secret": false, "is_verified": false, - "line_number": 181, + "line_number": 193, "type": "Secret Keyword", "verified_result": null }, @@ -1188,7 +1228,7 @@ "hashed_secret": "3ea3f9802accf8817bacd6f3df46a73b93ccddec", "is_secret": false, "is_verified": false, - "line_number": 182, + "line_number": 194, "type": "Secret Keyword", "verified_result": null }, @@ -1196,7 +1236,7 @@ "hashed_secret": "12d57965bd88277e9e9d69dc2b36aae2c0b7e316", "is_secret": false, "is_verified": false, - "line_number": 281, + "line_number": 299, "type": "Secret Keyword", "verified_result": null }, @@ -1204,7 +1244,7 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 300, + "line_number": 318, "type": "Secret Keyword", "verified_result": null } @@ -1330,7 +1370,7 @@ "hashed_secret": "8b712744eee080d5fe6048e4f589235d00435559", "is_secret": false, "is_verified": false, - "line_number": 134, + "line_number": 148, "type": "Secret Keyword", "verified_result": null }, 
@@ -1338,7 +1378,17 @@ "hashed_secret": "b11974a9da0d56698df935ab86e19b127804d6d4", "is_secret": false, "is_verified": false, - "line_number": 158, + "line_number": 172, + "type": "Secret Keyword", + "verified_result": null + } + ], + "platform/eks/eks-gateway-values.yaml": [ + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 2, "type": "Secret Keyword", "verified_result": null } @@ -1353,6 +1403,24 @@ "verified_result": null } ], + "platform/eks/eks-rds-gateway-values.yaml": [ + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 2, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "aef505a4c9ac97451f163d4b5d27cc7e3c437dc3", + "is_secret": false, + "is_verified": false, + "line_number": 11, + "type": "Secret Keyword", + "verified_result": null + } + ], "platform/eks/eks-rds-nginx-values.yaml": [ { "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", @@ -1404,7 +1472,7 @@ "hashed_secret": "dc081999b19ee322ee45e3d4451246b7c449db0a", "is_secret": false, "is_verified": false, - "line_number": 142, + "line_number": 150, "type": "Secret Keyword", "verified_result": null }, 
@@ -1412,7 +1480,43 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 184, + "line_number": 192, + "type": "Secret Keyword", + "verified_result": null + } + ], + "platform/gcloud/README_GATEWAY.md": [ + { + "hashed_secret": "dc081999b19ee322ee45e3d4451246b7c449db0a", + "is_secret": false, + "is_verified": false, + "line_number": 141, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", + "is_secret": false, + "is_verified": false, + "line_number": 183, + "type": "Secret Keyword", + "verified_result": null + } + ], + "platform/gcloud/gcp-values-gateway.yaml": [ + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 2, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "e6a8430b6dc3747f44d258a127b11f4705d9ee01", + "is_secret": false, + "is_verified": false, + "line_number": 15, "type": "Secret Keyword", "verified_result": null } @@ -1550,7 +1654,7 @@ } ] }, - "version": "0.13.1+ibm.62.dss", + "version": "0.13.1+ibm.64.dss", "word_list": { "file": null, "hash": null diff --git a/README.md b/README.md index a2362365..2df1147b 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,7 @@ IBM Operational Decision Manager on Certified Kubernetes ## Deploying IBM Operational Decision Manager on a Certified Kubernetes Cluster -This repository centralizes materials to deploy [IBM® Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.5.0) ODM on Certified Kubernetes. It is deployed in a clustered topology that uses WebSphere® Application Server Liberty on a Kubernetes cluster. +This repository centralizes materials to deploy [IBM® Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.6.0) ODM on Certified Kubernetes. It is deployed in a clustered topology that uses WebSphere® Application Server Liberty on a Kubernetes cluster. ODM is a decisioning platform to automate your business policies. Business rules are used at the heart of the platform to implement decision logic on a business vocabulary and run it as web decision services. @@ -23,7 +23,8 @@ This repository provides materials for the following versions of IBM ODM: | ODM Version | |--------------| -| **[9.5 (Latest)](README.md)** | +| **[9.6 (Latest)](README.md)** | +| **[9.5.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/9.5.0.1)** | | **[9.0.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/9.0.0.1)** | | **[8.12.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/8.12.0.1)** | | **[8.11.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/8.11.0.1)** | 
@@ -48,6 +49,7 @@ To integrate with OpenID providers for authentication and authorization, follow - [Configure ODM with an Azure Active Directory service](authentication/AzureAD/README.md) - [Configure ODM with a Keycloak service](authentication/Keycloak/README.md) - [Configure ODM with a Cognito User Pool](authentication/Cognito/README.md) +- [Configure ODM with PingFederate](authentication/PingFederate/README.md) As an alternative to using OpenId Connect, it is also possible to execute Business Decisions securely using mTLS with or without authentication/authorization. Read more in [ODM Decision Server Runtime using mutual TLS](authentication/mutual-tls/README.md). @@ -77,7 +79,7 @@ To enable analytics and monitoring capabilities within your deployment, consider For issues relating specifically to the Dockerfiles and scripts, please use the [GitHub issue tracker](https://github.com/ODMDev/odm-docker-kubernetes/issues). For more general issue relating to IBM Operational Decision Manager you can [get help](https://community.ibm.com/community/user/automation/communities/community-home?communitykey=c0005a22-520b-4181-bfad-feffd8bdc022) through the ODMDev community or, if you have production licenses for Operational Decision Manager, via the usual support channels. We welcome contributions following [our guidelines](https://github.com/ODMDev/odm-docker-kubernetes/blob/master/CONTRIBUTING.md). # Notice -© Copyright IBM Corporation 2025. +© Copyright IBM Corporation 2026. ## License ```text diff --git a/authentication/AzureAD/README_WITH_CLIENT_SECRET.md b/authentication/AzureAD/README_WITH_CLIENT_SECRET.md index a14cb4b3..8d8b1a4c 100644 --- a/authentication/AzureAD/README_WITH_CLIENT_SECRET.md +++ b/authentication/AzureAD/README_WITH_CLIENT_SECRET.md 
@@ -19,6 +19,7 @@ - [Set up Rule Designer](#set-up-rule-designer) - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) +- [Configuring post logout redirect](#configuring-post-logout-redirect) - [Troubleshooting](#troubleshooting) - [License](#license) @@ -249,26 +250,7 @@ Verify: ### Create secrets to configure ODM with Microsoft Entra ID -1. Create a secret with the Microsoft Entra ID Server certificate. - - To allow ODM services to access the Microsoft Entra ID Server, it is mandatory to provide the Microsoft Entra ID Server certificate. - You can create the secret as follows: - - ```shell - keytool -printcert -sslserver login.microsoftonline.com -rfc > microsoft.crt - kubectl create secret generic ms-secret --from-file=tls.crt=microsoft.crt - ``` - - Introspecting the Microsoft Entra ID login.microsoftonline.com certificate, you can see it has been signed by the Digicert Root CA authorithy. - - So we will also add the DigiCert Global Root CA from [this page](https://www.digicert.com/kb/digicert-root-certificates.htm): - - ```shell - curl --silent --remote-name https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem - kubectl create secret generic digicert-secret --from-file=tls.crt=DigiCertGlobalRootCA.crt.pem - ``` - -2. Generate the ODM configuration file for Microsoft Entra ID. +1. Generate the ODM configuration file for Microsoft Entra ID. If you have not yet done so, download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine. This archive contains the [script](generateTemplate.sh) and the content of the [templates](templates) directory. 
@@ -296,21 +278,20 @@ Verify: - openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM OpenId features - OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to Decision Runner -3. Create the Microsoft Entra ID authentication secret. +2. Create the Microsoft Entra ID authentication secret. ```shell kubectl create secret generic azuread-auth-secret \ - --from-file=OdmOidcProviders.json=./output/OdmOidcProviders.json \ --from-file=openIdParameters.properties=./output/openIdParameters.properties \ --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ --from-file=webSecurity.xml=./output/webSecurity.xml ``` -4. Create the secret allowing to synchronize Decision Center Users and Groups with Entra ID. +3. Create the secret allowing to synchronize Decision Center Users and Groups with Entra ID. This section is optional. - ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.5.0?topic=center-enabling-users-groups) in order to set access security on specific projects. + ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.6.0?topic=center-enabling-users-groups) in order to set access security on specific projects. The Groups and Users import can be done using an LDAP connection. But, if the openId server also provides a SCIM server, then it can also be managed using a SCIM connection. 
@@ -321,7 +302,7 @@ Verify: - [for users](https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true) - [for groups](https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http) - Then, it will generate a [group-security-configurations.xml](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-optional-user-liberty-configurations#reference_w1b_xhq_2rb__title__3) file that will be consumed using the [Decision Center rest-api](https://www.ibm.com/docs/en/odm/9.5.0?topic=mufdc-creating-users-groups-roles-by-using-rest-api) to populate Groups and Users in the Administration Tab. + Then, it will generate a [group-security-configurations.xml](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-optional-user-liberty-configurations#reference_w1b_xhq_2rb__title__3) file that will be consumed using the [Decision Center rest-api](https://www.ibm.com/docs/en/odm/9.6.0?topic=mufdc-creating-users-groups-roles-by-using-rest-api) to populate Groups and Users in the Administration Tab. In a kubernetes context, this script can be called by a CRON job. Using the new ODM sidecar container mechanism, it can also be managed by the Decision Center pod himself. @@ -350,7 +331,7 @@ Verify: ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` ### Run the `helm install` command 
@@ -359,7 +340,7 @@ You can now install the product. We will use the PostgreSQL internal database an #### a. Installation on OpenShift using Routes - See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. + See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. Get the [entraid-ocp-values.yaml](./entraid-ocp-values.yaml) file and run the command: ```shell @@ -422,7 +403,7 @@ You can now install the product. We will use the PostgreSQL internal database an 1. Get the ODM endpoints. - Refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=tasks-configuring-external-access) to retrieve the endpoints. + Refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the endpoints. For example, on OpenShift you can get the route names and hosts with: ```shell @@ -515,7 +496,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec 4. Restart Rule Designer. -For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-importing-security-certificate-in-rule). +For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). ### Getting Started with IBM Operational Decision Manager for Containers 
@@ -535,7 +516,7 @@ Deploy the **Loan Validation Service** production_deployment ruleapps using the You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). -As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. You can realize a basic authentication ODM runtime call the following way: 
@@ -563,6 +544,41 @@ curl -H "Content-Type: application/json" -k --data @payload.json \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` +# Configuring post logout redirect + +This configuration is optional. +What is the interest of post logout redirect configuration ? + +When a user logs out: +- The session is cleared. +- Token is invalidated. +- Decision Center logout redirect to Decision Center +- Decision Server Console logout redirect to Decision Server Console + +To configure the post logout redirect, you have to add the following properties in the previously generated **./output/openIdParameters.properties** file: + +Using Routes: + + OPENID_LOGOUT_TOKEN_PARAM=id_token_hint + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https:///decisioncenter/t/home + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https:///res/home.jsp + +Using Ingress: + + OPENID_LOGOUT_TOKEN_PARAM=id_token_hint + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https:///decisioncenter/t/home + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https:///res/home.jsp + +Delete the azuread-auth-secret secret and recreate it as explained [Create secrets to configure ODM with Microsoft Entra ID](#create-secrets-to-configure-odm-with-microsoft-entra-id). + +```shell +kubectl delete secret azuread-auth-secret +kubectl create secret generic azuread-auth-secret \ + --from-file=openIdParameters.properties=./output/openIdParameters.properties \ + --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ + --from-file=webSecurity.xml=./output/webSecurity.xml +``` + # Troubleshooting If you encounter any issue, have a look at the [common troubleshooting explanation](/troubleshooting/OpenID/README.md) diff --git a/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md b/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md index cb36d381..5bed49db 100644 --- a/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md +++ b/authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md 
@@ -25,6 +25,7 @@ For additional information regarding the implement in Liberty, please refer to t - [Set up Rule Designer](#set-up-rule-designer) - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) +- [Configuring post logout redirect](#configuring-post-logout-redirect) - [Troubleshooting](#troubleshooting) - [License](#license) 
@@ -168,26 +169,7 @@ Then, click Save. ### Create secrets to configure ODM with Microsoft Entra ID -1. Create a secret with the Microsoft Entra ID Server certificate. - - To allow ODM services to access the Microsoft Entra ID Server, it is mandatory to provide the Microsoft Entra ID Server certificate. - You can create the secret as follows: - - ```shell - keytool -printcert -sslserver login.microsoftonline.com -rfc > microsoft.crt - kubectl create secret generic ms-secret --from-file=tls.crt=microsoft.crt - ``` - - Introspecting the Microsoft Entra ID login.microsoftonline.com certificate, you can see it has been signed by the Digicert Root CA authorithy. - - So we will also add the DigiCert Global Root CA from [this page](https://www.digicert.com/kb/digicert-root-certificates.htm): - - ```shell - curl --silent --remote-name https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem - kubectl create secret generic digicert-secret --from-file=tls.crt=DigiCertGlobalRootCA.crt.pem - ``` - -2. Create a secret to provide the private and public certificate to manage the private_key_jwt authentication +1. Create a secret to provide the private and public certificate to manage the private_key_jwt authentication To allow ODM containers to generate a client_assertion, you have to provide them the private and public certificates with the following **myodmcompany** secret. Don't change this name with this tutorial as this name is linked to the openidConnectClient **keyAliasName="myodmcompany"** parameter of the private_key_jwt liberty configuration. 
@@ -195,7 +177,7 @@ Then, click Save. kubectl create secret generic myodmcompany --from-file=tls.key=myodmcompany.key --from-file=tls.crt=myodmcompany.crt ``` -3. Generate the ODM configuration file for Microsoft Entra ID. +2. Generate the ODM configuration file for Microsoft Entra ID. If you have not yet done so, download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine. This archive contains the [script](generateTemplateForPrivateKeyJWT.sh) and the content of the [templates_for_privatekeyjwt](templates_for_privatekeyjwt) directory. @@ -222,11 +204,10 @@ Then, click Save. - openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM OpenId features - OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to the Decision Runner -4. Create the Microsoft Entra ID authentication secret. +3. Create the Microsoft Entra ID authentication secret. ```shell kubectl create secret generic azuread-auth-secret \ - --from-file=OdmOidcProviders.json=./outputPKeyJWT/OdmOidcProviders.json \ --from-file=openIdParameters.properties=./outputPKeyJWT/openIdParameters.properties \ --from-file=openIdWebSecurity.xml=./outputPKeyJWT/openIdWebSecurity.xml \ --from-file=webSecurity.xml=./outputPKeyJWT/webSecurity.xml @@ -246,7 +227,7 @@ Then, click Save. ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` ### Run the `helm install` command 
@@ -255,7 +236,7 @@ You can now install the product. We will use the PostgreSQL internal database an #### a. Installation on OpenShift using Routes - See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. + See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. Get the [entraid-pkjwt-ocp-values.yaml](./entraid-pkjwt-ocp-values.yaml) file and run the command: ```shell @@ -311,7 +292,7 @@ You can now install the product. We will use the PostgreSQL internal database an 1. Get the ODM endpoints. - Refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=tasks-configuring-external-access) to retrieve the endpoints. + Refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the endpoints. For example, on OpenShift you can get the route names and hosts with: ```shell @@ -416,7 +397,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec 4. Restart Rule Designer. -For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-importing-security-certificate-in-rule). +For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). ### Getting Started with IBM Operational Decision Manager for Containers 
@@ -436,7 +417,7 @@ Deploy the **Loan Validation Service** production_deployment ruleapps using the You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). -As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/6.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. You can realize a basic authentication ODM runtime call the following way: @@ -457,7 +438,7 @@ openssl pkcs12 -export -out myodmcompany.p12 -inkey myodmcompany.key -in myodmco keytool -importkeystore -srckeystore myodmcompany.p12 -srcstoretype pkcs12 -srcalias 1 -srcstorepass changeme -destkeystore myodmcompany.jks -deststoretype jks -deststorepass changeme -destalias myalias ``` -Now you can generate the client_assertion following the [ODM documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=950-generating-json-web-token-client-assertion). +Now you can generate the client_assertion following the [ODM documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=960-generating-json-web-token-client-assertion). ```shell java -cp $DCLIB/jrules-teamserver.jar:$DCLIB/jose4j-0.9.5.jar:$DCLIB/slf4j-api-1.7.25.jar com.ibm.rules.oauth.ClientAssertionHelper -clientId -tokenEndpoint https://login.microsoftonline.com//oauth2/v2.0/token -keyAliasName myalias -keyStorePwd changeme -keyStoreLocation ./myodmcompany.jks 
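Review bot: The rewritten link in the `@@ -436,7 +417,7 @@` hunk points to `https://www.ibm.com/docs/en/odm/6.0?topic=access-configuring-user-openid`, while every other link updated in this commit uses `9.6.0`, so `6.0` is a typo and the link will not resolve. Change it to `https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid`.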
@@ -478,6 +459,40 @@ curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Bearer " \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` +# Configuring post logout redirect + +This configuration is optional +What is the interest of post logout redirect configuration ? + +When a user logs out: +- The session is cleared. +- Token is invalidated. +- Decision Center logout redirect to Decision Center +- Decision Server Console logout redirect to Decision Server Console + +To configure the post logout redirect, you have to add the following properties in the previously generated ./output/openIdParameters.properties file: + +Using Routes: + + OPENID_LOGOUT_TOKEN_PARAM=id_token_hint + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https:///decisioncenter/t/home + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https:///res/home.jsp + +Using Ingress: + + OPENID_LOGOUT_TOKEN_PARAM=id_token_hint + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https:///decisioncenter/t/home + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https:///res/home.jsp + +Delete the azuread-auth-secret secret and recreate it as explained [Create secrets to configure ODM with Microsoft Entra ID](#create-secrets-to-configure-odm-with-microsoft-entra-id). + +```shell +kubectl delete secret azuread-auth-secret +kubectl create secret generic azuread-auth-secret \ + --from-file=openIdParameters.properties=./output/openIdParameters.properties \ + --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ + --from-file=webSecurity.xml=./output/webSecurity.xml +``` # Troubleshooting diff --git a/authentication/AzureAD/azuread-odm-script.zip b/authentication/AzureAD/azuread-odm-script.zip index 916fad59..b25f1730 100644 Binary files a/authentication/AzureAD/azuread-odm-script.zip and b/authentication/AzureAD/azuread-odm-script.zip differ diff --git a/authentication/AzureAD/entraid-nginx-values.yaml b/authentication/AzureAD/entraid-nginx-values.yaml index f56ab495..37bb42d3 100644 
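Review bot: The new "Configuring post logout redirect" section tells the reader to edit `./output/openIdParameters.properties` and recreates `azuread-auth-secret` from `./output/`, but earlier in this README the generated files live in `./outputPKeyJWT/` (see the `--from-file=...=./outputPKeyJWT/...` lines in the secret-creation step), so following the new section as written either fails or silently picks up the client-secret variant's output. Change the sentence and the three `--from-file` paths to `./outputPKeyJWT/`. The section should also say where `DC_OPENID_POST_LOGOUT_REDIRECT_URI` and `DS_OPENID_POST_LOGOUT_REDIRECT_URI` have to be registered on the Entra ID application, since an OpenID provider normally only honours a post-logout redirect URI that is registered for the client and otherwise lands the user on its generic signed-out page. Consider softening `Token is invalidated.` as well: an `id_token_hint` logout ends the provider session, and whether access tokens already issued are revoked depends on the provider.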
--- a/authentication/AzureAD/entraid-nginx-values.yaml +++ b/authentication/AzureAD/entraid-nginx-values.yaml @@ -1,10 +1,8 @@ oidc: enabled: true + disableLoginPanel: true customization: authSecretRef: azuread-auth-secret - trustedCertificateList: - - ms-secret - - digicert-secret image: repository: cp.icr.io/cp/cp4a/odm pullSecrets: diff --git a/authentication/AzureAD/entraid-ocp-values.yaml b/authentication/AzureAD/entraid-ocp-values.yaml index 206bb874..4f244799 100644 --- a/authentication/AzureAD/entraid-ocp-values.yaml +++ b/authentication/AzureAD/entraid-ocp-values.yaml @@ -1,11 +1,9 @@ oidc: enabled: true + disableLoginPanel: true customization: runAsUser: '' authSecretRef: azuread-auth-secret - trustedCertificateList: - - ms-secret - - digicert-secret image: repository: cp.icr.io/cp/cp4a/odm pullSecrets: diff --git a/authentication/AzureAD/entraid-pkjwt-nginx-values.yaml b/authentication/AzureAD/entraid-pkjwt-nginx-values.yaml index 87534ecd..0c196dd9 100644 --- a/authentication/AzureAD/entraid-pkjwt-nginx-values.yaml +++ b/authentication/AzureAD/entraid-pkjwt-nginx-values.yaml @@ -1,10 +1,8 @@ oidc: enabled: true + disableLoginPanel: true customization: authSecretRef: azuread-auth-secret - trustedCertificateList: - - ms-secret - - digicert-secret privateCertificateList: - myodmcompany image: diff --git a/authentication/AzureAD/entraid-pkjwt-ocp-values.yaml b/authentication/AzureAD/entraid-pkjwt-ocp-values.yaml index 43334a1e..7bdce239 100644 --- a/authentication/AzureAD/entraid-pkjwt-ocp-values.yaml +++ b/authentication/AzureAD/entraid-pkjwt-ocp-values.yaml @@ -1,11 +1,9 @@ oidc: enabled: true + disableLoginPanel: true customization: runAsUser: '' authSecretRef: azuread-auth-secret - trustedCertificateList: - - ms-secret - - digicert-secret privateCertificateList: - myodmcompany image: 
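Review bot: `disableLoginPanel: true` is added under `oidc` in all four entraid-*-values.yaml files here, and in cognito-values.yaml and cognito-nginx-values.yaml later in the commit, but no README hunk in this commit mentions the key, so a reader copying a values file cannot tell what they are switching off. My reading of the name is that it hides the built-in username/password form so that sign-in is only possible through the OpenID provider — to be confirmed against the chart's values documentation. If so, put a comment above the key, `# hide the built-in login form; users sign in only through Microsoft Entra ID`, and mention the setting in the README where the values files are introduced. The removal of `trustedCertificateList` in the same files is likewise unexplained inside the values files.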
diff --git a/authentication/AzureAD/templates/OdmOidcProviders.json b/authentication/AzureAD/templates/OdmOidcProviders.json deleted file mode 100644 index 28cbda66..00000000 --- a/authentication/AzureAD/templates/OdmOidcProviders.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "providers": [ - { - "name": "azure_ad", - "grantType": "client_credentials", - "authorizationURL": "AZUREAD_SERVER_URL/oauth2/v2.0/authorize", - "tokenURL": "AZUREAD_SERVER_URL/oauth2/v2.0/token", - "scope": "AZUREAD_CLIENT_ID/.default", - "clientId": "AZUREAD_CLIENT_ID", - "clientSecret": "AZUREAD_CLIENT_SECRET", - "logoutURL": "AZUREAD_SERVER_URL/oauth2/v2.0/logout" - } - ] -} diff --git a/authentication/AzureAD/templates/openIdParameters.properties b/authentication/AzureAD/templates/openIdParameters.properties index cc4df570..ef8e821f 100644 --- a/authentication/AzureAD/templates/openIdParameters.properties +++ b/authentication/AzureAD/templates/openIdParameters.properties @@ -6,3 +6,5 @@ OPENID_CLIENT_ID=AZUREAD_CLIENT_ID OPENID_CLIENT_SECRET=AZUREAD_CLIENT_SECRET OPENID_LOGOUT_URL=AZUREAD_SERVER_URL/oauth2/v2.0/logout OPENID_ALLOWED_DOMAINS=login.microsoftonline.com +OPENID_GRANT_TYPE=client_credentials +OPENID_SCOPE=AZUREAD_CLIENT_ID/.default diff --git a/authentication/AzureAD/templates/webSecurity.xml b/authentication/AzureAD/templates/webSecurity.xml index 5703fd06..9ad71253 100644 --- a/authentication/AzureAD/templates/webSecurity.xml +++ b/authentication/AzureAD/templates/webSecurity.xml @@ -21,50 +21,10 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + diff --git a/authentication/AzureAD/templates_for_privatekeyjwt/OdmOidcProviders.json b/authentication/AzureAD/templates_for_privatekeyjwt/OdmOidcProviders.json deleted file mode 100644 index cb9991da..00000000 --- a/authentication/AzureAD/templates_for_privatekeyjwt/OdmOidcProviders.json +++ /dev/null 
@@ -1,14 +0,0 @@ -{ - "providers": [ - { - "name": "azure_ad", - "grantType": "client_credentials", - "clientAssertionAliasName": "myodmcompany", - "authorizationURL": "AZUREAD_SERVER_URL/oauth2/v2.0/authorize", - "tokenURL": "AZUREAD_SERVER_URL/oauth2/v2.0/token", - "scope": "AZUREAD_CLIENT_ID/.default", - "clientId": "AZUREAD_CLIENT_ID", - "logoutURL": "AZUREAD_SERVER_URL/oauth2/v2.0/logout" - } - ] -} diff --git a/authentication/AzureAD/templates_for_privatekeyjwt/openIdParameters.properties b/authentication/AzureAD/templates_for_privatekeyjwt/openIdParameters.properties index 20ce48b0..80105f4b 100644 --- a/authentication/AzureAD/templates_for_privatekeyjwt/openIdParameters.properties +++ b/authentication/AzureAD/templates_for_privatekeyjwt/openIdParameters.properties @@ -6,3 +6,5 @@ OPENID_CLIENT_ID=AZUREAD_CLIENT_ID OPENID_CLIENT_ASSERTION_ALIAS_NAME=myodmcompany OPENID_LOGOUT_URL=AZUREAD_SERVER_URL/oauth2/v2.0/logout OPENID_ALLOWED_DOMAINS=login.microsoftonline.com +OPENID_GRANT_TYPE=clients_credentials +OPENID_SCOPE=AZUREAD_CLIENT_ID/.default diff --git a/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml b/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml index 5703fd06..42be396e 100644 --- a/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml +++ b/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml @@ -21,50 +21,10 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/authentication/Cognito/README.md b/authentication/Cognito/README.md index e1aa8384..140fb481 100644 --- a/authentication/Cognito/README.md +++ b/authentication/Cognito/README.md 
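Review bot: `OPENID_GRANT_TYPE=clients_credentials` in templates_for_privatekeyjwt/openIdParameters.properties is misspelled; the sibling template in templates/openIdParameters.properties, added in the same commit, uses `client_credentials`, which is the OAuth 2.0 grant type name. If this value ends up as the `grant_type` of the token request, as the deleted OdmOidcProviders.json's `"grantType": "client_credentials"` suggests, the private_key_jwt variant of the tutorial will fail at the token endpoint with an unsupported-grant-type error. Change the line to `OPENID_GRANT_TYPE=client_credentials`.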
@@ -79,7 +79,7 @@ The OAuth 2.0 Resource Owner Password Credentials (ROPC) grant flow, also named You need the following elements: -- [Helm v3](https://helm.sh/docs/intro/install/) +- [Helm v3](https://helm.sh/docs/v3/intro/install/) or [Helm v4](https://helm.sh/docs/intro/install/) - [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - Access to an Operational Decision Manager product - Access to a CNCF Kubernetes cluster @@ -93,7 +93,7 @@ The first step to integrate ODM with Cognito is to create a [Cognito User Pool]( ## Initiate the creation of the Cognito User Pool -To create the Cognito User Pool dedicated to ODM, we followed the [getting started](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html) by applying the following settings. It doesn't mean that with your production or demo application, you cannot apply different settings. But, for this tutorial, it's preferable to keep the name that we propose. +To create the Cognito User Pool dedicated to ODM, we followed the [getting started](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html) by applying the following settings. It does not mean that with your production or demo application, you cannot apply different settings. But, for this tutorial, it is preferable to keep the name that we propose. 1. Create an Amazon Cognito User pool @@ -133,6 +133,7 @@ To create the Cognito User Pool dedicated to ODM, we followed the [getting start * Click **Edit** in the **Password policy** pane * Select *Password policy mode* = **Cognito defaults** + * Click the **Save changes** button 4. Authentication > Sign-in 
@@ -186,7 +187,7 @@ To create the Cognito User Pool dedicated to ODM, we followed the [getting start * Under the **Login pages** tab * click **Edit** in the *Managed login pages configuration* pane - * *Allowed callback URLs* : to be filled up once ODM is deployed and the redirect URIs are known + * *Allowed callback URLs* : will be set later on once ODM is deployed and the redirect URIs are known * *Identity providers* = **Cognito user pool** * *OAuth 2.0 grant types* = **Authorization code grant** * *OpenID Connect Scopes* = **Email**, **OpenID**, **Phone** @@ -200,7 +201,7 @@ To create the Cognito User Pool dedicated to ODM, we followed the [getting start * Select **Users** under *User Management* in the left-hand pane: * Click on **Create user** - In **User information**: + * In **User information**: * **Invitation message**: * Select **Send an email invitation** * **Email address**: @@ -215,24 +216,24 @@ To create the Cognito User Pool dedicated to ODM, we followed the [getting start * Select **Groups** under *User Management* in the left-hand pane: * Click on **Create group** - In **Group information**: - * **Group name**: - * Enter the **odm-admin** name + * In **Group information**: + * **Group name**: + * Enter the **odm-admin** name + * Click on **Create group** + > [!WARNING] > Please do not use a different name than **odm-admin** - * Click on **Create group** - ## Add the created user to the **odm-admin** group * Select the **odmuserpool** User Pool: * Select the **Groups** tab: * Click on the **odm-admin** group - In the **Group members** part: + * In the **Group members** part: * Click on **Add user to group** - In the **User selection** part: + * In the **User selection** part: * Select the previously created user * Click on **Add** 
@@ -259,7 +260,7 @@ It will also enable the communication between Decision Center and Decision Runne * Click the **Login pages** tab and then the **Edit** button in the *Managed login pages configuration* pane * Keep *Identity providers* = **Cognito user pool** * Keep *OAuth 2.0 grant types* = **Client credentials** - * Take a note of the **default custom scope** + * Note down the **default custom scope** for later * Click the **Save changes** button ![Client-Credentials App](images/ClientCredentialsApp.png) 
@@ -268,94 +269,85 @@ It will also enable the communication between Decision Center and Decision Runne A custom claim needs to be added to both: * the id_token (issued during the authorization flow), and -* the access_token (issued for the client-credentials flow). - -Indeed, the existing **sub** claim is not be suitable because its value is an automatically generated unique identifier and we would rather have the user's name or email address displayed in ODM consoles UI instead. - -We will manage it the same way we do it with Azure AD creating an [**identity** custom claim](https://github.com/DecisionsDev/odm-docker-kubernetes/blob/master/authentication/AzureAD/README_WITH_CLIENT_SECRET.md#set-up-an-microsoft-entra-id-application-using-a-client-secret). +* the access_token (issued for the client-credentials flow) -[Since 2025](https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/), it is now possible to add custom claims to the Cognito access_token using the client-credentials flow. +This claim named **identity** will be equal to either: +- the **email** of the user authenticated when using authentication code flow, +- the CLIENT ID when using client credentials. -We will use the [pre token generation lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) to add the **identity** claim inside the id_token that will take the **email** value when a user is connecting to an UI (Decision Center or RES Console) using the authentication flow, and inside the access_token using the client-credentials flow. -Here are the details about the [Pre token generation Lambda trigger flow](https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/). +To achieve that, we will use the [pre token generation lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html). 
+You can read more about the Pre token generation Lambda trigger flow [here](https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/). ![Pre Token Generation](images/pre-token-generation.png) > [!WARNING] -> The customization of the access token claims is not possible with the Lite plan. It's possible to manage it with the Essentials or Plus plan. -> You can change of plan using the Settings tab +> The customization of the access token claims is not possible with the 'Lite' feature plan. This is only possible with the 'Essentials' or 'Plus' feature plans. +> You can change of plan by clicking 'Feature Plan' under the 'Settings' tab ![Cognito Plan](images/CognitoPlan.png) 1. Add a Pre token generation Lambda trigger -We will use the pre token generation lambda trigger feature to the **identity** claim in in id_token by pushing the user email value. - -Select the **odmuserpool** User Pool: +* Select the **odmuserpool** User Pool: * Click **Extensions** under *Authentication* in the left-hand pane * On the **Lambda triggers** section: * Click the **Add Lambda trigger** button -In **Lambda triggers**: - * Select **Authentication** - In **Authentication**: - * Select **Pre token generation trigger** (Modify claims in ID and access tokens.) - In **Trigger event version** - * Select **Basic features + access token customization for user and machine identities - Recommended** (Your user pool sends a version 3 event to your Lambda function. You can customize access tokens for M2M. +* In **Lambda triggers**: + * In **Trigger type** + * Select **Authentication** + * In **Authentication**: + * Select "**Pre token generation trigger** Modify claims in ID and access tokens." + * In **Trigger event version** + * Select "**Basic features + access token customization for user and machine identities - Recommended** Your user pool sends a version 3 event to your Lambda function. You can customize access tokens for M2M." 
) -In **Lambda function**: +* In **Lambda function**: * Click on the **Create Lambda function** button 2. Create a Lambda Function Now, you are in the **AWS Lambda** service dashboard. -Select **Functions** in the left menu: +* Select **Functions** in the left menu: * Click on the **Create function** button -In the **Create function** section: +* In the **Create function** section: * choose **Author from scratch** -In **Basic information**: +* In **Basic information**: * In **function name** * Enter **odmLambdaFunction** -Click on the **Create function** button +* Click the **Create function** button -In the **Code>Code source** section: - * Replace the default index.jms code with the code below +* In the **Code > Code source** section: + * Replace the default index.mjs code with the code below -``` -export const handler = function(event, context) { +```javascript +export const handler = async (event, context) => { console.debug("enter in ODM lambda"); - // Allow to get debug information in the Watcher - console.debug("context"); - console.debug(context); - - console.debug("event"); - console.debug(event); - console.debug("clientId"); - console.debug(event.callerContext.clientId); + console.debug("context=", context); + console.debug("event=", event); + console.debug("clientId=", event.callerContext.clientId); + console.debug("userAttributes=", event.request.userAttributes); - console.debug("userAttributes"); - console.debug(event.request.userAttributes); - - var identity_for_access_token = event.callerContext.clientId; + var identity_for_access_token; if (event.request.userAttributes.email != undefined) { - console.debug("user email is defined. Use user email as claim identity for the access_token - Rule Designer Context"); + console.debug("user email is defined. Using user email as claim identity for the access_token - Rule Designer Context"); identity_for_access_token = event.request.userAttributes.email } else { - console.debug("user email is undefined. 
Use clienId as claim identity for the access_token - M2M Context with client-credentials"); + console.debug("user email is undefined. Using clienId as claim identity for the access_token - M2M Context with client-credentials"); + identity_for_access_token = event.callerContext.clientId } - console.debug(identity_for_access_token); + console.debug("identity=", identity_for_access_token); event.response = { "claimsAndScopeOverrideDetails": { "idTokenGeneration": { "claimsToAddOrOverride": { "identity": event.request.userAttributes.email - } + } }, "accessTokenGeneration": { "claimsToAddOrOverride": { @@ -364,19 +356,18 @@ export const handler = function(event, context) { }, } }; - // Return to Amazon Cognito - context.done(null, event); + return event; }; ``` > [!WARNING] -> Do not forget to click on the **Deploy** button ! +> Do not forget to click the **Deploy** button ! 3. Associate the Lamda function to the Pre token generation Lambda trigger -Back to the **Pre token generation Lambda trigger** creation dashboard - * Click on the **Assign Lambda function** Refresh button +* Back to the **Pre token generation Lambda trigger** creation dashboard + * Click the Refresh Icon button under **Assign Lambda function** * Select **odmLambdaFunction** - * Click on the **Add Lambda trigger** button + * Click the **Add Lambda trigger** button ![Add Lambda Trigger](images/AddLambdaTrigger.png) @@ -388,6 +379,7 @@ Back to the **Pre token generation Lambda trigger** creation dashboard ### Create a secret to use the Entitled Registry +Log in to [MyIBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary) with the IBMid and password that are associated with the entitled software. In the **Container software library** tile, verify your entitlement on the **View library** page, and then go to **Get entitlement key** to retrieve the key. 
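Review bot: The handler copies `event.request.userAttributes.email` into the `identity` claim of both tokens without looking at `email_verified`, and this README says later that `webSecurity.xml` maps ODM roles onto users by that identity, so if the user pool lets a user edit their own email attribute, a user can take on another user's ODM identity by changing it. Unless the pool configuration rules that out, gate on the verified flag, e.g. `if (event.request.userAttributes.email != undefined && event.request.userAttributes.email_verified === "true") {` (Cognito passes attribute values as strings), and say in the text why the check is there. The `console.debug("event=", event)` and `console.debug("userAttributes=", ...)` lines also write the full event, including every user attribute, to CloudWatch on every token issuance; for a sample that readers will paste into production, log only the client id and the chosen identity. The `Using clienId as claim identity` log message keeps the old typo (`clientId`). The handler body is split across this hunk and the `@@ -364,19 +356,18 @@` hunk that follows.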
@@ -430,7 +422,7 @@ In the **Container software library** tile, verify your entitlement on the **Vie ``` Where: - *COGNITO_REGION* is the region where the COGNITO User Pool is deployed - - *COGNITO_DOMAIN_NAME_PREFIX* is the prefix name of the COGNITO User Pool Domain that you can retrieve at Amazon Cognito > User pools > odmuserpool > Domain (odm in our tutorial) + - *COGNITO_DOMAIN_NAME_PREFIX* is the prefix name of the COGNITO User Pool Domain that you can retrieve at Amazon Cognito > User pools > odmuserpool > Domain 3. Generate the ODM configuration file for Cognito @@ -454,9 +446,9 @@ In the **Container software library** tile, verify your entitlement on the **Vie ``` - *COGNITO_USER_POOL_ID* is the COGNITO User Pool ID retrieved at Amazon Cognito > User pools > odmuserpool > Overview > User pool ID - - *COGNITO_DOMAIN_NAME_PREFIX* is the prefix name of the COGNITO User Pool Domain that you can retrieve at Amazon Cognito > User pools > odmuserpool > Domain (odm in our tutorial) + - *COGNITO_DOMAIN_NAME_PREFIX* is the prefix name of the COGNITO User Pool Domain that you can retrieve at Amazon Cognito > User pools > odmuserpool > Domain > [!WARNING] -> only the prefix of the domain ('odm' in our tutorial) should be provided and not the entire value .auth..amazoncognito.com +> only the prefix of the domain should be provided and not the entire value .auth..amazoncognito.com - *COGNITO_REGION* is the region where the COGNITO User Pool is deployed - *COGNITO_APP_CLIENT_ID* is the COGNITO ODM App Client ID retrieved at Amazon Cognito > User pools > odmuserpool > App integration > odm > Client ID @@ -469,7 +461,7 @@ In the **Container software library** tile, verify your entitlement on the **Vie ``` ./generateTemplate.sh \ -u odmuserpool \ - -d odm \ + -d eu-west-3nixardgf9 \ -r eu-west-3 \ -i 7qo....................... \ -s rrt................................................ \ 
@@ -480,22 +472,22 @@ In the **Container software library** tile, verify your entitlement on the **Vie The four files below are generated into a directory named `output` (generated by the script): - - webSecurity.xml contains the mapping between Liberty J2EE ODM roles and Cognito User Pool groups and users: - * rtsAdministrators/resAdministrators/resExecutors ODM roles are given to the CLIENT_ID (which is seen as a user) to manage the client-credentials flow - - openIdWebSecurity.xml contains two openIdConnectClient Liberty configurations: + - `webSecurity.xml` contains the mapping between Liberty J2EE ODM roles and Cognito User Pool groups and users: + * `rtsAdministrators`/`resAdministrators`/`resExecutors` ODM roles are given to the CLIENT_ID (which is seen as a user) to manage the client-credentials flow + - `openIdWebSecurity.xml` contains two openIdConnectClient Liberty configurations: * for web access to Decision Center an Decision Server consoles using userIdentifier="client_id" with the Authorization Code flow * for the rest-api call using userIdentifier="client_id" with the client-credentials flow - - openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM openid features - - OdmOidcProviders.json configures the connection to the RES Console using the Client Credentials grant type + - `openIdParameters.properties` configures several features like allowed domains, logout, and some internal ODM openid features + - `OdmOidcProviders.json` configures the connection to the RES Console using the Client Credentials grant type 4. 
Create the Cognito authentication secret ``` kubectl create secret generic cognito-auth-secret \ + --from-file=OdmOidcProviders.json=./output/OdmOidcProviders.json \ --from-file=openIdParameters.properties=./output/openIdParameters.properties \ --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ - --from-file=webSecurity.xml=./output/webSecurity.xml \ - --from-file=OdmOidcProviders.json=./output/OdmOidcProviders.json + --from-file=webSecurity.xml=./output/webSecurity.xml ``` @@ -512,7 +504,7 @@ In the **Container software library** tile, verify your entitlement on the **Vie ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` ### 3. Run the `helm install` command 
@@ -520,15 +512,15 @@ In the **Container software library** tile, verify your entitlement on the **Vie #### a. Installation on OpenShift using Routes - See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. Inspect [cognito-values.yaml](cognito-values.yaml) for the parameters that have been defined for this installation. + See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. Inspect [cognito-values.yaml](cognito-values.yaml) for the parameters that have been defined for this installation. ```shell helm install my-odm-release ibm-helm/ibm-odm-prod -f cognito-values.yaml ``` > **Note:** -> This command installs the **latest available version** of the chart. -> If you want to install a **specific version**, add the `--version ` option, eg. `--version 25.0.0` +> This command installs the **latest available version** of the chart (possibly an interim fix). +> If you want to install a **specific version**, add the `--version ` option, eg. `--version 26.0.0` > #### b. Installation using Ingress @@ -538,7 +530,7 @@ In the **Container software library** tile, verify your entitlement on the **Vie - [Amazon Elastic Kubernetes Service](../../platform/eks/README-NGINX.md) - [Google Kubernetes Engine](../../platform/gcloud/README_NGINX.md) - When the NGINX Ingress Controller is ready, you can install the ODM release using [cognito-nginx-values.yaml](cognito-nginx-values.yaml). Take note of the `service.ingress.annotations` values that have been defined in this file.: + When the NGINX Ingress Controller is ready, you can install the ODM release using [cognito-nginx-values.yaml](cognito-nginx-values.yaml) (See the `service.ingress.annotations`): ``` helm install my-odm-release ibm-helm/ibm-odm-prod -f cognito-nginx-values.yaml 
@@ -546,12 +538,11 @@ In the **Container software library** tile, verify your entitlement on the **Vie ## Complete post-deployment tasks -### Register the ODM redirect URL +### Access the ODM services + Refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the endpoints. -1. Get the ODM endpoints. - Refer to [this documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=tasks-configuring-external-access) to retrieve the endpoints. - For example, on OpenShift you can get the route names and hosts by running `oc get routes`: + - on OpenShift you can get the route names and hosts by running `oc get routes`: ``` NAME HOST/PORT 
@@ -561,37 +552,39 @@ In the **Container software library** tile, verify your entitlement on the **Vie my-odm-release-odm-ds-runtime-route ``` - Using an Ingress, the endpoint is the address of the ODM ingress and is the same for all components. You can get it with: + - When using an Ingress, the endpoint is the address of the ODM ingress and is the same for all components. You can get it with: ``` kubectl get ingress my-odm-release-odm-ingress ``` - You get the following ingress address: + You get the following ingress address: ``` NAME CLASS HOSTS ADDRESS PORTS AGE my-odm-release-odm-ingress * 80 14d ``` -2. Register the redirect URIs into your Cognito App Client. +### Register the ODM redirect URL - The redirect URIs are built in the following way: +Register the redirect URIs into your Cognito App Client. - Using Routes: + - The redirect URIs are built in the following way: + + - Using Routes: - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` - Decision Server runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` - Using Ingress: + - Using Ingress: - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` - From the Cognito admin console, in **odmuserpool** / **App clients** / **odm** + - From the Cognito admin console, in **odmuserpool** / **App clients** / **odm** - Select the **Login pages** tab - Click the **Edit** button in the *Managed login pages configuration* - Add all 
five redirect URIs in the **Allowed callback URLs** field for all components. @@ -601,9 +594,6 @@ In the **Container software library** tile, verify your entitlement on the **Vie > Do not forget to replace with your actual host name -### Access the ODM services - - ### Set up Rule Designer @@ -627,7 +617,7 @@ In the **Container software library** tile, verify your entitlement on the **Vie 4. Restart Rule Designer. -For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-importing-security-certificate-in-rule). +For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). ### Getting Started with IBM Operational Decision Manager for Containers 
@@ -647,29 +637,29 @@ Deploy the **Loan Validation Service** production_deployment ruleapps using the You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). -As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. You perform a basic authentication ODM runtime call in the following way: ``` $ curl -H "Content-Type: application/json" -k --data @payload.json \ - -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ + -u "odmAdmin:odmAdmin" \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` Where: - - `b2RtQWRtaW46b2RtQWRtaW4=` is the base64 encoding of the current username:password odmAdmin:odmAdmin + - `odmAdmin:odmAdmin` has the following format: `:` If you want to perform a bearer authentication ODM runtime call using the Client Credentials flow, you need to get a bearer access token before invoking the execution of the ruleset as follows (You need to set up `jq` beforehand and set the four environment variables): - ``` + ``` bash # /bin/bash -export DS_RUNTIME_HOST= -export COGNITO_SERVER_URL= -export CC_CLIENT_ID= -export CC_CLIENT_SECRET= -export CC_DEFAULT_CUSTOM_SCOPE= +export DS_RUNTIME_HOST= # eg. k8s-default-odm2302o-ed3c5eee99-301488862.eu-west-3.elb.amazonaws.com +export COGNITO_SERVER_URL= # eg. 
https://odm.auth.eu-west-3.amazoncognito.com +export CC_CLIENT_ID= +export CC_CLIENT_SECRET= +export CC_DEFAULT_CUSTOM_SCOPE= curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_id=$CC_CLIENT_ID&scope=$CC_DEFAULT_CUSTOM_SCOPE&client_secret=$CC_CLIENT_SECRET&grant_type=client_credentials" \ diff --git a/authentication/Cognito/cognito-nginx-values.yaml b/authentication/Cognito/cognito-nginx-values.yaml index 13a9348a..c983c605 100644 --- a/authentication/Cognito/cognito-nginx-values.yaml +++ b/authentication/Cognito/cognito-nginx-values.yaml @@ -9,7 +9,6 @@ internalDatabase: persistence: enabled: false populateSampleData: true - runAsUser: '' decisionCenter: disableAllAuthenticatedUser: true @@ -19,13 +18,12 @@ customization: trustedCertificateList: - cognito-idp-cert-secret - cognito-domain-cert-secret - runAsUser: '' oidc: enabled: true + disableLoginPanel: true service: - enableRoute: true ingress: annotations: kubernetes.io/ingress.class: nginx diff --git a/authentication/Cognito/cognito-values.yaml b/authentication/Cognito/cognito-values.yaml index 2694b115..037d0ba2 100644 --- a/authentication/Cognito/cognito-values.yaml +++ b/authentication/Cognito/cognito-values.yaml @@ -23,6 +23,7 @@ customization: oidc: enabled: true + disableLoginPanel: true service: enableRoute: true diff --git a/authentication/Cognito/odmLambdaFunction.js b/authentication/Cognito/odmLambdaFunction.js index 6de33c0f..da6b4907 100644 --- a/authentication/Cognito/odmLambdaFunction.js +++ b/authentication/Cognito/odmLambdaFunction.js 
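Review bot: `disableLoginPanel: true` is added to this values file, and to the cognito-nginx, keycloak and okta values files elsewhere in this commit, without a comment, and none of the README hunks in the same commit mention it; a one-line YAML comment above the key stating what the panel is and why it is disabled for an OIDC-only deployment would save the next reader a chart-docs lookup. If the flag removes the username/password form from the consoles, it is worth confirming that the basic-authentication `curl -u "odmAdmin:odmAdmin"` call the Cognito README still documents for the Decision Service REST path keeps working — that cannot be told from the values file alone. The cognito-nginx hunks also drop `runAsUser: ''` and `service.enableRoute`, which reads as intentional for a non-OpenShift install but would be clearer with a comment near the `ingress:` block saying routes are not used there.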
@@ -1,31 +1,25 @@ -export const handler = function(event, context) { +export const handler = async (event, context) => { console.debug("enter in ODM lambda"); - // Allow to get debug information in the Watcher - console.debug("context"); - console.debug(context); - - console.debug("event"); - console.debug(event); - console.debug("clientId"); - console.debug(event.callerContext.clientId); + console.debug("context=", context); + console.debug("event=", event); + console.debug("clientId=", event.callerContext.clientId); + console.debug("userAttributes=", event.request.userAttributes); - console.debug("userAttributes"); - console.debug(event.request.userAttributes); - - var identity_for_access_token = event.callerContext.clientId; + var identity_for_access_token; if (event.request.userAttributes.email != undefined) { - console.debug("user email is defined. Use user email as claim identity for the access_token - Rule Designer Context"); - identity_for_access_token = event.request.userAttributes.email + console.debug("user email is defined. Using user email as claim identity for the access_token - Rule Designer Context"); + identity_for_access_token = event.request.userAttributes.email } else { - console.debug("user email is undefined. Use clienId as claim identity for the access_token - M2M Context with client-credentials"); + console.debug("user email is undefined. Using clienId as claim identity for the access_token - M2M Context with client-credentials"); + identity_for_access_token = event.callerContext.clientId; } - console.debug(identity_for_access_token); + console.debug("identity=", identity_for_access_token); event.response = { "claimsAndScopeOverrideDetails": { "idTokenGeneration": { "claimsToAddOrOverride": { "identity": event.request.userAttributes.email - } + } }, "accessTokenGeneration": { "claimsToAddOrOverride": { 
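Review bot: The new `console.debug("event=", event)` and `console.debug("userAttributes=", event.request.userAttributes)` lines dump the entire trigger event, including the user's attributes, into CloudWatch on every token issuance; that is personal data on a production path, so log only what the branch needs, e.g. `console.debug("clientId=", event.callerContext.clientId);` and `console.debug("emailPresent=", event.request.userAttributes.email !== undefined);`, or gate the full dump behind an explicit debug switch. The condition `event.request.userAttributes.email != undefined` is a loose comparison that treats an empty string as a valid email, and it throws before the client-credentials fallback is reached if `userAttributes` is ever absent from the M2M event — worth confirming against the trigger event shape; `const email = event.request.userAttributes?.email; if (email) {` would cover both cases. The typo `clienId` in the else-branch message survives the rewrite, and `var identity_for_access_token;` can become `let` now that each branch assigns it. The second hunk of this file also leaves `};` without a trailing newline.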
@@ -34,6 +28,5 @@ export const handler = function(event, context) { }, } }; - // Return to Amazon Cognito - context.done(null, event); -}; + return event; +}; \ No newline at end of file diff --git a/authentication/Cognito/templates/OdmOidcProviders.json b/authentication/Cognito/templates/OdmOidcProviders.json index 266638a1..51e3f21d 100644 --- a/authentication/Cognito/templates/OdmOidcProviders.json +++ b/authentication/Cognito/templates/OdmOidcProviders.json @@ -5,10 +5,11 @@ "grantType": "client_credentials", "authorizationURL": "https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/oauth2/authorize", "tokenURL": "https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/oauth2/token", - "logoutURL": "https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/oauth2/logout", + "logoutURL": "https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/logout", + "logoutTokenParam": "id_token_hint", "clientId": "COGNITO_CC_CLIENT_ID", "clientSecret": "COGNITO_CC_CLIENT_SECRET", "scope": "COGNITO_CC_DEFAULT_CUSTOM_SCOPE" } ] -} +} \ No newline at end of file diff --git a/authentication/Cognito/templates/openIdParameters.properties b/authentication/Cognito/templates/openIdParameters.properties index 321ead4f..3202ee64 100644 --- a/authentication/Cognito/templates/openIdParameters.properties +++ b/authentication/Cognito/templates/openIdParameters.properties @@ -5,3 +5,5 @@ OPENID_CLIENT_ID=COGNITO_APP_CLIENT_ID OPENID_CLIENT_SECRET=COGNITO_APP_CLIENT_SECRET OPENID_AUTHORIZATION_URL=https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/oauth2/auth OPENID_TOKEN_URL=https://COGNITO_DOMAIN_NAME.auth.COGNITO_REGION.amazoncognito.com/oauth2/token +OPENID_SCOPE=COGNITO_CC_DEFAULT_CUSTOM_SCOPE +OPENID_GRANT_TYPE=client_credentials \ No newline at end of file diff --git a/authentication/Cognito/templates/openIdWebSecurity.xml b/authentication/Cognito/templates/openIdWebSecurity.xml index cfd87f32..befd28a7 100644 
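Review bot: `"logoutTokenParam": "id_token_hint"` is added to a provider entry whose `grantType` is `client_credentials`, a flow that issues no ID token, so if ODM uses this entry only for the machine-to-machine runtime call there is nothing for the parameter to carry; Cognito's hosted-UI logout endpoint is also documented around `client_id` and `logout_uri` rather than `id_token_hint`, so confirm the key is consumed on this path or drop it to keep the template honest. The file additionally loses its trailing newline after the closing `}`, which makes every later edit show up as a two-line change. A sentence in the Cognito README explaining why `/oauth2/logout` became `/logout` would help readers who copied the old value into an existing deployment.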
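Review bot: The Cognito `openIdParameters.properties` template now ends without a newline after `OPENID_GRANT_TYPE=client_credentials`; the Okta template at the end of this chunk does the same, and the Okta README in this commit tells users to add `DC_OPENID_POST_LOGOUT_REDIRECT_URI=...` and `DS_OPENID_POST_LOGOUT_REDIRECT_URI=...` to the generated file, so an append with `>>` glues the first new key onto the last line and silently corrupts both properties. Keep the final newline in both templates. The new `OPENID_SCOPE` and `OPENID_GRANT_TYPE` keys are undocumented; a comment such as `# OPENID_SCOPE / OPENID_GRANT_TYPE: client-credentials settings (TODO confirm which ODM component reads them)` above them would help, since the consumer of these keys is not visible in the diff.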
--- a/authentication/Cognito/templates/openIdWebSecurity.xml +++ b/authentication/Cognito/templates/openIdWebSecurity.xml @@ -9,7 +9,7 @@ userIdentifier="identity" groupIdentifier="cognito:groups" audiences="ALL_AUDIENCES"/> - diff --git a/authentication/Cognito/templates/webSecurity.xml b/authentication/Cognito/templates/webSecurity.xml index 012ab5df..a62213c8 100644 --- a/authentication/Cognito/templates/webSecurity.xml +++ b/authentication/Cognito/templates/webSecurity.xml @@ -28,13 +28,4 @@ - - - - - - - - - diff --git a/authentication/Keycloak/README.md b/authentication/Keycloak/README.md index e10921e3..236f5913 100644 --- a/authentication/Keycloak/README.md +++ b/authentication/Keycloak/README.md @@ -100,14 +100,7 @@ If you already have an Openshift cluster, you can skip the section [Before you s ```shell oc new-project keycloak ``` -- To install Keycloak on Openshift, continue from the section [Start Keycloak](https://www.keycloak.org/getting-started/getting-started-openshift#_start_keycloak) using the file [keycloak.yaml](keycloak.yaml) instead of the one online as suggested at the first step (which may prevent from accessing the console behind a proxy), ie.: - ```shell - oc process -f keycloak.yaml \ - -p KEYCLOAK_ADMIN=admin \ - -p KEYCLOAK_ADMIN_PASSWORD=admin \ - -p NAMESPACE=keycloak \ - | oc create -f - - ``` +- To install Keycloak on Openshift, continue from the section [Start Keycloak](https://www.keycloak.org/getting-started/getting-started-openshift#_start_keycloak). - If you want to install Keycloak on another Kubernetes platform than Openshift, follow these instructions: [Get started with Keycloak on Kubernetes](https://www.keycloak.org/getting-started/getting-started-kube). 
@@ -175,7 +168,7 @@ In the Menu **Manage** / **Realm roles**: * resDeployers * resExecutors - For more information about ODM groups and roles, refer to the [ODM on Kubernetes documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-user-roles-groups). + For more information about ODM groups and roles, refer to the [ODM on Kubernetes documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-user-roles-groups). ### 2. Create a group for ODM administrators. @@ -459,7 +452,7 @@ In the Menu **Manage** / **Users**: The output should look like: ```shell NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` ### 3. Run the `helm install` command @@ -482,7 +475,7 @@ You can now install the product. We will use the PostgreSQL internal database an #### a. Installation on OpenShift using Routes - See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. Inspect [keycloak-values.yaml](keycloak-values.yaml) for the parameters that have been defined for this installation. + See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. Inspect [keycloak-values.yaml](keycloak-values.yaml) for the parameters that have been defined for this installation. ```shell helm install my-odm-release ibm-helm/ibm-odm-prod -f keycloak-values.yaml 
@@ -507,7 +500,7 @@ You can now install the product. We will use the PostgreSQL internal database an 1. Get the ODM endpoints. - Refer to [this documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=tasks-configuring-external-access) to retrieve the endpoints. + Refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the endpoints. For example, on OpenShift you can get the route names and hosts with: ```shell @@ -569,7 +562,7 @@ Well done! You can now connect to ODM using the endpoints you got [earlier](#re ### Set up Rule Designer -First set up Rule Designer following [these instructions](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-installing-rule-online). +First set up Rule Designer following [these instructions](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-installing-rule-online). To be able to securely connect your Rule Designer to the Decision Server and Decision Center services that are running in Certified Kubernetes, you need to establish a TLS connection through a security certificate in addition to the OpenID configuration. @@ -592,7 +585,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec 4. Restart Rule Designer. -For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-importing-security-certificate-in-rule). +For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). ### Getting Started with IBM Operational Decision Manager for Containers 
@@ -612,7 +605,7 @@ Deploy the **Loan Validation Service** production_deployment ruleapp using the * You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). -As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. You perform a basic authentication ODM runtime call in the following way: diff --git a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md index ab707add..9825e812 100644 --- a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md +++ b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md @@ -27,7 +27,7 @@ # Introduction -ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.5.0?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. +ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.6.0?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. Groups and Users can be imported using an LDAP connection or a SCIM connection (as Keycloak can feature a SCIM server). Keycloak does not provide a SCIM server off the shelf, but this feature can be added using a plugin called *SCIM for Keycloak* which comes 
@@ -399,7 +399,7 @@ Make sure that you finish [Complete post-deployment tasks](README.md#complete-po # Manage Security on ODM Decision Service Project -ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.5.0?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. +ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.6.0?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. Now, we will manage the following scenario. We will load the "Loan Validation Service" and "Miniloan Service" projects that are available at the getting started repository. We will only provide access to the "Loan Validation Service" project for users belonging to the `TaskAuditors` group. We will only provide access to the "Miniloan Service" project for users belonging to the `TaskUsers` group. @@ -499,4 +499,4 @@ Let us also assign the `rtsUsers` role to the `TaskAuditors` and `TaskUsers` gro All these changes are performed using the Keycloak dashboard and then reflected inside Decision Center, either manually using the Decision Center Synchronize button or using the automatic synchronization (scheduled every 2 hours by default). - You can read more about configuring the automatic synchronization in the documentation page [Importing users and groups from LDAP directories](https://www.ibm.com/docs/en/odm/9.5.0?topic=ldap-importing-users-groups-from-directories). + You can read more about configuring the automatic synchronization in the documentation page [Importing users and groups from LDAP directories](https://www.ibm.com/docs/en/odm/9.6.0?topic=ldap-importing-users-groups-from-directories). 
diff --git a/authentication/Keycloak/keycloak-odm-script.zip b/authentication/Keycloak/keycloak-odm-script.zip index 4a4e12de..0ec75cd6 100644 Binary files a/authentication/Keycloak/keycloak-odm-script.zip and b/authentication/Keycloak/keycloak-odm-script.zip differ diff --git a/authentication/Keycloak/keycloak-values.yaml b/authentication/Keycloak/keycloak-values.yaml index 20369346..f80f3590 100644 --- a/authentication/Keycloak/keycloak-values.yaml +++ b/authentication/Keycloak/keycloak-values.yaml @@ -22,6 +22,7 @@ customization: oidc: enabled: true + disableLoginPanel: true service: enableRoute: true diff --git a/authentication/Keycloak/keycloak.yaml b/authentication/Keycloak/keycloak.yaml deleted file mode 100644 index 856abead..00000000 --- a/authentication/Keycloak/keycloak.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -kind: Template -apiVersion: template.openshift.io/v1 -metadata: - name: keycloak - annotations: - description: An example template for trying out Keycloak on OpenShift - iconClass: icon-sso - openshift.io/display-name: Keycloak - tags: keycloak - version: 26.0.5 -objects: - - apiVersion: v1 - kind: Service - metadata: - annotations: - description: The web server's http port. - labels: - application: '${APPLICATION_NAME}' - name: '${APPLICATION_NAME}' - spec: - ports: - - port: 8080 - targetPort: 8080 - selector: - deploymentConfig: '${APPLICATION_NAME}' - - apiVersion: v1 - id: '${APPLICATION_NAME}' - kind: Route - metadata: - annotations: - description: Route for application's service. - labels: - application: '${APPLICATION_NAME}' - name: '${APPLICATION_NAME}' - spec: - host: '${HOSTNAME}' - tls: - termination: edge - to: - name: '${APPLICATION_NAME}' - - apiVersion: v1 - kind: DeploymentConfig - metadata: - labels: - application: '${APPLICATION_NAME}' - name: '${APPLICATION_NAME}' - spec: - replicas: 1 - selector: - deploymentConfig: '${APPLICATION_NAME}' - strategy: - type: Recreate - template: - metadata: - labels: - application: '${APPLICATION_NAME}' - deploymentConfig: '${APPLICATION_NAME}' - name: '${APPLICATION_NAME}' - spec: - containers: - - env: - - name: KEYCLOAK_ADMIN - value: '${KEYCLOAK_ADMIN}' - - name: KEYCLOAK_ADMIN_PASSWORD - value: '${KEYCLOAK_ADMIN_PASSWORD}' - - name: KC_PROXY - value: 'edge' - - name: KC_PROXY_HEADERS - value: 'forwarded' - image: quay.io/keycloak/keycloak:26.0.5 - livenessProbe: - failureThreshold: 100 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - name: '${APPLICATION_NAME}' - ports: - - containerPort: 8080 - protocol: TCP - readinessProbe: - failureThreshold: 300 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - securityContext: - privileged: false - volumeMounts: - - mountPath: /opt/keycloak/data - name: empty - args: ["start-dev"] - volumes: - - 
name: empty - emptyDir: {} - triggers: - - type: ConfigChange -parameters: - - name: APPLICATION_NAME - displayName: Application Name - description: The name for the application. - value: keycloak - required: true - - name: KEYCLOAK_ADMIN - displayName: Keycloak Administrator Username - description: Keycloak Server administrator username - generate: expression - from: '[a-zA-Z0-9]{8}' - required: true - - name: KEYCLOAK_ADMIN_PASSWORD - displayName: Keycloak Administrator Password - description: Keycloak Server administrator password - generate: expression - from: '[a-zA-Z0-9]{8}' - required: true - - name: HOSTNAME - displayName: Custom Route Hostname - description: >- - Custom hostname for the service route. Leave blank for default hostname, - e.g.: -. - - name: NAMESPACE - displayName: Namespace used for DNS discovery - description: >- - This namespace is a part of DNS query sent to Kubernetes API. This query - allows the DNS_PING protocol to extract cluster members. This parameter - might be removed once https://issues.jboss.org/browse/JGRP-2292 is - implemented. - required: true diff --git a/authentication/Okta/README.md b/authentication/Okta/README.md index 5ddd17e2..26598e58 100644 --- a/authentication/Okta/README.md +++ b/authentication/Okta/README.md 
@@ -19,11 +19,12 @@ - [Create secrets to configure ODM with Okta](#create-secrets-to-configure-odm-with-okta) - [Install your ODM Helm release](#install-your-odm-helm-release) - [Complete post-deployment tasks](#complete-post-deployment-tasks) - - [Register the ODM redirect URLs](#register-the-odm-redirect-urls) + - [Register the ODM redirect URIs](#register-the-odm-redirect-uris) - [Access the ODM services](#access-the-odm-services) - [Set up Rule Designer](#set-up-rule-designer) - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) +- [Configuring post logout redirect](#configuring-post-logout-redirect) - [Troubleshooting](#troubleshooting) - [License](#license) @@ -71,7 +72,7 @@ Auth Code flow width: First, install the following software on your machine: -- [Helm v3](https://helm.sh/docs/intro/install/) +- [Helm v3](https://helm.sh/docs/v3/intro/install/) or [Helm v4](https://helm.sh/docs/intro/install/) - [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - Access to an Operational Decision Manager product - A CNCF Kubernetes cluster 
@@ -295,12 +296,30 @@ In this step, we augment the token with meta-information that is required by the The files are generated into a directory named `output`. -#### 4. Create the Okta authentication secret. +#### 4. Add the consoles logout redirect URIs in ODM configuration files (Optional) + +This step is optional. If you implement it: + + 1. When logging out the Business Console or the RES console, OKTA logging page will be displayed + 1. If the user logs in the OKTA logging page, they will be redirected back to the console they left (either the Business console or RES console). + + Do the following: + - add the lines below in the file `openIdParameters.properties` generated at the previous step: + ``` + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https://DC_HOST/decisioncenter + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https://DS_CONSOLE_HOST/res/home.jsp + ``` + Where: + - *DC_HOST* should be replaced by the fully qualified hostname of Decision Center + - *DS_CONSOLE_HOST* should be replaced by the fully qualified hostname of Decision Server Console (aka RES console) + + Alternatively, if you do not know the *DC_HOST* and *DS_CONSOLE_HOST* yet at this point, you can skip this part for now to deploy ODM without logout redirect URIs, and add them later on and redeploy ODM. This is what is explained in [Configuring post logout redirect](#configuring-post-logout-redirect). + +#### 5. Create the Okta authentication secret. - run the command below to create a secret containing the configuration files generated at the previous step: ``` kubectl create secret generic okta-auth-secret \ - --from-file=OdmOidcProviders.json=./output/OdmOidcProviders.json \ --from-file=openIdParameters.properties=./output/openIdParameters.properties \ --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ --from-file=webSecurity.xml=./output/webSecurity.xml 
@@ -322,7 +341,7 @@ In this step, we augment the token with meta-information that is required by the ``` ``` NAME CHART VERSION APP VERSION DESCRIPTION - ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` 3. Run the `helm install` command. @@ -338,7 +357,7 @@ In this step, we augment the token with meta-information that is required by the > ``` > --set internalDatabase.runAsUser='' --set customization.runAsUser='' --set service.enableRoute=true > ``` - > - See [Preparing to install](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. + > - See [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. > > - The above command installs the **latest available version** of the chart. > If you want to install a **specific version**, add the `--version` option: @@ -355,10 +374,10 @@ In this step, we augment the token with meta-information that is required by the ## Complete post-deployment tasks -### Register the ODM redirect URLs +### Register the ODM redirect URIs 1. Get the ODM endpoints. - You can refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=tasks-configuring-external-access) to retrieve the ODM endpoints. + You can refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the ODM endpoints. For example, on OpenShift you can get the route names and hosts with: ``` 
@@ -375,7 +394,7 @@ In this step, we augment the token with meta-information that is required by the 2. Register the redirect URIs into your Okta application. - The redirect URIs are built in the following way: + The Sign-in redirect URIs are built in the following way: - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` 
@@ -383,18 +402,28 @@ In this step, we augment the token with meta-information that is required by the - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` + The Sign-out redirect URIs are built in the following way: + + - Decision Center post-logout redirect URI: `https:///decisioncenter` + - Decision Server Console post-logout redirect URI: `https:///res/home.jsp` + + >Note: + >Those two Sign-out redirect URIs must match the URIs defined at the step [4. Add the consoles logout redirect URIs in ODM configuration files (Optional)](#4-add-the-consoles-logout-redirect-uris-in-odm-configuration-files-optional) + In **Applications** / **Applications**: - Select **ODM Application**. - In the **General** tab, click **Edit** on the **General Settings** section. - - In the **LOGIN** section, click **+ Add URI** in the **Sign-in redirect URIs** section and add the Decision Center redirect URI you got earlier (`https:///decisioncenter/openid/redirect/odm` -- do not forget to replace by your actual host name!) - - Repeat the previous step for all other redirect URIs. + - In the **LOGIN** section, click **+ Add URI** in the **Sign-in redirect URIs** section and add the Sign-in redirect URI `https:///decisioncenter/openid/redirect/odm` (do not forget to replace by your actual host name!) + - Repeat the previous step for all other redirect URIs. + - In the **LOGIN** section, click **+ Add URI** in the **Sign-out redirect URIs** section and add the Sign-out redirect URI `https:///decisioncenter` (do not forget to replace by your actual host name!) + - Repeat the previous step for the Decision Server Console post-logout redirect URI: `https:///res/home.jsp` (do not forget to replace by your actual host name!) - Click **Save** at the bottom of the **General Settings** section. ![Sign-in redirect URIs](images/Sign-in_redirect_URIs.png) ### Access the ODM services -Well done! 
You can now connect to ODM using the endpoints you got [earlier](#register-the-odm-redirect-urls), and log in as an ODM admin with the account you created in [the first step](#manage-groups-and-users). +Well done! You can now connect to ODM using the endpoints you got [earlier](#register-the-odm-redirect-uris), and log in as an ODM admin with the account you created in [the first step](#manage-groups-and-users). ### Set up Rule Designer @@ -419,7 +448,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec 4. Restart Rule Designer. -For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.5.0?topic=designer-importing-security-certificate-in-rule). +For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). ### Getting Started with IBM Operational Decision Manager for Containers @@ -440,7 +469,7 @@ Deploy the **Loan Validation Service** production_deployment ruleapps using the You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json) -As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.5.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. You can realize a basic authentication ODM runtime call in the following way: 
@@ -468,6 +497,30 @@ But if you want to execute a bearer authentication ODM runtime call using the Cl https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` +# Configuring post logout redirect + +This configuration is optional, and you might have already configured post logout redirect URIs at this point if you followed the instructions at the step [4. Add the consoles logout redirect URIs in ODM configuration files (Optional)](#4-add-the-consoles-logout-redirect-uris-in-odm-configuration-files-optional) + +To configure the post logout redirect URIs, you need to: + +- add the following properties in the previously generated `./output/openIdParameters.properties` file: + ``` + DC_OPENID_POST_LOGOUT_REDIRECT_URI=https:///decisioncenter + DS_OPENID_POST_LOGOUT_REDIRECT_URI=https:///res/home.jsp + ``` + +- delete the okta-auth-secret secret and recreate it as explained in [Create secrets to configure ODM with Okta](#create-secrets-to-configure-odm-with-okta). + + ```shell + kubectl delete secret okta-auth-secret + kubectl create secret generic okta-auth-secret \ + --from-file=openIdParameters.properties=./output/openIdParameters.properties \ + --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ + --from-file=webSecurity.xml=./output/webSecurity.xml + ``` + +- define the post logout redirect URIs in Okta as explained in [Register the ODM redirect URIs](#register-the-odm-redirect-uris) + # Troubleshooting If you encounter any issue, have a look at the [common troubleshooting explanation](/troubleshooting/OpenID/README.md) diff --git a/authentication/Okta/images/Sign-in_redirect_URIs.png b/authentication/Okta/images/Sign-in_redirect_URIs.png index cd0af57b..35b75734 100644 Binary files a/authentication/Okta/images/Sign-in_redirect_URIs.png and b/authentication/Okta/images/Sign-in_redirect_URIs.png differ 
diff --git a/authentication/Okta/okta-odm-script.zip b/authentication/Okta/okta-odm-script.zip index 62cf551b..f673f982 100644 Binary files a/authentication/Okta/okta-odm-script.zip and b/authentication/Okta/okta-odm-script.zip differ diff --git a/authentication/Okta/okta-values.yaml b/authentication/Okta/okta-values.yaml index 57834626..dcf29abb 100644 --- a/authentication/Okta/okta-values.yaml +++ b/authentication/Okta/okta-values.yaml @@ -12,6 +12,7 @@ internalDatabase: oidc: enabled: true + disableLoginPanel: true customization: authSecretRef: okta-auth-secret diff --git a/authentication/Okta/templates/OdmOidcProviders.json b/authentication/Okta/templates/OdmOidcProviders.json deleted file mode 100644 index a2f7915a..00000000 --- a/authentication/Okta/templates/OdmOidcProviders.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "providers": [ - { - "name": "okta_clientcredentials", - "grantType": "client_credentials", - "authorizationURL": "OKTA_SERVER_URL/oauth2/default/v1/authorize", - "tokenURL": "OKTA_SERVER_URL/oauth2/default/v1/token", - "introspectionURL": "OKTA_SERVER_URL/oauth2/default/v1/introspect", - "scope": "OKTA_API_SCOPE", - "clientId": "OKTA_CLIENT_ID", - "clientSecret": "OKTA_CLIENT_SECRET", - "logoutURL": "OKTA_SERVER_URL/oauth2/default/v1/logout", - "logoutTokenParam": "id_token_hint" - } - ] -} diff --git a/authentication/Okta/templates/openIdParameters.properties b/authentication/Okta/templates/openIdParameters.properties index 44434858..8f83c648 100644 --- a/authentication/Okta/templates/openIdParameters.properties +++ b/authentication/Okta/templates/openIdParameters.properties @@ -8,3 +8,5 @@ OPENID_CLIENT_SECRET=OKTA_CLIENT_SECRET OPENID_LOGOUT_URL=OKTA_SERVER_URL/oauth2/default/v1/logout OPENID_ALLOWED_DOMAINS=okta.com OPENID_LOGOUT_TOKEN_PARAM=id_token_hint +OPENID_SCOPE=OKTA_API_SCOPE +OPENID_GRANT_TYPE=client_credentials \ No newline at end of file 
diff --git a/authentication/PingFederate/README.md b/authentication/PingFederate/README.md new file mode 100644 index 00000000..cd6efd1d --- /dev/null +++ b/authentication/PingFederate/README.md 
@@ -0,0 +1,482 @@ +# Configuration of ODM with PingFederate + + + +- [Introduction](#introduction) + - [What is PingFederate?](#what-is-pingfederate) + - [About this task](#about-this-task) + - [ODM OpenID flows](#odm-openid-flows) + - [Prerequisites](#prerequisites) + - [Install a PingFederate instance](#install-a-pingfederate-instance) +- [Configure a PingFederate instance for ODM (Part 1)](#configure-a-pingfederate-instance-for-odm-part-1) + - [Log into the PingFederate Admin Console](#log-into-the-pingfederate-admin-console) + - [Create some users and groups](#create-some-users-and-groups) + - [Create an ODM Resource and dedicated scope](#create-an-odm-resource-and-dedicated-scope) + - [Create an ODM Application](#create-an-odm-application) + - [Check the configuration](#check-the-configuration) +- [Deploy ODM on a container configured with PingFederate (Part 2)](#deploy-odm-on-a-container-configured-with-pingfederate-part-2) + - [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation) + - [Create a secret to use the Entitled Registry](#create-a-secret-to-use-the-entitled-registry) + - [Create secrets to configure ODM with PingFederate](#create-secrets-to-configure-odm-with-pingfederate) + - [Install your ODM Helm release](#install-your-odm-helm-release) + - [Add the public IBM Helm charts repository](#1-add-the-public-ibm-helm-charts-repository) + - [Check that you can access the ODM chart](#2-check-that-you-can-access-the-odm-chart) + - [Run the `helm install` command](#3-run-the-helm-install-command) + - [a. Installation on OpenShift using Routes](#a-installation-on-openshift-using-routes) + - [b. 
Installation using Ingress](#b-installation-using-ingress) + - [Complete post-deployment tasks](#complete-post-deployment-tasks) + - [Register the ODM redirect URL](#register-the-odm-redirect-url) + - [Access the ODM services](#access-the-odm-services) + - [Set up Rule Designer](#set-up-rule-designer) + - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) + - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) +- [Troubleshooting](#troubleshooting) +- [License](#license) + + + +# Introduction + +In the context of the Operational Decision Manager (ODM) on Certified Kubernetes offering, ODM for production can be configured with an external OpenID Connect server (OIDC provider), such as the PingFederate cloud service. + +This tutorial shows how to integrate ODM with PingFederate to manage classic authentication and authorization. + +## What is PingFederate? + +[PingFederate](https://www.pingidentity.com/en/product/pingfederate.html) is an enterprise identity and access management (IAM) software product made by [Ping Identity](https://www.pingidentity.com/en.html). It is mainly used for federated authentication and single sign-on (SSO) across different systems and organizations. + +## About this task + +You need to create a number of secrets before you can install an ODM instance with an external OIDC provider such as the PingFederate service, and use web application single sign-on (SSO). The following diagram shows the ODM services with an external OIDC provider after a successful installation. + +![ODM web application SSO](images/diag_pingfederate_interaction.jpg) + + +The following procedure describes how to manually configure ODM with a PingFederate service. + +## ODM OpenID flows + +[OpenID Connect](https://openid.net/developers/how-connect-works) is an authentication standard built on top of OAuth 2.0. It adds a token called an ID token. 
+ +Terminology: + +- The **OpenID provider** — The authorization server that issues the ID token. In this case, PingFederate is the OpenID provider. +- The **end user** — The end user whose information is contained in the ID token. +- The **relying party** — The client application that requests the ID token from PingFederate. +- The **ID token** — The token that is issued by the OpenID provider and contains information about the end user in the form of claims. +- A **claim** — A piece of information about the end user. + +The [Authorization Code flow](https://docs.pingidentity.com/pingfederate/13.0/introduction_to_pingfederate/pf_grant_types.html#primary-grant-types) is best used by server-side apps where the source code is not publicly exposed. The apps must be server-side because the request that exchanges the authorization code for a token requires a client secret, which has to be stored in your client. However, the server-side app requires an end user because it relies on interactions with the end user's web browser, which redirects the user and then receives the authorization code. + +![Authorization Code Flow](images/authorization_code_flow.svg) + +The [Client Credentials flow](https://docs.pingidentity.com/pingfederate/13.0/introduction_to_pingfederate/pf_grant_types.html#primary-grant-types) is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication. The application must be server-side because it must be trusted with the client secret, and since the credentials are hard-coded, it cannot be used by an actual end user. It involves a single, authenticated request to the token endpoint, which returns an access token. 
+ +![Client Credentials Flow](images/client_credentials_flow.svg) + +## Prerequisites + +You need the following elements: + +- [Helm v3](https://helm.sh/docs/intro/install/) +- [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) +- Access to an Operational Decision Manager product +- Access to a CNCF Kubernetes cluster +- A PingFederate Saas trial Instance + +### Install a PingFederate instance + +This tutorial has been tested with a [PingFederate Saas trial instance](https://www.pingidentity.com/en/try-ping.html). You have to request it if you don't have one. + + +# Configure a PingFederate instance for ODM (Part 1) + +In this section, you will: + +- Log into the PingFederate Admin Console +- Create some users and groups +- Create an ODM Resource and dedicated scope +- Create an ODM Application +- Check the configuration + +## Log into the PingFederate Admin Console + +When the trial is available, you have a link to the PingFederate Admin Console in the email you received. Use it to connect to the PingFederate Admin Console. + +## Create some users and groups + +At the first connection, a predefined user that was used to log into the PingFederate Admin Console is already present in the Directory > Users tab. +You can use the + button to add new users. + +We will use the Directory>Groups tab to create a group named `ODM-Admin` and add the prefdefined user to it. + +Select Directory > Groups and click the + button to create a new group. + * Group Name: *ODM-Admin* + * Description: *ODM Admin Group* + * Click **Save** + +Using the three dot button on the ODM-Admin group, you can add the predefined user to the group using the **Add/remove Users** menu. + +![Admin Group](images/admin_group.png) + + +## Create an ODM Resource and dedicated scope + +The resource is a way to create a dedicated scope that will be used in the client_credentials flow, as openid scope acconot be used. 
+ +Select **Applications** > **Resources** tab and click the + button to create a new resource. + * Resource Name: *ODM CC* + * Description: *ODM Resource for Client Crededentials* + * Click **Next** + + * Click **+ Add** Attributes button + * Attribute Name: *identity* and **PingOne Mappings Value** *#root.context.appConfig.clientId* using the **Advanced Expression** button + * Check *Required* checkbox + * Click **Next** + +![Resource Attributes](images/resource_attributes.png) + + * Click **+ Add** Scope button + * Scope Name: *odm_cc* + * Click **Save** + +![Resource Scope](images/resource_scope.png) + +## Create an ODM Application + +Select Applications > Applications tab and click the + button to create a new application. + * Application Name: *ODM Application* + * Application Type: *OIDC Web App* + * Click **Save** + +Select **Configuration** and edit using the **Edit** button. + * Response Type: *Code,Token and ID Token* + * Grant Type: *Authorization Code, Implicit, Client Credentials* + * Token Endpoint Authentication Method: *Client Secret Post* + * Click **Save** + +![Application Configuration](images/application_configuration.png) + +Select **Resources** and edit using the **Edit** button. + * Add the *odm_cc* scope to the **Selected Scopes** list + * Click **Save** + +![Application Resources](images/application_resources.png) + +[Optional] Set MFA to login to ODM UI +Select **Policies** and edit using the **Edit** button. + * Check **Multi_factor** policy + * Click **Save** + +![Application Policies](images/application_policies.png) + +Select **Attribute Mappings** and edit using the **Edit** button. 
+Add new attribute using the **+Add** button + * Attribute Name: *groups* and **PingOne Mappings Value** *Group Names* + * Attribute Name: *identity* and **PingOne Mappings Value** *user.name.given + ' ' + user.name.family* using the **Advanced Expression** button + * Click **Save** + +![Application Attributes](images/application_attributes.png) + +Select **Access** and edit using the **Edit** button. + * Select **ODM-Admin** group from the **Groups** dropdown + * Click **Save** + +![Application Access](images/application_access.png) + +## Check the configuration + + Download the [pingfederate-odm-script.zip](pingfederate-odm-script.zip) file to your machine and unzip it in your working directory. + This .zip file contains scripts and templates to verify and set up ODM. + + You can request an access token using the Client-Credentials flow to verify the format of the token. + This token is used for the deployment of rulesets from the Business Console: + + ```shell + ./get-client-credential-token.sh -i $CLIENT_ID -x $CLIENT_SECRET -n $PING_FEDERATE_SERVER_URL + ``` + + Where: + - *CLIENT_ID* can be found in the **overview** of the ODM Application, section **Applications** / **Applications** + - *CLIENT_SECRET* can be found in the **overview** of the ODM Application, section **Applications** / **Applications** + - *PING_FEDERATE_SERVER_URL* is the issuer ID that can be retrieved in the Connection Details of the Overview tab of the **ODM Application** + + If you decode the *access_token* value with a JWT decoder tool, you should get: + ```json + { + .. + "iss": "", + .... + "identity": "", + ... + } + ``` + + +# Deploy ODM on a container configured with PingFederate (Part 2) + +## Prepare your environment for the ODM installation + +### Create a secret to use the Entitled Registry + +1. 
To get your entitlement key, log in to [MyIBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary) with the IBMid and password that are associated with the entitled software. + + In the **Container software library** tile, verify your entitlement on the **View library** page, and then go to **Get entitlement key** to retrieve the key. + +2. Create a pull secret by running a `kubectl create secret` command. + + ```shell + kubectl create secret docker-registry ibm-entitlement-key \ + --docker-server=cp.icr.io \ + --docker-username=cp \ + --docker-password="" + ``` + + Where: + + - *API_KEY_GENERATED* is the entitlement key from the previous step. Make sure you enclose the key in double-quotes. + + > Note: + > 1. The **cp.icr.io** value for the docker-server parameter is the only registry domain name that contains the images. You MUST set the *docker-username* to **cp** to use an entitlement key as *docker-password*. + > 2. The `ibm-entitlement-key` secret name will be used for the `image.pullSecrets` parameter when you run a Helm install of your containers. The `image.repository` parameter is also set by default to `cp.icr.io/cp/cp4a/odm`. + +### Create secrets to configure ODM with PingFederate + +1. Create a secret to configure ODM with PingFederate. + + If you have not done it yet, download the [pingfederate-odm-script.zip](pingfederate-odm-script.zip) file to your machine. This .zip file contains the [script](generateTemplate.sh) and the content of the [templates](templates) directory. + The [script](generateTemplate.sh) allows you to generate the necessary configuration files. 
+ + Generate the files with the following command: + ```shell + ./generateTemplate.sh -i $CLIENT_ID -x $CLIENT_SECRET -n $PING_FEDERATE_SERVER_URL + ``` + + Where: + - *CLIENT_ID* can be found in the **overview** of the ODM Application, section **Applications** / **Applications** + - *CLIENT_SECRET* can be found in the **overview** of the ODM Application, section **Applications** / **Applications** + - *PING_FEDERATE_SERVER_URL* can be found as the Issuer ID in the **overview** / **Connection Details** of the ODM Application, section **Applications** / **Applications** + + The following files are generated into the `output` directory: + + - `webSecurity.xml` contains the mapping between Liberty J2EE ODM roles and the PingFederate ODM-Admin group + - `openIdWebSecurity.xml` contains two openIdConnectClient Liberty configurations: + * the first for web access to Decision Center and Decision Server consoles with the Authorization Code flow + * the second for the rest-api calls with the client-credentials flow + - `openIdParameters.properties` configures several features like allowed domains, logout, and some internal ODM openid features + +3. Create the PingFederate authentication secret using `webSecurity.xml`, `openIdWebSecurity.xml` and `openIdParameters.properties` files. + + ```shell + kubectl create secret generic pingfederate-auth-secret \ + --from-file=openIdParameters.properties=./output/openIdParameters.properties \ + --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ + --from-file=webSecurity.xml=./output/webSecurity.xml + ``` + + +## Install your ODM Helm release + +### 1. Add the public IBM Helm charts repository + + ```shell + helm repo add ibm-helm https://raw.githubusercontent.com/IBM/charts/master/repo/ibm-helm + helm repo update + ``` + +### 2. 
Check that you can access the ODM chart + + ```shell + helm search repo ibm-odm-prod + ``` + The output should look like: + ```shell + NAME CHART VERSION APP VERSION DESCRIPTION + ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager + ``` + +### 3. Run the `helm install` command + +You can now install the product. We will use the PostgreSQL internal database and disable data persistence (`internalDatabase.persistence.enabled=false`) to avoid any platform complexity with persistent volume allocation. + +> **Note:** +> The following command installs the **latest available version** of the chart. +> If you want to install a **specific version**, add the `--version` option: +> +> ```bash +> helm install my-odm-release ibm-helm/ibm-odm-prod --version -f pingfederate-values.yaml +> ``` +> +> You can list all available versions using: +> +> ```bash +> helm search repo ibm-helm/ibm-odm-prod -l +> ``` + +#### a. Installation on OpenShift using Routes + + See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. Inspect [pingfederate-values.yaml](pingfederate-values.yaml) for the parameters that have been defined for this installation. + + ```shell + helm install my-odm-release ibm-helm/ibm-odm-prod -f pingfederate-values.yaml + ``` + +#### b. Installation using Ingress + + Refer to the following documentation to install an NGINX Ingress Controller on: + - [Microsoft Azure Kubernetes Service](../../platform/azure/README-NGINX.md) + - [Amazon Elastic Kubernetes Service](../../platform/eks/README-NGINX.md) + - [Google Kubernetes Engine](../../platform/gcloud/README_NGINX.md) + + When the NGINX Ingress Controller is ready, you can install the ODM release using [pingfederate-ingress-values.yaml](pingfederate-ingress-values.yaml). Take note of the `service.ingress.annotations` values that have been defined in this file. 
+ + ```shell + helm install my-odm-release ibm-helm/ibm-odm-prod -f pingfederate-nginx-values.yaml + ``` + +## Complete post-deployment tasks + +### Register the ODM redirect URL + + +1. Get the ODM endpoints. + Refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=tasks-configuring-external-access) to retrieve the endpoints. + For example, on OpenShift you can get the route names and hosts with: + + ```shell + kubectl get routes --no-headers --output custom-columns=":metadata.name,:spec.host" + ``` + + You get the following hosts: + ``` + my-odm-release-odm-dc-route + my-odm-release-odm-dr-route + my-odm-release-odm-ds-console-route + my-odm-release-odm-ds-runtime-route + ``` + + Using an Ingress, the endpoint is the address of the ODM ingress and is the same for all components. You can get it with: + + ```shell + kubectl get ingress my-odm-release-odm-ingress + ``` + + You get the following ingress address: + ``` + NAME CLASS HOSTS ADDRESS PORTS AGE + my-odm-release-odm-ingress * 80 1d + ``` + +2. Register the redirect URIs into your PingFederate application. 
+ + The redirect URIs are built in the following way: + + Using Routes: + - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` + - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` + - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` + - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` + - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` + + Using Ingress: + - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` + - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` + - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` + - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` + - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` + + From the PingFederate admin console, in **Applications** / **Applications** + - Edit the `ODM Application` + - In the tab **Configuration** + * Add the redirect URIs in the **Redirect URIs** field for each component. + + For example, add the Decision Center redirect URI that you got earlier (`https:///decisioncenter/openid/redirect/odm` -- do not forget to replace with your actual host name!) + - Click **Save** at the bottom of the page. + + ![Add URI](images/application_redirect_uris.png) + + +### Access the ODM services + +Well done! You can now connect to ODM using the endpoints you got [earlier](#register-the-odm-redirect-url) and log in as an ODM admin with your account. + +### Set up Rule Designer + +First set up Rule Designer following [these instructions](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-installing-rule-online). + +To be able to securely connect your Rule Designer to the Decision Server and Decision Center services that are running in Certified Kubernetes, you need to establish a TLS connection through a security certificate in addition to the OpenID configuration. 
+ +1. Get the following configuration files. + * `https:///decisioncenter/assets/truststore.jks` + * `https:///decisioncenter/assets/OdmOidcProvidersRD.json` + where *DC_HOST* is the Decision Center endpoint. + +2. Copy the `truststore.jks` and `OdmOidcProvidersRD.json` files to your Rule Designer installation directory next to the `eclipse.ini` file. + +3. Edit your `eclipse.ini` file and add the following lines at the end. + ``` + -Djavax.net.ssl.trustStore=/truststore.jks + -Djavax.net.ssl.trustStorePassword=changeme + -Dcom.ibm.rules.authentication.oidcconfig=/OdmOidcProvidersRD.json + ``` + Where: + - *changeme* is the fixed password to be used for the default truststore.jks file. + - *ECLIPSEINITDIR* is the Rule Designer installation directory where the eclipse.ini file is. + +4. Restart Rule Designer. + +For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=designer-importing-security-certificate-in-rule). + +### Getting Started with IBM Operational Decision Manager for Containers + +Get hands-on experience with IBM Operational Decision Manager in a container environment by following this [Getting started tutorial](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/README.md). + +### Calling the ODM Runtime Service + +Log in the Business Console. + +Import the Decision Service named [Loan Validation Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) if it is not already there. + +![Import project](images/import_project.png) + +Deploy the **Loan Validation Service** production_deployment ruleapp using the **production deployment** deployment configuration in the Deployments>Configurations tab. + +![Deploy project](images/deploy_project.png) + +You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). 
+ +As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.6.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. + +You perform a basic authentication ODM runtime call in the following way: + + ``` + curl -H "Content-Type: application/json" -k --data @payload.json \ + -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ + https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 + ``` + + Where `b2RtQWRtaW46b2RtQWRtaW4=` is the base64 encoding of the current username:password odmAdmin:odmAdmin + +If you want to perform a bearer authentication ODM runtime call using the Client Credentials flow, you must get a bearer access token: + + ``` + curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ + -d "client_id=${CLIENT_ID}&scope=odm_cc&client_secret=${CLIENT_SECRET}&grant_type=client_credentials" \ + "${PING_FEDERATE_SERVER_URL}/token" + ``` + + And use the retrieved access token in the following way: + + ``` + curl -H "Content-Type: application/json" -k --data @payload.json \ + -H "Authorization: Bearer " \ + https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 + ``` + +# Troubleshooting + +If you encounter any issue, have a look at the [OpenID Connect troubleshooting Tips](/troubleshooting/OpenID/README.md) + +# License + +[Apache 2.0](/LICENSE) diff --git a/authentication/PingFederate/generateTemplate.sh b/authentication/PingFederate/generateTemplate.sh new file mode 100755 index 00000000..6c207934 --- /dev/null +++ b/authentication/PingFederate/generateTemplate.sh 
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+OUTPUT_DIR=./output
+TEMPLATE_DIR=./templates
+
+function usage {
+ cat <