i2 Analyze Deployment Tooling


    Configuring claims-based authentication

    Configuring i2 Analyze and analyze-deployment-tooling for SAML and OIDC authentication and authorization.

    1. In the <config-name>/configuration/analyze-settings.properties file, add the following line:

      UserGroupsProvider=com.i2group.disco.user.ClaimsBasedUserGroupsProvider
      

    This page includes information about configuring:

    • SAML authentication
    • OIDC authentication

    Securing the connection to the authentication mechanism

    If your authentication mechanism requires a secure connection, you must provide the trust certificate to the Liberty server in the analyze-deployment-tooling deployment.

    1. In your config, create a configuration/secrets directory.
    2. In the secrets folder, create an additional-trust-certificates.cer file.
    3. In the additional-trust-certificates.cer file, provide the public certificate that can be used to trust the certificate from your authentication provider.
      You can provide multiple certificates in this file, one after another.

    For example, each certificate in the file is a PEM-encoded block that starts with a -----BEGIN CERTIFICATE----- line and ends with an -----END CERTIFICATE----- line.

    
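    A quick sanity check of the additional-trust-certificates.cer bundle before deploying, written as an added example (not part of the i2 Analyze tooling): it splits the file into PEM blocks, rejects anything that is not a certificate or does not decode to DER, and prints a SHA-256 fingerprint per certificate that you can compare against what your identity provider publishes. The sample DER payloads are constructed placeholders, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# One PEM block: label, base64 body, then the END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_trust_file(text):
    """Validate a PEM bundle and return (sha256_fingerprint, der_length) per certificate.

    Raises ValueError for anything Liberty would reject when loading the trust
    file: a block that is not a CERTIFICATE (for example a private key pasted by
    mistake), broken base64, or a payload that is not a DER SEQUENCE.
    """
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    results = []
    for index, (label, body) in enumerate(blocks, start=1):
        if label != "CERTIFICATE":
            raise ValueError(f"block {index} is a {label}, not a CERTIFICATE")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {index}: invalid base64 ({exc})") from exc
        if not der or der[0] != 0x30:  # every X.509 certificate starts with a DER SEQUENCE
            raise ValueError(f"block {index}: payload is not a DER SEQUENCE")
        results.append((hashlib.sha256(der).hexdigest(), len(der)))
    return results


def _pem(label, der):
    """Wrap DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample data: tiny DER SEQUENCEs stand in for real certificates.
FAKE_DER_A = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_DER_B = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
GOOD_BUNDLE = _pem("CERTIFICATE", FAKE_DER_A) + _pem("CERTIFICATE", FAKE_DER_B)
BAD_BUNDLE = GOOD_BUNDLE + _pem("PRIVATE KEY", bytes([0x30, 0x00]))

if __name__ == "__main__":
    for fingerprint, size in parse_trust_file(GOOD_BUNDLE):
        print(f"sha256={fingerprint} der_bytes={size}")
```

To check a real file, read it into a string and pass it to parse_trust_file; a ValueError tells you which block to fix.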

    Configuring SAML authentication

    To configure SAML authentication, update the Liberty configuration to work with your identity provider and redeploy the system.

    1. Update the <config-name>/configuration/server-extensions.xml file to include the samlWeb-2.0 feature:

      <featureManager>
        ...
        <feature>samlWeb-2.0</feature>
      </featureManager>
      
    2. Redeploy your config by running the following command:

      deploy
      

      If you have multiple configs, specify the config name with -c <config-name>.

    3. Navigate to https://i2analyze.eia:9443/ibm/saml20/defaultSP/samlmetadata.

      An spMetadata.xml file is downloaded.

    4. Provide the spMetadata.xml file to your identity provider. In exchange, you receive an Identity Provider (IdP) metadata file and a group ID that you use to configure the server.

    5. Place the IdP metadata file in the <config-name>/configuration/liberty/resources/security directory.
      By default, Liberty expects the file to be named idpMetadata.xml.

    6. Update the server-extensions.xml file to include the samlWebSso20 element with the groupIdentifier attribute. To find the groupIdentifier value, locate the URI of the "Groups" claim type in the IdP metadata file.

      For example:

      <samlWebSso20 id="defaultSP" groupIdentifier="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
      

      If your IdP metadata file is not called idpMetadata.xml, you can use the idpMetadata attribute to specify the name of your file.

      For more information about all of the configuration options available for configuring SAML in Liberty, see SAML Web Single Sign-On 2.0.

    7. Ensure that the group names that the system receives from the identity provider align with the groups referenced in your security schema and command access control files.

    8. Redeploy your config by running the following command:

      deploy
      

      If you have multiple configs, specify the config name with -c <config-name>.

    Connect to the system and log in as a user that is authenticated by your identity provider.
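    Steps 5 and 6 above, as an added example that is not part of the i2 Analyze tooling: the script searches an IdP metadata file for the claim type whose display name is "Groups" and renders the samlWebSso20 element for server-extensions.xml. The metadata sample is constructed and uses the WS-Federation ClaimTypesOffered layout that Microsoft Entra ID metadata uses (an assumption for other providers; the lookup ignores namespaces so it is not tied to that layout).

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: only the ClaimTypesOffered part of an IdP metadata file.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.test/idp">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <auth:DisplayName>Groups</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>
"""


def _local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_claim_uri(metadata_xml, display_name="Groups"):
    """Return the Uri of the ClaimType whose DisplayName is display_name."""
    for element in ET.fromstring(metadata_xml).iter():
        if _local_name(element.tag) != "ClaimType":
            continue
        for child in element:
            if _local_name(child.tag) == "DisplayName" and (child.text or "").strip() == display_name:
                return element.get("Uri")
    raise LookupError(f"IdP metadata offers no {display_name!r} claim type")


def saml_sso_element(group_uri, idp_metadata_file="idpMetadata.xml", sp_id="defaultSP"):
    """Render the samlWebSso20 element, adding idpMetadata only when the
    metadata file does not use Liberty's default name."""
    attrs = [f"id={quoteattr(sp_id)}", f"groupIdentifier={quoteattr(group_uri)}"]
    if idp_metadata_file != "idpMetadata.xml":
        attrs.append(f"idpMetadata={quoteattr(idp_metadata_file)}")
    return "<samlWebSso20 " + " ".join(attrs) + "/>"


if __name__ == "__main__":
    print(saml_sso_element(find_claim_uri(SAMPLE_IDP_METADATA)))
```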


    Configuring OIDC authentication

    To configure OIDC authentication, update the Liberty configuration to work with your identity provider and redeploy the system.

    1. Update the <config-name>/configuration/server-extensions.xml file to configure OIDC:

      1. Add the openidConnectClient-1.0 feature element:

        <featureManager>
          ...
          <feature>openidConnectClient-1.0</feature>
        </featureManager>
        
      2. Add the <openidConnectClient> element and populate the attributes according to the values from your identity provider.

        The following attributes are used in this example configuration:

        • id - an ID for this OIDC client defined in Liberty. This value is used in the redirect URI of the client in the provider.
        • clientId - the ID of the client for i2 Analyze defined in the provider.
        • clientSecret - if your provider is configured for client authentication, this is the secret used to authenticate the client with the provider.
        • discoveryEndpointUrl - the URL for the OpenID Endpoint configuration from the provider.
        • signatureAlgorithm - the algorithm used to sign tokens.
        • groupIdentifier - the name of the claim in the token that contains a user's group information.

          <openidConnectClient
              id="client01"
              clientId="oidc-example"
              clientSecret="${CLIENT_SECRET}"
              discoveryEndpointUrl="https://keycloak.eia:8443/realms/oidc-example/.well-known/openid-configuration"
              signatureAlgorithm="RS256"
              groupIdentifier="groups"
          />
          
        • To provide the value for clientSecret, you can use the Application Secrets mechanism as shown in the example, or provide the value directly.

        • For more information about all of the configuration options available for configuring OIDC in Liberty, see OpenID Connect Client 1.0.

    2. Ensure that the group names that the system receives from the identity provider align with the groups referenced in your security schema and command access control files.

    3. Redeploy your config by running the following command:

      deploy
      

      If you have multiple configs, specify the config name with -c <config-name>.
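    Before redeploying, it is worth confirming that the openidConnectClient attributes match what the provider actually advertises. The check below is an added example, not part of the i2 Analyze tooling: it reads the element from server-extensions.xml and compares signatureAlgorithm, groupIdentifier and discoveryEndpointUrl against the provider's discovery document. Both inputs are constructed samples that mirror the values on this page; for a live check, fetch the JSON from discoveryEndpointUrl and pass it in.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of server-extensions.xml with the element from step 1.2.
SAMPLE_SERVER_EXTENSIONS = """<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
  </featureManager>
  <openidConnectClient id="client01" clientId="oidc-example"
      clientSecret="${CLIENT_SECRET}"
      discoveryEndpointUrl="https://keycloak.eia:8443/realms/oidc-example/.well-known/openid-configuration"
      signatureAlgorithm="RS256" groupIdentifier="groups"/>
</server>
"""

# Constructed stand-in for the JSON served at discoveryEndpointUrl.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.eia:8443/realms/oidc-example",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "claims_supported": ["sub", "email", "groups"],
})


def check_oidc_client(server_xml, discovery_json):
    """Return a list of problems; an empty list means the client config matches the provider."""
    root = ET.fromstring(server_xml)
    disco = json.loads(discovery_json)
    problems = []
    features = [f.text.strip() for f in root.iter("feature") if f.text]
    if "openidConnectClient-1.0" not in features:
        problems.append("feature openidConnectClient-1.0 is not enabled")
    client = root.find("openidConnectClient")
    if client is None:
        return problems + ["no <openidConnectClient> element found"]
    url = client.get("discoveryEndpointUrl", "")
    issuer = disco.get("issuer")
    if not url.startswith("https://"):
        problems.append("discoveryEndpointUrl must use https")
    elif issuer and not url.startswith(issuer):  # discovery URL should live under the issuer
        problems.append(f"issuer {issuer} does not match discoveryEndpointUrl")
    alg = client.get("signatureAlgorithm")
    supported = disco.get("id_token_signing_alg_values_supported", [])
    if alg not in supported:
        problems.append(f"signatureAlgorithm {alg!r} is not offered by the provider ({supported})")
    claims = disco.get("claims_supported")  # optional in discovery documents
    if claims is not None and client.get("groupIdentifier") not in claims:
        problems.append(f"groupIdentifier {client.get('groupIdentifier')!r} is not in claims_supported")
    if not client.get("clientSecret"):
        problems.append("clientSecret is empty; supply it via Application Secrets or directly")
    return problems


if __name__ == "__main__":
    for line in check_oidc_client(SAMPLE_SERVER_EXTENSIONS, SAMPLE_DISCOVERY) or ["OK"]:
        print(line)
```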

    © N. Harris Computer Corporation