As more customers move Identity to the cloud, we run into applications that cannot be migrated to the cloud in the short term, or cannot be migrated at all, for various reasons including security. That raises the question: how do we integrate those on-prem applications with a cloud Identity solution? There are a few common patterns for integrating an application with a central IDAM (IDentity and Access Management) solution (not to suggest that these are the only possible ways to integrate an application with an IDAM solution). In this blog, I will describe those patterns and how IDCS integrates with such applications, and then walk through one of the patterns in detail.
1. Container security for J2EE applications
- Container security is the most widely used pattern for J2EE applications. It is implemented by the application container via security providers. WebLogic Server supports an IDCS security provider to integrate with IDCS. The other two popular containers, IBM WebSphere and JBoss, support OpenID Connect providers; you can leverage those security providers to integrate with IDCS.
2. SAML based federation integration
- Some applications natively understand SAML assertions and federate with the IDAM solution for Single Sign-On. Because IDCS implements the SAML standard, those applications can integrate with IDCS using SAML-based federation.
3. HTTP header based integration
- If the application supports HTTP header based integration, you can protect it behind an Apache reverse proxy web server. Apache supports an OpenID Connect module; you can use the module to protect the application, and the module passes user information from the ID token to the application as HTTP headers. I will describe this integration in detail below.
4. OpenID Connect support
- Most modern web development frameworks such as AngularJS, NodeJS or Go support OpenID Connect integration with OpenID Connect providers through out-of-the-box (OOB) modules. You can leverage those modules to integrate with IDCS, which is fully OpenID Connect standards compliant.
In this article I will describe how to configure the OpenID Connect module for Apache server. Before you configure the Apache module, you have to create an OAuth client in IDCS.
Follow the steps below to create the OAuth client. I have captured a screenshot for every step; the screenshots follow the step descriptions.
1. Log in to the IDCS admin console as an identity administrator user.
2. From the Applications tab, create a new application of type Trusted application.
3. Type the application name and URL and click Next.
4. Select the Client credentials and Authorization code grant types. When you select the authorization code grant type, you will also have to enter a redirect URL. The redirect URL for the OpenID module is https://APACHEHOSTNAME/oidc/.
5. Make sure you select the Cloud Gate app role and then click Next.
6. Since this is not a resource server, do not create any resources; click Next.
7. Click Finish.
8. A pop-up window will show both the client ID and the client secret. Note down the client ID and secret, because you will need them in the next step.
9. The last step is to activate the application.
OpenID connect module configuration
Configure the module as shown in the screenshot below. I have hidden the IDCS tenant name and the client secret.
Once you finish the module configuration, restart Apache server and test. As you can see in the configuration screenshot above, I have only protected the /protected/ endpoint. Every endpoint not mentioned in the configuration file is unprotected by default, so anything else you want behind IDCS authentication must be listed explicitly.
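The configuration from the screenshot, reconstructed below as an added example that is not the post's own file. It assumes mod_auth_openidc on Apache 2.4, placeholders for the IDCS tenant, Apache hostname, and the client ID and secret from step 8, and a backend application listening on localhost:8080 (the `RequestHeader unset` lines are a hardening addition, not something the post shows).

```apache
# Added example (not the blog's screenshot). Replace TENANT, APACHEHOSTNAME,
# the client ID/secret and the backend URL with your own values.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# IDCS discovery document: issuer, endpoints and signing keys are read from here
OIDCProviderMetadataURL https://TENANT.identity.oraclecloud.com/.well-known/openid-configuration
OIDCClientID     CLIENT_ID_FROM_STEP_8
OIDCClientSecret CLIENT_SECRET_FROM_STEP_8

# Must match the redirect URL registered on the IDCS application in step 4.
# It is a vanity path handled by the module, not a real resource.
OIDCRedirectURI https://APACHEHOSTNAME/oidc/
# Long random string used to encrypt the module's session cookie
OIDCCryptoPassphrase CHANGE_ME_TO_A_LONG_RANDOM_PASSPHRASE
OIDCScope "openid profile email"
# Forward ID-token claims to the backend as OIDC_CLAIM_* request headers
OIDCPassClaimsAs headers

# Hardening: discard any OIDC_CLAIM_* header a client sends itself, so the
# backend only ever sees values the module set after authentication.
RequestHeader unset OIDC_CLAIM_sub   early
RequestHeader unset OIDC_CLAIM_email early

# The redirect URI path must be protected by the module
<Location /oidc/>
    AuthType openid-connect
    Require valid-user
</Location>

# Only /protected/ requires an IDCS login; every other path stays open
<Location /protected/>
    AuthType openid-connect
    Require valid-user
</Location>

ProxyPass        /protected/ http://localhost:8080/protected/
ProxyPassReverse /protected/ http://localhost:8080/protected/
```

After a successful login the backend receives the user's identity in headers such as OIDC_CLAIM_sub and OIDC_CLAIM_email; a quick check is to proxy /protected/ to a page that echoes request headers and confirm they only appear after authentication.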