Integrate OSP with NetIQ Advanced Authentication using OAuth2/OIDC

You can configure One SSO Provider (OSP) to authenticate users through NetIQ Advanced Authentication (AA) using the OAuth2/OpenID Connect protocol. This topic provides step-by-step instructions for the integration.

Prerequisites

Before you begin, ensure that you have the following requirements in place:

  • OSP instance deployed on Apache Tomcat.

  • NetIQ Advanced Authentication server accessible.

  • Administrative access to both systems.

  • Client credentials (Client ID and Client Secret) from NetIQ AA.

  • An LDAP server added under Repositories (see New LDAP repo).


Step 1: Register OAuth2 client in NetIQ Advanced Authentication

Create an OAuth2/OIDC client in NetIQ Advanced Authentication to enable the integration with OSP.

To register an OAuth2 client:

  1. Log in to the NetIQ Advanced Authentication admin console.

  2. Follow the NetIQ documentation to create an OAuth2/OIDC client.

NetIQ AA requires exact redirect URI matching including query parameters.

To configure redirect URIs:

Register the following redirect URI pattern in NetIQ AA:

https://<OSP_HOST>:<PORT>/osp/a/<INSTANCE>/auth/app/contractcontinue?acAuthCardId=netiq-aa-contract-%24default-card%24&exid=0&forceAuth=local&sid=0

Example: https://localhost:8443/osp/a/dimensions/auth/app/contractcontinue?acAuthCardId=netiq-aa-contract-%24default-card%24&exid=0&forceAuth=local&sid=0

After creating the OAuth2 client, note the following values from NetIQ AA:

  • Issuer: https://<NETIQ_AA_HOST>/osp/a/TOP/auth/oauth2

  • Authorization Endpoint: From .well-known/openid-configuration

  • Token Endpoint: From .well-known/openid-configuration

  • UserInfo Endpoint: From .well-known/openid-configuration

  • Logout Endpoint: From .well-known/openid-configuration

You can access the OIDC metadata at:

https://<NETIQ_AA_HOST>/osp/a/TOP/auth/oauth2/.well-known/openid-configuration
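Two helpers for the registration values exchanged in this step, added here as an example and not part of the page or of OSP/NetIQ AA: one builds the OSP callback URI that NetIQ AA must hold exactly (query string included), the other reads an OIDC discovery document and returns the endpoints listed above. The `-$default-card$` suffix being appended to the AuthContract id, the `aa.example.test` host and the non-logout endpoint paths are assumptions; the metadata is constructed inline.

```python
import json
from urllib.parse import urlencode, urlsplit

def osp_redirect_uri(host, port, instance, contract_id):
    """Build the OSP callback that must be registered in NetIQ AA, byte for
    byte (NetIQ AA compares the whole URI, query string included).
    Assumption: acAuthCardId is the AuthContract id plus '-$default-card$'."""
    query = urlencode({"acAuthCardId": f"{contract_id}-$default-card$",
                       "exid": "0", "forceAuth": "local", "sid": "0"})
    # urlencode percent-encodes '$' as %24, giving the pattern shown in Step 1
    return f"https://{host}:{port}/osp/a/{instance}/auth/app/contractcontinue?{query}"

def resolve_discovery(expected_issuer, discovery_json):
    """Pick the endpoints Step 1 asks for out of the OIDC metadata and refuse a
    document whose issuer is not the one being configured, or whose endpoints
    point somewhere other than the issuer host over https."""
    meta = json.loads(discovery_json)
    if meta.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r}")
    wanted = {"authorization_endpoint": "Authorization Endpoint",
              "token_endpoint": "Token Endpoint",
              "userinfo_endpoint": "UserInfo Endpoint",
              "end_session_endpoint": "Logout Endpoint"}
    issuer_host = urlsplit(expected_issuer).netloc
    endpoints = {}
    for key, label in wanted.items():
        url = meta.get(key)
        if not url:
            raise ValueError(f"metadata lacks {key}")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != issuer_host:
            raise ValueError(f"{key} is not on the issuer host over https: {url}")
        endpoints[label] = url
    return endpoints

# Constructed sample metadata in the shape served at
# https://<NETIQ_AA_HOST>/osp/a/TOP/auth/oauth2/.well-known/openid-configuration;
# the endpoint paths are illustrative, only the logout path matches the page.
SAMPLE_ISSUER = "https://aa.example.test/osp/a/TOP/auth/oauth2"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/grant",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "end_session_endpoint": SAMPLE_ISSUER + "/logout",
})
```

The value returned under "Logout Endpoint" is what goes into the RedirectUrl element of the OpenIdDataSource in Step 2, and the expected issuer is the issuer attribute there.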


Step 2: Configure OSP authentication service

Edit the OSP configuration file to add the NetIQ AA OpenID data source, authentication source, and authentication contract.

To add the OpenID data source:

  1. Locate and open the OSP configuration file:

    /opt/netiq/idm/osp/config/authcfg.xml

  2. Add the following data source configuration. Replace the placeholder values with your actual NetIQ AA settings:

    <OpenIdDataSource
        id="ds-netiq-aa"
        displayName="NetIQ AA OIDC Data Source"
        enabled="true"
        issuer="https://aauth.multifactor.in/osp/a/TOP/auth/oauth2"
        clientId="id-Rl5vzrg9dP1Tfw0cRK7nRYW7lkY3BMcJ"
        clientSecret="secret-PgL2RW5S4E8rCwGuOy3DdT91omeqIEIW"
        scope="openid profile email">
        <RedirectUrl returnParamName="post_logout_redirect_uri">https://aauth.multifactor.in/osp/a/TOP/auth/oauth2/logout</RedirectUrl>
    </OpenIdDataSource>

Configuration parameters:

  • issuer: NetIQ AA OAuth2 issuer URL (from OIDC metadata).

  • clientId: Client ID from NetIQ AA OAuth2 client.

  • clientSecret: Client secret from NetIQ AA OAuth2 client.

  • scope: Requested OAuth2 scopes. Must match NetIQ AA configuration.

  • RedirectUrl: Logout endpoint URL (from OIDC metadata).

Add the authentication source and map NetIQ AA user attributes (native) to OSP attributes (local).

<OpenIdAuthenticationSource
    id="as-netiq-aa"
    displayName="Authentication from NetIQ AA"
    enabled="true">
    <Reference refId="ds-netiq-aa" type="DataSource"/>
    <AttributeMapping>
        <AttributeMapEntry localName="username" nativeName="preferred_username"/>
        <AttributeMapEntry localName="givenName" nativeName="given_name"/>
        <!-- Optional: Add only if NetIQ AA returns these attributes -->
        <!-- <AttributeMapEntry localName="mail" nativeName="email"/> -->
        <!-- <AttributeMapEntry localName="surname" nativeName="family_name"/> -->
    </AttributeMapping>
</OpenIdAuthenticationSource>

Note: Only map attributes that NetIQ AA actually returns in the UserInfo endpoint. Common mappings include preferred_username to username, given_name to givenName, email to mail, and family_name to surname.

Configure OpenID authentication method

Add the authentication method configuration.

<OpenIdAuthentication
    id="netiq-aa-auth"
    displayName="NetIQ AA Login"
    enabled="true"
    isPassive="true">
    <Reference refId="as-netiq-aa" type="AuthenticationSource"/>
    <Property name="check-post-csrf" value="false"/>
</OpenIdAuthentication>

Properties:

  • isPassive="true": Enables passive authentication.

  • check-post-csrf="false": Disables CSRF check for OIDC callback.

Create authentication contract

Add the authentication contract for NetIQ AA.

<AuthContract
    id="netiq-aa-contract"
    displayName="NetIQ Advanced Authentication Login"
    uri="dimensions:user:netiq-aa">
    <Reference refId="netiq-aa-auth" type="ContractExecutable"/>
</AuthContract>

Register authentication contract

Register the authentication contract in the Authentication section.

<Authentication allowDisabledContracts="true" checkAntiCsrf="false">
    <Reference refId="netiq-aa-contract" type="AuthContractOrGroup" decorator="default"/>
    <!-- Other authentication methods... -->
</Authentication>


Step 3: Configure OAuth2 application templates

This step is only required if OSP acts as an OAuth2 provider for downstream applications (for example, Dimensions CM).

Resource owner password credentials template

<OAuth2ApplicationTemplate
    displayName="OAuth DimCMServer Template"
    id="oauth-DimCMServer-template"
    hmacAlgorithm="HMACSHA256"
    accessTokenTTL="120"
    supportsROCredentials="true"
    supportsRefreshTokens="true">
    <Reference refId="as-netiq-aa" type="AuthenticationSource"/>
    <AttributeMapping>
        <AttributeMapEntry localName="username" clientName="preferred_username" accessToken="jwt"/>
        <AttributeMapEntry localName="givenName" clientName="given_name" accessToken="jwt"/>
    </AttributeMapping>
</OAuth2ApplicationTemplate>

Authorization code template

<OAuth2ApplicationTemplate
    displayName="OAuth DimCMWeb Template"
    id="oauth-DimCMWeb-template"
    hmacAlgorithm="HMACSHA256"
    accessTokenTTL="120"
    supportsAuthorizationCode="true"
    supportsRefreshTokens="true">
    <Reference refId="as-netiq-aa" type="AuthenticationSource"/>
    <AttributeMapping>
        <AttributeMapEntry localName="username" clientName="preferred_username" accessToken="jwt"/>
        <AttributeMapEntry localName="username" clientName="xnetiq_uguid" accessToken="jwt"/>
        <AttributeMapEntry localName="givenName" clientName="given_name" accessToken="jwt"/>
    </AttributeMapping>
</OAuth2ApplicationTemplate>

Register OAuth2 clients

<OAuth2Clients>
    <Reference refId="oauth-DimCMWeb-template" type="OAuth2ApplicationTemplate"/>
    <Client id="DimCM" secret="HelloDimensionsCM">
        <RedirectUrlList>
            <Url>https://localhost:8443/adminconsole?jsp=login_openid</Url>
            <Url>https://localhost:8443/dimensions?jsp=login_openid</Url>
        </RedirectUrlList>
    </Client>
</OAuth2Clients>


Step 4: Configure security settings

Configure security settings to disable CSRF protection for OIDC flows.

<Security>
    <AntiCSRF>
        <DoubleSubmit enabled="false" useHostPrefix="false"/>
        <VerifyOrigin enabled="false" userRefererAsFallback="false"/>
    </AntiCSRF>
</Security>

Note: These settings turn off OSP's CSRF protection for the OIDC flows, so make sure that compensating security measures are in place.
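A check over the finished authcfg.xml, added here as an example and not part of the page or of OSP: it follows every Reference in the Step 2 chain (data source, authentication source, method, contract) to confirm the refId resolves, and lists each place where the Step 2 and Step 4 settings switch a CSRF check off, so the weakened state is recorded rather than discovered later. The fragment is constructed from the page's elements with the credentials replaced by placeholders and a hypothetical root element.

```python
import xml.etree.ElementTree as ET

# Constructed authcfg.xml fragment assembled from the elements in Steps 2 and 4
# (display names dropped, credentials replaced) under a hypothetical <Config> root.
AUTHCFG = """<Config>
<OpenIdDataSource id="ds-netiq-aa" enabled="true"
    issuer="https://aa.example.test/osp/a/TOP/auth/oauth2"
    clientId="CLIENT_ID_PLACEHOLDER" clientSecret="CLIENT_SECRET_PLACEHOLDER"
    scope="openid profile email"/>
<OpenIdAuthenticationSource id="as-netiq-aa" enabled="true">
    <Reference refId="ds-netiq-aa" type="DataSource"/>
</OpenIdAuthenticationSource>
<OpenIdAuthentication id="netiq-aa-auth" enabled="true" isPassive="true">
    <Reference refId="as-netiq-aa" type="AuthenticationSource"/>
    <Property name="check-post-csrf" value="false"/>
</OpenIdAuthentication>
<AuthContract id="netiq-aa-contract" uri="dimensions:user:netiq-aa">
    <Reference refId="netiq-aa-auth" type="ContractExecutable"/>
</AuthContract>
<Authentication allowDisabledContracts="true" checkAntiCsrf="false">
    <Reference refId="netiq-aa-contract" type="AuthContractOrGroup" decorator="default"/>
</Authentication>
<Security><AntiCSRF>
    <DoubleSubmit enabled="false" useHostPrefix="false"/>
    <VerifyOrigin enabled="false" userRefererAsFallback="false"/>
</AntiCSRF></Security>
</Config>"""

def check_authcfg(xml_text):
    """Return (dangling_refs, weakened_csrf) for an authcfg fragment.
    dangling_refs lists every <Reference refId> that no element's id satisfies,
    i.e. a break in the DataSource -> Source -> Method -> Contract chain."""
    root = ET.fromstring(xml_text)
    ids = {el.get("id") for el in root.iter() if el.get("id")}
    dangling = [r.get("refId") for r in root.iter("Reference")
                if r.get("refId") not in ids]
    weak = []  # every place the page's settings switch a CSRF check off
    for prop in root.iter("Property"):
        if prop.get("name") == "check-post-csrf" and prop.get("value") == "false":
            weak.append("OpenIdAuthentication/check-post-csrf=false")
    for auth in root.iter("Authentication"):
        if auth.get("checkAntiCsrf") == "false":
            weak.append("Authentication/checkAntiCsrf=false")
    for tag in ("DoubleSubmit", "VerifyOrigin"):
        for el in root.iter(tag):
            if el.get("enabled") == "false":
                weak.append(f"AntiCSRF/{tag}/enabled=false")
    return dangling, weak
```

Run it against the real file with `check_authcfg(open("/opt/netiq/idm/osp/config/authcfg.xml").read())` after the edits and before the restart in Step 5; a non-empty first list means a refId typo that would break the login chain.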


Step 5: Restart OSP

Restart OSP to apply the configuration changes.

To restart OSP:

Run one of the following commands:

sudo systemctl restart osp

Or:

sudo rcosp restart

