Implementing OpenID Connect with PPM Center

This section provides information on how to implement OpenID Connect single sign-on (OICD SSO) with PPM.

Setting up OICD SSO with PPM

  1. Register PPM as Relaying Party (RP) in OpenID Provider (OP) with parameters:

    Callback URI: <PPM_BASE_URL>/itg/web/sso/oidc_callback.jsp

    Post Logout URI: <PPM_BASE_URL>/itg/web/sso/loggedout.jsp

    Remember the oAuth Client Key and oAuth Client Secret

  2. Edit the PPM server.conf file as follows:

    Add or change

    com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.OIDCSingleSignOn

  3. Edit <PPM_HOME>/integration/sso/oidc_sso.conf:

    1. Add discovery_file=<path to OP metadata file> or discovery_uri=<URI of OP metadata file>
    2. Add client_id=<oAuth Client Key for PPM>
    3. If PPM cannot access OP directly, configure the proxy: proxy=<proxy_dns or proxy_ip>:<proxy_port>
    4. If OP uses self-signed certification for https, add: disable_ssl=true

      Only use this option in development or test environments. Never use it in a production environment.
  4. Restart PPM user instances.

Troubleshooting

  • To troubleshoot SSO, check the <ppm_server>/log/serverLog.txt file.
  • For more debug information, in <PPM_HOME>/conf/logging.conf:

    Set com.kintana.core.logging.SYSTEM_THRESHOLD = DEBUG

    Add com.kintana.core.logging.PRODUCT_FUNCTION_LOGGING_LEVEL = com.kintana.sc.authentication, DEBUG

Advanced Configuration

You can override the default settings or parameters for RP metadata in the oidc_sso.conf file:

Override OP metadata in discovery_file or discovery_uri (see above):

Parameter name

Description

issuer

The issuer identifier for the OpenID Provider.

authorization_endpoint

The authorization endpoint is the endpoint on the authorization server where the resource owner logs in, and grants authorization to the client application.

token_endpoint

The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret, for an id token.

jwks_uri

Jwks_uri is a metadata entry expressed as a URI for the OpenID Connect Identity Provider (IDP)'s JWK Set which contains a JSONArray of the JSON Web Keys (JWK) used for JSON Web Signature.

If empty, id token’s signatures are not verified.

end_session_endpoint

The end session endpoint can be used to trigger single sign-out.

If empty, sign-out is disabled.

Override default settings:

Parameter name

Description

flow

Allowed Values: AUTHORIZATION CODE or IMPLICIT

Default value: PPM automatically choose the most appropriate flow.

audience

The audience of ID Token issued by OP.

Default value: aAuth Client ID of PPM Application.

user_id_claim

The claim in ID Token used for user id in PPM.

Default Value: sub

leeway

Specify a leeway window in which the ID Token should still be considered valid.

Default Value: 0

post_logout_redirect_uri

The redirect URI after OP successfully logs out

Default Value: <PPM_BASE_URL>/itg/sso/loggedout.jsp

token_endpoint_auth_method

The authentication method when the client application (PPM) exchanges the authorization code, client ID and client secret, for an id token from OP token endpoint.

Allowed values: client_secret_basic or client_secret_post

Default value: client_secret_basic

Limitations

  • Only AUTHORIZATION CODE flow or IMPLICIT flow are supported.
  • token_endpoint_auth_method can only be either client_secret_basic or client_secret_post