Configuring claims-based authentication

You can use a claims-based authentication provider to provide user and group information to i2 Analyze. This enables users to log in using authentication mechanisms such as SAML or OpenID Connect (OIDC).

Configuring i2 Analyze for claims-based authentication

  1. To configure claims-based authentication, your deployment must be configured for TLS. For more information, see Transport Layer Security connections with i2 Analyze.

  2. In the configuration\fragments\common\WEB-INF\classes\ApolloServerSettingsMandatory.properties file, set the UserGroupsProvider setting to the class name of the claims-based provider:

    UserGroupsProvider=com.i2group.disco.user.ClaimsBasedUserGroupsProvider

The following sections describe how to configure i2 Analyze for SAML or OIDC claims-based authentication.

Configuring SAML authentication

To configure SAML authentication, update the Liberty configuration to work with your identity provider and redeploy the system.

  1. Update the configuration\liberty\server-extensions.xml file to include the samlWeb-2.0 feature:

    <featureManager>
      ...
      <feature>samlWeb-2.0</feature>
    </featureManager>

  2. Redeploy Liberty by running the following command:

    setup -t deployLiberty

  3. Navigate to https://<liberty-hostname>:<ssl-port>/ibm/saml20/defaultSP/samlmetadata.

    An spMetadata.xml file is downloaded.

  4. Provide the spMetadata.xml file to your identity provider; in exchange, you receive an Identity Provider (IdP) metadata file. Ensure that your user is added to the correct group. You are given a group ID that is used to configure the server.

  5. Rename the IdP metadata file that you received to idpMetadata.xml.

    1. Place the file in the i2analyze\deploy\wlp\usr\servers\opal-server\resources\security\ directory on the Liberty server.

  6. Update the server.xml file to include the samlWebSso20 element with the groupIdentifier attribute. To find the groupIdentifier value, locate the URI of the "Groups" claim type in the idpMetadata.xml file.

    For example:

    <samlWebSso20 id="defaultSP" groupIdentifier="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>

    For more information about all of the configuration options available for configuring SAML in Liberty, see SAML Web Single Sign-On 2.0.

  7. Ensure that the group names that the system receives from the identity provider align with the groups referenced in your security schema and command access control files.

  8. Redeploy and restart Liberty by running the following commands:

    setup -t deployLiberty
    setup -t startLiberty

Connect to the system and log in as a user that is authenticated by your identity provider.
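Steps 6 and 7 above are done by hand. As an added example that is not part of the i2 Analyze documentation, the following Python script automates both checks: it extracts the candidate groupIdentifier URI from an IdP metadata file and reports security-schema groups that no IdP group name matches. The sample metadata is constructed and assumes the IdP publishes a WS-Federation ClaimTypesOffered section, as ADFS and Microsoft Entra ID do; IdPs that omit it return an empty list, and you locate the URI by hand as in step 6.

```python
import xml.etree.ElementTree as ET

# Namespaces found in SAML 2.0 / WS-Federation IdP metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}

# Constructed sample metadata (not from a real IdP), modelled on the
# ClaimTypesOffered section that ADFS / Entra ID federation metadata
# publishes. Only the parts relevant to locating the Groups claim.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    entityID="https://idp.example.invalid/adfs/services/trust">
  <md:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">
        <auth:DisplayName>Name</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" Optional="true">
        <auth:DisplayName>Groups</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""

def find_claim_uris(metadata_xml, display_name="Groups"):
    """URIs of every offered claim type whose DisplayName matches (case-insensitive)."""
    # The metadata comes from your own IdP; parse files from less trusted
    # sources with defusedxml instead of the standard parser.
    root = ET.fromstring(metadata_xml)
    uris = []
    for claim in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS):
        name = claim.findtext("auth:DisplayName", default="", namespaces=NS)
        if name.strip().lower() == display_name.lower():
            uris.append(claim.get("Uri"))
    return uris

def saml_sso_element(group_uri, sp_id="defaultSP"):
    """Render the samlWebSso20 element for server.xml (step 6)."""
    return f'<samlWebSso20 id="{sp_id}" groupIdentifier="{group_uri}"/>'

def missing_groups(idp_groups, schema_groups):
    """Schema / command-access groups with no exact-name match from the IdP (step 7)."""
    return sorted(set(schema_groups) - set(idp_groups))
```

Run `find_claim_uris` against your real idpMetadata.xml and feed the group names that your IdP sends, together with the groups referenced in your security schema and command access control files, to `missing_groups`; any name it returns would leave users without the permissions that group grants.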

Configuring OIDC authentication

To configure OIDC authentication, update the Liberty configuration to work with your identity provider and redeploy the system.

  1. Update the configuration\liberty\server-extensions.xml file to configure OIDC:

    1. Add the openidConnectClient-1.0 feature element:

      <featureManager>
        ...
        <feature>openidConnectClient-1.0</feature>
      </featureManager>

    2. Add the <openidConnectClient> element and populate the attributes according to the values from your identity provider.

      The following attributes are used in this example configuration:

      • id - an ID for this OIDC client defined in Liberty. This value forms part of the redirect URI that you register for the client in the provider.

      • clientId - the ID of the client for i2 Analyze defined in the provider.

      • clientSecret - if your provider is configured for client authentication, this is the secret used to authenticate the client with the provider.

      • discoveryEndpointUrl - the URL for the OpenID Endpoint configuration from the provider.

      • signatureAlgorithm - the algorithm that the provider uses to sign tokens (RS256 in this example); Liberty uses it to verify the token signature.

      • userIdentifier - the name of the claim in the token that contains the user's username.

      • groupIdentifier - the name of the claim in the token that contains a user's group information.

      <openidConnectClient
        id="client01"
        clientId="oidc-example"
        clientSecret="PUgXRYXhWmVDUbAwHy4Bjg7LiKV"
        discoveryEndpointUrl="https://keycloak.eia:8443/realms/oidc-example/.well-known/openid-configuration"
        signatureAlgorithm="RS256"
        userIdentifier="preferred_username"
        groupIdentifier="groups"
      />

      For more information about all of the configuration options available for configuring OIDC in Liberty, see OpenID Connect Client 1.0.

  2. Ensure that the group names that the system receives from the identity provider align with the groups referenced in your security schema and command access control files.

  3. Redeploy and restart Liberty by running the following commands:

    setup -t deployLiberty
    setup -t startLiberty