Configuring Connections to support Azure OIDC single sign-on
Update HCL Connections configuration files to add the properties needed to support Microsoft Azure Active Directory OIDC single sign-on.
Before you begin
Complete the steps in Update WebSphere to support Azure AD OIDC authentication for Connections.
Updating Connections configuration files
For background on how to edit the LotusConnections-config.xml file, see Common configuration properties and Changing common configuration property values.
The useSSO property is similar to the properties discussed in Security token properties.
- In the LotusConnections-config.xml file, add the generic property as follows:
  <genericProperty name="com.hcl.connections.rte.acceptIncomingOAuthTokens">true</genericProperty>
- In the opensocial-config.xml file, update the useSSO property to true:
  <connections-ee-settings useSSO="true" preloadJS="false" preloadJSSafari="true" />
Adding rewrite rules in web server/reverse proxy
Some Connections login URLs are not protected by the OIDC provider and therefore are not intercepted by it. Add rewrite rules in the reverse proxy so that requests for these URLs are redirected to a protected URL.
- Go to /http_server_root/HTTPServer/conf
- Edit the ihs-upload-rewrite.conf file, adding the following rules:
  Redirect /communities/login /communities/service/html/login
  Redirect /homepage/login /homepage/
  Redirect /homepage/auth/login.jsp /homepage/
  Redirect /activities/auth/login.jsp /activities
  Redirect /profiles/login /profiles/html/myProfileView.do
  RedirectMatch /profiles/profile.do(.*) /profiles/html/myprofile.do$1
  Redirect /forums/auth/login /forums/html/my
  Redirect /blogs/login /blogs/roller-ui/myblogs/edit
  Redirect /mobileAdmin/login /mobileAdmin/console
- Add the OIDC discovery redirect for the Azure server:
  Redirect "/.well-known/openid-configuration" https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
  Note: Use the value for {tenant} from step 3 of Adding an application in Azure AD for SSO with Connections.
Updating the SameSite cookie attribute
Chrome and other browsers are changing to require the SameSite cookie attribute on cookies that are sent in a cross-site context, which is the case for the Connections cookies during the Azure AD sign-in flow. Add the following directive to the HTTP server configuration so that every Set-Cookie header is rewritten to carry SameSite=None and Secure:
  Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"
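The following script is an added verification helper, not part of the HCL documentation. After the redirect rules and the SameSite header directive above are in place, it checks that each unprotected login URL answers with a 3xx to the expected target and that every Set-Cookie header carries SameSite=None and Secure. It assumes curl is installed; the base URL and the sample response headers are constructed placeholders.

```shell
#!/bin/sh
# Expected path -> target pairs, taken from the Redirect rules on this page.
# The RedirectMatch rule for /profiles/profile.do(.*) is checked with an empty suffix.
EXPECTED_REDIRECTS='/communities/login /communities/service/html/login
/homepage/login /homepage/
/homepage/auth/login.jsp /homepage/
/activities/auth/login.jsp /activities
/profiles/login /profiles/html/myProfileView.do
/profiles/profile.do /profiles/html/myprofile.do
/forums/auth/login /forums/html/my
/blogs/login /blogs/roller-ui/myblogs/edit
/mobileAdmin/login /mobileAdmin/console'

# redirect_ok HEADERS EXPECTED: succeed when the status line is a redirect (301/302/307/308)
# and the Location header ends with EXPECTED (the proxy may prepend scheme and host).
redirect_ok() {
  headers=$1; expected=$2
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
  case "$status" in 30[1278]) ;; *) return 1 ;; esac
  location=$(printf '%s\n' "$headers" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p')
  case "$location" in *"$expected") return 0 ;; *) return 1 ;; esac
}

# samesite_ok HEADERS: succeed when at least one Set-Cookie header is present and
# every one of them contains both SameSite=None and Secure (the Header edit result).
samesite_ok() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:' | {
    count=0; bad=0
    while IFS= read -r line; do
      count=$((count + 1))
      case "$line" in
        *SameSite=None*Secure*|*Secure*SameSite=None*) ;;
        *) bad=$((bad + 1)) ;;
      esac
    done
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
  }
}

# check_server BASE_URL: request each login URL without following redirects and report.
# Example (placeholder host): check_server https://connections.example.com
check_server() {
  base=$1
  printf '%s\n' "$EXPECTED_REDIRECTS" | while read -r path target; do
    hdrs=$(curl -sS -o /dev/null -D - "$base$path")
    if redirect_ok "$hdrs" "$target"; then echo "OK   $path -> $target"; else echo "FAIL $path"; fi
    if samesite_ok "$hdrs"; then echo "OK   SameSite on $path"; else echo "WARN no compliant Set-Cookie on $path"; fi
  done
}
```

A FAIL line means the request reached the proxy without being rewritten, so the login URL is still reachable outside the OIDC-protected path.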