Skip to content

Configuring HCL DX Compose and HCL Leap SSO with OIDC

This page provides information on how to configure the Single Sign-On (SSO) layer between HCL DX Compose and HCL Leap.

Enabling SSO between HCL Leap and HCL DX Compose in Kubernetes

This guide shows how to enable SSO between HCL DX and HCL Leap. You can use the modern and natively supported OpenID Connect (OIDC) protocol since both applications run on Open Liberty. The protocol connects directly to the preferred Identity Provider (IdP), such as Azure AD, Keycloak or Okta. By configuring DX and Leap to trust your central IdP, users get a seamless, single log-in experience.

Implementing OIDC SSO

  1. Install and configure your IdP.

    Create a client for each product. IdPs will serve as the single point of truth for credential inputs.

  2. Enable OIDC in HCL DX.

    Refer to Configuring DX Compose to use an OIDC identity provider to enable and configure OIDC for DX Compose.

  3. Enable OIDC in HCL Leap.

    Leap can be configured to leverage OIDC as the primary authentication mechanism, turning it into a Relying Party (RP) to the specific IdP. RP is an application that relies on a third-party (such as an IdP) for authentication. When OIDC is used, the user and group lookup feature of Leap is not available and must be disabled as part of the configuration.

    1. Configure the OIDC IdP, which will serve as the OIDC provider.

      As part of the configuration process for your identify provider, you will have created or obtained a digital certificate for configuring HTTPS. This certificate will also need to be deployed to Leap so that the two servers can communicate with each other.

      Note

      The SSL certificate (.crt) and public key (.key) should be in PKCS12 format.

    2. After copying the .key and .crt to the Kubernetes image, create a secret using the following command:

      kubectl -n <namespace> create secret tls <tls-secret> --key="/tmp/oidc.key" --cert="/tmp/oidc.crt"

      This secret can be referenced in the values.yaml file using the following configuration:

      configuration:
    leap:
        customCertificateSecrets:
            keycloakCert: <tls-secret>

    3. Add the OIDC definition as a server customization in the values.yaml file.

      The properties that you need to specify may differ based on your identity provider. For additional information, refer to Open Liberty documentation on OIDC

      Before moving on, verify that the discoveryEndpointURL property is valid by opening the URL in a browser prior to entering it in the values.yaml file and updating the clientSecret with the proper value obtained from your IdP.

      Example of an OIDC definition:

      # Enter appropriate values for <your-oidc-id>, <your-client-id>, <your-client-secret>, <your-oidc-server>, <your-realm-name>. 
# You may have to refer to your identity provider's configuration.
configuration:
    leap:
        configOverrideFiles:
            openIdConnect: |
                <server description="leapServer">
                <openidConnectClient id="<your-oidc-id>"
                    clientId="<your-client-id>"
                    clientSecret="<your-client-secret>"
                    signatureAlgorithm="RS256"
                    authFilterRef="interceptedAuthFilter"
                    mapIdentityToRegistryUser="false"
                    httpsRequired="true"
                    scope="openid"
                    userIdentityToCreateSubject="preferred_username"
                    discoveryEndpointUrl="https://<your-oidc-server>/realms/<your-realm-name>/.well-known/openid-configuration">
                </openidConnectClient>
                <authFilter id="interceptedAuthFilter">
                    <requestUrl id="authRequestUrl" matchType="contains" urlPattern="/apps/secure|/apps/secured"/>
                </authFilter>
                <httpEndpoint id="defaultHttpEndpoint"
                    host="*"
                    httpPort="9080"
                    httpsPort="9443">
                    <samesite none="*" />
                </httpEndpoint>
                </server>

      For more details on defining a server customization, refer to Open Liberty server customizations.

      Important

      The openIdConnectClient redirects to https://<your-domain>/oidcclient/redirect/<your-oidc-id> after authentication. Make sure that your valid redirect URIs includes an entry that matches this, and that you're using a different id than what you're using for DX. You may also have to modify your Ingress/Gateway API configuration so that /oidcclient/redirect/<your-oidc-id> redirects to the Leap service.

    4. Add the following config properties related to OIDC in the values.yaml file.

      The following properties must be set to complete the OIDC configuration:

      • userLookups: Set this to false to disable user lookups, which is not available when configured with OIDC.
      • userGroups: Set this to false to disable group lookups, which is not available when configured with OIDC.
      • postLogoutRedirectURL: Set this to the URL to which Leap will redirect the browser after a user logs out. This is necessary to complete the loop with the OIDC IdP.
      configuration:
    leap:
        leapProperties: |
            ibm.nitro.NitroConfig.userLookup=false
            ibm.nitro.NitroConfig.userGroups=false
            ibm.nitro.LogoutServlet.postLogoutRedirectURL=https://myOIDCServer.com/realms/Leap/protocol/openid-connect/logout?client_id=hcl-leap-oidc-client&post_logout_redirect_uri=https://myLeapServer.com/apps/secure/org/ide/manager.html

      For more details on setting Leap properties, refer to Leap properties.

    5. Perform a Helm upgrade to apply your changes.

    6. Restart the Leap pod. After restarting the Leap pod, accessing Leap should redirect you to authenticate using your OIDC IdP.

      For example, the following screenshot shows an authentication page accessed using Keycloak: