- Introduction
- Configure a PingFederate instance for ODM (Part 1)
- Deploy ODM on a container configured with PingFederate (Part 2)
- Troubleshooting
- License
In the context of the Operational Decision Manager (ODM) on Certified Kubernetes offering, ODM for production can be configured with an external OpenID Connect server (OIDC provider), such as the PingFederate cloud service.
This tutorial shows how to integrate ODM with PingFederate to manage classic authentication and authorization.
PingFederate is an enterprise identity and access management (IAM) software product made by Ping Identity. It is mainly used for federated authentication and single sign-on (SSO) across different systems and organizations.
You need to create a number of secrets before you can install an ODM instance with an external OIDC provider such as the PingFederate service, and use web application single sign-on (SSO). The following diagram shows the ODM services with an external OIDC provider after a successful installation.
The following procedure describes how to manually configure ODM with a PingFederate service.
OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds a token called an ID token.
Terminology:
- The OpenID provider — The authorization server that issues the ID token. In this case, PingFederate is the OpenID provider.
- The end user — The end user whose information is contained in the ID token.
- The relying party — The client application that requests the ID token from PingFederate.
- The ID token — The token that is issued by the OpenID provider and contains information about the end user in the form of claims.
- A claim — A piece of information about the end user.
The Authorization Code flow is best used by server-side apps where the source code is not publicly exposed. The apps must be server-side because the request that exchanges the authorization code for a token requires a client secret, which has to be stored in your client. However, the server-side app requires an end user because it relies on interactions with the end user's web browser, which redirects the user and then receives the authorization code.
The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication. The application must be server-side because it must be trusted with the client secret, and since the credentials are hard-coded, it cannot be used by an actual end user. It involves a single, authenticated request to the token endpoint, which returns an access token.
You need the following elements:
- Helm v3
- Kubectl
- Access to an Operational Decision Manager product
- Access to a CNCF Kubernetes cluster
- A PingFederate Saas trial Instance
This tutorial has been tested with a PingFederate Saas trial instance. You have to request it if you don't have one.
In this section, you will:
- Log into the PingFederate Admin Console
- Create some users and groups
- Create an ODM Resource and dedicated scope
- Create an ODM Application
- Check the configuration
When the trial is available, you have a link to the PingFederate Admin Console in the email you received. Use it to connect to the PingFederate Admin Console.
At the first connection, a predefined user that was used to log into the PingFederate Admin Console is already present in the Directory > Users tab. You can use the + button to add new users.
We will use the Directory>Groups tab to create a group named ODM-Admin and add the prefdefined user to it.
Select Directory > Groups and click the + button to create a new group.
- Group Name: ODM-Admin
- Description: ODM Admin Group
- Click Save
Using the three dot button on the ODM-Admin group, you can add the predefined user to the group using the Add/remove Users menu.
The resource is a way to create a dedicated scope that will be used in the client_credentials flow, as openid scope acconot be used.
Select Applications > Resources tab and click the + button to create a new resource.
-
Resource Name: ODM CC
-
Description: ODM Resource for Client Crededentials
-
Click Next
-
Click + Add Attributes button
-
Attribute Name: identity and PingOne Mappings Value #root.context.appConfig.clientId using the Advanced Expression button
-
Check Required checkbox
-
Click Next
- Click + Add Scope button
- Scope Name: odm_cc
- Click Save
Select Applications > Applications tab and click the + button to create a new application.
- Application Name: ODM Application
- Application Type: OIDC Web App
- Click Save
Select Configuration and edit using the Edit button.
- Response Type: Code,Token and ID Token
- Grant Type: Authorization Code, Implicit, Client Credentials
- Token Endpoint Authentication Method: Client Secret Post
- Click Save
Select Resources and edit using the Edit button.
- Add the odm_cc scope to the Selected Scopes list
- Click Save
[Optional] Set MFA to login to ODM UI Select Policies and edit using the Edit button.
- Check Multi_factor policy
- Click Save
Select Attribute Mappings and edit using the Edit button. Add new attribute using the +Add button
- Attribute Name: groups and PingOne Mappings Value Group Names
- Attribute Name: identity and PingOne Mappings Value user.name.given + ' ' + user.name.family using the Advanced Expression button
- Click Save
Select Access and edit using the Edit button.
- Select ODM-Admin group from the Groups dropdown
- Click Save
Download the pingfederate-odm-script.zip file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM.
You can request an access token using the Client-Credentials flow to verify the format of the token. This token is used for the deployment of rulesets from the Business Console:
./get-client-credential-token.sh -i $CLIENT_ID -x $CLIENT_SECRET -n $PING_FEDERATE_SERVER_URLWhere:
- CLIENT_ID can be found in the overview of the ODM Application, section Applications / Applications
- CLIENT_SECRET can be found in the overview of the ODM Application, section Applications / Applications
- PING_FEDERATE_SERVER_URL is the issuer ID that can be retrieved in the Connection Details of the Overview tab of the ODM Application
If you decode the access_token value with a JWT decoder tool, you should get:
{
..
"iss": "<PING_FEDERATE_SERVER_URL>",
....
"identity": "<CLIENT_ID>",
...
}-
To get your entitlement key, log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software.
In the Container software library tile, verify your entitlement on the View library page, and then go to Get entitlement key to retrieve the key.
-
Create a pull secret by running a
kubectl create secretcommand.kubectl create secret docker-registry ibm-entitlement-key \ --docker-server=cp.icr.io \ --docker-username=cp \ --docker-password="<API_KEY_GENERATED>"Where:
- API_KEY_GENERATED is the entitlement key from the previous step. Make sure you enclose the key in double-quotes.
Note:
- The cp.icr.io value for the docker-server parameter is the only registry domain name that contains the images. You MUST set the docker-username to cp to use an entitlement key as docker-password.
- The
ibm-entitlement-keysecret name will be used for theimage.pullSecretsparameter when you run a Helm install of your containers. Theimage.repositoryparameter is also set by default tocp.icr.io/cp/cp4a/odm.
-
Create a secret to configure ODM with PingFederate.
If you have not done it yet, download the pingfederate-odm-script.zip file to your machine. This .zip file contains the script and the content of the templates directory. The script allows you to generate the necessary configuration files.
Generate the files with the following command:
./generateTemplate.sh -i $CLIENT_ID -x $CLIENT_SECRET -n $PING_FEDERATE_SERVER_URL
Where:
- CLIENT_ID can be found in the overview of the ODM Application, section Applications / Applications
- CLIENT_SECRET can be found in the overview of the ODM Application, section Applications / Applications
- PING_FEDERATE_SERVER_URL can be found as the Issuer ID in the overview / Connection Details of the ODM Application, section Applications / Applications
The following files are generated into the
outputdirectory:webSecurity.xmlcontains the mapping between Liberty J2EE ODM roles and the PingFederate ODM-Admin groupopenIdWebSecurity.xmlcontains two openIdConnectClient Liberty configurations:- the first for web access to Decision Center and Decision Server consoles with the Authorization Code flow
- the second for the rest-api calls with the client-credentials flow
openIdParameters.propertiesconfigures several features like allowed domains, logout, and some internal ODM openid features
-
Create the PingFederate authentication secret using
webSecurity.xml,openIdWebSecurity.xmlandopenIdParameters.propertiesfiles.kubectl create secret generic pingfederate-auth-secret \ --from-file=openIdParameters.properties=./output/openIdParameters.properties \ --from-file=openIdWebSecurity.xml=./output/openIdWebSecurity.xml \ --from-file=webSecurity.xml=./output/webSecurity.xml
helm repo add ibm-helm https://raw.githubusercontent.com/IBM/charts/master/repo/ibm-helm
helm repo updatehelm search repo ibm-odm-prodThe output should look like:
NAME CHART VERSION APP VERSION DESCRIPTION
ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision ManagerYou can now install the product. We will use the PostgreSQL internal database and disable data persistence (internalDatabase.persistence.enabled=false) to avoid any platform complexity with persistent volume allocation.
Note:
The following command installs the latest available version of the chart.
If you want to install a specific version, add the--versionoption:helm install my-odm-release ibm-helm/ibm-odm-prod --version <version> -f pingfederate-values.yamlYou can list all available versions using:
helm search repo ibm-helm/ibm-odm-prod -l
See the Preparing to install documentation for more information. Inspect pingfederate-values.yaml for the parameters that have been defined for this installation.
helm install my-odm-release ibm-helm/ibm-odm-prod -f pingfederate-values.yamlRefer to the following documentation to install an NGINX Ingress Controller on:
When the NGINX Ingress Controller is ready, you can install the ODM release using pingfederate-ingress-values.yaml. Take note of the service.ingress.annotations values that have been defined in this file.
helm install my-odm-release ibm-helm/ibm-odm-prod -f pingfederate-nginx-values.yaml-
Get the ODM endpoints. Refer to this documentation to retrieve the endpoints. For example, on OpenShift you can get the route names and hosts with:
kubectl get routes --no-headers --output custom-columns=":metadata.name,:spec.host"You get the following hosts:
my-odm-release-odm-dc-route <DC_HOST> my-odm-release-odm-dr-route <DR_HOST> my-odm-release-odm-ds-console-route <DS_CONSOLE_HOST> my-odm-release-odm-ds-runtime-route <DS_RUNTIME_HOST>Using an Ingress, the endpoint is the address of the ODM ingress and is the same for all components. You can get it with:
kubectl get ingress my-odm-release-odm-ingress
You get the following ingress address:
NAME CLASS HOSTS ADDRESS PORTS AGE my-odm-release-odm-ingress <none> * <INGRESS_ADDRESS> 80 1d -
Register the redirect URIs into your PingFederate application.
The redirect URIs are built in the following way:
Using Routes:
- Decision Center redirect URI:
https://<DC_HOST>/decisioncenter/openid/redirect/odm - Decision Runner redirect URI:
https://<DR_HOST>/DecisionRunner/openid/redirect/odm - Decision Server Console redirect URI:
https://<DS_CONSOLE_HOST>/res/openid/redirect/odm - Decision Server Runtime redirect URI:
https://<DS_RUNTIME_HOST>/DecisionService/openid/redirect/odm - Rule Designer redirect URI:
https://127.0.0.1:9081/oidcCallback
Using Ingress:
- Decision Center redirect URI:
https://<INGRESS_ADDRESS>/decisioncenter/openid/redirect/odm - Decision Runner redirect URI:
https://<INGRESS_ADDRESS>/DecisionRunner/openid/redirect/odm - Decision Server Console redirect URI:
https://<INGRESS_ADDRESS>/res/openid/redirect/odm - Decision Server Runtime redirect URI:
https://<INGRESS_ADDRESS>/DecisionService/openid/redirect/odm - Rule Designer redirect URI:
https://127.0.0.1:9081/oidcCallback
From the PingFederate admin console, in Applications / Applications
-
Edit the
ODM Application -
In the tab Configuration
- Add the redirect URIs in the Redirect URIs field for each component.
For example, add the Decision Center redirect URI that you got earlier (
https://<DC_HOST>/decisioncenter/openid/redirect/odm-- do not forget to replace <DC_HOST> with your actual host name!) -
Click Save at the bottom of the page.
- Decision Center redirect URI:
Well done! You can now connect to ODM using the endpoints you got earlier and log in as an ODM admin with your account.
First set up Rule Designer following these instructions.
To be able to securely connect your Rule Designer to the Decision Server and Decision Center services that are running in Certified Kubernetes, you need to establish a TLS connection through a security certificate in addition to the OpenID configuration.
-
Get the following configuration files.
https://<DC_HOST>/decisioncenter/assets/truststore.jkshttps://<DC_HOST>/decisioncenter/assets/OdmOidcProvidersRD.jsonwhere DC_HOST is the Decision Center endpoint.
-
Copy the
truststore.jksandOdmOidcProvidersRD.jsonfiles to your Rule Designer installation directory next to theeclipse.inifile. -
Edit your
eclipse.inifile and add the following lines at the end.-Djavax.net.ssl.trustStore=<ECLIPSEINITDIR>/truststore.jks -Djavax.net.ssl.trustStorePassword=changeme -Dcom.ibm.rules.authentication.oidcconfig=<ECLIPSEINITDIR>/OdmOidcProvidersRD.jsonWhere:
- changeme is the fixed password to be used for the default truststore.jks file.
- ECLIPSEINITDIR is the Rule Designer installation directory where the eclipse.ini file is.
-
Restart Rule Designer.
For more information, refer to this documentation.
Get hands-on experience with IBM Operational Decision Manager in a container environment by following this Getting started tutorial.
Log in the Business Console.
Import the Decision Service named Loan Validation Service if it is not already there.
Deploy the Loan Validation Service production_deployment ruleapp using the production deployment deployment configuration in the Deployments>Configurations tab.
You can retrieve the payload.json from the ODM Decision Server Console or use the provided payload.
As explained in the ODM on Certified Kubernetes documentation Configuring user access with OpenID, we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation.
You perform a basic authentication ODM runtime call in the following way:
curl -H "Content-Type: application/json" -k --data @payload.json \
-H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \
https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:password odmAdmin:odmAdmin
If you want to perform a bearer authentication ODM runtime call using the Client Credentials flow, you must get a bearer access token:
curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=${CLIENT_ID}&scope=odm_cc&client_secret=${CLIENT_SECRET}&grant_type=client_credentials" \
"${PING_FEDERATE_SERVER_URL}/token"
And use the retrieved access token in the following way:
curl -H "Content-Type: application/json" -k --data @payload.json \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
If you encounter any issue, have a look at the OpenID Connect troubleshooting Tips











