Fix (APAR): PI47460
Status: Fix
Release: 8.0.0.11, 8.0.0.10
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 529371
Date: 2015-11-25

Abstract: add multi-provider support to the OpenID Connect relying party in the full profile

Description/symptom of problem:

PI47460 resolves the following problem:

ERROR DESCRIPTION:
The WebSphere Application Server full profile OpenID Connect RP will not work with multiple OpenID Connect providers. The Trust Association Interceptor (TAI) configuration of the RP only allows one provider to be configured.

LOCAL FIX:
n/a

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server users of the OpenID Connect relying party

PROBLEM DESCRIPTION:
The OpenID Connect Relying Party (RP) TAI does not support multiple providers.

RECOMMENDATION:
Install a fix pack that contains this APAR.

The current implementation of the OpenID Connect relying party Trust Association Interceptor (TAI) in the full profile only supports the configuration of a single provider. A user who needs to configure the TAI to interact with multiple providers cannot do so.

PROBLEM CONCLUSION:
The OpenID Connect relying party TAI is updated to add multi-provider support. You configure each provider by embedding a provider_ prefix in the TAI property name. The provider_ prefixes are numbered sequentially, one number per OP. Some TAI properties apply to all the providers; these properties are not prefixed with provider_.
For example, you can configure two providers as shown below:

  provider_1.identifier=provider1
  provider_1.interceptedPathFilter=/testapp1
  provider_1.clientId=client01
  provider_1.clientSecret=secret_01
  provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
  provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
  provider_1.scope=openid general
  provider_2.identifier=provider2
  provider_2.interceptedPathFilter=/testapp2
  provider_2.clientId=client02
  provider_2.clientSecret=secret_02
  provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
  provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
  provider_2.scope=openid general email
  provider_2.jwkEndpointUrl=https://www.googleapis.com/oauth2/v2/certs
  provider_2.issuerIdentifier=accounts.google.com
  provider_2.signatureAlgorithm=RS256
  provider_2.userIdentifier=email
  callbackServletContext=/oidcclient

See http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=csec_oidprop for more information on the OpenID Connect RP custom properties.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.12 and 8.5.5.8. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 8.0
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Edge Components
__ Developer

Install the fix on all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.
The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
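As an added illustration of the provider_ prefix scheme described in the problem conclusion (this is not part of IBM's fix or of the WebSphere TAI code), the following Python splits a TAI property set into per-provider and shared groups and flags mistakes the multi-provider layout makes possible: non-sequential numbering, a provider missing a key, a non-https endpoint, and two providers intercepting the same path. The required-key list, the https check and the sample property values are this example's own assumptions.

```python
import re
# Constructed sample in the layout the APAR describes; the secrets are placeholders.
SAMPLE = """\
provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.clientSecret=secret_01
provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.clientSecret=secret_02
provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
callbackServletContext=/oidcclient
"""
REQUIRED = ("identifier", "interceptedPathFilter", "clientId", "clientSecret",
            "authorizeEndpointUrl", "tokenEndpointUrl")  # this checker's assumption, not IBM's rule
URL_KEYS = ("authorizeEndpointUrl", "tokenEndpointUrl", "jwkEndpointUrl")

def parse_tai_properties(text):
    """Split key=value lines into ({provider index: {key: value}}, {shared key: value})."""
    providers, shared = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"^provider_(\d+)\.(\w+)$", key)
        if m:  # provider-scoped property, e.g. provider_2.clientId
            providers.setdefault(int(m.group(1)), {})[m.group(2)] = value
        else:  # unprefixed property applies to every provider
            shared[key] = value
    return providers, shared

def check_providers(providers):
    """Return findings: numbering gaps, missing keys, non-https endpoints, shared path filters."""
    findings = []
    if sorted(providers) != list(range(1, len(providers) + 1)):
        findings.append(f"provider indexes not sequential from 1: {sorted(providers)}")
    paths = {}
    for idx, props in sorted(providers.items()):
        findings += [f"provider_{idx} missing {k}" for k in REQUIRED if k not in props]
        findings += [f"provider_{idx}.{k} is not https" for k in URL_KEYS
                     if k in props and not props[k].startswith("https://")]
        path = props.get("interceptedPathFilter")
        if path and paths.setdefault(path, idx) != idx:  # second provider on the same path
            findings.append(f"provider_{idx} reuses path filter {path} of provider_{paths[path]}")
    return findings
```

Run `check_providers(parse_tai_properties(SAMPLE)[0])` against a candidate property file before restarting the server; an empty list means the layout matches the scheme this APAR introduces.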