Merge remote-tracking branch 'origin' into passcode2clipboard
* origin:
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.5.0.RELEASE to 2.5.1.RELEASE (#1642)
  [Snyk] Upgrade com.unboundid.product.scim:scim-sdk from 1.8.24 to 1.8.25 (#1634)
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (#1633)
Showing 17 changed files with 219 additions and 64 deletions.
@@ -0,0 +1,33 @@ | ||
# Registering Okta as external, public OIDC provider in UAA | ||
|
||
Okta can be setup as an [OIDC provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/configure-idp-in-okta/) for UAA login. | ||
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the | ||
external OIDC provider with a public client. | ||
|
||
1. Create an OIDC application and set it with [PKCE public](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#use-pkce-to-make-your-apps-more-secure). | ||
Register the "Redirect URIs" in the application section "OpenID Connect Configuration" | ||
|
||
Add following URI in list field: | ||
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/). | ||
|
||
2. Copy client id. | ||
|
||
3. Minimal OIDC configuration needs to be added in login.ym. | ||
Read configuration refer to 'https://<your-tenant>.okta.com/.well-known/openid-configuration' for discoveryUrl and issuer | ||
|
||
login: | ||
oauth: | ||
providers: | ||
okta.public: | ||
type: oidc1.0 | ||
discoveryUrl: https://trailaccount.okta.com/.well-known/openid-configuration | ||
issuer: https://trailaccount.okta.com | ||
scopes: | ||
- openid | ||
linkText: Login with Okta-Public | ||
showLinkText: true | ||
relyingPartyId: 0iak4aiaC4HV39L6g123 | ||
|
||
4. Ensure that the scope `openid` is included in the`scopes` property. | ||
|
||
5. Restart UAA. You will see `Login with Okta-Public` link on your login page. |
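Review bot: step 3 of this hunk ("Minimal OIDC configuration needs to be added in login.ym.") names the file as `login.ym`; it should be `login.yml`, otherwise readers look for a file that does not exist. In the same hunk, the redirect URI example `http://{UAA_HOST}/login/callback/{origin}` should use `https://`, since the authorization code is returned on that callback and with a public PKCE client the code and verifier are all that protect the flow. The YAML sample also carries what look like real values (`trailaccount`, `relyingPartyId: 0iak4aiaC4HV39L6g123`); consider placeholders such as `<your-tenant>` and `<client-id>` to match the `'https://<your-tenant>.okta.com/.well-known/openid-configuration'` form already used in step 3. Minor wording: "all of it's successor problems" should read "all of its successor problems", and "Read configuration refer to" reads awkwardly (e.g. "Refer to ... for discoveryUrl and issuer").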
@@ -0,0 +1,36 @@ | ||
# Registering SAP IAS as external, public OIDC provider in UAA | ||
|
||
SAP IAS can be setup as an [OIDC provider](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a789c9c8c0f5439da8c30b5d9e43bece.htm) for UAA login. | ||
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the | ||
external OIDC provider with a public client. | ||
|
||
1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html). | ||
Register the "Redirect URIs" in the application section "OpenID Connect Configuration" | ||
|
||
Add following URI in list field: | ||
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html). | ||
|
||
2. Copy client id. | ||
|
||
3. Minimal OIDC configuration needs to be added in login.ym. | ||
Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer | ||
|
||
login: | ||
oauth: | ||
providers: | ||
ias.public: | ||
type: oidc1.0 | ||
discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration | ||
issuer: https://trailaccount.accounts.ondemand.com | ||
scopes: | ||
- openid | ||
- profile | ||
linkText: Login with IAS-Public | ||
showLinkText: true | ||
relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123 | ||
|
||
4. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created | ||
with all properties. | ||
|
||
5. Restart UAA. You will see `Login with IAS-Public` link on your login page. |
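Review bot: step 4 of this hunk says `openid`, `email` and `profile` must all be in `scopes`, but the YAML in step 3 lists only `openid` and `profile`; add `- email` under `scopes:` (or drop it from step 4) so the sample config actually produces the shadow user "with all properties" that the sentence promises. Grammar in that step: "the scope `openid`, `email` and `profile` is included" should be "the scopes `openid`, `email` and `profile` are included". The same points as on the Okta page apply here: `login.ym` should be `login.yml`, the callback URI `http://{UAA_HOST}/login/callback/{origin}` should use `https://`, "it's" should be "its", and the `trailaccount` / `relyingPartyId` values read as real tenant data rather than placeholders.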