Configuring Connections to support Azure OIDC single sign-on

Update TCL Connections configuration files to add the properties needed to support Microsoft Azure Active Directory OIDC single sign-on.

Before you begin

Update WebSphere to support Azure AD OIDC authentication for Connections

Updating Connections configuration files

For background on how to edit the LotusConnections-config.xml file, see Common configuration properties and Changing common configuration property values.

The useSSO property is similar to the properties discussed in Security token properties.

  1. In the LotusConnections-config.xml file, add the generic property as follows:
    <genericProperty name="com.hcl.connections.rte.acceptIncomingOAuthTokens">true</genericProperty>
  2. In the opensocial-config.xml file, update the useSSO property to true:
    <connections-ee-settings useSSO="true" preloadJS="false" preloadJSSafari="true" />

Adding rewrite rules in web server/reverse proxy

Since some Connections login urls are not protected and intercepted by the OIDC Provider add Rewrite Rules in reverse proxy to redirect these requests to a protected url.

  1. Go to /http_server_root/HTTPServer/conf
  2. Edit the ihs-upload-rewrite.conf file, adding the following rules:
    Redirect /communities/login /communities/service/html/login
    Redirect /homepage/login /homepage/	
    Redirect /homepage/auth/login.jsp /homepage/
    Redirect /activities/auth/login.jsp /activities
    Redirect /profiles/login /profiles/html/
    RedirectMatch /profiles/*) /profiles/html/$1
    Redirect /forums/auth/login /forums/html/my
    Redirect /blogs/login /blogs/roller-ui/myblogs/edit
    Redirect /mobileAdmin/login /mobileAdmin/console
  3. OIDC discovery for the Azure server:
    Redirect "/.well-known/openid-configuration"{tenant}/v2.0/.well-known/openid-configuration 
    Note: Use the value for {tenant} from step 3 of Adding an application in Azure AD for SSO with Connections.

Updating the SameSite cookie attribute

Chrome and other browsers are changing to require the SameSite cookie attribute.

On the web server or load balancer, add a rule to add SameSite=None to cookie attributes. For example, in the httpd.conf file, add this line to set the cookie SameSite attributes to None through the Header directive.
Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"