Configuring an External Identity Provider
Registering a Tenant
You can configure an external authentication provider with TIBCO Order Management. See the "Multitenancy" topic in the TIBCO® Order Management Administration guide.
Register a tenant in the Authorization service using the POST method of the /v1/tenant API with the following sample payload, which shows all the mandatory fields.
{
  "tenantId": "cde6fa59-abb3-471-be01-2443c417cbda",
  "clientId": "ddaf41fb-3aef-4e30-879f-a188ba131abf",
  "clientSecret": "DI68Q~tljTkT4ABi7lZVztaz5AUN6A6r.CGJHbwd",
  "identityProviderType": "EXTERNAL",
  "supportAlgorithm": "RS256",
  "jwkSetUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/discovery/v2.0/keys",
  "issuer": "https://sts.windows.net/cde6fa59-abb3-4971-be01-2443c417cbda/",
  "oidcSchema": {
    "authUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/oauth2/v2.0/authorize",
    "accessTokenUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/oauth2/v2.0/token",
    "scope": "ddaf41fb-3aef-4e30-879f-a188ba131abf-serviceB/fosApplicationConsent"
  }
}
Mapping of Keys from External OAuth2 Token
In the $OM_HOME/seed-data/app-properties/ConfigValues_Common.json file, update the following properties. Each property's propValue is the key of the claim, in an externally generated OAuth2 token, from which Order Management reads the tenant ID, the user name, and the user roles respectively.
{
  "propName": "tenantIdMapping",
  "propDescription": "key in the token claims that refers to tenantId",
  "propValue": "TENANTID",
  "valueType": "string",
  "isTenantProperty": "false"
},
{
  "propName": "userNameMapping",
  "propDescription": "key in the token claims that refers to userName",
  "propValue": "user_name",
  "valueType": "string",
  "isTenantProperty": "false"
},
{
  "propName": "userRoleMapping",
  "propDescription": "key in the token claims that refers to userRole",
  "propValue": "authorities",
  "valueType": "string",
  "isTenantProperty": "false"
}
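The following is an added illustration of what these three mapping properties do once a token has passed signature verification against the tenant's jwkSetUrl; it is not TIBCO code. It reads a constructed fragment in the shape of ConfigValues_Common.json, checks the token's alg and iss against a constructed tenant registration (placeholder tenantId and issuer, same field names as the /v1/tenant payload), then pulls tenantId, userName and roles out of the claims named by the mapping properties, refusing the token when any mapped claim is absent or the tenant does not match. The mapping property names and claim keys are the ones on this page; everything else is assumed.

```python
import json

# Constructed fragment in the shape of ConfigValues_Common.json (not the shipped file):
# each propValue names the claim key that carries the corresponding identity attribute.
CONFIG_VALUES_COMMON = json.loads("""
[
  {"propName": "tenantIdMapping", "propDescription": "key in the token claims that refers to tenantId",
   "propValue": "TENANTID", "valueType": "string", "isTenantProperty": "false"},
  {"propName": "userNameMapping", "propDescription": "key in the token claims that refers to userName",
   "propValue": "user_name", "valueType": "string", "isTenantProperty": "false"},
  {"propName": "userRoleMapping", "propDescription": "key in the token claims that refers to userRole",
   "propValue": "authorities", "valueType": "string", "isTenantProperty": "false"}
]
""")

# Constructed tenant registration with the fields relevant here (same names as the
# POST /v1/tenant payload); the identifier and issuer are placeholders, not real values.
TENANT = {
    "tenantId": "00000000-0000-4000-8000-000000000001",
    "identityProviderType": "EXTERNAL",
    "supportAlgorithm": "RS256",
    "issuer": "https://idp.example.invalid/00000000-0000-4000-8000-000000000001/",
}

MAPPING_PROPS = ("tenantIdMapping", "userNameMapping", "userRoleMapping")


class TokenMappingError(ValueError):
    """Raised when a token cannot be mapped to an Order Management identity."""


def load_mappings(props):
    """Return {mapping property -> claim key} and insist that all three are configured."""
    by_name = {p["propName"]: p["propValue"] for p in props}
    missing = [name for name in MAPPING_PROPS if not by_name.get(name)]
    if missing:
        raise TokenMappingError(f"unconfigured mapping properties: {missing}")
    return {name: by_name[name] for name in MAPPING_PROPS}


def normalise_roles(value):
    """Accept a JSON list or a comma/space separated string and return sorted unique roles."""
    if isinstance(value, str):
        value = value.replace(",", " ").split()
    if not isinstance(value, (list, tuple)):
        raise TokenMappingError("role claim must be a list or a string")
    roles = sorted({str(r).strip() for r in value if str(r).strip()})
    if not roles:
        raise TokenMappingError("token carries no roles")
    return roles


def resolve_identity(header, claims, tenant, mappings):
    """Map verified token claims to {tenantId, userName, roles}; fail closed on any mismatch."""
    # The algorithm in the JOSE header must be the one registered for the tenant,
    # so a token signed with anything else is rejected even if some key would verify it.
    if header.get("alg") != tenant["supportAlgorithm"]:
        raise TokenMappingError(f"alg {header.get('alg')!r} is not the registered {tenant['supportAlgorithm']}")
    # The issuer must be the one the tenant was registered with.
    if claims.get("iss") != tenant["issuer"]:
        raise TokenMappingError(f"issuer {claims.get('iss')!r} does not match the tenant registration")
    # Every mapped claim is mandatory; a missing claim is an error, not an anonymous user.
    for name in MAPPING_PROPS:
        if mappings[name] not in claims:
            raise TokenMappingError(f"claim {mappings[name]!r} ({name}) is absent from the token")
    tenant_id = str(claims[mappings["tenantIdMapping"]])
    if tenant_id != tenant["tenantId"]:
        raise TokenMappingError("tenant id in token does not belong to this registration")
    return {
        "tenantId": tenant_id,
        "userName": str(claims[mappings["userNameMapping"]]),
        "roles": normalise_roles(claims[mappings["userRoleMapping"]]),
    }


# Constructed header and claims of a token that has already passed signature verification.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
SAMPLE_CLAIMS = {
    "iss": TENANT["issuer"],
    "sub": "user-42",
    "TENANTID": TENANT["tenantId"],
    "user_name": "alice",
    "authorities": ["OMS_VIEWER", "OMS_ADMIN", "OMS_VIEWER"],
}

if __name__ == "__main__":
    identity = resolve_identity(SAMPLE_HEADER, SAMPLE_CLAIMS, TENANT, load_mappings(CONFIG_VALUES_COMMON))
    print(json.dumps(identity, indent=2))
```

The point of the three explicit checks is that the claim names vary between identity providers (Azure AD, for instance, does not emit a claim literally called TENANTID unless it is configured to), so a mapping that points at a claim the provider never sends must surface as a rejected token rather than as a user with no tenant or no roles.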
Role-Based Access Configurations
Irrespective of whether you use an external authentication provider or Order Management's own, you have to configure the authorization for each API in Order Management.
Each API in Order Management has role-based access. The API-to-role mapping is held in the respective microservice's configuration. To configure API-specific roles, modify the following configurations for each of the microservices listed below:
- Authorization service:
  File name: $OM_HOME/roles/authorization-service/standalone/config/application.properties
  Property name: allowedUserRoles
  Description: All the user roles (comma separated) that have access to the APIs exposed in the authorization service. This property is not considered when you have set identityProviderType to EXTERNAL while registering the tenant: when identityProviderType is EXTERNAL, the authorization service is not used to generate the token.
- Configurator:
  File name: $OM_HOME/roles/configurator/standalone/config/application.properties
  Property name: configuratorAccessRoles
  Description: All the user roles (comma separated) that have access to the APIs exposed as part of the configurator microservice.
- OMS UI:
  File name: $OM_HOME/seed-data/config-files/ConfigValues_OMSUI.json
  Property name: com.tibco.fom.orch.roles.piExecutionToComplete
  Description: The roles allowed to force-complete plan items that are in execution status.
- Archival service:
  File name: $OM_HOME/seed-data/config-files/ConfigValues_ArchivalService.json
  Under the category name "Application Security Configurations", update the following properties:

  Property Name                                    Description
  operation.roles.orderSummary                     User Role for orderSummary API
  operation.roles.ordersByCriteria                 User Role for ordersByCriteria API
  operation.roles.orderByQueryFilter               User Role for orderByQueryFilter API
  operation.roles.orderDetails                     User Role for orderDetails API
  operation.roles.executionPlanbyQueryFilter       User Role for executionPlanbyQueryFilter API
  operation.roles.enrichedPlanByPlanId             User Role for enrichedPlanByPlanId API
  operation.roles.auditTrailForOrder               User Role for auditTrailForOrder API
  operation.roles.auditTrailForPlan                User Role for auditTrailForPlan API
  operation.roles.planByCriteria                   User Role for planByCriteria API
  operation.roles.purgeOrders                      User Role for purgeOrders API

  Once you configure the above properties, replies from these APIs are received only if the user accessing the resource belongs to one of the user groups that have access to that resource.
- Orchestrator:
  File name: $OM_HOME/seed-data/config-files/ConfigValues_OrchService.json
  Under the category name "Application Security Configurations", update the following properties:

  Property Name                                    Description
  operation.roles.submitOrder                      User Role for submitOrder Service
  operation.roles.orderExecutionPlan               User Role for getOrderExecutionPlan Service
  operation.roles.getOrderDetails                  User Role for getOrderDetails Service
  operation.roles.getAuditTrail                    User Role for getAuditTrail Service
  operation.roles.executePlanItemReply             User Role for planItemExecuteResponse Service
  operation.roles.orderWithdraw                    User Role for orderWithdraw Service
  operation.roles.submitOrderExecutionPlan         User Role for submitOrderExecutionPlan Service
  operation.roles.milestoneNotifyRequest           User Role for milestoneNotifyRequest Service
  operation.roles.planItemSuspendResponse          User Role for planItemSuspendResponse Service
  operation.roles.amendOrder                       User Role for amendOrder Service
  operation.roles.purgeOrder                       User Role for purgeOrder Service
  operation.roles.orderSuspend                     User Role for orderSuspend Service
  operation.roles.orderActivate                    User Role for orderActivate Service
  operation.roles.planItemErrorHandler             User Role for planItemErrorHandler Service
  operation.roles.planItemBulkErrorHandler         User Role for planItemBulkErrorHandler Service
  operation.roles.preQualificationFailedReply      User Role for preQualificationFailedReply Service
  operation.roles.feasibilityReply                 User Role for feasibilityReply Service
  operation.roles.orderCancel                      User Role for orderCancel Service
  operation.roles.performBulkOrderAction           User Role for performBulkOrderAction Service
  operation.roles.orderScXml                       User Role for orderScXml Service
  operation.roles.orderContentForArchival          Roles of the user used by archival for Inter-Service Communication
  operation.roles.triggerAllDeadOrder              Roles of the user used by triggerAllDeadOrder
  operation.roles.triggerDeadOrderByOrderIds       Roles of the user used by triggerDeadOrderByOrderIds
  operation.roles.triggerPendingOrderByOrderIds    Roles of the user used by triggerPendingOrderByOrderIds
  operation.roles.planFragments                    Roles of the user used by getPlanFragments
  operation.roles.submitPlanErrorNotification      Roles of the user used by planErrorNotification
  operation.roles.opdErrorHandlerReply             Roles of the user used by opdErrorHandlerReply

- Catalog service:
  File name: $OM_HOME/seed-data/config-files/ConfigValues_CatalogService.json
  Under the category name "Application Security Configurations", update the following properties:

  Property Name                                    Description
  operation.roles.submitPlanFragmentModel          User Role to access submitPlanFragmentModel Service
  operation.roles.submitProductModel               User Role to access submitProductModel Service
  operation.roles.submitActionModel                User Role to access submitActionModel Service
  operation.roles.purgePlanFragmentModel           User Role to access purgePlanFragmentModel Service
  operation.roles.purgeProductModel                User Role to access purgeProductModel Service
  operation.roles.purgeActionModel                 User Role to access purgeActionModel Service
  operation.roles.getProductModelRoles             User Role to access getProductModelRoles Service
  operation.roles.getPlanFragmentModelRoles        User Role to access getPlanFragmentModelRoles Service
  operation.roles.getActionModelRoles              User Role to access getActionModelRoles Service
  operation.roles.getAllActionModelRoles           User Role to access getAllActionModelRoles Service
  operation.roles.getAllPriceModelRoles            User Role to access getAllPriceModelRoles Service
  operation.roles.getAllOfferIdsModelRoles         User Role to access getAllOfferIdsModelRoles Service
  operation.roles.getAllDiscountModelRoles         User Role to access getAllDiscountModelRoles Service
  operation.roles.getAllProductModelRoles          User Role to access getAllProductModelRoles Service
  operation.roles.getAllPlanFragmentModelRoles     User Role to access getAllPlanFragmentModelRoles Service
  operation.roles.getAllCategoryModelRoles         User Role to access getAllCategoryModelRoles Service
  operation.roles.submitPriceModel                 User Role to access submitPriceModel Service
  operation.roles.submitDiscountModel              User Role to access submitDiscountModel Service
  operation.roles.submitOfferIdsModel              User Role to access submitOfferIdsModel Service
  operation.roles.submitCategoryModel              User Role to access submitCategoryModel Service
  operation.roles.submitRuleModel                  User Role to access submitRuleModel Service
  operation.roles.purgePriceModel                  User Role to access purgePriceModel Service
  operation.roles.purgeDiscountModel               User Role to access purgeDiscountModel Service
  operation.roles.purgeCategoryModel               User Role to access purgeCategoryModel Service
  operation.roles.purgeOfferId                     User Role to access purgeOfferId Service
  operation.roles.purgeRuleModel                   User Role to access purgeRuleModel Service
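As an added example of how the per-operation role properties above gate an API call (this is illustration, not TIBCO code), the block below reads a constructed fragment in the shape of the "Application Security Configurations" entries of ConfigValues_ArchivalService.json and a constructed configuratorAccessRoles line in application.properties, builds an operation-to-roles table, and answers whether a caller holding a given set of roles may invoke an operation. It fails closed: an operation that is missing from the configuration or has an empty role list is denied, and a small audit helper lists which of the documented archival operations are still unprotected. The role names are placeholders, and the assumption that a propValue may carry several roles separated by commas is mine; the property names are the ones in the tables above.

```python
import json

# Constructed fragment in the shape of the "Application Security Configurations" entries of
# ConfigValues_ArchivalService.json (not the shipped file); the role names are placeholders.
# Assumption: a propValue may list several roles separated by commas.
ARCHIVAL_SECURITY_CONFIG = json.loads("""
[
  {"propName": "operation.roles.orderSummary", "propDescription": "User Role for orderSummary API",
   "propValue": "OMS_VIEWER,OMS_ADMIN", "valueType": "string", "isTenantProperty": "false"},
  {"propName": "operation.roles.orderDetails", "propDescription": "User Role for orderDetails API",
   "propValue": "OMS_VIEWER, OMS_ADMIN", "valueType": "string", "isTenantProperty": "false"},
  {"propName": "operation.roles.purgeOrders", "propDescription": "User Role for purgeOrders API",
   "propValue": "OMS_ADMIN", "valueType": "string", "isTenantProperty": "false"},
  {"propName": "operation.roles.planByCriteria", "propDescription": "User Role for planByCriteria API",
   "propValue": "", "valueType": "string", "isTenantProperty": "false"}
]
""")

# Constructed excerpt in the shape of the configurator's application.properties.
CONFIGURATOR_PROPERTIES = """
# roles allowed to call the configurator APIs (constructed values)
configuratorAccessRoles = OMS_ADMIN, OMS_CONFIGURATOR
"""

ROLE_PREFIX = "operation.roles."


def parse_role_list(value):
    """Split a comma separated role string into a frozenset, dropping blanks."""
    return frozenset(r.strip() for r in str(value or "").split(",") if r.strip())


def operation_roles(props):
    """Build {operation name -> allowed roles} from the operation.roles.* entries."""
    table = {}
    for p in props:
        name = p["propName"]
        if name.startswith(ROLE_PREFIX):
            table[name[len(ROLE_PREFIX):]] = parse_role_list(p["propValue"])
    return table


def parse_properties(text):
    """Minimal key=value parser for application.properties style files."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def is_authorized(table, operation, user_roles):
    """Allow the call only if the operation has a non-empty role set and the caller holds one of them.
    An operation with no configured roles, or one absent from the table, is denied (fail closed)."""
    allowed = table.get(operation, frozenset())
    return bool(allowed) and not allowed.isdisjoint(user_roles)


def audit_unprotected(table, expected_operations):
    """Return the documented operations that have no role configured at all."""
    return sorted(op for op in expected_operations if not table.get(op))


# The archival operations listed in the documentation table above.
ARCHIVAL_OPERATIONS = (
    "orderSummary", "ordersByCriteria", "orderByQueryFilter", "orderDetails",
    "executionPlanbyQueryFilter", "enrichedPlanByPlanId", "auditTrailForOrder",
    "auditTrailForPlan", "planByCriteria", "purgeOrders",
)

if __name__ == "__main__":
    table = operation_roles(ARCHIVAL_SECURITY_CONFIG)
    for op in ("orderSummary", "purgeOrders", "planByCriteria"):
        print(op, "allowed for OMS_VIEWER:", is_authorized(table, op, {"OMS_VIEWER"}))
    print("unprotected archival operations:", audit_unprotected(table, ARCHIVAL_OPERATIONS))
    configurator_roles = parse_role_list(parse_properties(CONFIGURATOR_PROPERTIES)["configuratorAccessRoles"])
    print("configurator roles:", sorted(configurator_roles))
```

Running the audit against the real ConfigValues files after an upgrade is a cheap way to catch an operation that was added to a service (the orchestrator and catalog tables are long) without a role ever being assigned to it.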