Configuring an External Identity Provider

Before you begin: You must have registered an application in the external identity provider, such as Azure Active Directory (AAD) or Google Identity, with all the details the application requires, and assigned its application roles to the user.

Registering a Tenant

You can configure an external authentication provider for TIBCO Order Management. See the "Multitenancy" topic in the TIBCO® Order Management Administration guide.

Register a tenant in the Authorization service using the POST method of the /v1/tenant API. The following sample payload shows all the mandatory fields; clientId and clientSecret are the application credentials from the identity provider registration, so treat the payload as sensitive.

{
  "tenantId": "cde6fa59-abb3-4971-be01-2443c417cbda",
  "clientId": "ddaf41fb-3aef-4e30-879f-a188ba131abf",
  "clientSecret": "DI68Q~tljTkT4ABi7lZVztaz5AUN6A6r.CGJHbwd",
  "identityProviderType": "EXTERNAL",
  "supportAlgorithm": "RS256",
  "jwkSetUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/discovery/v2.0/keys",
  "issuer": "https://sts.windows.net/cde6fa59-abb3-4971-be01-2443c417cbda/",
  "oidcSchema": {
    "authUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/oauth2/v2.0/authorize",
    "accessTokenUrl": "https://login.microsoftonline.com/cd-abb3-4971-be01-244bda/oauth2/v2.0/token",
    "scope": "ddaf41fb-3aef-4e30-879f-a188ba131abf-serviceB/fosApplicationConsent"
  }
}

Mapping of Keys from External OAuth2 Token

In the $OM_HOME/seed-data/app-properties/ConfigValues_Common.json file, update the following properties. Each propValue is the key of the claim, in the externally generated OAuth2 token, that carries the tenant ID, the user name, or the user roles.

{
    "propName": "tenantIdMapping",
    "propDescription": "key in the token claims that refers to tenantId",
    "propValue": "TENANTID",
    "valueType": "string",
    "isTenantProperty": "false"
},
{
    "propName": "userNameMapping",
    "propDescription": "key in the token claims that refers to userName",
    "propValue": "user_name",
    "valueType": "string",
    "isTenantProperty": "false"
},
{
    "propName": "userRoleMapping",
    "propDescription": "key in the token claims that refers to userRole",
    "propValue": "authorities",
    "valueType": "string",
    "isTenantProperty": "false"
}
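To make the tenant registration and the claim mapping concrete, here is an added example written for this page; it is not TIBCO's code and does not show how the Authorization service is implemented. It checks an externally issued token against the registration values (supportAlgorithm, issuer, the keys served at jwkSetUrl) and then applies the ConfigValues_Common.json mapping (TENANTID, user_name, authorities). The Tenant and ClaimMapping types, mintToken, verifyToken, the signing key, the kid "kid-1" and the claim values are all assumptions constructed for the example. The order of checks is the point: the algorithm is pinned to the registration (a token announcing alg "none" or HS256 is rejected before any key is consulted), the key is resolved by kid, the signature is verified, and only then are iss, exp and the mapped claims read.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Tenant carries the /v1/tenant fields a verifier needs (hypothetical type, not OM's own model).
type Tenant struct {
	TenantID, SupportAlgorithm, Issuer string
	Keys                               map[string]*rsa.PublicKey // kid -> key, fetched from jwkSetUrl
}

// ClaimMapping mirrors tenantIdMapping / userNameMapping / userRoleMapping in ConfigValues_Common.json.
type ClaimMapping struct{ TenantID, UserName, UserRole string }

var DefaultMapping = ClaimMapping{"TENANTID", "user_name", "authorities"}

// mintToken issues an RS256 JWT; it stands in for the external identity provider.
func mintToken(priv *rsa.PrivateKey, kid, alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyToken checks alg, kid, signature, iss, exp and tenant against the registration,
// then returns the user name and roles found via the claim mapping.
func verifyToken(t Tenant, m ClaimMapping, token string, now time.Time) (user string, roles []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return "", nil, errors.New("bad header")
	}
	// The registration pins the algorithm; the token header never gets to choose ("none", HS256 key confusion).
	if t.SupportAlgorithm != "RS256" || hdr.Alg != "RS256" {
		return "", nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	key, ok := t.Keys[hdr.Kid]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return "", nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return "", nil, errors.New("bad signature")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any // decoded and trusted only after the signature check
	if err != nil || json.Unmarshal(rawBody, &claims) != nil {
		return "", nil, errors.New("bad payload")
	}
	if claims["iss"] != t.Issuer {
		return "", nil, errors.New("issuer mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return "", nil, errors.New("token expired or exp missing")
	}
	// Apply the ConfigValues_Common mapping: which claim keys carry the tenant, the user and the roles.
	if tid, _ := claims[m.TenantID].(string); tid != t.TenantID {
		return "", nil, errors.New("tenant mismatch")
	}
	if user, _ = claims[m.UserName].(string); user == "" {
		return "", nil, errors.New("user name claim missing")
	}
	list, _ := claims[m.UserRole].([]any) // "authorities" arrives as a JSON array
	for _, r := range list {
		if s, ok := r.(string); ok {
			roles = append(roles, s)
		}
	}
	return user, roles, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key (constructed)
	t := Tenant{TenantID: "cde6fa59-abb3-4971-be01-2443c417cbda", SupportAlgorithm: "RS256",
		Issuer: "https://sts.windows.net/cde6fa59-abb3-4971-be01-2443c417cbda/",
		Keys:   map[string]*rsa.PublicKey{"kid-1": &priv.PublicKey}}
	tok := mintToken(priv, "kid-1", "RS256", map[string]any{"iss": t.Issuer, "TENANTID": t.TenantID,
		"user_name": "alice", "authorities": []string{"ROLE_ORDER_ADMIN"}, "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(verifyToken(t, DefaultMapping, tok, time.Now()))
}
```

Fetching the JWKS over HTTPS from jwkSetUrl and caching it by kid is left out so the example runs offline; the Keys map is where that result belongs, and a kid that is not in the cached set should trigger a refresh rather than a fallback to any key. Reading the claims before the signature check, or letting the header choose the algorithm, is how forged-payload and algorithm-confusion bugs get in.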

Role-Based Access Configurations

Whether you use an external identity provider or Order Management's own authentication provider, you must configure the authorization for each API in Order Management.

Each API in Order Management has role-based access. The role mapping for an API is held in the configuration of the microservice that exposes it. To configure API-specific roles, modify the following configuration for each of these microservices:

  • Authorization service:

    File name: $OM_HOME/roles/authorization-service/standalone/config/application.properties

    Property name: allowedUserRoles

    Description: Comma-separated list of the user roles that can access the APIs exposed by the authorization service. It is not considered when identityProviderType was set to EXTERNAL while registering the tenant, because in that case the authorization service does not generate the token.

  • Configurator:

    File name: $OM_HOME/roles/configurator/standalone/config/application.properties

    Property name: configuratorAccessRoles

    Description: Comma-separated list of the user roles that can access the APIs exposed by the configurator microservice.

  • OMS UI:

    File name: $OM_HOME/seed-data/config-files/ConfigValues_OMSUI.json

    Property name: com.tibco.fom.orch.roles.piExecutionToComplete

    Description: Roles allowed to force-complete plan items that are in execution status.

  • Archival service:

    File name: $OM_HOME/seed-data/config-files/ConfigValues_ArchivalService.json

    Under the category name "Application Security Configurations", update the following properties:

    Property Name                                   Description
    operation.roles.orderSummary                    User role for the orderSummary API
    operation.roles.ordersByCriteria                User role for the ordersByCriteria API
    operation.roles.orderByQueryFilter              User role for the orderByQueryFilter API
    operation.roles.orderDetails                    User role for the orderDetails API
    operation.roles.executionPlanbyQueryFilter      User role for the executionPlanbyQueryFilter API
    operation.roles.enrichedPlanByPlanId            User role for the enrichedPlanByPlanId API
    operation.roles.auditTrailForOrder              User role for the auditTrailForOrder API
    operation.roles.auditTrailForPlan               User role for the auditTrailForPlan API
    operation.roles.planByCriteria                  User role for the planByCriteria API
    operation.roles.purgeOrders                     User role for the purgeOrders API

    Once these properties are configured, the APIs above respond only when the user accessing the resource holds one of the roles granted access to that resource.

  • Orchestrator:

    File name: $OM_HOME/seed-data/config-files/ConfigValues_OrchService.json

    Under the category name "Application Security Configurations", update the following properties:

    Property Name                                   Description
    operation.roles.submitOrder                     User role for the submitOrder service
    operation.roles.orderExecutionPlan              User role for the getOrderExecutionPlan service
    operation.roles.getOrderDetails                 User role for the getOrderDetails service
    operation.roles.getAuditTrail                   User role for the getAuditTrail service
    operation.roles.executePlanItemReply            User role for the planItemExecuteResponse service
    operation.roles.orderWithdraw                   User role for the orderWithdraw service
    operation.roles.submitOrderExecutionPlan        User role for the submitOrderExecutionPlan service
    operation.roles.milestoneNotifyRequest          User role for the milestoneNotifyRequest service
    operation.roles.planItemSuspendResponse         User role for the planItemSuspendResponse service
    operation.roles.amendOrder                      User role for the amendOrder service
    operation.roles.purgeOrder                      User role for the purgeOrder service
    operation.roles.orderSuspend                    User role for the orderSuspend service
    operation.roles.orderActivate                   User role for the orderActivate service
    operation.roles.planItemErrorHandler            User role for the planItemErrorHandler service
    operation.roles.planItemBulkErrorHandler        User role for the planItemBulkErrorHandler service
    operation.roles.preQualificationFailedReply     User role for the preQualificationFailedReply service
    operation.roles.feasibilityReply                User role for the feasibilityReply service
    operation.roles.orderCancel                     User role for the orderCancel service
    operation.roles.performBulkOrderAction          User role for the performBulkOrderAction service
    operation.roles.orderScXml                      User role for the orderScXml service
    operation.roles.orderContentForArchival         Roles of the user that the archival service uses for inter-service communication
    operation.roles.triggerAllDeadOrder             Roles of the user used by the triggerAllDeadOrder service
    operation.roles.triggerDeadOrderByOrderIds      Roles of the user used by the triggerDeadOrderByOrderIds service
    operation.roles.triggerPendingOrderByOrderIds   Roles of the user used by the triggerPendingOrderByOrderIds service
    operation.roles.planFragments                   Roles of the user used by the getPlanFragments service
    operation.roles.submitPlanErrorNotification     Roles of the user used by the planErrorNotification service
    operation.roles.opdErrorHandlerReply            Roles of the user used by the opdErrorHandlerReply service

  • Catalog service:

    File name: $OM_HOME/seed-data/config-files/ConfigValues_CatalogService.json

    Under the category name "Application Security Configurations", update the following properties:

    Property Name                                   Description
    operation.roles.submitPlanFragmentModel         User role to access the submitPlanFragmentModel service
    operation.roles.submitProductModel              User role to access the submitProductModel service
    operation.roles.submitActionModel               User role to access the submitActionModel service
    operation.roles.purgePlanFragmentModel          User role to access the purgePlanFragmentModel service
    operation.roles.purgeProductModel               User role to access the purgeProductModel service
    operation.roles.purgeActionModel                User role to access the purgeActionModel service
    operation.roles.getProductModelRoles            User role to access the getProductModelRoles service
    operation.roles.getPlanFragmentModelRoles       User role to access the getPlanFragmentModelRoles service
    operation.roles.getActionModelRoles             User role to access the getActionModelRoles service
    operation.roles.getAllActionModelRoles          User role to access the getAllActionModelRoles service
    operation.roles.getAllPriceModelRoles           User role to access the getAllPriceModelRoles service
    operation.roles.getAllOfferIdsModelRoles        User role to access the getAllOfferIdsModelRoles service
    operation.roles.getAllDiscountModelRoles        User role to access the getAllDiscountModelRoles service
    operation.roles.getAllProductModelRoles         User role to access the getAllProductModelRoles service
    operation.roles.getAllPlanFragmentModelRoles    User role to access the getAllPlanFragmentModelRoles service
    operation.roles.getAllCategoryModelRoles        User role to access the getAllCategoryModelRoles service
    operation.roles.submitPriceModel                User role to access the submitPriceModel service
    operation.roles.submitDiscountModel             User role to access the submitDiscountModel service
    operation.roles.submitOfferIdsModel             User role to access the submitOfferIdsModel service
    operation.roles.submitCategoryModel             User role to access the submitCategoryModel service
    operation.roles.submitRuleModel                 User role to access the submitRuleModel service
    operation.roles.purgePriceModel                 User role to access the purgePriceModel service
    operation.roles.purgeDiscountModel              User role to access the purgeDiscountModel service
    operation.roles.purgeCategoryModel              User role to access the purgeCategoryModel service
    operation.roles.purgeOfferId                    User role to access the purgeOfferId service
    operation.roles.purgeRuleModel                  User role to access the purgeRuleModel service
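The operation.roles.* properties of the archival, orchestrator and catalog services above all follow one pattern, so here is an added example, written for this page and not TIBCO's code, that loads such a category, resolves which roles may call an operation, and lists the operations that nobody could call. The surrounding JSON layout (a "categories" array with "categoryName" and "properties") is an assumption; only the operation.roles.* names and the propName/propValue pair form come from the page, and the sample document is constructed. The Policy type, LoadPolicy, Authorize and DeniedToAll are names chosen for the example. It fails closed on an empty or missing property; that is this example's choice and not a statement about how Order Management treats an empty value, so confirm the product's behaviour before relying on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// configFile is the assumed layout of an "Application Security Configurations" category.
// Only the propName/propValue pairs follow the page; the wrapper structure is a guess.
type configFile struct {
	Categories []struct {
		Name       string `json:"categoryName"`
		Properties []struct {
			PropName  string `json:"propName"`
			PropValue string `json:"propValue"`
		} `json:"properties"`
	} `json:"categories"`
}

// sampleConfig is a constructed document in that layout: two operations with roles,
// one deliberately left empty, and amendOrder not configured at all.
const sampleConfig = `{"categories":[{"categoryName":"Application Security Configurations","properties":[
  {"propName":"operation.roles.submitOrder","propValue":"ROLE_ORDER_ADMIN, ROLE_ORDER_OPERATOR"},
  {"propName":"operation.roles.purgeOrder","propValue":"ROLE_ORDER_ADMIN"},
  {"propName":"operation.roles.orderCancel","propValue":""}]}]}`

// Policy maps an operation name (the suffix of operation.roles.*) to the roles allowed to call it.
type Policy map[string][]string

// LoadPolicy reads every operation.roles.* property, splitting the comma-separated value,
// trimming whitespace and dropping empty entries.
func LoadPolicy(raw []byte) (Policy, error) {
	var cf configFile
	if err := json.Unmarshal(raw, &cf); err != nil {
		return nil, err
	}
	p := Policy{}
	for _, c := range cf.Categories {
		if c.Name != "Application Security Configurations" {
			continue
		}
		for _, prop := range c.Properties {
			if !strings.HasPrefix(prop.PropName, "operation.roles.") {
				continue
			}
			op := strings.TrimPrefix(prop.PropName, "operation.roles.")
			p[op] = nil // record the operation even if no role survives, so audits can see it
			for _, r := range strings.Split(prop.PropValue, ",") {
				if r = strings.TrimSpace(r); r != "" {
					p[op] = append(p[op], r)
				}
			}
		}
	}
	return p, nil
}

// Authorize fails closed: an operation with an empty role list, or one that is not
// configured at all, is denied. Role names are matched exactly (case-sensitive).
func (p Policy) Authorize(op string, userRoles []string) bool {
	for _, have := range userRoles {
		for _, want := range p[op] {
			if have == want {
				return true
			}
		}
	}
	return false
}

// DeniedToAll returns the operations from expected that no role can reach under this
// policy, which is what to check before going live with a trimmed-down role set.
func (p Policy) DeniedToAll(expected []string) []string {
	var out []string
	for _, op := range expected {
		if len(p[op]) == 0 {
			out = append(out, op)
		}
	}
	return out
}

func main() {
	p, err := LoadPolicy([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Authorize("submitOrder", []string{"ROLE_ORDER_OPERATOR"}))         // true
	fmt.Println(p.Authorize("purgeOrder", []string{"ROLE_ORDER_OPERATOR"}))          // false
	fmt.Println(p.DeniedToAll([]string{"submitOrder", "orderCancel", "amendOrder"})) // [orderCancel amendOrder]
}
```

Feed DeniedToAll the full operation list from the tables above for the service you are configuring; any name it returns is an API that will refuse every caller, which is usually a forgotten property rather than an intended lock-out.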