<install dir>/wso2/on-prem-values.yaml
<install dir>/install_scripts/install-wso2.sh
front: onpremValues: env: # SSO configurations # # OIDC SINGLE_OIDC_PROVIDER_ENABLED: true SINGLE_OIDC_PROVIDER_CLIENT_ID: "lilt" SINGLE_OIDC_PROVIDER_CLIENT_SECRET: "SAMPLE" SINGLE_OIDC_PROVIDER_ID_TOKEN_SIGNED_RESPONSE_ALG: "RS256" SINGLE_OIDC_PROVIDER_ISSUER_NAME: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs" SINGLE_OIDC_PROVIDER_ISSUER_AUTH_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/oauth2/authorize/" SINGLE_OIDC_PROVIDER_ISSUER_TOKEN_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/oauth2/token/" SINGLE_OIDC_PROVIDER_ISSUER_USERINFO_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/userinfo" SINGLE_OIDC_PROVIDER_ISSUER_JWKS_URI: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/discovery/keys" # # OIDC - overrides for working with ADFS SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM: "urn:microsoft:userinfo" SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS: "upn" config: # singleOidcProviderTlsOptions provides a means to customize HTTP requests made from the front container # to the OIDC Provider, when using the SingleOidcProvider SSO feature. Using these options means you # should NOT use any other OIDC-based login strategy besides that of the SingleOidcProvider SSO feature, or at # least be aware other strategies implemented via the openid-client library will also be affected by these options. singleOidcProviderTlsOptions: # existingSecret should be set to true if you are going to manage the secret yourself; otherwise set existingSecret # to false and the template will manage the secret. If managing the secret yourself, you can provide key-value pairs # in the secret for any of the following keys: # ca, cert, key, passphrase, crl, pfx # However, you MUST also provide a non-empty string value in the map below for the keys that you want to be used. # It does not matter what non-empty string you provide below in that case -- e.g., # ca: "use-the-existing-secret-value" # added below would cause your existing secret's ca value to be used. existingSecret: false secretName: "single-oidc-provider-tls-options" # ca, cert, key, passphrase, crl, and pfx are used to customize HTTP calls from the oidc-client library to the OIDC Provider # Only those with non-empty values will be used; all others will be ignored. # If existingSecret is false, the the values you specify below should be base64 encoded. # Their meaning can be found at: https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions ca: |- SAMPLE cert: |- SAMPLE key: "" passphrase: "" crl: "" pfx: ""
front: onpremValues: env: # SSO configurations # # OIDC SINGLE_OIDC_PROVIDER_ENABLED: true SINGLE_OIDC_PROVIDER_CLIENT_ID: "lilt" SINGLE_OIDC_PROVIDER_CLIENT_SECRET: "SAMPLE" SINGLE_OIDC_PROVIDER_ID_TOKEN_SIGNED_RESPONSE_ALG: "RS256" SINGLE_OIDC_PROVIDER_ISSUER_NAME: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs" SINGLE_OIDC_PROVIDER_ISSUER_AUTH_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/oauth2/authorize/" SINGLE_OIDC_PROVIDER_ISSUER_TOKEN_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/oauth2/token/" SINGLE_OIDC_PROVIDER_ISSUER_USERINFO_ENDPOINT: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/userinfo" SINGLE_OIDC_PROVIDER_ISSUER_JWKS_URI: "https://active-directory-bare-windows-vm-shared-vpc.ssodev.lilt.dev/adfs/discovery/keys"
nodejs
(the platform used to implement the SSO feature). In some environments, it will be necessary to provide additional TLS-related configuration. Support for doing so was added to LILT Enterprise starting at version 1.20.0.
front.onpremValues.config.singleOidcProviderTlsOptions
object, to provide the following configuration values affecting the TLS communication for calls made from the LILT appserver to your OIDC IdentityProvider:
nodejs
documentation at:
TLS (SSL) | Node.js v24.6.0 Documentation
In testing where Active Directory Federation Services (ADFS), running on Windows Server, was used as the IdentityProvider, it was necessary to specify ca
and cert
values, but not the others.
Further instructions for using these configuration values can be found in the comments in the YAML shown at the start of this SSO section.
SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM
SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM
as shown in the YAML at the start of this SSO documentation (above).
SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS
email
property in the response from the Userinfo OIDC endpoint. As a workaround, you can adjust the settings in ADFS 2016 to provide the user’s email address as the value of a claim in the ID_TOKEN. Use the SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS
setting as shown in the YAML at the start of this SSO documentation (above) to tell your LILT installation which claim in the ID_TOKEN will contain the email address.
The following articles might be helpful when attempting to configure ADFS to provide an email address via an ID_TOKEN claim:
Note that in the example shown above (and excerpted again below), the “upn” property in the IdToken is being leveraged, but it may or may not correspond to an email address used by your users. It likely is in the same format as an email address, and uniquely identifies a user in your IdentityProvider, and so may be suitable for using in this way if it is not possible to provide an email address via a property in the IdToken.
front: onpremValues env: SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM: "urn:microsoft:userinfo" SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS: "upn"
# ssh into the master vm for the Kubernetes cluster # (exactly how to do that is site specific) # store the front pod name in a variable, for ease of use fpod=$(kubectl get pods | grep front | awk '{print $1}') # "kubectl exec" into the "front" container of the "front" pod kubectl exec --stdin --tty $fpod -- /bin/sh # # At this point, you should have a shell prompt in that front container # # Use curl to verify domain name of your IdentityProvider can be resolved curl YOUR_IDP_DOMAIN_NAME ## Failure to resolve will look something like this: ## ## curl: (6) Could not resolve host: YOUR_IDP_DOMAIN_NAME; Unknown error ## # Use curl --insecure to verify the ".well-known" configuration page served by # your IdentityProvider can loaded, ignoring certificate issues. # (Note that the "adfs" in the URL below may not match what your IdentityProvider # uses. But there should be a URL with ".well-known" that is valid. curl --insecure https://YOUR_IDP_DOMAIN_NAME/adfs/.well-known/openid-configuration # If successful, the curl command above should return a result something # similar to: ## {"issuer":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs","authorization_endpoint":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/oauth2\\/authorize\\/","token_endpoint":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/oauth2\\/token\\/","jwks_uri":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/discovery\\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge","urn:ietf:params:oauth:grant-type:device_code","device_code"],"subject_types_supported":["pairwise"],"scopes_supported":["winhello_cert","user_impersonation","vpn_cert","logon_cert","profile","openid","allatclaims","email","aza"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/services\\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/userinfo","capabilities":["kdf_ver2"],"end_session_endpoint":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/oauth2\\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"device_authorization_endpoint":"https:\\/\\/YOUR_ID_DOMAIN_NAME\\/adfs\\/oauth2\\/devicecode"} # Use curl to verify certificates used by the TLS setup are ok curl https://YOUR_IDP_DOMAIN_NAME/adfs/.well-known/openid-configuration # If successful, you should see the same result as the curl --insecure command. # If instead you see something like the output below, you may need to configure # one or more of the parameters of # # front.onpremValues.config.singleOidcProviderTlsOptions # # as described in sections above. # ## curl: (60) SSL certificate problem: unable to get local issuer certificate ## More details here: <https://curl.se/docs/sslcerts.html> ## ## curl failed to verify the legitimacy of the server and therefore could not ## establish a secure connection to it. To learn more about this situation and ## how to fix it, please visit the web page mentioned above. ## command terminated with exit code 60
/signin
page of the LILT app, and use your browser’s tools to delete the cookies and storage associated with the LILT app domain name.
To delete session information associated with your OIDC IdentityProvider, load the “…well-known…” configuration page (e.g., “https://YOUR_IDP_DOMAIN_NAME/adfs/.well-known/openid-configuration) in the browser, and use your browser’s tools to delete the cookies and storage associated with your IdentityProvider.
Note that if you do not delete the session info associated with your OIDC IdentityProvider, when you click on “Sign in with SSO” it may skip taking you to the IdentityProvider’s login screen to type in password information; instead, it will re-use the previous successful login session, if any.
front: onpremvalues: env: DEBUG: "openid-client,lilt:singleOidcProvider" NODE_DEBUG: "http,tls"
The options can be adjusted to include only a subset of the debug logging available. For instance, you can just specify the DEBUG
setting shown, but leave out the one for NODE_DEBUG
.