Setting up OIDC access control
In this topic: |
This section provides instructions on how to integrate OpenID Connect (OIDC) with your Klocwork application. This setup will enable users to log in to Klocwork using their existing credentials from an OIDC identity provider (IdP).
projects_root/permissions_data
folder before switching.Prerequisites
Before starting the OIDC integration, ensure you have the following:
-
An active OIDC identity provider (IdP) (for example, Google or Microsoft Entra)
-
Administrative access to both the Validate Server and the OIDC IdP
-
The necessary information and metadata from the IdP (for example, Client ID, Client Secret, Authorization Endpoint, Token Endpoint, and UserInfo Endpoint)
-
Version 24.2 or newer of kwauth from one of the following packages: kwauthtools, kwbuildtools, or the kw-cmd-installer found in kw-desktop-tools. See Installing the Auth Tools package.
When setting up a secure connection (SSL) with OIDC, it is best practice to configure and test your SSL connection before setting up OIDC. This approach reduces the number of potential failure points. See Enabling SSL for SAML or OIDC authentication.
Step 1: Select user provisioning method and administrator account
To select your user provisioning method, edit the /projects_root/config/admin.conf
file or run kwauthconfigw, adding or choosing the following attribute:
user.manager=modern-jit OR modern-pp
where:
- modern-jit is modern authentication with just-in-time provisioning, where user accounts are created automatically when your user logs in for the first time through an IdP.
Choose this option if you would like to have Validate automatically create users after they successfully authenticate. If you choose this method, you only need to add users in your IdP.
-
modern-pp is modern authentication for pre-provisioned accounts.
Choose this option if you would like to explicitly add new users and configure groups or permissions using Validate's integrated user management tools. If you choose this method, you will need to add new users to both Validate and your IdP.
admin.conf
:init.admin.name=<user>
where:<user> is the user to be granted administrator privileges
For example, if you are using your company's IdP credentials, set init.admin.name=janedoe@company.com
Save the changes.
modern-pp
, as you won't be able to log in with any other user until you add it to Validate.Step 2: Add Klocwork to your identity provider
To configure Klocwork on your OIDC IdP:
-
Log in to your IdP's administration console.
-
Create an OIDC application for Klocwork. Provide the following details:
-
A redirect URL to your Validate server, for example:
https://{your-server-host}:{port}/kwauthgateway/login/oauth2/code/{custom-idp-registration-id}
-
Step 3: Configure OIDC authentication on the Validate Server
Add the following parameters, either through kwauthconfigw or by creating a file named auth.properties
in /projects_root/config/
.
Example configuration for Azure or Keycloak
kw.authFramework=openid
kw.userIdAttribute=preferred_username
kw.userDnAttribute=name
kw.openid.prompt=login
spring.security.oauth2.client.provider.{custom-idp-registration-id}.issuer-uri={https://login.microsoftonline.com/aaaaaa-bbbbb-1234/v2.0 | https://my.keycloak.com/realms/my-realm
spring.security.oauth2.client.registration.{custom-idp-registration-id}.client-id={client-id-provided-by-idp}
spring.security.oauth2.client.registration.{custom-idp-registration-id}.client-secret={client-secret-provided-by-idp}
spring.security.oauth2.client.registration.{custom-idp-registration-id}.scope=openid,email,profile
Example configuration for Google, GitHub, Facebook, or Okta
kw.authFramework=openid
kw.userIdAttribute=preferred_username
kw.userDnAttribute=name
kw.openid.prompt=login
spring.security.oauth2.client.registration.{google|github|google|facebook|okta}.client-id={client-id-provided-by-idp}
spring.security.oauth2.client.registration.{google|github|google|facebook|okta}.client-secret={client-secret-provided-by-idp}
Parameter | Description | Example |
---|---|---|
Framework | The framework for your authentication, in this case, openid |
kw.authFramework=openid |
User ID attribute | SAML/OIDC principal attribute key used to retrieve the attribute value that maps to a Validate user name | kw.userIdAttribute=preferred_username |
Display Name attribute | The display name in Validate | kw.userDnAttribute=name |
Issuer URI | The authorization server, preceded by security attributes |
spring.security.oauth2.client.provider.keycloak.issuer-uri=https://your_klocwork_server.com/realms/kwrealm/ |
Client ID | The OAuth 2.0 Client Identifier valid at the authorization server, preceded by security attributes | spring.security.oauth2.client.registration.keycloak.client-id=kwopenid |
Client secret | The Client secret from your IdP, preceded by security attributes | spring.security.oauth2.client.registration.keycloak.client-secret=jgp0ZFerrHsHGaT9H8FHL9tNv7fyoA4b |
Scope | The OAuth 2.0 scope, preceded by security attributes and openid . Available values: profile, email, address, phone, offline_access. See Requesting Claims using Scope Values and Offline Access |
spring.security.oauth2.client.registration.keycloak.scope=openid profile |
Authorization grant type | The OAuth 2.0 authorization grant type, preceded by security attributes | spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code |
Redirect URI | (Optional) The redirect URI, preceded by security attributes | spring.security.oauth2.client.registration.keycloak.redirect-uri=http://localhost:${KW_PORT}/kwauthgateway/login/oauth2/code/kwopenid |
Request expiry | (Optional) The maximum duration for device authorization flow, in seconds | kw.RequestExpirySeconds=180 |
Prompt | (Optional) Behavior for authentication and consent process. Available values: none, login, consent, select_account. See Authentication Request | kw.openid.prompt=none |
Step 4: Test your OIDC integration
To test the OIDC integration:
-
Restart your Validate server.
-
Open Validate browser and click on the Login button. You should be redirected to your IdP for authentication.
-
Follow the device authorization flow for OIDC authentication.
After authenticating with the IdP, you should be redirected back to Validate and logged in automatically.
Troubleshooting
Here are some common errors or error messages you may encounter during setup, and how to fix them:
-
"Unable to find valid certification path to requested target": Your IdP is using a self-signed certificate. Please add the certificate to your environment so Validate can use it to communicate with the IdP.
-
"Signing credentials must not be empty when authentication requests require signing": The IdP requires signing and the certificates have not been included in the configuration.
-
"Unsupported authentication framework specified in configuration": Framework is not configured. Ensure that
kw.authFramework
is set tosaml
oropenid
in yourauth.properties
file. -
If you encounter issues when configuring your IdP settings in Validate, it might be useful to turn on IdP debug logging. This will provide extended information that can assist in troubleshooting.
Do not forget to turn off debug logging in production as it could leak sensitive information as well as consume a large amount of disk space.To turn on IdP debug logging, choose one of the following methods:
-
Set the
KW_DEBUG
environment variable to true and set the logging level forkwauthgateway
todebug
. -
In the
auth.properties
file, setkw.debugAttributes
to true. This setting allows you to see a text representation of the attributes returned from the IdP, helping you determine which one to use askw.userIdAttribute
. Keep in mind that whilekw.debugAttributes=true
, the server will not be usable because you won't be able to log in.
-
-
"The reply URL {your_validate_url} specified in the request does not match the reply URLs configured for the application": When your Validate server is set up behind a Reverse Proxy and the redirect URL configured on the IdP points to that proxy, you may encounter an error similar to this. To resolve this, add the following configuration in the Connector section of the
server.template
file:proxyName="reverse.proxy.url" proxyPort="reverse.proxy.port"
More information
To enable SSL for OIDC, see Enabling SSL for SAML or OIDC authentication