Problem consuming API
Answer ID 12677   |   Last Review Date 08/13/2023

IDCS Authentication integration option in Admin UI for connectREST API

Environment:

LX, Live Experience, REST API

Issue:

When the IDCS Authentication integration option in the Admin UI is enabled, it is no longer possible to authenticate users provisioned directly in Live Experience (including administrator accounts). All authentication for Live Experience UIs (including the admin UI) is done through IDCS SSO (SAML2 flow). As a result, it is no longer possible to access the Live Experience REST API using basic authentication.

If you require access to the Live Experience REST API, you will need to configure Live Experience as a confidential application in IDCS in order to support client credentials-based authentication.

Resolution:

IDCS Configuration for LX External API Access

Create a new “Confidential Application” in IDCS

Log in to IDCS with administrator credentials and navigate to the IDCS Admin console.

Open the IDCS Admin Console menu and select “Applications”. On the Applications screen click “+ Add”.

Select “Confidential Application” on the Add Application pop-up.

On the “Details” tab enter the application Name.


Click Next.

On the “Client” tab select “Skip for later” and click Next.

On the “Resources” tab select “Skip for later” and click Next.

On the “Web Tier Policy” tab select “Skip for later” and click Next.

On the “Authorization” tab select “Skip for later” and click Finish.


Configure the new confidential application

In the IDCS console menu select “Applications”. Select the newly created confidential application for Live Experience.

On the “Configuration” tab, expand “Client Configuration”, and select “Register Client”.

Select “Client Credentials” for Allowed Grant Types.

Select Client Type “Confidential”.

Select “Specific” for Authorized Resources.

Click the “Save” button at the top of the screen.

On the “Configuration” tab expand “Resources” and select Register Resources.

Set Primary Audience to “api”.

In the Scopes section, click “Add”.

In the “Add Scope” pop-up, set the value for the Scope to “/” and click “ADD”.

Click the “Save” button at the top of the screen.

On the “Configuration” tab, expand “Client Configuration”.

In the “Token Issuance Policy” section, click on “Add Scope”.

In the “Select Scope” pop-up, select the new Live Experience confidential application and click “>”.

Select “api/” and click on “Add”.

Click the “Save” button at the top of the screen.

No configuration is needed for “Web Tier Policy”, “Users”, or “Groups”.


Activate the new confidential application

In the IDCS console menu select “Applications”. Select the newly created confidential application for Live Experience.

Click the “Activate” button at the top right of the screen to activate the application.

Make a note of key security information for the new confidential application

In order to authenticate with IDCS when accessing the Live Experience REST API, you will need the client credentials associated with the new confidential application. In addition, the public signing certificate for your IDCS stripe must be provisioned in the LX admin UI.

In the IDCS console menu select “Applications”. Select the newly created confidential application for Live Experience.

On the “Configuration” tab, expand the General Information section.

Copy and make a note of the client ID.

Alongside Client Secret, click “Show Secret”. Copy and make a note of the value.


Enable the API access and provide certificate in the LX admin UI.

In addition to the confidential application client credentials, the public signing certificate for your IDCS stripe must be provisioned in the LX admin UI.

In the IDCS console menu select “Applications”. Select the SAML application used for Live Experience SSO.

On the SSO Configuration tab, click on “Download Signing Certificate”.

Open the downloaded file in a text editor and remove the lines “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

Log in to the LX admin UI with administrator credentials and navigate to “Integration”.

Select the “IDP” tab.

In the section “Configure API access through IDCS”, set “Allow access to Live Experience API” to “On”.

Populate the “IDCS Signing Certificate Public Key” text box with the downloaded IDCS public certificate. Note that the lines “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” must be excluded.

Click “Update Public Key”.
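The following script is an added example, not Oracle's code, showing how a client would use the configuration above: it strips the PEM armor from the downloaded signing certificate for the admin UI text box, and it builds the client_credentials token request with the scope “api/” (Primary Audience “api” plus scope “/”). The IDCS tenant URL, client ID and secret are placeholders, and the token endpoint path /oauth2/v1/token is assumed to be the IDCS standard one.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders, not values from the article: replace with your IDCS stripe
# and the client ID / secret noted from the confidential application.
IDCS_BASE_URL = "https://<idcs-tenant>.identity.oraclecloud.com"
CLIENT_ID = "<client-id-from-general-information>"
CLIENT_SECRET = "<client-secret-from-show-secret>"


def strip_pem_armor(pem_text: str) -> str:
    """Return only the base64 body of a PEM certificate.

    The LX admin UI text box expects the IDCS signing certificate without
    the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.
    """
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def build_token_request(client_id: str, client_secret: str):
    """Build headers and form body for the client_credentials grant.

    The confidential client authenticates with HTTP Basic; the requested
    scope "api/" is the registered Primary Audience plus the "/" scope.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "api/"})
    return headers, body


def fetch_access_token(base_url: str, client_id: str, client_secret: str) -> str:
    """POST to the IDCS token endpoint (assumed path) and return the access token."""
    headers, body = build_token_request(client_id, client_secret)
    req = urllib.request.Request(f"{base_url}/oauth2/v1/token", data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    token = fetch_access_token(IDCS_BASE_URL, CLIENT_ID, CLIENT_SECRET)
    # Send this as "Authorization: Bearer <token>" on Live Experience REST API calls.
    print("Obtained access token of length", len(token))
```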