regenerate zip file

Author: mmouly

authentication/AzureAD/README_WITH_CLIENT_SECRET.md

@@ -60,22 +60,22 @@
 
     In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:
 
-  * Add Optional Email ID Claim
+  * Add Optional **email** ID Claim
     * Click +Add optional claim
     * Select ID
-    * Check Email
-    * Click Add
-
-  * Add Optional Email Access Claim
-    * Click +Add optional claim
-    * Select Access
-    * Check Email
+    * Check **email**
     * Click Add
 
     * Turn on Microsoft Graph email permission
       * Check Turn on the Microsoft Graph email permission
       * Click Add
 
+  * Add Optional **email** Access Claim
+    * Click +Add optional claim
+    * Select Access
+    * Check **email**
+    * Click Add
+
   * Add Group Claim
     * Click +Add groups claim
     * Check Security Groups
@@ -89,7 +89,7 @@
 
   * Click Edit in the "Attributes & Claims" section
     * Click + Add new claim
-      * Name: identity
+      * Name: **identity**
       * Fill 2 Claim conditions in the exact following order:
         1. User Type: Any / Scoped Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
         2. User Type: Members / Scoped Groups: 0 / Source: Attribute / Value: user.mail
@@ -111,12 +111,19 @@
 
     In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**.
 
+    The Manifest feature (a JSON representation of an app registration) is currently in transition.
+    [**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest**
+
     As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2.
 
     ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file.
 
     It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token.
 
+    With **Microsoft Graph App Manifest**:
+    *  **acceptMappedClaims** is relocated as a property of the **api** attribute
+    *  **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion**
+
    Then, click Save.
 
 8. Check the configuration.
@@ -318,7 +325,7 @@
 
     ```shell
     kubectl create secret generic users-groups-synchro-secret \
-        --from-file=sidecar-start.sh \
+        --from-file=./output/sidecar-start.sh \
         --from-file=generate-user-group-mgt.sh
     ```
     > **Note**
@@ -340,7 +347,7 @@
   ```shell
   helm search repo ibm-odm-prod
   NAME                  	CHART VERSION	APP VERSION	DESCRIPTION
-  ibm-helm/ibm-odm-prod   24.0.0          9.0.0.0   	IBM Operational Decision Manager
+  ibm-helm/ibm-odm-prod   24.1.0          9.0.0.1   	IBM Operational Decision Manager
   ```
 
 ### Run the `helm install` command
@@ -520,7 +527,7 @@ As explained in the ODM on Certified Kubernetes documentation [Configuring user
 You can realize a basic authentication ODM runtime call the following way:
 
   ```shell
-$ curl -H "Content-Type: application/json" -k --data @payload.json \
+curl -H "Content-Type: application/json" -k --data @payload.json \
         -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \
       https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
 ```
@@ -530,15 +537,15 @@ Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:pa
 But if you want to execute a bearer authentication ODM runtime call using the Client Credentials flow, you have to get a bearer access token:
 
 ```shell
-$ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
     -d 'client_id=<CLIENT_ID>&scope=<CLIENT_ID>%2F.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' \
     'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token'
 ```
 
 And use the retrieved access token in the following way:
 
   ```shell
-$ curl -H "Content-Type: application/json" -k --data @payload.json \
+curl -H "Content-Type: application/json" -k --data @payload.json \
         -H "Authorization: Bearer <ACCESS_TOKEN>" \
         https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
 ```

authentication/AzureAD/README_WITH_PRIVATE_KEY_JWT.md

@@ -118,13 +118,20 @@ For additional information regarding the implement in Liberty, please refer to t
 
     In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**.
 
-    As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value of **accessTokenAcceptedVersion** to `2`.
+    The Manifest feature (a JSON representation of an app registration) is currently in transition.
+    [**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest**
+
+    As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2.
 
     ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file.
 
-    It is also necessary to set **acceptMappedClaims** to `true` to manage claims. Without this setting, you get the exception `AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.` when requesting a token.
+    It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token.
+
+    With **Microsoft Graph App Manifest**:
+    *  **acceptMappedClaims** is relocated as a property of the **api** attribute
+    *  **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion**
 
-   Then, click Save.
+    Then, click Save.
 
 # Deploy ODM on a container configured with Microsoft Entra ID (Part 2)
 

authentication/AzureAD/azuread-odm-script.zip

@@ -28,18 +28,18 @@ Options:
 
 -g : AZUREAD ODM Group ID
 -i : Client ID
--n : AZUREAD domain (AZUREAD server name)
+-n : Tenant ID
 -x : Cient Secret
 -a : Allow others domains (Optional)
-Usage example: $0 -i AzureADClientId -x AzureADClientSecret -n <Application ID (GUID)> -g <GROUP ID (GUID)> [-a <domain name>]"
+Usage example: $0 -i AzureADClientId -x AzureADClientSecret -n AzureADTenantId -g <GROUP ID (GUID)> [-a <domain name>]"
 EOF
 }
 
 while getopts "x:i:n:s:g:ha:" option; do
     case "${option}" in
         g) AZUREAD_ODM_GROUP_ID=${OPTARG};;
         i) AZUREAD_CLIENT_ID=${OPTARG};;
-        n) AZUREAD_SERVER_NAME=${OPTARG};;
+        n) AZUREAD_TENANT_ID=${OPTARG};;
         x) AZUREAD_CLIENT_SECRET=${OPTARG};;
         a) ALLOW_DOMAIN=${OPTARG};;
         h) usage; exit 0;;
@@ -55,17 +55,17 @@ if [[ -z ${AZUREAD_CLIENT_ID} ]]; then
   echo "AZUREAD_CLIENT_ID has to be provided, either as in environment or with -i."
   exit 1
 fi
-if [[ -z ${AZUREAD_SERVER_NAME} ]]; then
-  echo "AZUREAD_SERVER_NAME has to be provided, either as in environment or with -n."
+if [[ -z ${AZUREAD_TENANT_ID} ]]; then
+  echo "AZUREAD_TENANT_ID has to be provided, either as in environment or with -n."
   exit 1
 fi
 if [[ -z ${AZUREAD_CLIENT_SECRET} ]]; then
   echo "AZUREAD_CLIENT_SECRET has to be provided, either as in environment or with -x."
   exit 1
 fi
 
-if [[ ${AZUREAD_SERVER_NAME} != "https://.*" ]]; then
-  AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_SERVER_NAME}
+if [[ ${AZUREAD_TENANT_ID} != "https://.*" ]]; then
+  AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_TENANT_ID}
 else
   AZUREAD_SERVER_URL=${AZUREAD_SERVER_NAME}
 fi
@@ -76,6 +76,7 @@ sed -i.bak 's|AZUREAD_CLIENT_ID|'$AZUREAD_CLIENT_ID'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_CLIENT_SECRET|'$AZUREAD_CLIENT_SECRET'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_ODM_GROUP_ID|'$AZUREAD_ODM_GROUP_ID'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_SERVER_URL|'$AZUREAD_SERVER_URL'|g' $OUTPUT_DIR/*
+sed -i.bak 's|AZUREAD_TENANT_ID|'$AZUREAD_TENANT_ID'|g' $OUTPUT_DIR/*
 # Claim replacement
 sed -i.bak 's|AZUREAD_CLAIM_GROUPS|'$AZUREAD_CLAIM_GROUPS'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_CLAIM_LOGIN|'$AZUREAD_CLAIM_LOGIN'|g' $OUTPUT_DIR/*

authentication/AzureAD/generateTemplate.sh

@@ -28,17 +28,17 @@ Options:
 
 -g : AZUREAD ODM Group ID
 -i : Client ID
--n : AZUREAD domain (AZUREAD server name)
+-n : Tenant ID
 -a : Allow others domains (Optional)
-Usage example: $0 -i AzureADClientId -n <Application ID (GUID)> -g <GROUP ID (GUID)> [-a <domain name>]"
+Usage example: $0 -i AzureADClientId -n TenantId -g <GROUP ID (GUID)> [-a <domain name>]"
 EOF
 }
 
 while getopts "x:i:n:s:g:ha:" option; do
     case "${option}" in
         g) AZUREAD_ODM_GROUP_ID=${OPTARG};;
         i) AZUREAD_CLIENT_ID=${OPTARG};;
-        n) AZUREAD_SERVER_NAME=${OPTARG};;
+        n) AZUREAD_TENANT_ID=${OPTARG};;
         a) ALLOW_DOMAIN=${OPTARG};;
         h) usage; exit 0;;
         *) usage; exit 1;;
@@ -53,22 +53,23 @@ if [[ -z ${AZUREAD_CLIENT_ID} ]]; then
   echo "AZUREAD_CLIENT_ID has to be provided, either as in environment or with -i."
   exit 1
 fi
-if [[ -z ${AZUREAD_SERVER_NAME} ]]; then
-  echo "AZUREAD_SERVER_NAME has to be provided, either as in environment or with -n."
+if [[ -z ${AZUREAD_TENANT_ID} ]]; then
+  echo "AZUREAD_TENANT_ID has to be provided, either as in environment or with -n."
   exit 1
 fi
 
-if [[ ${AZUREAD_SERVER_NAME} != "https://.*" ]]; then
-  AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_SERVER_NAME}
+if [[ ${AZUREAD_TENANT_ID} != "https://.*" ]]; then
+  AZUREAD_SERVER_URL=https://login.microsoftonline.com/${AZUREAD_TENANT_ID}
 else
-  AZUREAD_SERVER_URL=${AZUREAD_SERVER_NAME}
+  AZUREAD_SERVER_URL=${AZUREAD_TENANT_ID}
 fi
 
 mkdir -p $OUTPUT_DIR && cp $TEMPLATE_DIR/* $OUTPUT_DIR
 echo "Generating files for AZUREAD"
 sed -i.bak 's|AZUREAD_CLIENT_ID|'$AZUREAD_CLIENT_ID'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_ODM_GROUP_ID|'$AZUREAD_ODM_GROUP_ID'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_SERVER_URL|'$AZUREAD_SERVER_URL'|g' $OUTPUT_DIR/*
+sed -i.bak 's|AZUREAD_TENANT_ID|'$AZUREAD_TENANT_ID'|g' $OUTPUT_DIR/*
 # Claim replacement
 sed -i.bak 's|AZUREAD_CLAIM_GROUPS|'$AZUREAD_CLAIM_GROUPS'|g' $OUTPUT_DIR/*
 sed -i.bak 's|AZUREAD_CLAIM_LOGIN|'$AZUREAD_CLAIM_LOGIN'|g' $OUTPUT_DIR/*

authentication/AzureAD/generateTemplateForPrivateKeyJWT.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+while true
+do
+  echo "synchronize groups and users every minute"
+  /tmp/sidecarconf/generate-user-group-mgt.sh -i AZUREAD_CLIENT_ID -x AZUREAD_CLIENT_SECRET -t AZUREAD_TENANT_ID -v
+  sleep 60
+done