It's all about the answers!

Ask a question

How does OpenID connect work and looks like with CLM

Mirko Hartwig (4124) | asked Jun 27 '16, 2:37 a.m.
IBM CLM integrated OpenID connect starting with Version 6.0 but there is no Demo (Video) or other detailed information how it looks like or how it exactly work. I found only a Video where a WAS Liberty is connected to google using OpenID ( ). Nowhere is exactly described how this 2 Factor authentication works.

Is a User only using Username/Password or do the User needs to verify himself after login with a numeric code send via SMS to his Smartphone or if the System use tokens behind and if yes from where knows CLM that the right User signed in to provide the token. Is JAS than the OpenID provider aso aso?

Information on and BM Help Sites like or are not really helpful.

Ralph Schoon commented Jun 27 '16, 4:04 a.m.

I could also find it here: (updated)

Mirko Hartwig commented Jun 27 '16, 5:31 a.m.

Hello Ralph,

thanks for the link but I found this too as I searched for an adequate answer for my question. It does not provide an answer for my questions as in this link a few parts from OpenID connect are described but it is not clear, for example in Figure 2 which is RP and OP) and it is also not clear how in the end it looks like. OpenID is a top up to Oauth2.0 which provides different solutions (ways) how to handle the second factor. And here I see only a mix from near all different ways how CLM handle high security which is massive confusing. 

2 answers

permanent link
Donald Nong (14.5k614) | answered Jun 27 '16, 9:48 p.m.
You probably get confused. JSA is a replacement of the old authentication method which relies on the application server on which the CLM applications run. It does not necessarily provide 2 factor authentication (at least I'm not aware of any such steps or documents).

In Figure 2 of article #75, RP is the Jazz Applications and OP is the Jazz Authorization Server.

Once configured, the login process does not look much different from the traditional one - you will get a login page from the Jazz Authorization Server instead of JTS, and that's it. The blog below shows such a screen.

permanent link
Lonnie VanZandt (88717) | answered Jul 13 '16, 4:49 a.m.
What the user community needs is a scripted working example of non-browser, programmatic use of the OSLC REST URLs when the CLM ecosystem is configured to use SSO and OpenID Connect and the Identity Manager is not a Jazz component.

For example, here's an httpie gist that successfully does OAuth1a one-legged authentication to retrieve DNG RM Requirement(s) using an OSLC Query.
http -v --follow --verify no --auth "consumer_key:secret" --auth-type oauth1 --session jazz-oauth1a GET \
projectURL== \
oauth_token=="" \
accept:'application/rdf+xml' \
oslc-core-version:2.0 \
oslc.query==true \
oslc.prefix==dcterms=\<\> \\* \
The community needs similar gists for the new SSO and OpenID Connect configurations for each OSLC facet including CM, RM, QM, and AM (out of Design Manager).

Additionally and secondarily, gists for automation services such as Ruby Mechanize could illustrate how to interact with Jazz's web UIs when implementing browser-based apps.

When such (simple) gists are available and runnable, implementors can copy these scripts, run them on their own systems, and study the actual HTTP exchanges and session files to see the details. Sadly, the textual statements of how the protocols should or might work are, in the IBM sites, extremely TL;DR, too ambiguous, too erroneous, or too limited to specific configurations or versions.

PS: For information on httpie and its OAuth1 plugin see

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.