Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Is it possible to achieve Single Sign-On for RTC/CLM with company's internal user authentication?

Let's say a company uses a centric user management system (I believe LDAP is required for this), and already has several apps configured to do Single Sign-On (SSO) including the intranet and several other apps.

I would like to know if it is possible to extend the SSO capability to include CLM, so with one login to the internal system, we wish to enable automatic logging into CLM products like RTC.

At this moment I think from version 6 onwards, Kerberos/SPNEGO SSO is the only likely candidate with the potential, but there is limited documentation and blogs to confirm if it is really possible. (And the setting up process seems extremely complicated to 'just try' if it works.) There is some relevant documentation below.

Question:
Q. Is it possible to achieve Single Sign-On for RTC/CLM with company's internal user authentication?
Q. Has anybody achieved it? Or any specific documentation?
Q. If possible, is Kerberos/SPNEGO SSO the only way? With the following pre-conditions:

  • Microsoft Active Directory running on Windows Server 2008 R2 or later
  • IBM® WebSphere® Application Server Version 8 or later

Any other relevant information would be massively appreciated.

Information I read:
"Kerberos is a well-established SSO protocol that is also the default authentication protocol used by Microsoft Windows, so if your organization uses Windows workstations, Microsoft Active Directory for user management, and deploy Jazz applications in WebSphere 8 or later, it will be possible to configure CLM so that your Windows login session is automatically used to log in to CLM. Kerberos can also be used with non-Windows workstations, as long as you use a Microsoft Active Directory server to manage your user accounts."
New single sign-on options in CLM 6.0

Single sign-on authentication in CLM

Supported platforms for Kerberos/SPNEGO SSO authentication

Configuring Kerberos/SPNEGO single sign-on authentication

0 votes

Comments

 This is not the Answer; this is more of the same Question.


If an organization already has an OpenID SSO provider like KeyCloak deployed in their enterprise, can they reconfigure their Jazz CLM applications to authenticate with that provider to achieve a true, proper SSO experience across Jazz and non-Jazz systems?

(SSO between Jazz apps is not SSO, it is merely authentication within Jazz with fewer Jazz challenges.)

Lonnie, I don't know why you said the SSO between Jazz applications is not SSO. If you implement SSO using WebSphere Application Server, all applications (Jazz or not) deployed in the WAS cluster are SSO enabled. SSO is based on different specifications and/or implementations, so it is hard to say which one is "true". In the case of KeyCloak and OpenID, have a read on this blog.
https://advantage.ibm.com/2016/02/04/websphere-liberty-makes-it-easier-to-build-openid-connect-security-services/



3 answers


 Hi folks! 


Nobody answered the question on this topic, which was about the possibility of achieving SSO for CLM apps with a company's OpenID SSO like e.g. KeyCloak.

Does anyone know if it is possible to integrate KeyCloak with CLM?

0 votes


ELM integrates with OpenID based SSO - I have set it up for several clients on different systems but mostly Active Directory.

There are a couple of caveats:
 - ELM will only work with OpenID based SSO for each application's web UI. If you use any of the rich client or command line applications, you will need to also provide LDAP authentication
 - you need to set up your Jazz group mapping so that OpenID knows what group the user is in

It used to be that you had to also configure an LDAP connection to the same server as your SSO was using, but I think that's now no longer required; if anybody knows that for sure, please confirm. It was a real pain to have to have both set up instead of just OpenID.

0 votes



Sorry I wasn't here four years ago... but YES! My company has had SSO with Windows and Linux for the past four years in CLM. We use Microsoft Active Directory for both Windows and Linux logins, so once a user is logged into their machines, they need only go to any favorite or link that opens CLM and they are automatically authenticated in Chrome, Edge, Firefox, and cough even Internet Explorer. We accomplished this maybe even 5 or 6 years ago now using WebSphere Application Server 8.5.5.11.


I am now looking into this because we were thinking of migrating to WebSphere Liberty, but I can't seem to get a definitive answer on that.

These instructions look solid for Liberty:

But then ELM's help content says SPNEGO is not supported in Liberty, only in WAS 8+.

Has anyone accomplished it in Liberty?

Does anyone still want me to provide my documented step-by-step for how I did it 5-6 years ago for WAS 8.5.5 and Active Directory? I could dig it up, I bet.

0 votes
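
A troubleshooting aid for the Kerberos/SPNEGO setups discussed in this thread, added here as an example and not taken from any poster or from IBM documentation: it decodes the value of a browser's `Authorization: Negotiate` header and reports whether it carries a Kerberos-first SPNEGO token or an NTLM token, which Windows clients commonly send when they cannot obtain a Kerberos ticket. The function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
KRB5_MS = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos 5", KRB5_MS: "Kerberos 5", NTLM: "NTLM"}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _mech_at(buf, pos):
    """Name the known mechanism OID found at buf[pos], or None."""
    return next((name for oid, name in NAMES.items() if buf.startswith(oid, pos)), None)

def classify_negotiate(header_value):
    """Say which mechanism an 'Authorization: Negotiate ...' value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not a Negotiate token"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw NTLM, no Kerberos ticket"
        if token[0] != 0x60:                      # GSS-API InitialContextToken tag
            return "unknown token"
        _, pos = _der_len(token, 1)
        outer = _mech_at(token, pos)
        if outer != "SPNEGO":
            return outer or "unknown mechanism"
        pos += len(SPNEGO)
        # NegTokenInit: [0] { SEQUENCE { mechTypes [0] { SEQUENCE OF OID ...
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            if token[pos] != tag:
                return "SPNEGO, mechanism list not parsed"
            _, pos = _der_len(token, pos + 1)
        return "SPNEGO, preferred mechanism: " + (_mech_at(token, pos) or "unknown")
    except (ValueError, IndexError):
        return "malformed token"

# Constructed samples (not captured traffic): a minimal NegTokenInit and an NTLM prefix.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

_init = _tlv(0x60, SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5 + NTLM)))))
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(_init).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```
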


Question asked: Apr 17 '17, 3:44 a.m.

Question was seen: 4,870 times

Last updated: May 13 '21, 1:12 a.m.
