Is it possible to achieve Single Sign-On for RTC/CLM with company's internal user authentication?
George Harada (32●1●9)
asked Apr 17 '17, 3:44 a.m.
retagged May 11 '17, 9:04 a.m. by Ken Tessier (841●1●7)

Let's say a company uses a centric user management system (I believe LDAP is required for this), and already has several apps configured to do Single Sign-On (SSO) including the intranet and several other apps.
Information I read: "Kerberos is a well-established SSO protocol that is also the default authentication protocol used by Microsoft Windows, so if your organization uses Windows workstations, Microsoft Active Directory for user management, and deploy Jazz applications in WebSphere 8 or later, it will be possible to configure CLM so that your Windows login session is automatically used to log in to CLM. Kerberos can also be used with non-Windows workstations, as long as you use a Microsoft Active Directory server to manage your user accounts."
- New single sign-on options in CLM 6.0
- Single sign-on authentication in CLM
- Supported platforms for Kerberos/SPNEGO SSO authentication
- Configuring Kerberos/SPNEGO single sign-on authentication

3 answers
Hi folks!
Nobody answered the question on this topic, which was about the possibility of achieving SSO for CLM apps with a company's OpenID SSO, e.g. KeyCloak.
Does anyone know if it is possible to integrate KeyCloak with CLM?

ELM integrates with OpenID based SSO - I have set it up for several clients on different systems but mostly Active Directory.
There are a couple of caveats:
- ELM will only work with OpenID based SSO for each application's web UI. If you use any of the rich client or command line applications, you will need to also provide LDAP authentication.
- You need to set up your Jazz group mapping so that OpenID knows what group the user is in.
It used to be that you had to also configure an LDAP connection to the same server as your SSO was using but I think that's now no longer required, but if anybody knows that for sure please confirm. It was a real pain to have to have both set up instead of just OpenID.

Sorry I wasn't here four years ago... but YES! My company has had SSO with Windows and Linux for the past four years in CLM. We use Microsoft Active Directory for both Windows and Linux logins, so once a user is logged into their machines, they need only go to any favorite or link that opens CLM and they are automatically authenticated in Chrome, Edge, Firefox, and cough even Internet Explorer. We accomplished this maybe even 5 or 6 years ago now using WebSphere Application Server 8.5.5.11.
I am now looking into this because we were thinking of migrating to WebSphere Liberty, but I can't seem to get a definitive answer on that.
These instructions look solid for Liberty:
But then ELM's help content says SPNEGO is not supported in Liberty, only in WAS 8+.
Has anyone accomplished it in Liberty?
Does anyone still want me to provide my documented step-by-step for how I did it 5-6 years ago for WAS 8.5.5 and Active Directory? I could dig it up, I bet.
Comments
This is not the Answer; this is more of the same Question.
Lonnie, I don't know why you said the SSO between Jazz applications is not SSO. If you implement SSO using WebSphere Application Server, all applications (Jazz or not) deployed in the WAS cluster are SSO enabled. SSO is based on different specifications and/or implementations, so it is hard to say which one is "true". In the case of KeyCloak and OpenID, have a read on this blog.
https://advantage.ibm.com/2016/02/04/websphere-liberty-makes-it-easier-to-build-openid-connect-security-services/