Is it possible to achieve Single Sign-On for RTC/CLM with company's internal user authentication?


George Harada (328) | asked Apr 17 '17, 3:44 a.m.
retagged May 11 '17, 9:04 a.m. by Ken Tessier (84117)

Let's say a company uses a centric user management system (I believe LDAP is required for this), and already has several apps configured to do Single Sign-On (SSO) including the intranet and several other apps.

I would like to know if it is possible to extend the SSO capability to include CLM, so with one login to the internal system, we wish to enable automatic logging into CLM products like RTC.

At this moment I think from version 6 onwards, Kerberos/SPNEGO SSO is the only likely candidate with the potential, but there is limited documentation and blogs to confirm if it is really possible. (And the setting up process seems extremely complicated to 'just try' if it works.) There is some relevant documentation below.

Question:
Q. Is it possible to achieve Single Sign-On for RTC/CLM with company's internal user authentication?
Q. Has anybody achieved it? Or any specific documentation?
Q. If possible, is Kerberos/SPNEGO SSO the only way? With the following pre-conditions:

  • Microsoft Active Directory running on Windows Server 2008 R2 or later
  • IBM® WebSphere® Application Server Version 8 or later

Any other relevant information would be massively appreciated.

Information I read:
"Kerberos is a well-established SSO protocol that is also the default authentication protocol used by Microsoft Windows, so if your organization uses Windows workstations, Microsoft Active Directory for user management, and deploy Jazz applications in WebSphere 8 or later, it will be possible to configure CLM so that your Windows login session is automatically used to log in to CLM. Kerberos can also be used with non-Windows workstations, as long as you use a Microsoft Active Directory server to manage your user accounts."
New single sign-on options in CLM 6.0

Single sign-on authentication in CLM

Supported platforms for Kerberos/SPNEGO SSO authentication

Configuring Kerberos/SPNEGO single sign-on authentication


Comments
Lonnie VanZandt commented Apr 27 '17, 6:26 p.m. | edited Apr 29 '17, 1:23 p.m.

 This is not the Answer; this is more of the same Question.


If an organization already has an OpenID SSO provider like KeyCloak deployed in their enterprise, can they reconfigure their Jazz CLM applications to authenticate with that provider to achieve a true, proper SSO experience across Jazz and non-Jazz systems?

(SSO between Jazz apps is not SSO, it is merely authentication within Jazz with fewer Jazz challenges.)


Donald Nong commented May 02 '17, 1:54 a.m.

Lonnie, I don't know why you said the SSO between Jazz applications is not SSO. If you implement SSO using WebSphere Application Server, all applications (Jazz or not) deployed in the WAS cluster are SSO enabled. SSO is based on different specifications and/or implementations, so it is hard to say which one is "true". In the case of KeyCloak and OpenID, have a read on this blog.
https://advantage.ibm.com/2016/02/04/websphere-liberty-makes-it-easier-to-build-openid-connect-security-services/

3 answers



Leonardo Benevides (234118) | answered May 04 '20, 9:47 a.m.

 Hi folks! 


Nobody answered the question on this topic, which was about the possibility of achieving SSO for CLM apps with a company's OpenID SSO, e.g. KeyCloak.

Does anyone know if it is possible to integrate KeyCloak with CLM?


Davyd Norris (1.6k12) | answered May 05 '20, 8:34 p.m.
ELM integrates with OpenID based SSO - I have set it up for several clients on different systems but mostly Active Directory.

There are a couple of caveats:
 - ELM will only work with OpenID based SSO for each application's web UI. If you use any of the rich client or command line applications, you will need to also provide LDAP authentication.
 - you need to set up your Jazz group mapping so that OpenID knows what group the user is in

It used to be that you had to also configure an LDAP connection to the same server as your SSO was using, but I think that's now no longer required, but if anybody knows that for sure, please confirm. It was a real pain to have to have both set up instead of just OpenID.

Dave Evans (1382138) | answered May 12 '21, 3:52 p.m.

Sorry I wasn't here four years ago... but YES! My company has had SSO with Windows and Linux for the past four years in CLM. We use Microsoft Active Directory for both Windows and Linux logins, so once a user is logged into their machines, they need only go to any favorite or link that opens CLM and they are automatically authenticated in Chrome, Edge, Firefox, and cough even Internet Explorer. We accomplished this maybe even 5 or 6 years ago now using WebSphere Application Server 8.5.5.11.


I am now looking into this because we were thinking of migrating to WebSphere Liberty, but I can't seem to get a definitive answer on that.

These instructions look solid for Liberty:

But then ELM's help content says SPNEGO is not supported in Liberty, only in WAS 8+.

Has anyone accomplished it in Liberty?

Does anyone still want me to provide my documented step-by-step for how I did it 5-6 years ago for WAS 8.5.5 and Active Directory? I could dig it up, I bet.
