It's all about the answers!

Ask a question
QuestionsTagsUsersBadges
Follow this question
Question details

×42,633
×10,835
×7,287
×6,034
×5,675
×4,259

question asked: Mar 29 '18, 1:21 p.m.
question was seen: 2,165 times
last updated: Nov 13 '20, 1:07 p.m.

Related questions

FAQ - How this Forum works

Push Jazz Repository Permissions from SAML 2.0 IdP to Jazz Team Server?

0
Michael Razavi (155) | asked Mar 29 '18, 1:21 p.m.

 I'm trying to configure CLM and Jazz Authorization Server to accept SAML assertions from an IDP, in this case Okta. We have no problem getting CLM/JTS to create the user upon login using SAML/Okta; however, we cant update the email address or more importantly the repository permissions for a user. Can anyone provide more instructions on how to set this up?

The only thing being pushed to the Jazz Team Server from my SAML provider, no matter what attribute statements I set on the IDP side, is the User ID. At a minimum, I must be able to send the Repository Permissions (JazzAdmins, JazzUsres, etc) from the SAML Provider or else we would have to maintain a local file or LDAP configuration on the JazzAuth server which is not ideal. Does anyone know specifically what CLM is looking for as far as samlwebsso20 attribute names for email and jazz repository permissions?

Accepted answer

0
permanent link
Donald Nong (14.5k414) | answered Mar 29 '18, 9:47 p.m.

This bit, "we would have to maintain a local file or LDAP configuration on the JazzAuth server which is not ideal", unfortunately is true. CLM does not receive any SAML tokens directly, which is JAS's job, and JAS cannot do any group mapping using the group information returned in a SAML token.

Also, JTS cannot synchronize users using the SAML protocol. It still requires LDAP.

Michael Razavi selected this answer as the correct answer
Comments
Michael Razavi commented Mar 29 '18, 10:03 p.m.

Donald, Thank you for the confirmation and the quick response!  Do you know if this is also the case with OpenID Connect?  

Donald Nong commented Mar 29 '18, 10:36 p.m.

More or less the same. For OpenID/SCIM, it is required that both JTS and JAS can connect to the same LDAP server - JTS will do the group mapping in this case, which is a bit confusing compared with SAML. We also recently found the below defect.
https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/453857

One other answer

Most liked answers ↑|Newest answers|Oldest answers

0
permanent link
ArunKumar Polisetty (11) | answered Nov 13 '20, 1:07 p.m.

 Hi Mike ,

Below is what I have setup in okta . I could not get the sign on working . Can you please share your config .

Below is what I have setup in okta .

Your answer

Register or to post your answer.