
Push Jazz Repository Permissions from SAML 2.0 IdP to Jazz Team Server?

I'm trying to configure CLM and Jazz Authorization Server to accept SAML assertions from an IdP, in this case Okta. We have no problem getting CLM/JTS to create the user upon login using SAML/Okta; however, we can't update the email address or, more importantly, the repository permissions for a user. Can anyone provide more instructions on how to set this up?

The only thing being pushed to the Jazz Team Server from my SAML provider, no matter what attribute statements I set on the IdP side, is the User ID. At a minimum, I must be able to send the Repository Permissions (JazzAdmins, JazzUsers, etc.) from the SAML provider, or else we would have to maintain a local file or LDAP configuration on the JazzAuth server, which is not ideal. Does anyone know specifically what CLM is looking for as far as samlwebsso20 attribute names for email and Jazz repository permissions?

0 votes
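When an IdP "only pushes the User ID", the first thing worth checking is what the SAML response actually contains before the SP ever sees it. The script below is an added example, not code from the question, from IBM, or from Okta: it base64-decodes a SAMLResponse and lists the NameID and every attribute in the AttributeStatement, so you can confirm whether the email and group attributes are present in the token at all or were never emitted by the IdP. The response embedded here is a constructed, unsigned sample; the attribute names `email` and `groups` and the values `jdoe` / `JazzUsers` / `JazzAdmins` are assumptions for illustration and are not attribute names CLM or JAS is known to expect.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the protocol wrapper and the assertion body.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an unsigned response carrying a NameID plus two
# attributes. Attribute names and values are assumptions, not CLM/JAS specifics.
SAMPLE_RESPONSE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>JazzUsers</saml:AttributeValue>
        <saml:AttributeValue>JazzAdmins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser posts to the SP is the base64 form of the XML above.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64: str) -> dict:
    """Decode a base64 SAMLResponse and return its NameID and attributes.

    This is an inspection aid only: it does not validate the XML signature,
    audience, or validity window, so its output must not be used to make
    authorization decisions. A real SP verifies the signature before trusting
    any value shown here.
    """
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element in response")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

    # Multi-valued attributes (group lists) keep every AttributeValue.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values

    return {"name_id": name_id, "attributes": attributes}


def missing_attributes(parsed: dict, expected: list) -> list:
    """Return the expected attribute names that the IdP did not send."""
    return [name for name in expected if name not in parsed["attributes"]]


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_SAML_RESPONSE_B64)
    print("NameID:", parsed["name_id"])
    for name, values in parsed["attributes"].items():
        print(f"{name}: {values}")
    print("missing:", missing_attributes(parsed, ["email", "groups", "department"]))
```

Feed it the SAMLResponse value captured from the browser's POST to the service provider (a SAML tracer extension or the browser's network panel shows it). If the group attribute is listed here, the IdP side is doing its job and the gap is in what the SP consumes from the token; if it is absent, the attribute statement on the IdP side is not being applied.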


Accepted answer


This bit, "we would have to maintain a local file or LDAP configuration on the JazzAuth server which is not ideal", unfortunately is true. CLM does not receive any SAML tokens directly, which is JAS's job, and JAS cannot do any group mapping using the group information returned in a SAML token.

Also, JTS cannot synchronize users using the SAML protocol. It still requires LDAP.

Michael Razavi selected this answer as the correct answer

0 votes

Comments

Donald, thank you for the confirmation and the quick response! Do you know if this is also the case with OpenID Connect?

More or less the same. For OpenID/SCIM, it is required that both JTS and JAS can connect to the same LDAP server - JTS will do the group mapping in this case, which is a bit confusing compared with SAML. We also recently found the below defect.
https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/453857


One other answer


Hi Mike,

Below is what I have set up in Okta. I could not get the sign-on working. Can you please share your config?


0 votes

Question details

Question asked: Mar 29 '18, 1:21 p.m.

Question was seen: 3,186 times

Last updated: Nov 13 '20, 1:07 p.m.
