
Push Jazz Repository Permissions from SAML 2.0 IdP to Jazz Team Server?

Michael Razavi (1516) | asked Mar 29 '18, 1:21 p.m.

I'm trying to configure CLM and Jazz Authorization Server to accept SAML assertions from an IdP, in this case Okta. We have no problem getting CLM/JTS to create the user upon login using SAML/Okta; however, we can't update the email address or, more importantly, the repository permissions for a user. Can anyone provide more instructions on how to set this up?

The only thing being pushed to the Jazz Team Server from my SAML provider, no matter what attribute statements I set on the IdP side, is the User ID. At a minimum, I must be able to send the Repository Permissions (JazzAdmins, JazzUsers, etc.) from the SAML provider, or else we would have to maintain a local file or LDAP configuration on the JazzAuth server, which is not ideal. Does anyone know specifically what CLM is looking for as far as samlwebsso20 attribute names for email and Jazz repository permissions?

Accepted answer

Donald Nong (14.5k614) | answered Mar 29 '18, 9:47 p.m.

This bit, "we would have to maintain a local file or LDAP configuration on the JazzAuth server which is not ideal", unfortunately is true. CLM does not receive any SAML tokens directly, which is JAS's job, and JAS cannot do any group mapping using the group information returned in a SAML token.

Also, JTS cannot synchronize users using the SAML protocol. It still requires LDAP.

Michael Razavi selected this answer as the correct answer

Michael Razavi commented Mar 29 '18, 10:03 p.m.

Donald, thank you for the confirmation and the quick response! Do you know if this is also the case with OpenID Connect?

Donald Nong commented Mar 29 '18, 10:36 p.m.

More or less the same. For OpenID/SCIM, it is required that both JTS and JAS can connect to the same LDAP server - JTS will do the group mapping in this case, which is a bit confusing compared with SAML. We also recently found the below defect.

One other answer

ArunKumar Polisetty (111) | answered Nov 13 '20, 1:07 p.m.

Hi Mike,

Below is what I have set up in Okta. I could not get the sign-on working. Can you please share your config?
