Push Jazz Repository Permissions from SAML 2.0 IdP to Jazz Team Server?
I'm trying to configure CLM and Jazz Authorization Server to accept SAML assertions from an IdP, in this case Okta. We have no problem getting CLM/JTS to create the user upon login using SAML/Okta; however, we can't update the email address or, more importantly, the repository permissions for a user. Can anyone provide more instructions on how to set this up?
The only thing being pushed to the Jazz Team Server from my SAML provider, no matter what attribute statements I set on the IdP side, is the User ID. At a minimum, I must be able to send the Repository Permissions (JazzAdmins, JazzUsers, etc.) from the SAML provider, or else we would have to maintain a local file or LDAP configuration on the JazzAuth server, which is not ideal. Does anyone know specifically what CLM is looking for as far as samlwebsso20 attribute names for email and Jazz repository permissions?
Accepted answer
This bit, "we would have to maintain a local file or LDAP configuration on the JazzAuth server which is not ideal", unfortunately is true. CLM does not receive any SAML tokens directly, which is JAS's job, and JAS cannot do any group mapping using the group information returned in a SAML token.
Also, JTS cannot synchronize users using the SAML protocol. It still requires LDAP.
Comments
Donald, Thank you for the confirmation and the quick response! Do you know if this is also the case with OpenID Connect?
More or less the same. For OpenID/SCIM, it is required that both JTS and JAS can connect to the same LDAP server - JTS will do the group mapping in this case, which is a bit confusing compared with SAML. We also recently found the below defect.
https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/453857
One other answer
Hi Mike,