Batch jobs and SAML authentication

We are migrating our ELM Applications to cloud and planning to use SAML Authentication.
We followed instructions from this URL https://jazz.net/wiki/bin/view/Main/JFSCoreSecurity#Application_Authentication and it works for non-batch jobs. The user verification is impossible in the case of batch jobs. Could you please provide more details about OIDC authentication? This URL https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication#Jazz_Container_authentication has some information, but it is unclear. Would you have any detailed steps or example?
The URLs for the OAuth endpoints should not be hard-coded by a client but should be retrieved from the root services document. The URLs shown in the details below should be considered as examples only.

Retrieve Request Token
- Root Services Key: http://jazz.net/xmlns/prod/jazz/jfs/1.0/oauthRequestTokenUrl
- Example URL: https://{server-name-and-port}/jazz/oauth-request-token
- Method: POST
- Parameters: oauth_consumer_key={consumer-key} [1] [2]

Authenticate Request Token
- Root Services Key: http://jazz.net/xmlns/prod/jazz/jfs/1.0/oauthUserAuthorizationUrl
- Example URL: https://{server-name-and-port}/jazz/oauth-authorize
- Method: POST
- Parameters: oauth_token={request-token}&authorize=True [3]

Retrieve Access Token
- Root Services Key: http://jazz.net/xmlns/prod/jazz/jfs/1.0/oauthAccessTokenUrl
- Example URL: https://{server-name-and-port}/jazz/oauth-access-token
- Method: POST
- Parameters: oauth_consumer_key={consumer-key}&oauth_token={request-token} [2] [4]
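The wiki material quoted in the question makes one security-relevant demand: discover the OAuth endpoints from the root services document instead of hard-coding them. The following added example (not code from the question, the wiki or IBM) shows that discovery in Python: it parses a constructed root services document (the host name elm.example.test is made up), looks up the three jfs keys named above, refuses any endpoint that is missing or not served over https, and builds the three POST requests with exactly the parameters the question lists. The requests are built but not sent so the block runs offline. It sends only the parameters shown in the question; a real OAuth 1.0a exchange also carries the signature parameters that the question's footnotes [1] to [4] refer to but which are not reproduced on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
JFS_NS = "http://jazz.net/xmlns/prod/jazz/jfs/1.0/"

# The three root services keys from the question, keyed by the flow step that uses them.
OAUTH_KEYS = {
    "request_token": JFS_NS + "oauthRequestTokenUrl",
    "authorize": JFS_NS + "oauthUserAuthorizationUrl",
    "access_token": JFS_NS + "oauthAccessTokenUrl",
}

# Constructed sample root services document (assumption: the endpoint URLs are
# published as rdf:resource attributes, as Jazz does; the host is invented).
SAMPLE_ROOTSERVICES = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:jfs="{JFS_NS}">
  <rdf:Description rdf:about="https://elm.example.test:9443/jazz/rootservices">
    <jfs:oauthRequestTokenUrl rdf:resource="https://elm.example.test:9443/jazz/oauth-request-token"/>
    <jfs:oauthUserAuthorizationUrl rdf:resource="https://elm.example.test:9443/jazz/oauth-authorize"/>
    <jfs:oauthAccessTokenUrl rdf:resource="https://elm.example.test:9443/jazz/oauth-access-token"/>
  </rdf:Description>
</rdf:RDF>
"""


def _clark(key: str) -> str:
    """Turn a root services key URI into ElementTree's {namespace}local form."""
    return "{" + JFS_NS + "}" + key[len(JFS_NS):]


def discover_oauth_urls(rootservices_xml: str) -> dict:
    """Read the OAuth endpoint URLs out of a root services document.

    Every key must be present and every URL must use https; a missing or
    plain-http endpoint aborts discovery instead of being used silently.
    """
    root = ET.fromstring(rootservices_xml)
    urls = {}
    for step, key in OAUTH_KEYS.items():
        elem = root.find(".//" + _clark(key))
        if elem is None:
            raise ValueError(f"root services document lacks {key}")
        # rdf:resource attribute first, element text as a fallback.
        url = elem.get("{" + RDF_NS + "}resource") or (elem.text or "").strip()
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not an https URL: {url!r}")
        urls[step] = url
    return urls


def _post(url: str, params: dict) -> Request:
    """A form-encoded POST, built but not sent."""
    body = urlencode(params).encode("ascii")
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def request_token_request(urls: dict, consumer_key: str) -> Request:
    """Step 1 of the question: POST oauth_consumer_key to the request-token URL."""
    return _post(urls["request_token"], {"oauth_consumer_key": consumer_key})


def authorize_request(urls: dict, request_token: str) -> Request:
    """Step 2: POST oauth_token and authorize=True to the authorization URL."""
    return _post(urls["authorize"], {"oauth_token": request_token, "authorize": "True"})


def access_token_request(urls: dict, consumer_key: str, request_token: str) -> Request:
    """Step 3: exchange the authorized request token at the access-token URL."""
    return _post(urls["access_token"],
                 {"oauth_consumer_key": consumer_key, "oauth_token": request_token})


if __name__ == "__main__":
    discovered = discover_oauth_urls(SAMPLE_ROOTSERVICES)
    for step, url in discovered.items():
        print(step, "->", url)
    print(request_token_request(discovered, "batch-consumer").data)
```

In a real job the root services XML would come from an https GET of the server's /rootservices resource; parsing it with the same function keeps the endpoint URLs tied to the deployment rather than to the job script.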
3 answers

In the case of SAML and a native client, you're almost certainly going to have to use application passwords or application tokens. You need to enable this in the JAS and then log in as a real user to generate them.
Once you do that, you can then use the user name and the application password (you'll need to add header info to tell ELM that your client knows how to do the application password flow) to log your client in.
I found it a lot easier to use the application token, which you send as a Bearer token.
See:
https://www.ibm.com/docs/en/engineering-lifecycle-management-suite/lifecycle-management/7.0.3?topic=installation-application-passwords-native-client-authentication-openid-connect

Thank you for the quick and detailed response. We were able to generate an application password by using the (oidc/endpoint/jazzop/personalTokenManagement) URL. Which user ID should we use to make API calls for our batch jobs? It failed with my ID with the newly generated passwords.
How can we generate bearer tokens? Could you please share the docs?

https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication explains how that is supposed to work. https://rsjazz.wordpress.com/2021/10/15/elm-authentication/ tries to be a bit more approachable.
Comments

Unfortunately neither of these links explains how, but they do cover the basics that you need. This page covers how to use application passwords and tokens:
For application password connections, you need to send extra information in your headers, and you need to supply the username under which you generated the application password when you authenticate.
For application tokens, you generate the token in the same place as the application password, and you then pass it as a Bearer token in the Authentication header, which is described in the links above. That's the quickest way to get connected.
Note that the first time you use either an application password or token it will be locked to the application you access and can't be used for any other (i.e. if you first use it with EWM via a call to /ccm, that password can't then be used to access DNG via /rm).
1 vote
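The first answer and the comment above describe two ways a batch job can authenticate without a browser (an application token sent as a Bearer token, or username plus application password with extra headers) and one failure mode (a credential is locked to the first application it is used against). The following added example, which is not code from any of the posters, IBM or the jazz.net wiki, is a small Python client that builds requests for either credential type, reads the secret from the environment rather than the job script, redacts it for logging, and enforces the lock client-side so a job targeting a second context root fails fast with a clear message instead of a puzzling 401. Assumptions: the server name is invented, username and application password are sent as HTTP Basic credentials, and the extra header ELM expects for the application password flow is not named on this page, so APP_PASSWORD_EXTRA_HEADERS is left empty for you to fill from the IBM documentation linked in the first answer. The client-side lock mirrors the behaviour the comment describes; it does not change what the server does.

```python
import base64
import os
from urllib.request import Request

# The first answer says ELM needs extra header information for the application
# password flow but this page does not name the header. Assumption: fill this
# dictionary from the IBM documentation linked in that answer.
APP_PASSWORD_EXTRA_HEADERS: dict = {}


class CredentialLockedError(RuntimeError):
    """The credential was already used with a different ELM application."""


def context_root(path: str) -> str:
    """First path segment, e.g. '/ccm/oslc/workitems/1' -> 'ccm'."""
    first = path.lstrip("/").split("/", 1)[0]
    if not first:
        raise ValueError("path must start with an application context root such as /ccm")
    return first


class ElmBatchClient:
    def __init__(self, base_url: str, *, app_token: str = None,
                 username: str = None, app_password: str = None):
        if not base_url.startswith("https://"):
            raise ValueError("ELM must be reached over https")
        if app_token and (username or app_password):
            raise ValueError("use either an application token or username + application password")
        if not app_token and not (username and app_password):
            raise ValueError("no credential supplied")
        self._base = base_url.rstrip("/")
        self._app_token = app_token
        self._username = username
        self._app_password = app_password
        self._locked_to = None  # context root this credential was first used with

    @classmethod
    def from_env(cls, base_url: str) -> "ElmBatchClient":
        """Read the credential from the environment so it never sits in job scripts."""
        token = os.environ.get("ELM_APP_TOKEN")
        if token:
            return cls(base_url, app_token=token)
        return cls(base_url, username=os.environ.get("ELM_USER"),
                   app_password=os.environ.get("ELM_APP_PASSWORD"))

    def _auth_headers(self) -> dict:
        if self._app_token:
            # Application token: sent as a Bearer token, as the first answer recommends.
            return {"Authorization": "Bearer " + self._app_token}
        # Application password: assumption that it travels as HTTP Basic credentials
        # under the user name the password was generated for.
        raw = f"{self._username}:{self._app_password}".encode("utf-8")
        headers = {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
        headers.update(APP_PASSWORD_EXTRA_HEADERS)
        return headers

    def request(self, path: str, method: str = "GET",
                accept: str = "application/json") -> Request:
        """Build (not send) a request, refusing to cross to a second application."""
        app = context_root(path)
        if self._locked_to is None:
            self._locked_to = app
        elif app != self._locked_to:
            raise CredentialLockedError(
                f"credential was first used with /{self._locked_to}; ELM will not "
                f"accept it for /{app}, generate a separate credential for that application")
        headers = {"Accept": accept, "OSLC-Core-Version": "2.0", **self._auth_headers()}
        return Request(self._base + "/" + path.lstrip("/"), method=method, headers=headers)

    def redacted_credential(self) -> str:
        """Last four characters only, safe to put in a job log."""
        secret = self._app_token or self._app_password
        return "****" + secret[-4:]


if __name__ == "__main__":
    client = ElmBatchClient("https://elm.example.test:9443", app_token="abc123TOKEN")
    req = client.request("/ccm/oslc/workitems/1")
    print(req.get_method(), req.full_url, "using", client.redacted_credential())
```

Generate one application token or password per target application (one for /ccm, another for /rm) and give each batch job only the one it needs; the lock check then documents that choice in code rather than leaving it to be rediscovered from a failed login.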