Accessing ELM's REST/OSLC APIs when SSO is enabled using SAML.
Hi,
2 answers
I would carefully follow https://rsjazz.wordpress.com/2021/10/15/elm-authentication/. For topics not covered, use a Google search of your question with site:jazz.net.
So you're using JAS with SAML? It's definitely possible to get application passwords to work - see this for an overview: https://jazz.net/wiki/bin/view/Main/ApplicationPasswordsForNativeClients and this for the detailed steps to authenticate: https://jazz.net/wiki/bin/view/Main/ApplicationPasswordsAdoption, in the section "Revised flow using application password".
-
If it is determined that the response is either a SAML challenge, an OIDC redirect, or a Kerberos challenge, the client forms an Authorization: Basic header with username and password credentials encoded as per Basic, but the password must be an application password that was obtained from the JAS by the user. The client sends a GET request with the Authorization header to the URI returned by the X-JSA-APP-PASSWORD-REDIRECT header (which it remembered from step 2).
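The flow quoted above (spot the SSO challenge, remember the X-JSA-APP-PASSWORD-REDIRECT header, GET that URI with Basic user:application-password, keep the session cookie, retry the original request) as an added example. This is not code from the answer, from the jazz.net wiki, or from IBM; it is a minimal client with an injectable HTTP transport so it can be run offline against a constructed fake JAS. The challenge heuristics in is_sso_challenge, the login URI, the cookie name and the user/password values are all assumptions or made-up test data. It also honours the point raised in the comments below: the user id is sent exactly as given, because application passwords compare it case-sensitively against the LDAP id.

```python
# Added example (not from the jazz.net answer or IBM/ELM code): client side of the
# JAS application-password flow, with a constructed fake JAS for offline exercise.
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

APP_PW_REDIRECT = "X-JSA-APP-PASSWORD-REDIRECT"   # header named in the wiki text above


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""
    cookies: Dict[str, str] = field(default_factory=dict)   # Set-Cookie values, simplified


# transport(method, url, request_headers, cookies) -> Response. It must NOT auto-follow
# redirects, otherwise an OIDC 302 would be swallowed before we can recognise it.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Response]


def header(r: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in r.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def is_sso_challenge(r: Response) -> bool:
    """Recognise the three challenge shapes the wiki text lists. The exact tests are
    assumptions about what Kerberos, OIDC and SAML challenges from JAS look like."""
    www = (header(r, "WWW-Authenticate") or "").lower()
    if r.status == 401 and www.startswith("negotiate"):
        return True                                    # Kerberos/SPNEGO challenge
    if r.status in (302, 303) and "/oidc/" in (header(r, "Location") or ""):
        return True                                    # OIDC redirect to the provider
    if r.status == 200 and "SAMLRequest" in r.body:
        return True                                    # SAML auto-post form in HTML
    return False


def basic_auth(user: str, app_password: str) -> str:
    # The user id must be spelled exactly as in LDAP: application passwords compare it
    # case-sensitively (see the comments on this page), so never lower-case it here.
    raw = f"{user}:{app_password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_with_app_password(transport, url, user, app_password, cookies=None):
    """GET url; on an SSO challenge, log in with the application password and retry once.
    Returns (response, cookies) so the caller can reuse the session for later requests."""
    cookies = dict(cookies or {})
    accept = {"Accept": "application/json", "OSLC-Core-Version": "2.0"}
    r = transport("GET", url, accept, cookies)
    if not is_sso_challenge(r):
        return r, cookies                              # already authenticated

    login_uri = header(r, APP_PW_REDIRECT)             # remembered from the challenge (step 2)
    if not login_uri:
        raise RuntimeError("SSO challenge without %s header: are application passwords "
                           "enabled on JAS?" % APP_PW_REDIRECT)

    auth = transport("GET", login_uri, {"Authorization": basic_auth(user, app_password)}, cookies)
    if auth.status not in (200, 302):
        raise PermissionError("application password rejected (HTTP %d): check the user id "
                              "case and that the password is not tied to another app" % auth.status)
    cookies.update(auth.cookies)                       # session cookie (LtpaToken2 in Liberty)

    r = transport("GET", url, accept, cookies)
    if is_sso_challenge(r):
        raise RuntimeError("still challenged after application-password login")
    return r, cookies


def make_fake_jas(ldap_user="FrEd", app_password="x7pq-42kd-9mzz"):
    """Constructed stand-in for an ELM app behind JAS+SAML; URLs, user id, password and
    cookie value are made up. It models only the flow above: a SAML form challenge that
    carries the app-password redirect header, an exact-case Basic check at that URI, and
    cookie-based access afterwards."""
    login_uri = "https://jas.example.com/jsa/app-password-login"   # hypothetical URI
    session = "ltpa-token-for-" + ldap_user

    def transport(method, url, headers, cookies):
        if url == login_uri:
            if headers.get("Authorization") != basic_auth(ldap_user, app_password):
                return Response(401, {"WWW-Authenticate": 'Basic realm="JAS"'})
            return Response(200, {}, "", cookies={"LtpaToken2": session})
        if cookies.get("LtpaToken2") == session:
            return Response(200, {"Content-Type": "application/json"},
                            '{"dcterms:title": "Requirement 42"}')
        return Response(200, {"Content-Type": "text/html", APP_PW_REDIRECT: login_uri},
                        '<form action="https://idp.example.com/sso"><input name="SAMLRequest"></form>')

    return transport


if __name__ == "__main__":
    jas = make_fake_jas()
    resp, jar = fetch_with_app_password(jas, "https://elm.example.com/rm/resources/_abc",
                                        "FrEd", "x7pq-42kd-9mzz")
    print(resp.status, resp.body, "LtpaToken2" in jar)
```

Against a real server, replace make_fake_jas with a transport built on your HTTP library with redirect-following switched off (for example requests with allow_redirects=False), and keep the returned cookie jar for all later OSLC calls so the application password is only presented once per session.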
Comments
Above is for JAS+SAML without MFA - MFA is a completely different ballgame which I haven't tried playing :-o
Also note that application passwords, once they've been used with one app, are tied to that app and can't be used to authenticate with a different app. This is how application passwords work in Liberty, and ELM just uses the Liberty feature as it works.
And another point is that when using an application password the user id has to be in the same case as the LDAP user id. JTS/JAS can be configured for case-insensitive user ids, so fred would match Fred, but that isn't the case (haha) for application passwords: if the real user id is FrEd then that's what you have to use for the application password to work, even though ELM login may accept fred, FRED or FREd if configured for case insensitivity. Again, this is just how application passwords work in Liberty and ELM just uses the Liberty feature as it works.