authentication, authorization and other federated assertions

I am attempting to understand the feasibility of using SAML security tokens for access management. Assuming a repository deployment on WebSphere Application Server, what are the chances that an authenticated session can be established using a SAML token? Can authorization assertions be used for dynamically granting roles in the repository? Has anyone successfully used SAML or some other SSO or federation mechanism to replace the login screen? The administration of roles? Setting other user attributes in the system?

Hi Mark,
I have no experience with SAML - but I do know you can use a single sign on across the jazz platform by using WAS and LDAP. Can that work for you?

Thanks for the reply. I think you are referring to a configuration of WAS with LDAP supplying authentication and access control? I can configure the application to use my LDAP (Active Directory, in this case) to perform authentication binds and to perform lookups for security group membership. I would like to take WAS and the Jazz server out of the business of initial authentication and access control and move those concerns to the infrastructure. Specifically, I am trying to use federated identity and authorization services across domains (TFIM and TAM) for using a third party site for hosting Rational products. I want my infrastructure to retain control of authentication and authorization without having the third party getting user IDs and passwords from end users. If I can get authentication, that will be a step forward. Reads for roles from the directory are less concerning from a security perspective and do help centralize control.
Thoughts?

I have a customer that is interested in using SAML with WAS instead of directly calling LDAP. This is for a RAM install, but I can see it could be used for other WAS-based tools like RTC. Would be nice to know if this is a supported configuration, since SAML is supported in WAS, hopefully it would be supported in rational tools. Has there been any usage or testing of SAML and any of the WAS-based products?

There is now SAML support in CLM 6.0.1. See https://jazz.net/downloads/jazz-foundation/releases/6.0.1?p=news#saml601