
Delegation and Kerberos


Dekel Cohen (14681) | asked Aug 18 '08, 8:13 a.m.
Hi,

We are developing a jazz server extension (operation advisor) that accesses a third party server (SharePoint) during WorkItem Save operation. Ideally, we would like our code (running inside Jazz server) to use the client machine credentials for SharePoint authentication.
Below is the detailed scenario (assuming Windows OS for the RTC client):
1) User logs into her Windows machine using Windows Domain user+password.
2) User executes RTC client and logs into Jazz server with jazz credentials.
3) User edits a WI and presses Save.
4) Our advisor (precondition) extension code is executed inside Jazz server and connects to SharePoint.
5) SharePoint (in its popular config - there are several options), expects the Windows Domain user+password (not jazz user+pwd).

Questions:
a) Will jazz support Kerberos Delegation?
b) Related: Will jazz support storage of SSO/Credential/Account encrypted on server? Systems such as WebSphere Portal, Lotus Notes support this kind of "sensitive data store".

Thanks,
Dekel

2 answers



Matt Lavin (2.7k2) | answered Aug 18 '08, 8:49 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
In the 2.0 timeframe, we are discussing the requirement for some form of
delegated authentication in Jazz. The idea of exploring Kerberos as a
solution to delegated authentication is a good one, and I'll look into it.

We don't have any plans to add a generic 'secure' storage system, but I
think all you need is already there. You can store whatever data you
want in the Jazz repository, and you could encrypt it before you save it
if you are concerned about its sensitivity.


Matt Lavin
Jazz Server Team


Philippe Cohen (16) | answered Aug 31 '08, 10:36 a.m.
Matt,

The secure storage is not what enterprise customers are looking for when integrating a new system such as Jazz into their enterprise environments. They will likely expect Jazz to fit into their Single Sign On (SSO) environment. By SSO environment, I mean first Windows Active Directory with Kerberos, and additionally Tivoli Access Management, CA eTrust, CAS, openSSO and others.

Consider the following use cases for the delegated authentication requirements.

1. Jazz server relying on a Single Sign-On infrastructure: RTC users working in an SSO environment won't have to input a password for the Jazz server, but will be authenticated through their corporate authentication system.

2. Jazz server delegating the identity of the RTC user to other "back-end" systems it may connect with. These back-end systems can be SharePoint, Quickr, ClearCase, ClearQuest or any enterprise system that may need to be integrated with the Jazz server.

Philippe Cohen
Mainsoft Corporation
