Single sign-on authentication in ELM

Single sign-on (SSO) authentication is a mechanism where multiple related but independent software applications are configured so that a user logs in once and gains access to all systems, without the need to re-authenticate. IBM® Engineering Lifecycle Management (ELM) supports several types of single sign-on authentication. Use the protocol that is appropriate for your deployment configuration and needs.
Note: The current release does not support a combination of Kerberos/SPNEGO SSO authentication and Jazz Security Architecture SSO authentication.

Kerberos/SPNEGO SSO authentication

Engineering Workflow Management supports Kerberos/SPNEGO authentication. The following clients can authenticate with a server that is configured for this protocol:
  • Engineering Workflow Management browser-based client
  • Engineering Workflow Management Eclipse client
  • Engineering Workflow Management .NET clients:
    • Engineering Workflow Management client for Microsoft Visual Studio IDE
    • Engineering Workflow Management Windows Explorer integration
    • Engineering Workflow Management MS-SCCI Provider
  • Engineering Workflow Management SCM command-line interface
  • Jazz build clients:
    • Jazz Build Agent
    • Jazz Build Engine for the Eclipse client
    • Jazz Build Engine for IBM i
    • Jazz Build Engine for z/OS
    • Jazz Build System Toolkit
  • Jazz repository tools command-line interface

For more information, see Configuring Kerberos/SPNEGO single sign-on authentication.

Jazz Security Architecture SSO authentication

Jazz Security Architecture SSO is an authentication protocol based on the OpenID Connect standard. It is an alternative single sign-on protocol to Kerberos/SPNEGO SSO, WebSphere Application Server with Lightweight Third-Party Authentication (LTPA) SSO. Jazz Security Architecture SSO is supported on all platforms and allows for single sign-on across applications that are installed in a mix of WebSphere Application Server.

Authentication services are provided by the Jazz™ Authorization Server, which must be installed somewhere in your network.
Restriction: Installation of the Jazz Authorization Server on IBM i and z/OS systems is not supported.
In addition, Jazz Security Architecture SSO must be enabled on the Jazz Team Server and deployed ELM applications. Authentication administration is simplified because only the Jazz Authorization Server must be configured for authentication (for example, to use an LDAP user registry); WebSphere Application Server that hosts the ELM applications is not configured for authentication. The Jazz Authorization Server validates user credentials and issues access tokens that can be shared across applications.

Also, Jazz Security Architecture SSO eliminates the requirement for paired configuration of OAuth consumer keys. All applications that are configured for Jazz Security Architecture SSO can communicate with each other without a configuration for every possible source and destination relationship.

For new installations, you enable Jazz Security Architecture SSO by selecting it as an option during the installation process. For more information, see Installing the IBM Engineering Lifecycle Management by using IBM Installation Manager.

For existing installations, you enable Jazz Security Architecture SSO by performing a migration procedure after you upgrade to the current release. For more information, see Enabling ELM applications for Jazz Security Architecture single sign-on.

WebSphere Application Server with Lightweight Third-Party Authentication (LTPA) SSO authentication

You can configure single sign-on in a distributed environment on WebSphere Application Server by using the LTPA authentication protocol. With LTPA, a user's login credentials are stored in a session cookie that is available for the current browser session only. This cookie contains the LTPA token. For more information, see Deploying WebSphere Application Server by using single sign-on authentication.

WebSphere Liberty SSO authentication

You can configure single sign-on in a distributed environment on WebSphere Liberty by using the LTPA authentication protocol. For detailed instructions, see this Deployment wiki article.


video icon Video

Jazz.net channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community

Jazz.net
Jazz.net forums
Jazz.net library

support icon Support

IBM Support Community
Deployment wiki