Configuring the Jazz Authorization Server for the SCIM feature

You can configure the Jazz™ Authorization Server to use the System for Cross-domain Identity Management (SCIM) for the WebSphere® Liberty profile. SCIM is a standard for cloud-based identity management that supports single sign-on (SSO) in browsers.

Starting in version 6.0.5, Jazz Authorization Server supports SCIM in the Liberty profile. SCIM is a RESTful protocol for identity account management operations. For more information about the SCIM feature, see Configuring SCIM for user and group member management.

Before you begin

To use SCIM, you must have Jazz Security Architecture single sign-on (SSO) enabled and you must use Lightweight Directory Access Protocol (LDAP). If you did not enable SSO when you installed IBM® Engineering Lifecycle Management applications, enable it, as described in Enabling ELM applications for Jazz Security Architecture single sign-on.

If you have not already done so, copy the files in the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory up one level to the jazzop directory, as described in Managing users on Jazz Authorization Server.

Restriction: When you configure your Jazz Authorization Server to use the System for Cross-domain Identity Management (SCIM), you cannot use the Electronic signatures features in ELM applications.

Procedure

  1. If Jazz Authorization Server is running, stop it, as described in Managing users on Jazz Authorization Server.
  2. Enable the Jazz Authorization Server to support SCIM 1.0.
    1. In an editor, open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file.
      1. Add the following code for the SCIM feature in the <featureManager> section:
        <feature>scim-1.0</feature>
      2. Save your changes and close the file.
    2. In an editor, configure these files: JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml and JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml. For instructions about configuring the files, see Configuring the Jazz Authorization Server to use an LDAP user registry and then return to this procedure for the SCIM feature.
      For the ldapUserRegistry.xml file, the following sample code shows an example of an LDAP registry on Microsoft Active Directory for SCIM:
      <ldapRegistry
          id="your_id" realm="SampleLdapADRealm"
          host="your_host_name.com" port="your_port_number" ignoreCase="true"
          baseDN="cn=users,dc=asmith,dc=test"
          bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
          bindPassword="{xor}HTYxOx9vbmo="
          ldapType="Microsoft Active Directory">
      </ldapRegistry>

      <federatedRepository>
          <primaryRealm name="FVTRegistry">
              <participatingBaseEntry name="cn=users,dc=asmith,dc=test"/>
          </primaryRealm>
      </federatedRepository>

      <administrator-role>
          <user>TestJazzAdmin1</user>
      </administrator-role>
      For the ldapUserRegistry.xml file, the following sample code shows an example of an LDAP registry on IBM Tivoli® Directory Server:
      <ldapRegistry
          id="your_id" realm="SampleLdapIDSRealm" ignoreCase="true"
          host="your_host_name" port="your_port_number"
          baseDN="o=basedn.com"
          recursiveSearch="true"
          ldapType="IBM Tivoli Directory Server">
      </ldapRegistry>

      <administrator-role>
          <user>elmadmin</user>
          <user>mtmadmin</user>
      </administrator-role>
  3. Confirm your Jazz Authorization Server configuration with LDAP by opening the following URLs.
    If you cannot see any information at these URLs, the ELM application cannot access any of your user registry information.
    1. Start the Jazz Authorization Server, as described in Managing users on Jazz Authorization Server.
    2. Open a browser window outside the Jazz Authorization Server host environment.
    3. Confirm the Jazz Authorization Server with this URL:
      https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/.well-known/openid-configuration
    4. Confirm the SCIM API for Groups with this URL:
      https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups
    5. Confirm the SCIM API for Users with this URL:
      https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users
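As an added example (not IBM's own tooling), the following lint checks the ldapUserRegistry.xml fragments from step 2 before the server is started in step 3: it rejects malformed XML such as an unquoted port value, requires the attributes the samples use, requires a bindPassword that is encoded with Liberty's securityUtility ({xor} or {aes} prefix) rather than clear text, and checks that every participatingBaseEntry matches a registry baseDN and that administrator-role names at least one user. The <server> root element and the numeric port in the constructed sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("id", "realm", "host", "port", "baseDN", "ldapType")

def lint_ldap_registry(xml_text):
    """Return a list of problems; an empty list means the registry fragment is usable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Liberty will not start on malformed XML, e.g. an unquoted port value.
        return ["XML is not well-formed: %s" % exc]
    problems, base_dns = [], set()
    for reg in root.iter("ldapRegistry"):
        rid = reg.get("id", "?")
        for attr in REQUIRED_ATTRS:
            if not reg.get(attr):
                problems.append("ldapRegistry %s: missing %s" % (rid, attr))
        if reg.get("port") and not reg.get("port").isdigit():
            problems.append("ldapRegistry %s: port must be numeric" % rid)
        # A bindDN needs a bindPassword in securityUtility-encoded form ({xor}/{aes}).
        if reg.get("bindDN") and not re.match(r"\{(xor|aes)\}", reg.get("bindPassword", "")):
            problems.append("ldapRegistry %s: bindPassword missing or not encoded" % rid)
        if reg.get("baseDN"):
            base_dns.add(reg.get("baseDN").lower())
    # Each participating base entry of the federated realm must belong to a registry.
    for entry in root.iter("participatingBaseEntry"):
        if entry.get("name", "").lower() not in base_dns:
            problems.append("participatingBaseEntry %s matches no ldapRegistry baseDN" % entry.get("name"))
    # Without an administrator-role user nobody can administer the server.
    if not [u for role in root.iter("administrator-role") for u in role.iter("user")]:
        problems.append("administrator-role names no user")
    return problems

# Constructed sample: the Active Directory fragment from this page, wrapped in a
# <server> root (assumed file layout) and with a numeric port filled in.
SAMPLE_AD = """<server>
  <ldapRegistry id="your_id" realm="SampleLdapADRealm"
      host="your_host_name.com" port="636" ignoreCase="true"
      baseDN="cn=users,dc=asmith,dc=test"
      bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
      bindPassword="{xor}HTYxOx9vbmo=" ldapType="Microsoft Active Directory">
  </ldapRegistry>
  <federatedRepository><primaryRealm name="FVTRegistry">
    <participatingBaseEntry name="cn=users,dc=asmith,dc=test"/>
  </primaryRealm></federatedRepository>
  <administrator-role><user>TestJazzAdmin1</user></administrator-role>
</server>"""
```

Run lint_ldap_registry(open(path).read()) against your own file; an empty result means none of the checks above fired.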

What to do next

  1. With the SCIM feature enabled and the Jazz Authorization Server started, configure the SCIM feature for the Jazz Team Server, as described in step 9 of Running the setup by using Custom setup in the setup wizard.
    Notes:
    • Jazz Security Architecture SSO must be enabled before you can configure the SCIM feature on Jazz Team Server. If you did not enable SSO when you installed ELM, enable it, as described in Enabling ELM applications for Jazz Security Architecture single sign-on.
    • Jazz Team Server must be running.
    • Pop-up windows must be enabled so that you can log in to the Jazz Authorization Server.
  2. With the Jazz Team Server configured for the SCIM feature, synchronize the Jazz Team Server with the external user registry and import users, as described in Importing users from an external user registry.
