EditAttachPrintable
r4 - 2016-09-29 - 11:13:20 - Main.sbeardYou are here: TWiki >  Deployment Web > DeploymentInstallingUpgradingAndMigrating > JazzAuthorizationServer > AboutJazzAuthorizationServer

new.png Jazz Security Architecture and Jazz Authorization Server

Authors: ShubjitNaik
Build basis: Jazz Authorization Server 6.x, WebSphere Liberty 8.5.x


Starting with the CLM 6.0 software release, Jazz Security Architecture (JSA) SSO is available as an authentication option. Based on OpenID Connect, the authentication is not performed by the container hosting Jazz applications, but instead is delegated to a separate Jazz Authorization Server (JAS), which performs the role of an OpenID Connect provider (OP). JAS also provides Single Sign On feature to the applications that are configured with it.

Information related to Jazz Security Architecture is extracted from our jazz.net article Jazz Server Authentication Explained

About OIDC, JSA and JAS

The OpenID Connect (OIDC) authentication protocol was established in early 2015 as an extension of the OAuth 2.0 protocol, designed to be easier to adopt across a wide range of clients (native applications, browsers, browser-based applications, and mobile devices). It is extensible and configurable (with optional features). OpenID Connect is a simple identity protocol and open standard that is built on top of the OAuth 2.0 protocol that enables client applications to rely on authentication that is performed by an OpenID Connect Provider to verify the identity of a user. OpenID is a protocol for authentication while OAuth is for authorization. (Authentication is about making sure that the guy you are talking to is indeed who he claims to be. Authorization is about deciding what that guy should be allowed to do)

For additional information on OIDC and the authentication flow visits our Infocenter page.

Jazz Security Architecture is a particular profile of OIDC, specifying which optional features are included, and a few extensions. Authentication is handled by a separate OpenID provider (OP, in our case it would be our Jazz Authorization Server); Jazz applications delegate to that provider instead of relying on the application server to handle authentication. Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates users, it must be configured with a user registry.

When a user logs into a Jazz application, JAS (OP) generates a token for the user (known as a bearer token) that can then be used to authenticate with any application that is configured with the same OP. Therefore, Jazz Security Architecture provides a single sign-on experience that is independent of the type of application container, unlike Kerberos, WebSphere, and Tomcat single sign-on mechanisms. Single sign-on is supported across all applications that are configured to use the same JAS.

Configuring Jazz applications for Jazz Security Architecture SSO is either done at install time, for new installations, or done as a migration procedure, for existing installations that are using some other form of authentication.

Application To Application Authentication

In addition to authenticating end users that access Jazz applications, applications also authenticate requests sent by other applications. In particular, applications that participate in Open Services Lifecycle Collaboration use linked data to share and connect resources across application development domains. There are two forms of application-to-application authentication implemented by Jazz applications, OAuth 1.0a and OpenID Connect.

Up until the 6.0 software release, OAuth 1.0a was the only type of inter-application authentication supported. It requires pair-wise relationships between communicating applications - applications that are registered as "friends" of each other can send requests to each other that will be authenticated using OAuth 1.0a. For bi-directional communications, each application must be a friend of each other. The friending application is allocated a key and secret which it uses to authenticate with the friend application.

When applications are configured with Jazz Security Architecture SSO enabled, they can use OpenID Connect to authenticate with each other. In that case, no pair-wise relationships are needed between applications for authentication purposes; no "keys" or "secrets" are held by applications in order to authenticate with each other. Instead, when a user authenticates with an application that has Jazz Security Architecture SSO enabled, that user is automatically authenticated with all other applications that are registered with the same Jazz Authorization Server as the first application. Therefore, applications can invoke services in other applications on behalf of the user without requiring additional logins.

Advantages Of Using JAS

Jazz Security Architecture is one of our new Authentication and Single Sign-On (SSO) solution for Jazz Application starting CLM 6.x. JSA eliminates the requirement for paired configuration of OAuth consumer keys. All applications that are configured for Jazz Security Architecture SSO can communicate with each other without a configuration for every possible source and destination relationship.

SSO

  • Allows for SSO across Jazz applications that are installed in a mix of WebSphere Application Server and Apache Tomcat servers
  • Allows for SSO on a distributed deployment of CLM on Apache Tomcat Servers. Apache Tomcat supports single sign-on authentication only when all applications are installed on the same server, with the introduction of JAS, we can now have a distributed deployment using Apache Tomcat
  • Allows for SSO across Jazz deployments setup using WebSphere Application Server across Multiple Domains

Reduced Maintenance

  • JAS would be the only server to be configured for Authentication, LDAP and Group Mappings (For Synchronizing/importing users, JTS would need to be configured with LDAP as well)
    • On a distributed setup without JAS, each application server (profile) hosting Jazz applications need to configured with LDAP and Group Mappings need to be setup
  • Changes to Group Mappings need a restart of only JAS, reducing the maintenance time of restarting each Application server hosting Jazz applications

Authentication and SSO via SAML Identity Providers

  • SSO across different vendor applications along with JAzz applications connected to a single SAML IDPs for Authentication
  • Possibility to Leverage Multi-Factor Authentication and additional security via SAML IDPs
  • Limitations
    • Works only for Web Clients, Eclipse/VS clients for Rational Team Concert bypass and authenticate via traditional LDAP authentication
    • RDNG – Browser Add-On not supported

SAML

Starting in the CLM version 6.0.1, Jazz Authorization Server supports Security Assertion Markup Language (SAML) web browser SSO in the Liberty profile. SAML is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request.

For additional information on SAML and WebSphere Liberty visit our Infocenter Page

Related topics: Jazz Server Authentication Explained

Additional contributors: TWikiUser

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r11 | r6 < r5 < r4 < r3 | More topic actions...
 
This site is powered by the TWiki collaboration platformCopyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.