r23 - 2019-12-09 - 10:29:00 - ShubjitNaikYou are here: TWiki >  Deployment Web > DeploymentInstallingUpgradingAndMigrating > JazzAuthorizationServer > JASAndSCIM

Configure Jazz Authorization Server for SCIM new.png

Author: ShubjitNaik
Build basis: JAS and CLM version 6.0.6.1 and higher

Jazz Authorization Server (JAS) can be configured to use the System for Cross-domain Identity Management (SCIM) for the WebSphere Liberty profile. SCIM is a standard for cloud-based identity management for single sign-on (SSO) in browsers. It is a RESTful protocol for identity account management operations.
This article will focus on the configuration steps to setup CLM / ELM with JAS for SCIM.

Important Notes and Pre-requisites

  • It is recommended to upgrade to CLM and JAS Version 6.0.6.1 (with the latest iFix) or higher to configure SCIM with JAS
  • To configure SCIM you must use Lightweight Directory Access Protocol (LDAP) for User registries
  • The screenshots on the SCIM configurations in CLM / ELM are from version 6.0.6.1. In earlier versions there are additional options in SCIM configuration

Installation

CLM

  • To deploy JAS to an existing environment and migrate to JAS, visit this Section on our Infocenter
  • For a new deployment of CLM, Install the applications via IBM Installation Manager and Select the option "Enable Jazz Security Architecture SSO" during the installation

    Enable_JAS_SSO.jpg

JAS

  • Download Jazz Authorization Server install bit from jazz.net, under All Downloads Section for the specific version

    JAS_Download.jpg

  • Install Jazz Authorization Server application via Installation Manager, instructions available on our Infocenter

    JAS_Install.jpg

Setup and Configure JAS for SCIM with LDAP Registry

Configuration files

  • Copy the files from [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults folder one level up to [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/
  • Files we would modify are server.xml, appConfig.xml and ldapUserRegistry.xml
  • appConfig.xml - Contains Jazz Group/Role mappings and UserRegistry file information
  • ldapUserRegistry.xml - Configuring Liberty with an LDAP user registry

Enable SCIM

  • First Enable the Jazz Authorization Server to support SCIM
  • Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/server.xml and include the following in the list of features
  • <feature>scim-1.0</feature> 

Configure JAS with LDAP registry

  • To configure SCIM you must use Lightweight Directory Access Protocol (LDAP)
  • By default the bundled Liberty profile is configure with File based user registry and we need to configure it to point to the LDAP server to get information
  • To do that, edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/appConfig.xml file and towards the end of the file change the following
     <include location="localUserRegistry.xml" optional="true"/>
        <!--include location="ldapUserRegistry.xml" optional="true"/-->
    TO
     <!--include location="localUserRegistry.xml" optional="true"/-->
        <include location="ldapUserRegistry.xml" optional="true"/>

  • To Configure the LDAP User Registry, guidance from LDAP administrators / Network admins may be necessary to complete the configuration Typical information needed from your LDAP Admin
    • LDAP Server Name and Port (LDAP Server hostname and Port)
    • The Base DN (LDAP Root Tree where Users/Groups can be queried from_)
    • bindDN and bindPassword (User ID and password for the user who can query the LDAP directory)
    • Group and User filter (inetOrgPerson, groupOfNames etc)
    • User ID and Group ID mappings (sAMAccountName, cn etc)

  • Example configuration for different LDAPs information is available in our Infocenter
  • We have included a few examples from different LDAP environments (MS Active Directory, Tivoli and ApacheDS) in this article to help guide the configuration
  • We have also included SCIM related configurations in ldapUserRegistry.xml

  • Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml and modify to match your environment, examples below

Microsoft Active Directory

  • <server>
    
        <ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com" 
            bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********" 
            host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389" realm="ldapserver:389"
            recursiveSearch="true" referal="follow" sslEnabled="false">  
            
            <activedFilters
                            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                            userIdMap="user:sAMAccountName"
                            groupIdMap="*:cn"
                            groupMemberIdMap="memberOf:member" >
                    </activedFilters>
    
            <attributeConfiguration>
                 <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
                 <!-- propertyName is the scim property, name is the ldap property-->
            </attributeConfiguration>
    
        </ldapRegistry>
    
           <federatedRepository>
                    <primaryRealm name="FVTRegistry">
                            <participatingBaseEntry name="CN=Users,DC=test,DC=com"/>
                    </primaryRealm>
            </federatedRepository>
    
            <administrator-role>
               <user>clmadmin</user>
               <group>MyJazzAdmins</group>
            </administrator-role>
    
       </server>

  • Users or Groups listed under <administrator-role> tag are SCIM Administrators
  • The configuration under < attributeConfiguration > is mandatory as the displayName SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to as per your organization's requirement.

IBM Tivoli Directory Server

  •  <server>
        <ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com" 
         bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="********"
         host="ldapserver" id="ldapserver:389" ignoreCase="true"  port="389"
         realm="ldapserver:389" recursiveSearch="true" searchTimeout="10m" sslEnabled="false">
         
       <idsFilters 
             groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
             groupIdMap="*:cn"
             groupMemberIdMap="groupOfUniqueNames:uniquemember"
             userFilter="(&amp;(uid=%v)(objectclass=person))"
             userIdMap="*:uid">
        </idsFilters>
    
        <attributeConfiguration>
                 <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
                 <!-- propertyName is the scim property, name is the ldap property-->
         </attributeConfiguration>
    
        <ldapEntityType name="PersonAccount">
                    <searchBase>c=in,ou=Users,o=test.com</searchBase>
         </ldapEntityType>
                <ldapEntityType name="Group">
                    <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
          </ldapEntityType>
    
        </ldapRegistry>
    
          <administrator-role>
                     <user>myscimadmin</user>
          </administrator-role>
        </server> 

  • Users or Groups listed under <administrator-role> tag are SCIM Administrators
  • The configuration under < attributeConfiguration > is mandatory as the displayName SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to as per your organization's requirement
  • < ldapEntityType > tag is not mandatory, but can be used to limit the User and group query scope

Apache DS

  • <server>
            <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="ldapserver" 
                   id="ldapserver:10389" ignoreCase="true" port="10389" 
                   realm="ldapserver:10389" recursiveSearch="true" referal="follow" 
                   sslEnabled="false" timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
                  
                 <customFilters
                        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
                        groupIdMap="*:cn" 
                        groupMemberIdMap="groupOfUniqueNames:uniquemember"
                        userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
                        userIdMap="*:uid" >
                  </customFilters>
    
                  <attributeConfiguration>
                       <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
                       <!-- propertyName is the scim property, name is the ldap property-->
                  </attributeConfiguration>
    
           </ldapRegistry>
    
            <administrator-role>
                    <user>myscimdmin</user>
            </administrator-role>
    
    </server> 

  • The configuration under < attributeConfiguration > is mandatory as the displayName SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to as per your organization's requirement
  • Users or Groups listed under <administrator-role> tag are SCIM Administrators
  • There are instances during JTS Setup , the SCIM configuration test would report a Timestamp mismatch error. Including the < timestampFormat > attribute as shown above resolves the error.

Search results limit Large User User Registry

  • Default Search results limit for Users and Groups is set to 4000 for SCIM. To increase it to example 100k users, add the following within the ldapRegistry.xml within the < server > pair
  • <federatedRepository maxSearchResults="100000" /> 

Encrypt Passwords

  • To encrypt passwords entered in "bindPassword", run the script [JazzAuthServer_Install_Dir]/wlp/bin/securityUtility
  • After the script completes, copy the output to the bindPassword attribute for the ldapRegistry section
  • To run the securityUtility script, use the following syntax:
  • $ securityUtility encode userPassword 
    where userPassword is the password to encode

Group Mappings

  • Groups to Jazz Roles mappings are picked from JTS configuration when JAS is configured with LDAP/SCIM. When running JTS/Setup select the User registry type as SCIM and enter the Group mappings under the property Jazz Groups to Registry Group Mapping (The steps are included later in this article)

  • Map Groups and Users who would Administrate JAS
    <oauth-roles>
            <authenticated>
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </authenticated>
            <clientManager>
                <group name="MYJAZZADMINS" />
                <user name = "myscimadmin" />
            </clientManager>
        </oauth-roles> 

Configure Database for JAS

When you first install JAS, it comes configured to use a local Derby database for storing information. It is not recommended to use Derby database for a production environment and note that Derby database won't work in a clustered JAS environment, since that information won't be available to all the instances.

The basic steps to configure the database are:

  • Create database tables on a database server which all JAS instances can access
  • Update the JAS configuration file (appConfig.xml) to use the database server

The following links provide information for Oracle, MSSQL and DB2 database servers and sample SQL scripts are available that can create the necessary tables. But note that you will need to customize these scripts for your own environment.

Test SCIM


Jazz Team Server (JTS) Setup with JAS and SCIM

  • For a new deployment, CLM installation should be enabled for Jazz Security Architecture SSO
  • Ensure pop-up blocker is disabled on the browser, or Pop-ups are allowed for CLM and JAS URLs
  • Accessing the JTS setup page https://jtsserver:port/jts/setup , would not prompt for a Username / Password
  • Express setup would be disabled for a CLM instance enabled for Jazz Security Architecture SSO
    JTS_Setup.png

  • Run through JTS setup following the prompts until you reach "Register Applications" Page
  • Enter the Jazz Authorization Server details. The URL you enter should be accessible by all and is as important as the Jazz Public URI

    JAS_Server.png

  • DONOT register applications at this stage, Click Next to proceed to the next step. We will return to register applications once the User registry is configured

  • In the Next step (Step 6), "Select a type of User Registry", select SCIM

    SCIM_Config.png

  • Enter the SCIM Provider URL and Bind User Information
    SCIM_Registry_6061.png

  • Click Test Connection, Save and Next, A Login window would be displayed, Login as a user with JazzAdmin role assigned
  • Assign a License for the User
  • Go back to Register Applications page (Step 5) and register all the applications
  • Complete the setup

Configure SCIM Property To UserID Mapping

By default the CLM login Id is configured to Ldap UserId attribute, example sAMAccountName or uid. If you wish to change the the CLM Login value to another LDAP attribute here are the steps.

  • If you have configured the userIdMap value in ldapUserRegistroy.xml file to different LDAP attribute , then change the SCIM configuration property in JTS Admin page
  • Navigate to https:/jtsserver:port/jts/admin page and Click Server > Advanced Properties and search for the property SCIM Property to User ID mapping SCIM_UserId_Map.png

  • Change the value as per the details in this table. Also change “User Name” that is used to login LDAP registry.

  • mobile phoneNumbers/type=mobile LDAP User Mobile
    Ldap UserId Attribute SCIM Property to UserId Mapping User Name
    sAMAccountName, uid userName (default value) LDAP User Uid
    mail emails LDAP User Email
    mail emails/type=work LDAP User Email 2

SCIM Property to User ID Mapping attribute Parameters

  • SCIM provider displays user information in following format
     
        {"emails":[{"value":"shubjitnaik@testmail.com", "where":"work"},{"value":"shubjit1@homemail.com", "where":"home"}], 
        "location":"https:\/\/jasserver:9643\/ibm\/api\/scim\/Users\/uid=shubjit,ou=Users,dc=ldap,dc=com",
        "displayName":"Shubjit Naik","schemas":["urn:scim:schemas:core:1.0"],"id":"uid=shubjit,ou=Users,dc=ldap,dc=com",
        "name":{"formatted":"Shubjit Naik","givenName":"Shubjit","familyName":"Naik"},"userName":"shubjit"} 

  • To retrieve this information access the URL format below
    https://[JAS_SERVER]:[JAS_PORT]/ibm/api/scim/Users/uid=shubjit,ou=Users,dc=ldap,dc=com
  • By default, the userName attribute value is used as CLM login Id, in this case it is shubjit
  • In the above example if you wish to use email to Login to clm, changing the value of "SCIM Property to User ID mapping" to emails would not work as there are multiple email addresses associated with the user and it would result in an error
  • The format to be used here is emails/where=work which will extract shubjitnaik@testmail.com as the value to Login to CLM

Enable an Existing CLM setup for Jazz Security Architecture

  • Complete the Jazz Authorization Server SCIM Setup, Configuration and testing as per instructions within this article
  • Enable CLM applications for Jazz Security Architecture single sign-on following the instructions on our InfoCenter
  • Access the JTS Setup URL and click next until you reach step 6
  • "Select a type of User Registry", select SCIM and follow instructions similar to a new JTS setup
  • Click Test Connection and Next to save the Configuration

Importing Users

  • By default User Synchronization operation by default picks UserID=sAMAccountName for Microsoft AD and UserId=uid for IBM Tivoli Directory Server and ApacheDS.
  • If you wish to change the User ID mapping, follow the instructions under "Configure SCIM Property To UserID Mapping" in this article
  • Test by importing a user manually
  • Click on Users > Active Users > Import Users
  • Enter a search term, click on the User and Import the user
  • In the Active User Page, click on the newly imported user and confirm the UserId maps to what you intended to configure
  • If the verification is complete, you can then "Synchronize the users from configured groups to CLM

Related topics: Jazz Authorization Server, Deployment web home

External links:

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r23 < r22 < r21 < r20 < r19 | More topic actions
 
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Ideas, requests, problems regarding the Deployment wiki? Create a new task in the RTC Deployment wiki project