Jazz Authorization Server (
JAS) can be configured to use the System for Cross-domain Identity Management (SCIM) for the WebSphere Liberty profile. SCIM is a standard for cloud-based identity management for single sign-on (SSO) in browsers. It is a RESTful protocol for identity account management operations.
This article will focus on the configuration steps to setup CLM / ELM with JAS for SCIM.
Important Notes and Pre-requisites
- It is recommended to upgrade to CLM and JAS Version 6.0.6.1 (with the latest iFix) or higher to configure SCIM with JAS
- To configure SCIM you must use Lightweight Directory Access Protocol (LDAP) for User registries
- The screenshots on the SCIM configurations in CLM / ELM are from version 6.0.6.1. In earlier versions there are additional options in SCIM configuration
Installation
CLM
- To deploy JAS to an existing environment and migrate to JAS, visit this Section on our Infocenter
- For a new deployment of CLM, Install the applications via IBM Installation Manager and Select the option "Enable Jazz Security Architecture SSO" during the installation
JAS
- Download Jazz Authorization Server install bit from jazz.net, under All Downloads Section for the specific version
- Install Jazz Authorization Server application via Installation Manager, instructions available on our Infocenter
Setup and Configure JAS for SCIM with LDAP Registry
Configuration files
- Copy the files from
[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults
folder one level up to [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/
- Files we would modify are
server.xml
, appConfig.xml
and ldapUserRegistry.xml
-
appConfig.xml
- Contains Jazz Group/Role mappings and UserRegistry file information
-
ldapUserRegistry.xml
- Configuring Liberty with an LDAP user registry
Enable SCIM
Configure JAS with LDAP registry
- To configure SCIM you must use Lightweight Directory Access Protocol (LDAP)
- By default the bundled Liberty profile is configure with File based user registry and we need to configure it to point to the LDAP server to get information
- To do that, edit
[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/appConfig.xml
file and towards the end of the file change the following <include location="localUserRegistry.xml" optional="true"/>
<!--include location="ldapUserRegistry.xml" optional="true"/-->
TO <!--include location="localUserRegistry.xml" optional="true"/-->
<include location="ldapUserRegistry.xml" optional="true"/>
- To Configure the LDAP User Registry, guidance from LDAP administrators / Network admins may be necessary to complete the configuration Typical information needed from your LDAP Admin
- LDAP Server Name and Port (LDAP Server hostname and Port)
- The Base DN (LDAP Root Tree where Users/Groups can be queried from_)
- bindDN and bindPassword (User ID and password for the user who can query the LDAP directory)
- Group and User filter (inetOrgPerson, groupOfNames etc)
- User ID and Group ID mappings (sAMAccountName, cn etc)
- Example configuration for different LDAPs information is available in our Infocenter
- We have included a few examples from different LDAP environments (MS Active Directory, Tivoli and ApacheDS) in this article to help guide the configuration
- We have also included SCIM related configurations in ldapUserRegistry.xml
- Edit
[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml
and modify to match your environment, examples below
Microsoft Active Directory
-
<server>
<ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com"
bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********"
host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389" realm="ldapserver:389"
recursiveSearch="true" referal="follow" sslEnabled="false">
<activedFilters
userFilter="(&(sAMAccountName=%v)(objectcategory=user))"
groupFilter="(&(cn=%v)(objectcategory=group))"
userIdMap="user:sAMAccountName"
groupIdMap="*:cn"
groupMemberIdMap="memberOf:member" >
</activedFilters>
<attributeConfiguration>
<attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
<!-- propertyName is the scim property, name is the ldap property-->
</attributeConfiguration>
</ldapRegistry>
<federatedRepository>
<primaryRealm name="FVTRegistry">
<participatingBaseEntry name="CN=Users,DC=test,DC=com"/>
</primaryRealm>
</federatedRepository>
<administrator-role>
<user>clmadmin</user>
<group>MyJazzAdmins</group>
</administrator-role>
</server>
- Users or Groups listed under <administrator-role> tag are SCIM administrators
- The configuration under is mandatory as the
displayName
SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn
to your organization requirement.
IBM Tivoli Directory Server
-
<server>
<ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com"
bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="********"
host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389"
realm="ldapserver:389" recursiveSearch="true" searchTimeout="10m" sslEnabled="false">
<idsFilters
groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
groupIdMap="*:cn"
groupMemberIdMap="groupOfUniqueNames:uniquemember"
userFilter="(&(uid=%v)(objectclass=person))"
userIdMap="*:uid">
</idsFilters>
<attributeConfiguration>
<attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
<!-- propertyName is the scim property, name is the ldap property-->
</attributeConfiguration>
<ldapEntityType name="PersonAccount">
<searchBase>c=in,ou=Users,o=test.com</searchBase>
</ldapEntityType>
<ldapEntityType name="Group">
<searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
</ldapEntityType>
</ldapRegistry>
<administrator-role>
<user>myscimadmin</user>
</administrator-role>
</server>
- Users or Groups listed under <administrator-role> tag are SCIM administrators
- The configuration under is mandatory as the
displayName
SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn
to your organization requirement
-
< ldapEntityType >
tag is not mandatory, but can be used to limit the User and group query scope
Apache DS
-
<server>
<ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="ldapserver"
id="ldapserver:10389" ignoreCase="true" port="10389"
realm="ldapserver:10389" recursiveSearch="true" referal="follow"
sslEnabled="false" timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
<customFilters
groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
groupIdMap="*:cn"
groupMemberIdMap="groupOfUniqueNames:uniquemember"
userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
userIdMap="*:uid" >
</customFilters>
<attributeConfiguration>
<attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
<!-- propertyName is the scim property, name is the ldap property-->
</attributeConfiguration>
</ldapRegistry>
<administrator-role>
<user>myscimdmin</user>
</administrator-role>
</server>
- The configuration under is mandatory as the
displayName
SCIM property is mapped to Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn
to your organization requirement.
- Users or Groups listed under <administrator-role> tag are SCIM administrators
- There are instances during JTS Setup , the SCIM configuration test would report a Timestamp mismatch error. Including the
attribute as shown above resolves the error.
Search results limit Large User User Registry
Encrypt Passwords
Group Mappings
- Groups to Jazz Roles mappings are picked from JTS configuration when JAS is configured with LDAP/SCIM. When running JTS/Setup select the User registry type as SCIM and enter the Group mappings under the property Jazz Groups to Registry Group Mapping (The steps are included later in this article)
Configure Database for JAS
When you first install the JAS, it comes configured to use a local Derby database for storing information. It is not recommended to use Derby database for a production environment and note that Derby database won't work in a clustered JAS environment, since that information won't be available to all the instances.
The basic steps to configure the database are:
- Create database tables on a database server which all JAS instances can access
- Update the JAS configuration file (appConfig.xml) to use the database server
The following links provide information for both Oracle and DB2, and sample SQL scripts are available that can create the necessary tables. But note that you will need to customize these scripts for your own environment.
Test SCIM
Jazz Team Server (JTS) Setup with JAS and SCIM
- For a new deployment, CLM installation should be enabled for Jazz Security Architecture SSO
- Ensure pop-up blocker is disabled on the browser, or Pop-ups are allowed for CLM and JAS URLs
- Accessing the JTS setup page https://jtsserver:port/jts/setup , would not prompt for a Username / Password
- Express setup would be disabled for a CLM instance enabled for Jazz Security Architecture SSO
- Run through JTS setup following the prompts until you reach "Register Applications" Page
- Enter the Jazz Authorization Server details. The URL you enter should be accessible by all and is as important as the Jazz Public URI
- DONOT register applications at this stage, delete the listed applications that was found and proceed to next step
- In the Next step (Step 6), "Select a type of User Registry", select SCIM
- Enter the SCIM Provider URL and Bind User Information
- Enter the Base Group DN and Group mapping information
Version 6.0.3 and below
Version 6.0.4 and above
- Click Test Connection, Save and Next, A Login window would be displayed, Login as a user with JazzAdmin role assigned
- Assign a License for the User
- Go back to Register Applications page (Step 5) and register all the applications
- Complete the setup
Enable an Existing CLM setup for Jazz Security Architecture
- Complete the Jazz Authorization Server SCIM Setup, Configuration and testing as per instructions within this article
- Enable CLM applications for Jazz Security Architecture single sign-on following the instructions on our InfoCenter
- Access the JTS Setup URL and click next until you reach step 6
- "Select a type of User Registry", select SCIM and follow instructions similar to a new JTS setup
- Click Test Connection and Next to save the Configuration
Importing Users
* Currently the User Synchronization operation by default picks
UserID=sAMAccountName for Microsoft AD and
UserId=uid for IBM Tivoli Directory Server and ApacheDS. It is recommended to
disable the Nighty Sync operation until verification is completed.
- To disable Nightly Sync, Login to JTS/admin page, Click Server > Advanced Properties and set Enable Nightly Sync with SCIM provider to false
- Test by importing a user manually
- Click on Users > Active Users > Import Users
- Enter a search term, click on the User and Import the user
- In the Active User Page, click on the newly imported user and confirm the UserId maps to what is configured in JAS
- Default is uid for Tivoli and Apache DS and sAMAccountName for Microsoft AD
- If the verification is complete, you can chose to enable the Nightly Sync or proceed with Manual Import of User
- To Manually Import users , use the repotools command and import from acsv file. Instructions are available on the IBM Knowledge Center
External links: