r22 - 2019-11-18 - 13:34:19 - ShubjitNaik
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configure Jazz Authorization Server for SCIM <img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/new.png" alt="new.png" width="50" height="50" align="right">
%DKGRAY% Author: Main.ShubjitNaik<br> Build basis: JAS and CLM version 6.0.6.1 and higher %ENDCOLOR%</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

Jazz Authorization Server (*JAS*) can be configured to use the System for Cross-domain Identity Management (SCIM) on the !WebSphere Liberty profile. SCIM is a standard for cloud-based identity management for single sign-on (SSO) in browsers; it is a RESTful protocol for identity account management operations.%BR%
This article focuses on the configuration steps to set up CLM / ELM with JAS for SCIM.

---++ Important Notes and Prerequisites
   * It is recommended to upgrade to CLM and JAS version 6.0.6.1 (with the latest iFix) or higher before configuring SCIM with JAS
   * To configure SCIM you must use Lightweight Directory Access Protocol (LDAP) for the user registry
   * The screenshots of the SCIM configuration in CLM / ELM are from version 6.0.6.1. In earlier versions there are additional options in the SCIM configuration

---++ Installation
*CLM* %BR%
   * To deploy JAS to an existing environment and migrate to JAS, see this [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_JsaSso_CLM_apps_enable.html][section]] on our Infocenter
   * For a new deployment of CLM, install the applications via IBM Installation Manager and select the option "Enable Jazz Security Architecture SSO" during the installation%BR%%BR% <img src="%ATTACHURLPATH%/Enable_JAS_SSO.jpg" alt="Enable_JAS_SSO.jpg" width="650" height="250" /> %BR%
*JAS* %BR%
   * Download the Jazz Authorization Server install bits from [[https://jazz.net/downloads/clm/releases/6.0.6.1?p=allDownloads][jazz.net]], under the All Downloads section for the specific version%BR%%BR% <img src="%ATTACHURLPATH%/JAS_Download.jpg" alt="JAS_Download.jpg" width="400" height="75" /> %BR%%BR%
   * Install the Jazz Authorization Server application via Installation Manager; instructions are available on our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_s_server_installation_im.html][Infocenter]]%BR%%BR% <img src="%ATTACHURLPATH%/JAS_Install.jpg" alt="JAS_Install.jpg" width="600" height="200" /> %BR%

---++ Setup and Configure JAS for SCIM with LDAP Registry
---+++ Configuration files
   * Copy the files from the =[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults= folder one level up to =[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/=
   * The files we will modify are =server.xml=, =appConfig.xml= and =ldapUserRegistry.xml=
      * =appConfig.xml= - contains the Jazz group/role mappings and the !UserRegistry file information
      * =ldapUserRegistry.xml= - configures Liberty with an LDAP user registry
---+++ Enable SCIM
   * First enable the Jazz Authorization Server to support SCIM
   * Edit =[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/server.xml= and include the following in the list of features
<verbatim>
<feature>scim-1.0</feature>
</verbatim>
---+++ Configure JAS with LDAP registry
   * To configure SCIM you must use Lightweight Directory Access Protocol (LDAP)
   * By default the bundled Liberty profile is configured with a file-based user registry; we need to point it to the LDAP server instead
   * To do that, edit the =[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/appConfig.xml= file and, towards the end of the file, change the following
<verbatim>
<include location="localUserRegistry.xml" optional="true"/>
<!--include location="ldapUserRegistry.xml" optional="true"/-->
</verbatim>
*TO*
<verbatim>
<!--include location="localUserRegistry.xml" optional="true"/-->
<include location="ldapUserRegistry.xml" optional="true"/>
</verbatim>
%BR%
   * To configure the LDAP user registry, guidance from your LDAP administrators / network administrators may be necessary to complete the configuration. Typical information needed from your LDAP administrator:
      * LDAP server name and port (_LDAP server hostname and port_)
      * The base DN (_LDAP root tree from which users/groups can be queried_)
      * bindDN and bindPassword (_user ID and password of the user who can query the LDAP directory_)
      * Group and user filters (_inetOrgPerson, groupOfNames, etc._)
      * User ID and group ID mappings (_sAMAccountName, cn, etc._)
   * Example configurations for different LDAP servers are available in our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html][Infocenter]]
   * We have included a few examples from different LDAP environments (MS Active Directory, Tivoli and ApacheDS) in this article to help guide the configuration
   * We have also included the SCIM related configuration in =ldapUserRegistry.xml=
   * Edit =[JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml= and modify it to match your environment; examples below
---++++ Microsoft Active Directory
<verbatim>
<server>
    <!-- The file is XML: the '&' of an LDAP AND filter must be written as '&amp;' -->
    <ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com"
        bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********"
        host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389"
        realm="ldapserver:389" recursiveSearch="true" referal="follow" sslEnabled="false">
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member" >
        </activedFilters>
        <attributeConfiguration>
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            <!-- propertyName is the scim property, name is the ldap property-->
        </attributeConfiguration>
    </ldapRegistry>
    <federatedRepository>
        <primaryRealm name="FVTRegistry">
            <participatingBaseEntry name="CN=Users,DC=test,DC=com"/>
        </primaryRealm>
    </federatedRepository>
    <administrator-role>
        <user>clmadmin</user>
        <group>MyJazzAdmins</group>
    </administrator-role>
</server>
</verbatim>
<br>
   * Users or groups listed under the =<administrator-role>= tag are SCIM administrators
   * The configuration under =< attributeConfiguration >= is mandatory, as the =displayName= SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from =cn= to another attribute, as required by your organization.
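A configuration check for the registry file, as an added example in Python (this is not JAS or Liberty code). It parses an =ldapUserRegistry.xml= of the shape shown in the Active Directory example above (the sample input below is constructed after it; the Tivoli and Apache DS examples that follow have the same shape) and reports what this article treats as required, namely the =displayName= mapping under =attributeConfiguration= and an =administrator-role= naming at least one user or group, plus two hardening points a reviewer would want flagged: a =bindPassword= that is not =securityUtility= output (it does not start with ={xor}= or ={aes}=) and =sslEnabled= not set to =true=. The function and finding texts are the example's own. Note that the sample writes the LDAP filter's =&= as =&amp;=, which XML requires; a bare =&= makes the file unparsable, and the check reports that case too.

```python
"""Sanity-check a Liberty ldapUserRegistry.xml used by JAS for SCIM (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Active Directory example in the article.
# The LDAP filter's '&' is written as '&amp;': the file is XML, and a bare '&'
# fails to parse before Liberty ever reads the filter.
SAMPLE_AD_REGISTRY = """<server>
  <ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com"
      bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********"
      host="ldapserver" id="ldapserver:389" port="389" realm="ldapserver:389"
      ignoreCase="true" recursiveSearch="true" sslEnabled="false">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName" groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member"/>
    <attributeConfiguration>
      <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
    </attributeConfiguration>
  </ldapRegistry>
  <administrator-role>
    <user>clmadmin</user>
    <group>MyJazzAdmins</group>
  </administrator-role>
</server>
"""


def check_registry(xml_text):
    """Return a list of findings for one registry file; an empty list means nothing to flag."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Most common cause in practice: a bare '&' inside userFilter/groupFilter.
        return [f"not well-formed XML (a bare '&' in an LDAP filter is the usual cause): {exc}"]

    registries = root.findall("ldapRegistry")
    if not registries:
        return ["no <ldapRegistry> element found"]

    for reg in registries:
        reg_id = reg.get("id", "<no id>")

        # Mandatory for CLM/ELM: the SCIM displayName property must come from an LDAP attribute.
        mapped = {a.get("propertyName") for a in reg.findall("attributeConfiguration/attribute")}
        if "displayName" not in mapped:
            findings.append(f"{reg_id}: attributeConfiguration lacks a displayName mapping")

        # Hardening: bindPassword should be the output of securityUtility encode, not plaintext.
        password = reg.get("bindPassword", "")
        if password and not password.startswith(("{xor}", "{aes}")):
            findings.append(f"{reg_id}: bindPassword is not encoded (run securityUtility encode)")

        # Hardening: without TLS the bind credentials and directory data cross the network in clear text.
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{reg_id}: sslEnabled is not true")

        # Whichever filter family is used, both filters need the %v placeholder Liberty substitutes.
        for tag in ("activedFilters", "idsFilters", "customFilters"):
            for filters in reg.findall(tag):
                for attr in ("userFilter", "groupFilter"):
                    if "%v" not in filters.get(attr, ""):
                        findings.append(f"{reg_id}: {tag}/{attr} has no %v placeholder")

    # SCIM administrators: the article requires users or groups under administrator-role.
    if not root.findall("administrator-role/user") and not root.findall("administrator-role/group"):
        findings.append("no user or group under <administrator-role>; no SCIM administrators defined")
    return findings


if __name__ == "__main__":
    for finding in check_registry(SAMPLE_AD_REGISTRY):
        print("-", finding)
```

Run against the sample, the check reports the plaintext =bindPassword= and =sslEnabled="false"=; after replacing the password with =securityUtility encode= output and enabling SSL it reports nothing. Point it at the copied =wlp/usr/servers/jazzop/ldapUserRegistry.xml= by reading the file into =check_registry=.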
---++++ IBM Tivoli Directory Server
<verbatim>
<server>
    <!-- The file is XML: the '&' of an LDAP AND filter must be written as '&amp;' -->
    <ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com"
        bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="********"
        host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389"
        realm="ldapserver:389" recursiveSearch="true" searchTimeout="10m" sslEnabled="false">
        <idsFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(uid=%v)(objectclass=person))"
            userIdMap="*:uid">
        </idsFilters>
        <attributeConfiguration>
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            <!-- propertyName is the scim property, name is the ldap property-->
        </attributeConfiguration>
        <ldapEntityType name="PersonAccount">
            <searchBase>c=in,ou=Users,o=test.com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
        </ldapEntityType>
    </ldapRegistry>
    <administrator-role>
        <user>myscimadmin</user>
    </administrator-role>
</server>
</verbatim>
<br>
   * Users or groups listed under the =<administrator-role>= tag are SCIM administrators
   * The configuration under =< attributeConfiguration >= is mandatory, as the =displayName= SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from =cn= to another attribute, as required by your organization
   * The =< ldapEntityType >= tag is not mandatory, but can be used to limit the user and group query scope
---++++ Apache DS
<verbatim>
<server>
    <!-- The file is XML: the '&' of an LDAP AND filter must be written as '&amp;' -->
    <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com"
        host="ldapserver" id="ldapserver:10389" ignoreCase="true" port="10389"
        realm="ldapserver:10389" recursiveSearch="true" referal="follow" sslEnabled="false"
        timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
        <customFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
            userIdMap="*:uid" >
        </customFilters>
        <attributeConfiguration>
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            <!-- propertyName is the scim property, name is the ldap property-->
        </attributeConfiguration>
    </ldapRegistry>
    <administrator-role>
        <user>myscimdmin</user>
    </administrator-role>
</server>
</verbatim>
<br>
   * The configuration under =< attributeConfiguration >= is mandatory, as the =displayName= SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from =cn= to another attribute, as required by your organization
   * Users or groups listed under the =<administrator-role>= tag are SCIM administrators
   * In some environments the SCIM configuration test during JTS setup reports a timestamp mismatch error. Including the =< timestampFormat >= attribute as shown above resolves the error.
---++++ Search results limit for large user registries
   * The default search results limit for users and groups is set to 4000 for SCIM. To increase it, for example to 100,000 users, add the following to =ldapUserRegistry.xml= inside the =<server>= element
<verbatim>
<federatedRepository maxSearchResults="100000" />
</verbatim>
---++++ Encrypt Passwords
   * To encrypt the password entered in =bindPassword=, run the script =[JazzAuthServer_Install_Dir]/wlp/bin/securityUtility=
   * After the script completes, copy its output into the =bindPassword= attribute of the =ldapRegistry= section
   * To run the securityUtility script, use the following syntax, where _userPassword_ is the password to encode:
<verbatim>
$ securityUtility encode userPassword
</verbatim>
---++++ Group Mappings
   * Group to Jazz role mappings are picked up from the JTS configuration when JAS is configured with LDAP/SCIM. When running JTS setup, select the user registry type SCIM and enter the group mappings under the property _Jazz Groups to Registry Group Mapping_ (the steps are included later in this article)
   * Map the groups and users who will administer JAS
<verbatim>
<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
    <clientManager>
        <group name="MYJAZZADMINS" />
        <user name = "myscimadmin" />
    </clientManager>
</oauth-roles>
</verbatim>
---+++ Configure Database for JAS
When you first install JAS, it comes configured to use a local Derby database for storing information. Derby is not recommended for a production environment, and note that a Derby database will not work in a clustered JAS environment, since its data is not available to all the instances. The basic steps to configure the database are:
   * Create the database tables on a database server that all JAS instances can access
   * Update the JAS configuration file (=appConfig.xml=) to use the database server
The following links provide information for Oracle, MSSQL and DB2 database servers; sample SQL scripts are available that create the necessary tables, but note that you will need to customize these scripts for your own environment.
   * [[https://jazz.net/wiki/bin/view/Deployment/PerformanceClusteredJAS#DB2][Configure IBM DB2 Database]]
   * [[https://jazz.net/wiki/bin/view/Deployment/PerformanceClusteredJAS#Oracle][Configure Oracle Database]]
   * [[https://jazz.net/wiki/bin/view/Deployment/PerformanceClusteredJAS#Microsoft_SQL_Server][Configure Microsoft SQL Server Database]]
---+++ Test SCIM
   * Now that JAS is configured with LDAP and SCIM, it is time to start it and test whether it is configured correctly
   * Start the server (*Linux example*)
<verbatim>
$ cd JazzAuthServer_install_dir
$ ./start-jazz
</verbatim>
   * Access the following URLs to test the JAS and SCIM configuration
      * JAS configuration URLs (the default value for a new setup is _data [ ]_ ) %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/.well-known/openid-configuration %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/registration
      * Confirm the SCIM API for users with this URL %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users
      * Confirm the SCIM API for groups with this URL %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups
%BR%
---++ Jazz Team Server (JTS) Setup with JAS and SCIM
   * For a new deployment, the CLM installation should be enabled for Jazz Security Architecture SSO
   * Ensure the pop-up blocker is disabled in the browser, or that pop-ups are allowed for the CLM and JAS URLs
   * Accessing the JTS setup page https://jtsserver:port/jts/setup does not prompt for a username / password
   * Express setup is disabled for a CLM instance enabled for Jazz Security Architecture SSO %BR% <img src="%ATTACHURLPATH%/JTS_Setup.png" alt="JTS_Setup.png" width="600" height="125" /> %BR%
   * Run through JTS setup following the prompts until you reach the "Register Applications" page
   * Enter the Jazz Authorization Server details. *The URL you enter should be accessible by all and is as important as the Jazz Public URI* %BR% %BR% <img src="%ATTACHURLPATH%/JAS_Server.png" alt="JAS_Server.png" width="575" height="350" /> %BR%
   * *DO NOT* register applications at this stage; click Next to proceed to the next step. We will return to register applications once the user registry is configured%BR%
   * In the next step (Step 6), "Select a type of User Registry", select SCIM %BR% %BR% <img src="%ATTACHURLPATH%/SCIM_Config.png" alt="SCIM_Config.png" width="550" height="375" /> %BR% %BR%
   * Enter the SCIM Provider URL and Bind User information %BR% <img src="%ATTACHURLPATH%/SCIM_Registry_6061.png" alt="SCIM_Registry_6061.png" width="650" height="600" /> %BR% %BR%
   * Click Test Connection, then Save and Next. A login window is displayed; log in as a user who has the !JazzAdmin role assigned
   * Assign a license for the user
   * Go back to the *Register Applications* page (Step 5) and register all the applications
   * Complete the setup
---++ Configure SCIM Property To !UserID Mapping
By default the CLM login ID is configured to the LDAP !UserId attribute, for example =sAMAccountName= or =uid=. If you wish to change the CLM login value to another LDAP attribute, here are the steps.
   * If you have configured the =userIdMap= value in the =ldapUserRegistry.xml= file to a different LDAP attribute, change the SCIM configuration property in the JTS Admin page accordingly
   * Navigate to the =https://jtsserver:port/jts/admin= page, click Server > Advanced Properties and search for the property *SCIM Property to User ID mapping* <img src="%ATTACHURLPATH%/SCIM_UserId_Map.png" alt="SCIM_UserId_Map.png" width="850" height="350" /> <br>
   * Change the value as per the details in this table. Also change the User Name that is used to log in to the LDAP registry.
%TABLE{ sort="on" tableborder="1" cellpadding="3" cellspacing="3" headerbg="#D5CCB1" headercolor="#666666" databg="#FAF0D4, #F3DFA8" headerrows="1" footerrows="1" }%
| <b>LDAP !UserId Attribute</b> | <b>SCIM Property to !UserId Mapping</b> | <b>User Name</b> |
| sAMAccountName, uid | _userName_ (default value) | LDAP User Uid |
| mail | _emails_ | LDAP User Email |
| mail | _emails/type=work_ | LDAP User Email 2 |
| mobile | _phoneNumbers/type=mobile_ | LDAP User Mobile |
<br>
---+++ SCIM Property to User ID Mapping attribute Parameters
   * The SCIM provider displays user information in the following format
<verbatim>
{"emails":[{"value":"shubjitnaik@testmail.com", "where":"work"},{"value":"shubjit1@homemail.com", "where":"home"}],
 "location":"https:\/\/jasserver:9643\/ibm\/api\/scim\/Users\/uid=shubjit,ou=Users,dc=ldap,dc=com",
 "displayName":"Shubjit Naik","schemas":["urn:scim:schemas:core:1.0"],"id":"uid=shubjit,ou=Users,dc=ldap,dc=com",
 "name":{"formatted":"Shubjit Naik","givenName":"Shubjit","familyName":"Naik"},"userName":"shubjit"}
</verbatim>
   * To retrieve this information, access a URL of the format below
<verbatim>
https://[JAS_SERVER]:[JAS_PORT]/ibm/api/scim/Users/uid=shubjit,ou=Users,dc=ldap,dc=com
</verbatim>
   * By default, the =userName= attribute value is used as the CLM login ID; in this case it is =shubjit=
   * In the above example, if you wish to use the email address to log in to CLM, changing the value of "SCIM Property to User ID mapping" to =emails= would not work, as there are multiple email addresses associated with the user and it would result in an error
   * The format to be used here is =emails/where=work=, which will extract =shubjitnaik@testmail.com= as the value to log in to CLM
---++ Enable an Existing CLM setup for Jazz Security Architecture
   * Complete the Jazz Authorization Server SCIM setup, configuration and testing as per the instructions in this article
   * Enable the CLM applications for Jazz Security Architecture single sign-on following the instructions on our [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6.1/com.ibm.jazz.install.doc/topics/t_JsaSso_CLM_apps_enable.html][InfoCenter]]
   * Access the JTS setup URL and click Next until you reach step 6
   * In "Select a type of User Registry", select SCIM and follow instructions similar to a new JTS setup
   * Click Test Connection and Next to save the configuration
---++ Importing Users
   * By default the user synchronization operation picks *UserID=sAMAccountName* for Microsoft AD and *UserId=uid* for IBM Tivoli Directory Server and !ApacheDS.
   * If you wish to change the user ID mapping, follow the instructions under "Configure SCIM Property To UserID Mapping" in this article
   * Test by importing a user manually
      * Click on *Users > Active Users > Import Users*
      * Enter a search term, click on the user and import the user
      * In the Active Users page, click on the newly imported user and confirm that the !UserId maps to what you intended to configure
   * If the verification is complete, you can then synchronize the users from the configured groups to CLM
      * Navigate to the https://jtsserver:port/jts/admin page > Home and click on =Synchronize Jazz Team Server Users With External User Registry=
---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server]], [[DeploymentWebHome][Deployment web home]]
---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
<sticky></div></sticky>
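The mapping rules described in the section "SCIM Property to User ID Mapping attribute Parameters" above, worked through as an added example in Python (this is not JTS code, and the way JTS itself evaluates the property is not shown here). A plain property name such as =userName= selects that property; a multi-valued property such as =emails= on its own is rejected when more than one value is present, which is the error the article warns about; and a selector such as =emails/where=work= picks the single entry whose sub-attribute matches. The SCIM user record is constructed to match the JSON shown above, and the function and error names are the example's own.

```python
"""Resolve a 'SCIM Property to User ID mapping' expression against a SCIM user (added example)."""
import json

# Constructed SCIM user, matching the example response shown in the article.
SCIM_USER_JSON = """{"emails":[{"value":"shubjitnaik@testmail.com","where":"work"},
                     {"value":"shubjit1@homemail.com","where":"home"}],
 "location":"https://jasserver:9643/ibm/api/scim/Users/uid=shubjit,ou=Users,dc=ldap,dc=com",
 "displayName":"Shubjit Naik","schemas":["urn:scim:schemas:core:1.0"],
 "id":"uid=shubjit,ou=Users,dc=ldap,dc=com",
 "name":{"formatted":"Shubjit Naik","givenName":"Shubjit","familyName":"Naik"},
 "userName":"shubjit"}"""


class MappingError(ValueError):
    """Raised when the expression does not yield exactly one login value."""


def resolve_user_id(user, mapping):
    """Return the login id selected by `mapping`, e.g. 'userName' or 'emails/where=work'.

    `user` is the decoded SCIM JSON object. A login id must be exactly one string:
    zero or several candidates is an error, never a silent pick of the first one,
    because the login id is what CLM authorizes on.
    """
    prop, _, selector = mapping.partition("/")
    if prop not in user:
        raise MappingError(f"SCIM property {prop!r} is absent from the user record")
    value = user[prop]

    # Single-valued property: the value itself is the login id; a selector makes no sense.
    if not isinstance(value, list):
        if selector:
            raise MappingError(f"{prop!r} is single-valued; selector {selector!r} does not apply")
        return str(value)

    # Multi-valued property: optionally narrow by 'subattribute=value' (e.g. where=work).
    candidates = value
    if selector:
        key, _, wanted = selector.partition("=")
        if not key or not wanted:
            raise MappingError(f"selector must be subattribute=value, got {selector!r}")
        candidates = [e for e in value if isinstance(e, dict) and str(e.get(key)) == wanted]

    if len(candidates) != 1:
        raise MappingError(f"{mapping!r} selects {len(candidates)} values; exactly one is required")
    entry = candidates[0]
    return str(entry["value"]) if isinstance(entry, dict) else str(entry)


def login_id_for(mapping, scim_json=SCIM_USER_JSON):
    """Decode the SCIM JSON and resolve `mapping` against it."""
    return resolve_user_id(json.loads(scim_json), mapping)


def try_mapping(mapping, scim_json=SCIM_USER_JSON):
    """Convenience wrapper: (True, login_id) on success, (False, reason) on a mapping error."""
    try:
        return True, login_id_for(mapping, scim_json)
    except MappingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for expr in ("userName", "emails", "emails/where=work", "phoneNumbers/type=mobile"):
        print(f"{expr:28} -> {try_mapping(expr)}")
```

With the record above, =userName= yields =shubjit=, =emails/where=work= yields =shubjitnaik@testmail.com=, and =emails= alone fails because two addresses are present, which matches the behaviour the article describes for the JTS property. Before changing the property in the JTS admin page, run the expression you intend to use against a few real user records fetched from the =/ibm/api/scim/Users= endpoint to confirm every user resolves to exactly one value.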