Configuring Jazz Authorization Server with a SAML IdP
Authors: ShubjitNaikBuild basis: IBM Engineering Lifecycle Management and Jazz Authorization Server Version 7.0.2 and higher
SAML (Security Assertion Markup Language) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request.
With the introduction of Jazz Authorization Server (JAS), we can configure IBM Engineering Lifecycle Management Solution to redirect authentication to a SAML Identity Provider via JAS. For additional information on SAML and WebSphere Liberty visit our Infocenter Page
The focus of this article is showcase configuring ELM and JAS with SimpleSAMLphp as the IdP.
Limitations
When the user authentication is delegated from JAS to a SAML IdP there are a few limitations:- ELM Version 7.0.1 and lower - Authenticating through a SAML IdP works for Browser based clients
- Thick Clients (Eclipse, Visual Studio) and Command line utilities can be configured to authenticate directly via JAS and LDAP.
- ELM Version 7.0.2 and higher- Starting version 7.0.2 you can configure Application Passwords for Non-Web Clients
- There is a requirement of an LDAP server (User Registry) for JAS for ID Token and Application Passwords mapping and for ELM for User-to-group role mapping (Or SCIM can be used)
Overview of Configuration
Overview of the different steps involved in this configuration.- Configure JAS with an LDAP server (LDAP server should replicate ELM users from SAML IdP)
- Configure CA Certificates for JAS
- Setup ELM with JAS or Migrate and existing setup from container authentication to JAS
- Enable SAML feature and configurations in JAS
- Export the Metadata from JAS to SAML IdP
- Copy the SAML IdP metadata to JAS
- Test Configurations
Configure JAS with LDAP and ELM with JAS
Although the authentication is redirected and performed by the SAML IdP, ELM still needs to connect to the LDAP (via Advanced Properties in JTS) server for User-to-group role mapping (JazzAdmins, JazzUsers and so on) and JAS as well needs to be configured with the same LDAP server for ID Token and Application Passwords mapping. Most customers don't expose the LDAP server working with the SAML IdP and instead create a replica with limited attributes and passwords disabled. As a pre-req , first configure JAS with the LDAP server and then setup ELM Configure JAS with LDAPEnable JAS to support SAML 2.0
Extracting the instructions from ELM Documentation and Liberty Documentation- Edit
JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml
and uncomment the following features<feature>samlWeb-2.0</feature> <feature>ssl-1.0</feature>
- Edit
JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml
and uncomment/update thesamlWebSso2.0
andauthFilter
elements<samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true" authFilterRef="samlAuthFilter" spLogout="true" enabled="true" > </samlWebSso20> <authFilter id="samlAuthFilter"> <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains" /> <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/> </authFilter>
- If you have a requirement to change the ID from
defaultSP
to a custom ID then add the following section inappConfig.xml
<samlWebSso20 id="defaultSP" enabled="false"> </samlWebSso20>
- For additional details on the SAML attributes and filters visit this Liberty Documentation
- With the above configuration JAS is now configured as a SAML Service Provider (SP)
Export SP Metadata from JAS
For Jazz Authorization Server to communicate with the SAML IdP, the server must be registered as a partner in the IdP. You can download / export the SP metadata from JAS to register it as a partner. Registering and enabling a partner depends on the SAML implementation in your IdP, you can follow the SAML documentation or contact you Administrator. When JAS is configured as a SAML Service Provider you can download/export the metadata- Start Jazz Authorization Server
JazzAuthServer_install_dir/start_jazz
- Download the SP metadata by accessing the following URL
https://jas.example.org/ibm/saml20/defaultSP/samlmetadata
-
- If you are not prompted to save the file, review your SAML configurations in the appConfig.xml and server.xml file on JAS
- If you have changed the default ID in JAS SAML configurations, replace
defaultSP
in the URL with the ID that you have defined - Metadata from JAS needs to be generated again if there is a change in certificates
- Share the
spMetadata.xml
file with SAML IdP administrator
Import SAML IdP Metadata into JAS
For the Jazz Authorization Server to communicate with the SAML IdP you must import the SAML IdP metadata file- Request for the SAML IdP metadata file from your SAML administrator
- Some of the SAML Identity Providers provide URLs to download metadata directly, example of ADFS and SimpleSAMLphp are given below.
- Example Microsoft ADFS: You can download the metadata for Microsoft ADFS by accessing the URL
https://adfs.example.org/federationmetadata/2007-06/federationmetadata.xml
- Example SimpleSAMLphp: You can download the metadata for SimpleSAMLphp by accessing the URL
https://simplesamlphp.example.org/simplesaml/saml2/idp/metadata.php
- Rename the IdP metadata file to
idpMetadata.xml
(Case sensitive if JAS is running on UNIX based systems) - Copy the
idpMetadata.xml
toJazzAuthServer_install_dir/wlp/usr/servers/jazzop/resources/security
SAML IdP Examples
SimpleSAMLphp
SimpleSAMLphp is a PHP-written application that deals with authentication. Its main focus is to provide support for SAML as a Service Provider (SP) or an Identity Provider (IdP). In this example, SimpleSAMLphp is the Identity Provider (IdP). The following steps demonstrate how to install and configure SimpleSAMLphp.- Download and install the SimpleSAMLphp package from their website
- For prerequisites and details, see SimpleSAMLphp Installation and Configuration
- To enable the IdP functionality, see the SimpleSAMLphp Identity Provider QuickStart
- Configure Authentication and metadata for the local Identity Provider and remote Service Provider, for instructions, see SimpleSAMLphp Identity Provider QuickStart
- Here is an example of the file
saml20-idp-hosted.php
<?php $metadata['__DYNAMIC:1__'] = [ 'host' => 'simplesaml.example.org', // X.509 key and certificate. Relative to the cert directory. 'privatekey' => 'simplesaml.key', 'certificate' => 'simplesaml.crt', /* Authentication source to use. Must be one that is configured in 'config/authsources.php'. */ 'auth' => 'example-userpass', 'userid.attribute' => 'uid', 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri' ];
Import JAS SP Metadata to SimpleSAMLphp
SimpleSAMLphp include a Metadata converter UI which can be used to covert the metadata format that can be added tosaml20-sp-remote.php
- Access the URL sample
https://simplesaml.example.org/simplesaml/admin/metadata-converter.php
- Upload the JAS spMetadata.xml file and click Parse
- Copy the converted data into
metadata/saml20-sp-remote.php
- Configure additional additional options required for your SP configuration, see SP remote metadata reference
- Test the Authentication Flow
Microsoft ADFS
Related topics: Deployment web home, Deployment web home
External links:
Additional contributors: TWikiUser, TWikiUser

Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.