r9 - 2023-06-14 - 06:43:45 - ShubjitNaik
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Configuring Jazz Authorization Server with a SAML !IdP
<img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/todo.png" alt="todo.png" width="50" height="50" align="right">
%DKGRAY% Authors: Main.ShubjitNaik <br> Build basis: IBM Engineering Lifecycle Management and Jazz Authorization Server Version 7.0.2 and higher %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;">
%TOC{title="Page contents"}%
</div></sticky>
<sticky><div style="margin:15px;"></sticky>

[[https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language][SAML]] (Security Assertion Markup Language) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML-formatted token that carries user identity and attribute information from a user's identity provider (!IdP) to a trusted service provider (SP) as part of completing an SSO request. With the introduction of [[JazzAuthorizationServer][Jazz Authorization Server]] (JAS), the IBM Engineering Lifecycle Management solution can be configured to redirect authentication to a SAML Identity Provider via JAS: JAS, which runs on !WebSphere Liberty, takes the role of the SAML SP, and the ELM applications keep authenticating against JAS as before. For additional information on SAML and !WebSphere Liberty, see the [[https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_saml_web_sso.html][Liberty documentation]]. The focus of this article is to show how to configure ELM and JAS with [[https://simplesamlphp.org/][SimpleSAMLphp]] as the !IdP.
---++ Limitations
When user authentication is delegated from JAS to a SAML !IdP there are a few limitations:
   * ELM Version 7.0.1 and lower: authenticating through a SAML !IdP works only for browser-based clients
   * Thick clients (Eclipse, Visual Studio) and command-line utilities can be configured to authenticate directly via JAS and LDAP
   * ELM Version 7.0.2 and higher: starting with version 7.0.2 you can configure [[EnableJASAppPasswords][Application Passwords]] for non-web clients
   * An LDAP server (user registry) is still required: JAS uses it for ID token and Application Password mapping, and ELM uses it for user-to-group role mapping (or SCIM can be used)

---++ Overview of Configuration
Overview of the different steps involved in this configuration:
   * Configure JAS with an LDAP server (the LDAP server should replicate the ELM users that the SAML !IdP authenticates)
   * Configure [[ConfigureCACertificates][CA Certificates]] for JAS
   * Set up ELM with JAS, or migrate an existing setup from container authentication to JAS
   * Enable the SAML feature and its configuration in JAS
   * Export the SP metadata from JAS to the SAML !IdP
   * Copy the SAML !IdP [[https://en.wikipedia.org/wiki/SAML_metadata][metadata]] to JAS
   * Test the configuration

---++ Configure JAS with LDAP and ELM with JAS
Although authentication is redirected to and performed by the SAML !IdP, ELM still needs to connect to the LDAP server (via Advanced Properties in JTS) for user-to-group role mapping (!JazzAdmins, !JazzUsers and so on), and JAS needs to be configured with the same LDAP server for ID token and Application Password mapping. Most customers do not expose the LDAP server that backs the SAML !IdP; instead they create a replica with a limited set of attributes and with passwords disabled. Whatever identifier the !IdP asserts for a user (the NameID, or the attribute JAS is configured to read) must resolve to that user's entry in the replica, otherwise JAS cannot map the SAML subject to an ID token.
As a prerequisite, first configure JAS with the LDAP server and then set up ELM with JAS: [[https://jazz.net/wiki/bin/view/Deployment/JASUserRegistryConfig][Configure JAS with LDAP]]

---++ Enable JAS to support SAML 2.0
The instructions below are extracted from the [[https://www.ibm.com/docs/en/elm/7.0.2?topic=server-enabling-saml-as-identity-provider][ELM Documentation]] and the [[https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-configuring-saml-web-browser-sso-in][Liberty Documentation]].
   * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml= and uncomment the following features:
<verbatim>
<feature>samlWeb-2.0</feature>
<feature>ssl-1.0</feature>
</verbatim>
   * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml= and uncomment/update the =samlWebSso20= and =authFilter= elements:
<verbatim>
<samlWebSso20 id="defaultSP"
              spCookieName="jazzop_sso_cookie_idp"
              forceAuthn="true"
              authFilterRef="samlAuthFilter"
              spLogout="true"
              enabled="true">
</samlWebSso20>

<authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains" />
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
</authFilter>
</verbatim>
   * The =authFilter= is what makes the limitations above workable: only requests to the =/authorize= endpoint from a browser user agent (one containing =Mozilla= or =Opera=) are redirected to the SAML !IdP; every other client keeps authenticating against JAS and LDAP. =forceAuthn="true"= asks the !IdP to re-authenticate the user even when an !IdP session already exists, and =spLogout="true"= enables SP-initiated logout.
   * If you have a requirement to change the ID from =defaultSP= to a custom ID, define your own =samlWebSso20= element with that ID and add the following section in =appConfig.xml= so that the default SP is disabled:
<verbatim>
<samlWebSso20 id="defaultSP" enabled="false">
</samlWebSso20>
</verbatim>
   * For additional details on the SAML attributes and filters visit this [[https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-samlwebsso20][Liberty Documentation]]. Keep the Liberty defaults that require TLS and signed assertions (=httpsRequired= and =wantAssertionsSigned= both default to =true=); relax them only in a lab.
   * With the above configuration JAS is now configured as a SAML Service Provider (SP)

---++ Export SP Metadata from JAS
For Jazz Authorization Server to communicate with the SAML !IdP, the server must be registered as a partner in the !IdP. You can download / export the SP metadata from JAS to register it as a partner.
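Whichever !IdP you use, both metadata documents exchanged in this section and the next deserve a look before either side trusts them: the !IdP metadata carries the certificate JAS will use to verify assertion signatures, and the SP metadata that JAS exports fixes the Assertion Consumer Service URL the !IdP will post assertions to. The following Python script is an added example for this page and is not IBM, Liberty or !SimpleSAMLphp code. It uses only the standard library; the metadata strings inside it are constructed samples in the shape of what !SimpleSAMLphp and JAS publish, and their certificate values are placeholders rather than real certificates. Point =parse_metadata= at the real files and compare the fingerprints it returns with what the !IdP administrator reports.

```python
"""Inspect SAML metadata before JAS and the IdP are made to trust each other.

Added example for this page, not IBM, Liberty or SimpleSAMLphp code. It parses
the SP metadata that JAS exports and the IdP metadata you copy into JAS, and
returns what is worth confirming out of band: entityID, endpoints and the
SHA-256 fingerprint of each signing certificate. Standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 of the DER bytes, the value 'openssl x509 -fingerprint -sha256' shows."""
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text: str) -> Dict:
    """Return role, entityID, SSO or ACS endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "role": None, "endpoints": [],
            "signing_fingerprints": [], "wants_assertions_signed": None}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        info["role"], descriptor = "IdP", idp
        endpoints = idp.findall("md:SingleSignOnService", NS)
    elif sp is not None:
        info["role"], descriptor = "SP", sp
        info["wants_assertions_signed"] = sp.get("WantAssertionsSigned") == "true"
        endpoints = sp.findall("md:AssertionConsumerService", NS)
    else:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    info["endpoints"] = [(e.get("Binding"), e.get("Location")) for e in endpoints]
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            info["signing_fingerprints"].append(cert_fingerprint_sha256(der))
    return info


def check_metadata(info: Dict, expected_entity_id: Optional[str] = None) -> List[str]:
    """List the problems to fix before this metadata is registered on the other side."""
    problems = []
    if expected_entity_id and info["entity_id"] != expected_entity_id:
        problems.append("entityID is %r, expected %r" % (info["entity_id"], expected_entity_id))
    if not info["signing_fingerprints"]:
        problems.append("no signing certificate: signatures from this party cannot be verified")
    if not info["endpoints"]:
        problems.append("no SSO or ACS endpoint advertised")
    for _binding, location in info["endpoints"]:
        if not (location or "").lower().startswith("https://"):
            problems.append("endpoint %s is not served over TLS" % location)
    if info["role"] == "SP" and not info["wants_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems


# Constructed samples in the shape SimpleSAMLphp and JAS publish. The X509Certificate
# content is a placeholder (base64 of the bytes "abc"), not a real certificate.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://simplesaml.example.org/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://simplesaml.example.org/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://jas.example.org/ibm/saml20/defaultSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jas.example.org/ibm/saml20/defaultSP/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# A broken IdP publication: plain-http SSO endpoint and no certificate at all.
SAMPLE_BAD_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against =spMetadata.xml= and =idpMetadata.xml= with =parse_metadata(open(path).read())= and feed the result to =check_metadata=; an empty list means the document advertises TLS endpoints and at least one signing certificate. A fingerprint that does not match what the other administrator reads from their own certificate means you are looking at the wrong file, or at a file someone altered in transit.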
Registering and enabling a partner depends on the SAML implementation in your !IdP; follow its SAML documentation or contact your administrator. When JAS is configured as a SAML Service Provider you can download/export the metadata as follows:
   * Start Jazz Authorization Server: =JazzAuthServer_install_dir/start_jazz=
   * Download the SP metadata by accessing the following URL:
<verbatim>
https://jas.example.org/ibm/saml20/defaultSP/samlmetadata
</verbatim>
   * If you are not prompted to save the file, review your SAML configuration in the =appConfig.xml= and =server.xml= files on JAS
   * If you have changed the default ID in the JAS SAML configuration, replace =defaultSP= in the URL with the ID that you have defined
   * The SP metadata embeds the JAS certificate, so it must be generated and registered with the !IdP again whenever that certificate changes
   * Share the =spMetadata.xml= file with the SAML !IdP administrator

---++ Import SAML !IdP Metadata into JAS
For Jazz Authorization Server to communicate with the SAML !IdP you must import the SAML !IdP metadata file:
   * Request the SAML !IdP metadata file from your SAML administrator
   * Some SAML Identity Providers provide URLs to download the metadata directly; examples for ADFS and !SimpleSAMLphp are given below. Download it over HTTPS and confirm the signing certificate fingerprint with the !IdP administrator, because this certificate is what JAS will trust to verify assertion signatures.
   * Example Microsoft ADFS: you can download the metadata for Microsoft ADFS by accessing the URL
<verbatim>
https://adfs.example.org/federationmetadata/2007-06/federationmetadata.xml
</verbatim>
   * Example !SimpleSAMLphp: you can download the metadata for !SimpleSAMLphp by accessing the URL
<verbatim>
https://simplesamlphp.example.org/simplesaml/saml2/idp/metadata.php
</verbatim>
   * Rename the !IdP metadata file to =idpMetadata.xml= (case sensitive if JAS is running on a UNIX based system)
   * Copy =idpMetadata.xml= to =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/resources/security=

---++ SAML !IdP Examples
---+++ !SimpleSAMLphp
[[https://simplesamlphp.org/][SimpleSAMLphp]] is a PHP application that deals with authentication.
Its main focus is to provide support for SAML as a Service Provider (SP) or an Identity Provider (!IdP). In this example, !SimpleSAMLphp is the Identity Provider (!IdP). The following steps demonstrate how to install and configure !SimpleSAMLphp.
   * Download and install the !SimpleSAMLphp package from their [[https://simplesamlphp.org/download/][website]]
   * For prerequisites and details, see [[https://simplesamlphp.org/docs/latest/simplesamlphp-install.html][SimpleSAMLphp Installation and Configuration]]
   * To enable the !IdP functionality, see the [[https://simplesamlphp.org/docs/latest/simplesamlphp-idp.html][SimpleSAMLphp Identity Provider QuickStart]]
   * Configure authentication and metadata for the local Identity Provider and the remote Service Provider; for instructions, see the same [[https://simplesamlphp.org/docs/latest/simplesamlphp-idp.html][SimpleSAMLphp Identity Provider QuickStart]]
   * Here is an example of the file =metadata/saml20-idp-hosted.php=:
<verbatim>
<?php
$metadata['__DYNAMIC:1__'] = [
    'host' => 'simplesaml.example.org',

    // X.509 key and certificate. Relative to the cert directory.
    'privatekey'  => 'simplesaml.key',
    'certificate' => 'simplesaml.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'. 'example-userpass' is the SimpleSAMLphp
     * sample source with hard-coded users: use it only in a lab, and point a
     * production IdP at your real user store (for example an LDAP source).
     */
    'auth' => 'example-userpass',

    'userid.attribute' => 'uid',
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
];
</verbatim>
---++++ Import JAS SP Metadata to !SimpleSAMLphp
!SimpleSAMLphp includes a metadata converter UI which converts the XML metadata into the PHP array format that can be added to =saml20-sp-remote.php=:
   * Access the converter URL, for example =https://simplesaml.example.org/simplesaml/admin/metadata-converter.php=
   * Upload the JAS =spMetadata.xml= file and click Parse
   * Copy the converted data into =metadata/saml20-sp-remote.php=
   * Configure any additional options required for your SP configuration, see [[https://simplesamlphp.org/docs/latest/simplesamlphp-reference-sp-remote.html][SP remote metadata reference]]
   * Test the authentication flow: open an ELM URL in a browser; you should be redirected via JAS to the !SimpleSAMLphp login page and, after authenticating, back to ELM. Also confirm that a thick client or command-line utility still authenticates via JAS and LDAP, since the =authFilter= excludes non-browser user agents from the SAML redirect.
---+++ Microsoft ADFS
---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]]
---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
<sticky></div></sticky>