SAML (Security Assertion Markup Language) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request.
With the introduction of Jazz Authorization Server (JAS), we can configure IBM Engineering Lifecycle Management (ELM) to redirect authentication to a SAML Identity Provider via JAS. For additional information on SAML and WebSphere Liberty, visit our Infocenter page.
The focus of this article is to show how to configure ELM and JAS with SimpleSAMLphp as the IDP.
Limitations
When the user authentication is delegated from JAS to a SAML IDP there are a few limitations:
- ELM version 7.0.1 and lower: authenticating through a SAML IDP works for browser-based clients.
  - Thick clients (Eclipse, Visual Studio) and command-line utilities can be configured to authenticate directly via JAS and LDAP.
- ELM version 7.0.2 and higher: starting with version 7.0.2, you can configure application passwords for non-web clients.
- An LDAP server is required for user-to-group role mapping.
Overview of Configuration
Overview of the different steps involved in this configuration.
- Configure JAS with an LDAP server (LDAP server should include all the users from SAML IDP)
- Configure CA Certificates for JAS
- Set up ELM with JAS, or migrate an existing setup from container authentication to JAS
- Enable SAML feature and configurations in JAS
- Copy the SAML IDP metadata to JAS
- Export the Metadata from JAS to share with SAML IDP
- Test Configurations
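To make the steps above concrete, here is the shape of the resulting JAS (WebSphere Liberty) server configuration. This is an added example and not a file from the article or from IBM; the file layout, host names, ids, DNs and the metadata file name are assumptions, while the `samlWeb-2.0` feature and the `samlWebSso20` and `ldapRegistry` attributes are standard Liberty configuration.

```xml
<!-- Added example, not from the article. JAS runs on WebSphere Liberty, so the SAML
     service-provider settings live in a Liberty server configuration. Host names,
     paths, ids and DNs below are assumed placeholders. -->
<server>
  <featureManager>
    <!-- Step "Enable SAML feature and configurations in JAS" -->
    <feature>samlWeb-2.0</feature>
  </featureManager>

  <!-- Step "Copy the SAML IDP metadata to JAS": the metadata XML exported from
       SimpleSAMLphp is placed on disk and referenced here. It carries the IDP
       entityID, SSO endpoint and signing certificate used to verify assertions,
       so keep the file read-only for the JAS service account. -->
  <samlWebSso20 id="defaultSP"
                idpMetadata="${server.config.dir}/resources/security/idpMetadata.xml"
                spHostAndPort="https://jas.example.com:9643"
                keyStoreRef="defaultKeyStore"
                wantAssertionsSigned="true"
                httpsRequired="true"
                mapToUserRegistry="User" />

  <!-- Step "Configure JAS with an LDAP server": with mapToUserRegistry="User" the
       user named in the assertion must also exist in this registry, and JazzAdmins /
       JazzUsers membership is read from LDAP groups, not from the SAML assertion.
       This is the replica with passwords disabled that the article describes; thick
       clients on 7.0.1 and lower bind here directly via JAS. -->
  <ldapRegistry id="ldap" realm="JAS"
                ldapType="IBM Tivoli Directory Server"
                host="ldap-replica.example.com" port="636" sslEnabled="true"
                baseDN="ou=users,dc=example,dc=com"
                bindDN="cn=jasreader,dc=example,dc=com"
                bindPassword="${ldap.bind.password}" />

  <!-- Step "Export the metadata from JAS to share with SAML IDP": Liberty publishes
       the SP metadata for the id above at
       https://jas.example.com:9643/ibm/saml20/defaultSP/samlmetadata
       Register it in SimpleSAMLphp so the IDP knows this SP's entityID and
       assertion consumer service URL. -->
</server>
```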
Configure JAS with LDAP and ELM with JAS
Although authentication is redirected to and performed by the SAML IDP, JAS and ELM still need to connect to the LDAP server for user-to-group role mapping (JazzAdmins, JazzUsers, and so on).
Most customers do not expose the LDAP server that backs the SAML IDP; instead they create a replica with limited attributes and passwords disabled.
As a prerequisite, first configure JAS with the LDAP server and set up ELM.
Configure JAS with LDAP
External links: