Example : Configuring Jazz Authorization Server with a SAML IDP

SAML (Security Assertion Markup Language) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request.

With the introduction of Jazz Authorization Server (JAS), we can configure IBM Engineering Lifecycle Management Solution to redirect authentication to a SAML Identity Provider via JAS. For additional information on SAML and WebSphere Liberty visit our Infocenter Page

The focus of this article is showcase configuring ELM and JAS with SimpleSAMLphp as the IDP.

Limitations

• ELM Version 7.0.1 and lower - Authenticating through a SAML IDP works for Browser based clients
  • Thick Clients (Eclipse, Visual Studio) and Command line utilities can be configured to authenticate directly via JAS and LDAP.
• ELM Version 7.0.2 and higher- Starting version 7.0.2 you can configure Application Passwords for Non-Web Clients
• There is a requirement of an LDAP server for User-to-group role mapping

Overview of Configuration

Overview of the different steps involved in this configuration.

• Configure JAS with an LDAP server (LDAP server should include all the users from SAML IDP)
• Configure CA Certificates for JAS
• Setup ELM with JAS or Migrate and existing setup from container authentication to JAS
• Enable SAML feature and configurations in JAS
• Copy the SAML IDP metadata to JAS
• Export the Metadata from JAS to share with SAML IDP
• Test Configurations

Configure JAS with LDAP and ELM with JAS

Although the authentication is redirected and performed by the SAML IDP, JAS and ELM still needs to connect to the LDAP server for User-to-group role mapping (JazzAdmins, JazzUsers and so on). Most customers don't expose the LDAP server working with the SAML IDP and instead create a replica with limited attributes and passwords disabled.

As a pre-req , first configure JAS with the LDAP server and setup ELM Configure JAS with LDAP

Heading 2 (use sentence-style capitalization)

Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text

Heading 2 (use sentence-style capitalization)

Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text Sub-Section text

Heading 1

Related topics: Deployment web home, Deployment web home

External links:

• IBM

Additional contributors: TWikiUser, TWikiUser