SAML (Security Assertion Markup Language) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML-formatted token that carries a user's identity and attribute information from the user's identity provider (IdP) to a trusted service provider (SP) as part of completing an SSO request.
With the introduction of Jazz Authorization Server (JAS), the IBM Engineering Lifecycle Management (ELM) solution can be configured to redirect authentication to a SAML identity provider via JAS. For additional information on SAML and WebSphere Liberty, visit our Infocenter Page.
The focus of this article is to showcase configuring ELM and JAS with SimpleSAMLphp as the IdP.
Overview of the different steps involved in this configuration.
Although authentication is redirected to and performed by the SAML IdP, JAS and ELM still need to connect to the LDAP server for user-to-group role mapping (JazzAdmins, JazzUsers, and so on), and JAS must be configured with the same LDAP server for ID token and application password mapping. Most customers do not expose the LDAP server that the SAML IdP authenticates against; instead they create a replica with a limited set of attributes and with passwords disabled, so the directory that JAS and ELM read cannot be used to log in with a password.
As a prerequisite, first configure JAS with the LDAP server and then set up ELM (see Configure JAS with LDAP).
Extracting the instructions from the ELM Documentation and the Liberty Documentation:
1. Edit JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml and uncomment the following features:

    <feature>samlWeb-2.0</feature>
    <feature>ssl-1.0</feature>

2. Edit JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml and uncomment/update the samlWebSso20 and authFilter elements:

    <samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true"
                  authFilterRef="samlAuthFilter" spLogout="true" enabled="true">
    </samlWebSso20>
    <authFilter id="samlAuthFilter">
        <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains" />
        <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
    </authFilter>

   The authFilter limits the SAML redirect to browser requests (user agent containing Mozilla or Opera) for URLs containing /authorize; requests that do not match the filter are not sent to the IdP and fall through to the other authentication mechanisms configured on JAS. forceAuthn="true" asks the IdP to re-authenticate the user rather than reuse an existing IdP session, and spLogout="true" enables SP-initiated logout.
3. If you change defaultSP to a custom ID, also add the following section in appConfig.xml. The samlWeb-2.0 feature supplies an SP with the id defaultSP on its own, and it stays enabled alongside your custom SP unless you explicitly disable it:

    <samlWebSso20 id="defaultSP" enabled="false">
    </samlWebSso20>
With the above configuration, JAS is now a SAML service provider.
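A quick consistency check of the two files edited above, written as an added example for this article (it is not IBM code). SERVER_XML, APPCONFIG_BROKEN and APPCONFIG_FIXED are constructed samples modelled on the fragments shown; the custom SP id jazzSP is an assumption. The broken sample has the two mistakes that are easy to make here: a custom SP id without the defaultSP override, and an authFilterRef that points at a filter id that does not exist. Read your own server.xml and appConfig.xml and pass their text to the same functions to lint a real JAS install.

```python
"""Lint the SAML service-provider settings of a Jazz Authorization Server.

Added example, not IBM code. The XML strings below are constructed
samples modelled on the article's fragments; the SP id jazzSP, like
the rest of the sample, is an assumption.
"""
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"samlWeb-2.0", "ssl-1.0"}

# Constructed sample of the featureManager section in server.xml.
SERVER_XML = """<server>
  <featureManager>
    <feature>samlWeb-2.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
</server>"""

# Constructed sample: a custom SP id, but the implicit defaultSP was never
# disabled and the authFilterRef names a filter that does not exist.
APPCONFIG_BROKEN = """<server>
  <samlWebSso20 id="jazzSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true"
                authFilterRef="samlFilter" spLogout="true" enabled="true"/>
  <authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains"/>
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
  </authFilter>
</server>"""

# Constructed sample of the same configuration with both problems corrected.
APPCONFIG_FIXED = """<server>
  <samlWebSso20 id="defaultSP" enabled="false"/>
  <samlWebSso20 id="jazzSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true"
                authFilterRef="samlAuthFilter" spLogout="true" enabled="true"/>
  <authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains"/>
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
  </authFilter>
</server>"""


def _flag(value, default):
    """Interpret a Liberty boolean attribute, falling back to its default."""
    return default if value is None else value.strip().lower() == "true"


def missing_features(server_xml):
    """Return the required Liberty features absent from <featureManager>."""
    root = ET.fromstring(server_xml)
    present = {f.text.strip() for f in root.iter("feature") if f.text}
    return REQUIRED_FEATURES - present


def lint_saml_sp(appconfig_xml):
    """Return a list of findings for the samlWebSso20 / authFilter elements."""
    root = ET.fromstring(appconfig_xml)
    findings = []
    explicit = {sp.get("id"): _flag(sp.get("enabled"), True)
                for sp in root.findall("samlWebSso20")}
    # The samlWeb-2.0 feature supplies an SP with id defaultSP on its own; it
    # stays enabled unless an explicit <samlWebSso20 id="defaultSP"
    # enabled="false"/> element turns it off.
    enabled = {sp_id for sp_id, on in explicit.items() if on}
    if explicit.get("defaultSP", True):
        enabled.add("defaultSP")

    if not enabled:
        findings.append("no enabled samlWebSso20 element; JAS will not act as a SAML SP")
    elif len(enabled) > 1:
        if "defaultSP" not in explicit:
            findings.append('custom SP id in use but the implicit defaultSP is still '
                            'enabled; add <samlWebSso20 id="defaultSP" enabled="false"/>')
        else:
            findings.append(f"more than one enabled SP: {sorted(enabled)}")

    filters = {af.get("id") for af in root.findall("authFilter")}
    for sp in root.findall("samlWebSso20"):
        if not _flag(sp.get("enabled"), True):
            continue
        ref = sp.get("authFilterRef")
        if ref is None:
            findings.append(f"SP {sp.get('id')}: no authFilterRef, so the SAML SP intercepts "
                            "all unauthenticated requests, not only browser /authorize requests")
        elif ref not in filters:
            findings.append(f"SP {sp.get('id')}: authFilterRef {ref!r} matches no authFilter id")
    return findings


if __name__ == "__main__":
    print("missing features:", missing_features(SERVER_XML) or "none")
    for name, cfg in (("broken", APPCONFIG_BROKEN), ("fixed", APPCONFIG_FIXED)):
        print(f"{name}:", lint_saml_sp(cfg) or ["OK"])
```

Run it before exporting metadata: the broken sample yields two findings (the implicit defaultSP still enabled, and the dangling authFilterRef), while the fixed sample yields none.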
Now that JAS is configured with certificates and the SAML settings, you can export the SP metadata from JAS and register it as an SP/relying party on the SAML IdP. Liberty serves the SP metadata at https://<JAS host>:<SSL port>/ibm/saml20/<spId>/samlmetadata, where <spId> is the id of your samlWebSso20 element (defaultSP in the example above). Verify that the entityID, AssertionConsumerService URL and signing certificate in that document are the ones you expect before trusting them on the IdP.
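The exported metadata is what the IdP administrator registers, so it helps to pull out the fields they need and sanity-check them. The following is an added example for this article, not IBM or SimpleSAMLphp code. SP_METADATA is a constructed sample shaped like the document a Liberty SAML SP exports; the host, port and SP id (jazzSP) are assumptions, and the certificate inside it is a placeholder blob rather than real X.509 data. The PHP rendered by to_simplesamlphp() uses the key names of SimpleSAMLphp's saml20-sp-remote.php metadata format as I know them; check them against the documentation of the SimpleSAMLphp version you run.

```python
"""Extract what the IdP admin needs from exported Liberty SP metadata.

Added example, not IBM or SimpleSAMLphp code. SP_METADATA is a
constructed sample; the certificate in it is a placeholder, not a real
certificate. Fetch the real metadata from JAS and pass it to
parse_sp_metadata().
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the base64 DER of the SP signing cert.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed sample; host, port and SP id (jazzSP) are assumptions.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://jas.example.com:9643/ibm/saml20/jazzSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://jas.example.com:9643/ibm/saml20/jazzSP/slo"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://jas.example.com:9643/ibm/saml20/jazzSP/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return entity ID, default ACS, SLO, signing flags and cert digest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("SP metadata without an AssertionConsumerService")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    acs = next((a for a in acs_list if a.get("isDefault", "").lower() == "true"),
               min(acs_list, key=lambda a: int(a.get("index", "0"))))
    slo = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_b64 = "".join(cert.text.split()) if cert is not None and cert.text else None
    return {
        "entity_id": root.get("entityID"),
        "acs": {"binding": acs.get("Binding"), "location": acs.get("Location")},
        "slo": None if slo is None else {"binding": slo.get("Binding"), "location": slo.get("Location")},
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "signing_cert_b64": cert_b64,
        # Digest of the decoded certificate bytes, for out-of-band comparison with the JAS keystore.
        "signing_cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() if cert_b64 else None,
    }


def lint_sp(info):
    """Checks worth making before trusting this SP on the IdP."""
    findings = []
    for name in ("acs", "slo"):
        endpoint = info[name]
        if endpoint and not endpoint["location"].startswith("https://"):
            findings.append(f"{name} endpoint is not https: {endpoint['location']}")
    if not info["want_assertions_signed"]:
        findings.append("SP does not advertise WantAssertionsSigned; make sure the IdP signs assertions anyway")
    if not info["signing_cert_b64"]:
        findings.append("no signing certificate: the IdP cannot verify signed AuthnRequests or LogoutRequests")
    return findings


def to_simplesamlphp(info):
    """Render a saml20-sp-remote.php entry (assumed key names; check your SimpleSAMLphp docs)."""
    lines = [f"$metadata['{info['entity_id']}'] = [",
             f"    'AssertionConsumerService' => '{info['acs']['location']}',"]
    if info["slo"]:
        lines.append(f"    'SingleLogoutService' => '{info['slo']['location']}',")
    if info["signing_cert_b64"]:
        lines.append(f"    'certData' => '{info['signing_cert_b64']}',")
        # Only accept AuthnRequests signed with the SP certificate above.
        lines.append("    'validate.authnrequest' => true,")
    lines.append("    'saml20.sign.assertion' => true,")
    lines.append("];")
    return "\n".join(lines)


if __name__ == "__main__":
    sp_info = parse_sp_metadata(SP_METADATA)
    print("findings:", lint_sp(sp_info) or ["OK"])
    print("signing cert sha256:", sp_info["signing_cert_sha256"])
    print(to_simplesamlphp(sp_info))
```

Compare the printed certificate digest with the certificate in the JAS keystore before pasting the entry into the IdP: the metadata endpoint is unauthenticated, so the digest is your check that you are registering the key JAS actually signs with.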