EditAttachPrintable
r7 - 2021-08-10 - 13:35:46 - ShubjitNaikYou are here: TWiki >  Deployment Web > DeploymentInstallingUpgradingAndMigrating > JazzAuthorizationServer > LogoutJASSAMLOIDC

Configure Single Sign-On and Single Sign-Out for ELM configured with a SAML or OIDC Provider new.png

Authors: ShubjitNaik
Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.0.2 and Higher

Jazz Authorization Server (JAS) is a Liberty OpenID Connect Provider and it can be configured to further delegate authentication to a SAML Identity Provider or a Third Party OIDC Provider. The expectation is for Single Sign-On and Sign-Out to work between ELM and non-ELM applications that are both configured to use the same Provider.

The focus on this Article is on Single Sign-On and Logout. It is assumed that you have configured JAS with either a SAML IdP or a Third Party OIDC Provider.

Note: The following is found to work with ELM and JAS 7.0.2. This is not an officially tested and supported method.

Configuring Single Sign-On

When configured with a Third Party OIDC Provider, no changes are needed.

The default configuration of Jazz Authorization Server configured with SAML IdP indicates the IdP to force the user to re-authenticate. We would need to change this configuration for SSO to work between ELM and Non-ELM applications.

Steps to update the configuration:

  • Edit appConfig.xml file located at [JAS_HOME]\wlp\usr\server\jazzop\appConfig.xml
  • Search for samlWebSso20 section and update the parameter forceAuthn to forceAuthn="false" and add parameter spLogout="true"
       <samlWebSso20 
          id="defaultSP"
          spCookieName="jazzop_sso_cookie_idp"
          forceAuthn="false" 
          authFilterRef="samlAuthFilter"
          spLogout="true" >
       </samlWebSso20>
  • Test Single Sign-On between ELM and Non-ELM applications

Configuring Single Sign-Out

With the default configurations the Logout operations from ELM does not complete. You would need to perform the following additional configuration in ELM.

  • Request your Administrator to share the SAML or OIDC Logout URL
    • Example Microsoft ADFS federation logout URL https://[AFDF_Server]/adfs/ls/?wa=wsignout1.0
  • In each ELM application jts, ccm, qm, rm, gc and dcc perform the following:
    • Access Advanced Properties https://[ELM_URL]/[app]/admin#action=com.ibm.team.repository.admin.configureAdvanced
    • Search for the property Web Logout URI and update the value to the Logout URL received
    • Search for the property Trusted URIs for client authorization and redirection and update the value with the Logout URL received
  • Test Logout from ELM Applications

Testing

After applying the Single Sign-On and Sign Out configurations mentioned in the previous steps, following are the results

  • Single Sign-On is achieved between ELM and Non-ELM applications
  • Logout from an ELM Application will logout via the IdP logout URL and all other ELM Applications are logged out

  • Logout from a Non-ELM application - ELM applications are NOT logged out immediately
    • Post the SSO timeout which is set to 2 hours by default (can be changed), the applications are redirected to the IdP and existing sessions are logged out

Troubleshooting

Error: Bad Request

If you encounter the following error, you would need to increase the Request Field size limit on the Reverse Proxy server

bad_request.png

Increasing the Request Field Size on IBM HTTP Server

  • Edit the file [IHS_HOME]\conf\httpd.conf
  • Add the parameter LimitRequestFieldSize 16380 along with section that define ThreadLimit

Related topics: Jazz Authorization Server Landing Page, Configure ELM with a Third Party OIDC provider

External links:

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r19 | r9 < r8 < r7 < r6 | More topic actions...
 
This site is powered by the TWiki collaboration platformCopyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.