Jazz Authorization Server (JAS) is a Liberty OpenID Connect Provider, and it can be configured to further delegate authentication to a SAML Identity Provider or a Third Party OIDC Provider. The expectation is for Single Sign-On and Sign-Out to work between ELM and non-ELM applications that are configured to use the same Provider.
The focus of this article is on Single Sign-On and Sign-Out. It is assumed that you have already configured JAS with either a SAML IdP or a Third Party OIDC Provider.
This workaround works only if the SAML or OIDC Logout URL can be accessed directly, since the browser is redirected to it on logout.
Note:
The following is found to work with ELM and JAS 7.0.2. This is not an officially tested and supported method.
Configuring Single Sign-On
When configured with a Third Party OIDC Provider, no changes are needed.
When JAS is configured with a SAML IdP, its default configuration tells the IdP to force the user to re-authenticate on every authentication request (the forceAuthn attribute of the Liberty samlWebSso20 element), so an IdP session that a non-ELM application has already established is not reused. This configuration must be changed for SSO to work between ELM and non-ELM applications.
Steps to update the configuration:
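The update steps themselves are not reproduced on this page. As an added example that is not IBM's code or documentation, the script below reads a Liberty-style server configuration, reports the forceAuthn value on each samlWebSso20 element, and returns a copy with forceAuthn="false" so that an existing IdP session is reused instead of re-prompting. The sample configuration is constructed: the element and attribute names follow the Liberty samlWebSso20 feature, while the id, host and metadata path are assumptions, and which file holds the element in a given JAS installation is not stated on this page.

```python
"""Audit a Liberty-style server configuration for the samlWebSso20
forceAuthn setting that makes the IdP re-prompt on every request.

Added example, not IBM's tooling. SAMPLE_CONFIG is constructed: the
element/attribute names follow Liberty's samlWebSso20 feature; the id,
hostname and metadata path are illustrative assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample: a samlWebSso20 element with forceAuthn="true",
# the setting this article says defeats SSO with non-ELM applications.
SAMPLE_CONFIG = """<server>
  <featureManager>
    <feature>samlWeb-2.0</feature>
  </featureManager>
  <samlWebSso20 id="defaultSP"
                forceAuthn="true"
                spHostAndPort="https://jas.example.com:9643"
                idpMetadata="${server.config.dir}/resources/security/idpMetadata.xml"/>
</server>
"""


def saml_force_authn(config_xml: str) -> dict[str, str]:
    """Return {element id: forceAuthn value} for every samlWebSso20 element.

    A missing attribute is reported as "false", which is Liberty's default
    for forceAuthn, so only an explicit "true" is the SSO-breaking case.
    """
    root = ET.fromstring(config_xml)
    return {
        el.get("id", ""): el.get("forceAuthn", "false").strip().lower()
        for el in root.iter("samlWebSso20")
    }


def disable_force_authn(config_xml: str) -> str:
    """Return the configuration with forceAuthn="false" on every
    samlWebSso20 element, so the IdP may reuse an existing session."""
    root = ET.fromstring(config_xml)
    for el in root.iter("samlWebSso20"):
        el.set("forceAuthn", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", saml_force_authn(SAMPLE_CONFIG))
    fixed = disable_force_authn(SAMPLE_CONFIG)
    print("after :", saml_force_authn(fixed))
```

To audit a real installation, read the configuration file into `saml_force_authn` and look for any id reported as "true". Use the result to guide a manual edit rather than overwriting the file with the output of `disable_force_authn`: ElementTree discards XML comments on parsing, and a Liberty server must be restarted or must reload its configuration for the change to take effect.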
Configuring Single Sign-Out
With the default configuration, logout from an ELM application does not complete, because ELM is never told to redirect the browser to the IdP's logout URL. Perform the following additional configuration in ELM.
- Request the SAML or OIDC Logout URL from your IdP administrator. Example Microsoft ADFS federation sign-out URL:
  https://[ADFS_Server]/adfs/ls/?wa=wsignout1.0
- In each ELM application (jts, ccm, qm, rm, gc and dcc) perform the following:
  - Open Advanced Properties:
    https://[ELM_URL]/[app]/admin#action=com.ibm.team.repository.admin.configureAdvanced
  - Search for the property Web Logout URI and set its value to the Logout URL received.
  - Search for the property Trusted URIs for client authorization and redirection and add the Logout URL received. Add the exact URL rather than a broader pattern, since ELM will redirect to any URI on this list.
- Test logout from the ELM applications.
Testing
After applying the Single Sign-On and Sign-Out configuration described in the previous steps, the results are as follows:
- Single Sign-On works between ELM and non-ELM applications.
- Logout from an ELM application redirects to the IdP logout URL, and all other ELM applications are logged out as well.
- Logout from a non-ELM application does NOT log the ELM applications out immediately: their sessions are held by ELM and JAS cookies that remain valid independently of the IdP session, and nothing in this configuration propagates the IdP logout back to them.
- After the SSO timeout (2 hours by default; it can be changed), the ELM applications redirect to the IdP, which no longer holds a session for the user, so the existing ELM sessions end and the user must sign in again.
Troubleshooting
Error: Bad Request
If the browser shows a Bad Request (HTTP 400) error during login or logout, a request header line is larger than the reverse proxy accepts. In an SSO setup this is typically the Cookie header, because the cookies carrying the federated session and its claims are large. Increase the request header field size limit on the reverse proxy server.
Increasing the Request Field Size on IBM HTTP Server
- Edit the file
[IHS_HOME]\conf\httpd.conf
- Add the directive
LimitRequestFieldSize 16380
in the section that defines ThreadLimit (the MPM settings), then restart IBM HTTP Server. The directive limits the size of each individual header line, not the total size of all headers.
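Because LimitRequestFieldSize is applied to each header line separately (name, colon and value), the useful check is the longest single line of the request rather than the total header size. As an added diagnostic that is not part of the original article or of IBM's or Apache's tooling, the script below measures every header line of a captured request and reports which lines exceed the default limit of 8190 bytes and which would still exceed 16380. The request it builds, and the cookie names in it, are constructed for illustration.

```python
"""Check each header line of a raw HTTP request against Apache/IHS
LimitRequestFieldSize, which applies per header line.

Added example, not IBM's or Apache's code. The request built below is
constructed; the cookie names and values are illustrative only.
"""
from __future__ import annotations

APACHE_DEFAULT = 8190   # Apache/IHS default LimitRequestFieldSize
ARTICLE_VALUE = 16380   # value recommended in the troubleshooting step


def build_sample_request(cookie_bytes: int) -> str:
    """Constructed GET request whose second cookie value is cookie_bytes
    long, standing in for a large SSO token cookie."""
    token = "A" * cookie_bytes
    return (
        "GET /jts/web/ HTTP/1.1\r\n"
        "Host: elm.example.com\r\n"
        "User-Agent: example/1.0\r\n"
        f"Cookie: JSESSIONID=0000abcd; SsoToken={token}\r\n"
        "\r\n"
    )


def header_lines(raw_request: str) -> list[str]:
    """Header lines after the request line, up to the blank line."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def oversized_headers(raw_request: str, limit: int) -> list[tuple[str, int]]:
    """(header name, line length in bytes) for every header line that is
    longer than limit, the same comparison Apache makes per line."""
    bad = []
    for line in header_lines(raw_request):
        size = len(line.encode("utf-8"))
        if size > limit:
            bad.append((line.split(":", 1)[0], size))
    return bad


def required_limit(raw_request: str) -> int:
    """Smallest LimitRequestFieldSize that admits every header line."""
    return max(len(line.encode("utf-8")) for line in header_lines(raw_request))


if __name__ == "__main__":
    req = build_sample_request(10000)
    print("over default :", oversized_headers(req, APACHE_DEFAULT))
    print("over 16380   :", oversized_headers(req, ARTICLE_VALUE))
    print("needs at least:", required_limit(req))
```

To use it on a real failure, paste the raw request captured from the browser's developer tools or from the proxy's access log into `oversized_headers`; if `required_limit` reports more than 16380, raising the directive alone will not help and the cookie payload itself (for example the number of group claims) has to shrink.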
External links: