Managing users on Jazz Authorization Server

Jazz Authorization Server is based on the IBM WebSphere Liberty server. Because Jazz Authorization Server authenticates users, it must be configured with a user registry.

Before you begin

WebSphere Liberty server has capabilities similar to the full WebSphere® Application Server; it can be configured to use an LDAP registry, or users can be defined in local files. For information about configuring authentication in WebSphere Liberty server, see Configuring a user registry for the Liberty profile.

About this task

Installation of Jazz Authorization Server creates a directory that is named JazzAuthServer in the installation location. The JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory includes sample files for both a basic, file-based user registry and an LDAP user registry.
  • The localUserRegistry.xml template file defines only the ADMIN and clmadmin users, with passwords the same as the user IDs. These are well-known default credentials: change the passwords (or remove the accounts you do not need) before the server is reachable by anyone other than the installer.
  • The ldapUserRegistry.xml file is a template for an LDAP registry configuration.
To customize the files in the defaults directory, copy them up one level to the JazzAuthServer_install_dir/wlp/usr/servers/jazzop directory. An easy way to copy the files is to start and then stop the Jazz Authorization Server by running the following commands:
  1. start-jazz.bat
  2. stop-jazz.bat
Then, modify the files in the jazzop directory.

Configuring the Jazz Authorization Server to use a file-based user registry

To configure the Jazz Authorization Server to use a file-based user registry, complete the next steps.

Before you begin

It is assumed that you copied the files in the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory up one level to the jazzop directory as described in About this task at the top of the page.

Procedure

  1. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/localUserRegistry.xml file in an editor.
    1. Add a user ID.
    2. Add an associated password by using either of the following methods.
      • Enter a password as cleartext. Anyone who can read the file can then use the account, so treat this as suitable only for initial setup.
      • Run the JazzAuthServer_install_dir/wlp/bin/securityUtility script to encode the password. After the script completes, copy the output, including its {xor}, {aes} or {hash} prefix, to the password attribute associated with the user ID.
        Tip: To run the securityUtility script, use the following syntax:

        securityUtility encode userPassword

        where userPassword is the password to encode. Without an --encoding option the script uses xor, which only obfuscates the value and is trivially reversible by anyone who can read the file. Prefer securityUtility encode --encoding=hash userPassword, where your Liberty level supports it, so that only a one-way hash is stored; use --encoding=aes only if the value must remain recoverable.

  2. Save your changes and close the file.
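The check below is an added example, not code from the Jazz Authorization Server documentation. It writes a constructed localUserRegistry.xml in Liberty's basicRegistry form and then audits how each user's password is stored, flagging the three weak cases that the procedure above can leave behind: a password identical to the user ID (the shipped template), a {xor}-obfuscated value, and a bare cleartext value. The realm, user names and the {xor}/{hash} values are invented placeholders, not real securityUtility output.

```shell
#!/bin/sh
# Added example; not part of the Jazz Authorization Server documentation.
# Writes a constructed localUserRegistry.xml in Liberty <basicRegistry> form
# and audits how each user's password is stored. User names, the realm and
# the encoded values are invented placeholders, not real securityUtility output.

# Write a sample registry to the path in $1 (contents are constructed).
write_sample_registry() {
  cat > "$1" <<'EOF'
<server>
  <basicRegistry id="basic" realm="JazzRealm">
    <!-- shipped template style: password equals the user ID -->
    <user name="clmadmin" password="clmadmin"/>
    <!-- default 'securityUtility encode' output: reversible xor obfuscation -->
    <user name="alice" password="{xor}PLACEHOLDER"/>
    <!-- 'securityUtility encode --encoding=hash' output: one-way hash -->
    <user name="bob" password="{hash}PLACEHOLDER"/>
    <group name="JazzAdmins">
      <member name="alice"/>
    </group>
  </basicRegistry>
</server>
EOF
}

# Print one finding per weakly stored password in the file named by $1:
#   DEFAULT   password is identical to the user ID
#   XOR       {xor} encoding, which is reversible by anyone who can read the file
#   CLEARTEXT no encoding prefix at all
# {aes} and {hash} values produce no finding. Assumes one <user .../> per line.
audit_registry() {
  grep '<user ' "$1" | while IFS= read -r line; do
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    pw=$(printf '%s\n' "$line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
    case "$pw" in
      "$name")             printf 'DEFAULT %s\n' "$name" ;;
      '{xor}'*)            printf 'XOR %s\n' "$name" ;;
      '{aes}'*|'{hash}'*)  ;;
      *)                   printf 'CLEARTEXT %s\n' "$name" ;;
    esac
  done
}

# Exit status 0 when the registry has no findings, 1 otherwise.
registry_is_clean() {
  [ -z "$(audit_registry "$1")" ]
}

# Usage:
#   write_sample_registry /tmp/localUserRegistry.xml
#   audit_registry /tmp/localUserRegistry.xml      # prints: DEFAULT clmadmin / XOR alice
#   registry_is_clean JazzAuthServer_install_dir/wlp/usr/servers/jazzop/localUserRegistry.xml
```

Run audit_registry against the real jazzop/localUserRegistry.xml after editing it; an empty result means every stored password is {aes} or {hash} encoded and differs from its user ID.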

Configuring the Jazz Authorization Server to use an LDAP user registry

To configure the Jazz Authorization Server to use an LDAP user registry instead of a file-based user registry, complete the following steps.

Before you begin

It is assumed that you copied the files in the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory up one level to the jazzop directory as described in About this task at the top of the page.

Procedure

  1. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml file in an editor.
    1. Comment out or delete the line that includes this content:
      <include location="localUserRegistry.xml" optional="true"/>
    2. Uncomment the line that contains this content:
      <include location="ldapUserRegistry.xml" optional="true"/>
    3. If the group name that is used for Jazz administrator access is not JazzAdmins, complete the next steps.
      1. In the <oauth-roles> element, edit the following line.
        <group name="JazzAdmins"/>
      2. Change the group name attribute value from JazzAdmins to the name of your Jazz administrator group. For example, in the following sample configuration, the clientManager role is granted to members of the YourJazzAdmins group.
        <oauth-roles>
          <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
          </authenticated>
          <clientManager>
            <group name="YourJazzAdmins"/>
          </clientManager>
        </oauth-roles>

      For more information, see Configuring an OpenID Connect Provider to accept client registration requests.

    4. Save your changes and close the file.
  2. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml file in an editor.
    1. Modify the <ldapRegistry> element for your LDAP registry.
      For information about changes to the <ldapRegistry> element, see Configuring a user registry for the Liberty profile.
      Note: The configuration parameters are essentially the same as the parameters that are used to configure LDAP for WebSphere Application Server, except that they must be entered into an XML file instead of specified in an administrative UI.
      Tip: Connect over LDAPS (sslEnabled="true", typically port 636) so that bind credentials and user passwords do not cross the network in cleartext, and store the bindPassword value in the encoded form produced by securityUtility rather than as cleartext.
    2. Save your changes and close the file.
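The script below is an added example, not code from the Jazz Authorization Server documentation. It writes constructed appConfig.xml and ldapUserRegistry.xml files in the shape the procedure above leaves them, then checks the two mistakes that most often follow it: leaving both registry includes (or neither) active, and an LDAP bind that is not TLS-protected or that carries a cleartext bindPassword. The LDAP host, DNs, realm, administrator group name and bind password are invented placeholders.

```shell
#!/bin/sh
# Added example; not part of the Jazz Authorization Server documentation.
# Writes constructed appConfig.xml and ldapUserRegistry.xml files in the shape
# the LDAP procedure leaves them, then checks them. Host, DNs, realm, group
# name and bind password are invented placeholders.

write_sample_ldap_config() {
  cat > "$1/appConfig.xml" <<'EOF'
<server>
  <!-- <include location="localUserRegistry.xml" optional="true"/> -->
  <include location="ldapUserRegistry.xml" optional="true"/>
  <oauth-roles>
    <authenticated>
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </authenticated>
    <clientManager>
      <group name="YourJazzAdmins"/>
    </clientManager>
  </oauth-roles>
</server>
EOF
  cat > "$1/ldapUserRegistry.xml" <<'EOF'
<server>
  <ldapRegistry id="ldap" realm="JazzRealm" ldapType="IBM Tivoli Directory Server"
      host="ldap.example.com" port="636" sslEnabled="true" sslRef="defaultSSLConfig"
      baseDN="o=example,c=us"
      bindDN="cn=jazzbind,o=example,c=us"
      bindPassword="{aes}PLACEHOLDER"/>
</server>
EOF
}

# Print the file with single-line XML comments removed, so that an include that
# was commented out (as step 1 instructs) is not counted as active.
active_lines() { sed 's/<!--.*-->//g' "$1"; }

# Number of still-active <include> elements for registry file $2 in $1.
active_include_count() {
  active_lines "$1" | grep -c "<include[^>]*location=\"$2\"" || true
}

# 0 when exactly one of the two registry includes is active, 1 otherwise.
registry_include_ok() {
  n_local=$(active_include_count "$1" localUserRegistry.xml)
  n_ldap=$(active_include_count "$1" ldapUserRegistry.xml)
  [ $((n_local + n_ldap)) -eq 1 ]
}

# 0 when <ldapRegistry> uses TLS and does not carry a cleartext bindPassword.
ldap_registry_ok() {
  reg=$(active_lines "$1" | tr '\n' ' ' | sed -n 's/.*\(<ldapRegistry[^>]*>\).*/\1/p')
  [ -n "$reg" ] || { echo 'no <ldapRegistry> element found'; return 1; }
  case "$reg" in
    *'sslEnabled="true"'*) ;;
    *) echo 'ldapRegistry: sslEnabled is not "true"; credentials would cross the network in cleartext'; return 1 ;;
  esac
  case "$reg" in
    *'bindPassword="{'*) ;;   # {xor}/{aes} encoded value from securityUtility
    *'bindPassword='*) echo 'ldapRegistry: bindPassword is stored in cleartext'; return 1 ;;
  esac
  return 0
}

# Usage against a real server directory:
#   registry_include_ok JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml
#   ldap_registry_ok    JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml
```

An anonymous bind (no bindPassword attribute) passes the second check by design; whether that is acceptable depends on what your directory exposes to unauthenticated searches.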

Enabling SAML as an identity provider

Jazz Authorization Server supports Security Assertion Markup Language (SAML) web browser single sign-on (SSO) in the WebSphere Application Server Liberty profile, which enables web applications to delegate user authentication to a SAML identity provider instead of a configured user registry.

Before you begin

It is assumed that you copied the files in the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory up one level to the jazzop directory as described in About this task at the top of the page.

About this task

Starting in the Rational solution for CLM version 6.0.1, Jazz Authorization Server supports SAML web browser SSO in the Liberty profile. SAML is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request. For more information, see SAML web single sign-on.

To configure the Jazz Authorization Server as a SAML SSO service provider (SP), complete the next steps.

Procedure

  1. Enable the Jazz Authorization Server to support SAML 2.0.
    1. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file in an editor.
    2. Locate the SAML xml section and follow the instructions between the <!-- SAML --> and <!-- end of SAML --> comments to enable the SAML and SSL features.
    3. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml file in an editor.
    4. Locate the SAML xml section between the <!-- SAML --> and <!-- end of SAML --> comments. Uncomment the <samlWebSso20> and <authFilter> elements.
      Note: The mapToUserRegistry="User" attribute on the <samlWebSso20> element maps the authenticated SAML subject to a user in the configured registry so that Jazz Authorization Server recognizes the user. You need this attribute only if your deployment includes Rational® solution for Collaborative Lifecycle Management (CLM) clients that are based on Eclipse technology. If you are using CLM web clients only, which retrieve group information directly from SAML, you do not need mapToUserRegistry="User".
      Example: The following sample code shows the SAML section of an appConfig.xml file that is edited to support SAML 2.0.
      <samlWebSso20 
         id="defaultSP" 
            spCookieName="jazzop_sso_cookie_idp"
            forceAuthn="true"
            authFilterRef="samlAuthFilter">
      </samlWebSso20>
      
      <authFilter id="samlAuthFilter">
         <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains" />
         <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains" />
      </authFilter>
    5. Save your changes and close the file.
  2. Export the spmetadata.xml file from the Jazz Authorization Server (SAML SP) by following the instructions in step 2 of Configuring SAML web browser SSO in the Liberty profile.
    Tip: The spmetadata.xml file describes the Jazz Authorization Server as a SAML SP: its entity ID, its assertion consumer endpoint, and the public certificates that the IdP uses to verify the signatures on the SP's requests and to encrypt assertions for it. It contains no private keys; those stay in the server's keystore.
    1. In a browser window, export the spmetadata.xml file by using the following URL:

      https://host_name:ssl_port/ibm/saml20/defaultSP/samlmetadata

      Note: The port number is defined in the appConfig.xml file.
    2. Save the file and record the location.
      Important: If you are not prompted to save the file, then there is a problem with the SAML configuration in the Jazz Authorization Server and the spmetadata.xml file is not exported. Check the SAML settings in the appConfig.xml and server.xml files.
  3. For the Jazz Authorization Server to communicate with the SAML IdP, the server must be registered as a partner in the IdP. Registering and enabling a partner depends on the SAML implementation in your IdP. Follow the SAML documentation to register and enable the partner.
  4. Export the SAML IdP metadata file so that you can add it to the Jazz Authorization Server. Follow the steps to export the metadata file for the IdP.
  5. Copy the metadata file that you exported in step 4 to the following location:

    JazzAuthServer_install_dir/wlp/usr/servers/jazzop/resources/security/idpmetadata.xml

  6. Test the Jazz Authorization Server connection to the SAML IdP by using the following URL:

    https://JazzAuthServer:port/oidc/endpoint/jazzop/authorize

    Note: The port number is defined in the appConfig.xml file.

    If you configured the Jazz Authorization Server correctly, the SAML IdP login window opens.

    Note: Logging in now generates an error, which you can ignore. The purpose of this step is to ensure that the SAML login window is displayed.
  7. If your deployment includes a mix of Eclipse and web clients, you must configure the Jazz Authorization Server to support either a file-based user registry server or an LDAP server. This step provides a mechanism for Eclipse clients to authenticate.
    Remember: Web clients retrieve group information directly from the SAML IdP.
  8. Start the Jazz Authorization Server.
  9. Validate the Jazz Authorization Server configuration.
    1. Open a browser window outside the Jazz Authorization Server host environment and go to the following URL, which must return the OpenID Connect discovery document (a JSON object whose issuer value points at this server):

      https://host_name:ssl_port/oidc/endpoint/jazzop/.well-known/openid-configuration

    2. Verify that the user registry is configured correctly by going to the following URL. You are prompted to log in; log in as a user from the registry who is in the Jazz administrator group (the clientManager role), which confirms that both authentication and group lookup work.

      https://host_name:ssl_port/oidc/endpoint/jazzop/registration
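The script below is an added example, not code from the Jazz Authorization Server documentation, covering two points of the SAML procedure above. route_for_request mirrors the routing decision that the <authFilter id="samlAuthFilter"> in step 1 makes: only a request whose URL contains /authorize and whose User-Agent contains Mozilla or Opera is sent to the SAML IdP; anything else, such as an Eclipse client, falls through to the configured user registry, which is why step 7 still needs a registry for mixed deployments. It assumes that the | in agent="Mozilla|Opera" is read as alternation. check_sp_metadata verifies that what you saved in step 2 is SP metadata rather than an HTML error or login page. The metadata document, host name, port and certificate value are constructed placeholders.

```shell
#!/bin/sh
# Added example; not part of the Jazz Authorization Server documentation.
# Offline checks for the SAML setup: a model of the samlAuthFilter routing
# decision, and a sanity check on an exported spmetadata.xml. The sample
# metadata, host, port and certificate are constructed placeholders.

# Echo "saml" when the request would be handed to the SAML IdP by the
# samlAuthFilter (URL contains /authorize AND User-Agent contains Mozilla or
# Opera, "|" read as alternation), "registry" otherwise. $1 = URL, $2 = User-Agent.
route_for_request() {
  case "$1" in
    *'/authorize'*)
      case "$2" in
        *Mozilla*|*Opera*) echo saml ;;
        *)                 echo registry ;;
      esac ;;
    *) echo registry ;;
  esac
}

# Write a constructed SP metadata document to $1.
write_sample_sp_metadata() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://jazzauth.example.com:9643/ibm/saml20/defaultSP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jazzauth.example.com:9643/ibm/saml20/defaultSP/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# 0 when $1 contains the elements an IdP needs from SP metadata (entity,
# SP role, assertion consumer endpoint, public certificate); prints what is
# missing and returns 1 otherwise. An HTML body means the export failed.
check_sp_metadata() {
  f="$1"; rc=0
  for needle in EntityDescriptor SPSSODescriptor AssertionConsumerService X509Certificate; do
    grep -q "$needle" "$f" || { echo "missing $needle"; rc=1; }
  done
  grep -qi '<html' "$f" && { echo "got HTML, not metadata: check the SAML settings in appConfig.xml and server.xml"; rc=1; }
  return $rc
}

# Live variant (server running, CA bundle that signs its TLS certificate):
#   curl -fsS --cacert ca.pem -o spmetadata.xml \
#     https://host_name:ssl_port/ibm/saml20/defaultSP/samlmetadata && check_sp_metadata spmetadata.xml
```

The same curl pattern, pointed at https://host_name:ssl_port/oidc/endpoint/jazzop/.well-known/openid-configuration, gives a scriptable version of validation step 9.1: the response must be JSON containing an issuer, not an HTML page.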

