You can configure the Jazz™ Authorization Server to use the System for Cross-domain Identity Management (SCIM) feature of the WebSphere® Application Server Liberty profile. SCIM is an open, REST-based standard for provisioning and managing user and group accounts across administrative domains. It does not itself provide browser single sign-on (SSO); in Jazz Authorization Server, SSO is handled by the OpenID Connect provider, and SCIM gives the CLM applications a standard API for reading user and group membership from the registry behind it.
Starting in Rational® solution for Collaborative Lifecycle Management (CLM) 6.0.2, Jazz Authorization Server supports SCIM in the Liberty profile. For more information about the SCIM feature, see Configuring SCIM for user and group member management.
Procedure
- If Jazz Authorization Server is running, stop it, as described in Managing users on Jazz Authorization Server.
- Enable the Jazz Authorization Server to support SCIM 1.0:
  - In an editor, open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file.
  - Add the following element for the SCIM feature in the <featureManager> section:
    <feature>scim-1.0</feature>
  - Save your changes and close the file.
- In an editor, configure these files:
  JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml
  JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml
  For instructions about configuring the files, see Configuring the Jazz Authorization Server to use an LDAP user registry, and then return to this procedure for the SCIM feature.
  For the ldapUserRegistry.xml file, the following sample shows an LDAP registry on Microsoft Active Directory for SCIM (every attribute value, including port, must be quoted or Liberty rejects the file as malformed XML):
    <ldapRegistry
        id="your_id" realm="SampleLdapADRealm"
        host="your_host_name.com" port="your_port_number" ignoreCase="true"
        baseDN="cn=users,dc=asmith,dc=test"
        bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
        bindPassword="{xor}HTYxOx9vbmo="
        ldapType="Microsoft Active Directory">
    </ldapRegistry>
    <federatedRepository>
        <primaryRealm name="FVTRegistry">
            <participatingBaseEntry name="cn=users,dc=asmith,dc=test"/>
        </primaryRealm>
    </federatedRepository>
    <administrator-role>
        <user>TestJazzAdmin1</user>
    </administrator-role>
  The {xor} prefix marks an XOR-obfuscated value, not an encrypted one: anyone who can read the file can recover the bind password. Encode the password with JazzAuthServer_install_dir/wlp/bin/securityUtility encode --encoding=aes instead, and restrict read access to ldapUserRegistry.xml. If the directory accepts LDAPS, also set sslEnabled="true" on the ldapRegistry element so the bind credentials and directory data do not cross the network in clear text.
  For the ldapUserRegistry.xml file, the following sample shows an LDAP registry on IBM Tivoli® Directory Server:
    <ldapRegistry
        id="your_id" realm="SampleLdapIDSRealm" ignoreCase="true"
        host="your_host_name" port="your_port_number"
        baseDN="o=basedn.com"
        recursiveSearch="true"
        ldapType="IBM Tivoli Directory Server">
    </ldapRegistry>
    <administrator-role>
        <user>clmadmin</user>
        <user>mtmadmin</user>
    </administrator-role>
  This sample has no bindDN, so Liberty binds anonymously; the directory must permit anonymous search under o=basedn.com. If it does not, add bindDN and bindPassword as in the Active Directory sample.
- Confirm that Jazz Authorization Server can read the LDAP registry by opening the following URLs. If these URLs return no user or group information, the CLM applications cannot access your user registry either.
  - Start the Jazz Authorization Server, as described in Managing users on Jazz Authorization Server.
  - Open a browser window outside the Jazz Authorization Server host environment, so that the check also exercises the host name and port that CLM clients will use.
  - Confirm the OpenID Connect provider with this URL:
    https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/.well-known/openid-configuration
  - Confirm the SCIM API for Groups with this URL:
    https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups
  - Confirm the SCIM API for Users with this URL:
    https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users
  The SCIM URLs are protected: when prompted, log in as a user listed in the <administrator-role> element of ldapUserRegistry.xml. An unauthenticated request that returns user data indicates a misconfiguration, not a success.
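The following pre-flight check is an added example, not IBM tooling and not part of the original procedure. It lints the two files edited above before the server is restarted: it confirms that scim-1.0 is in the featureManager, that ldapUserRegistry.xml is well-formed XML (the unquoted port attribute in a hand-edited file is a typical failure), that a {xor} bindPassword is flagged as reversible obfuscation by actually decoding it, that sslEnabled is set, that every participatingBaseEntry matches a registry baseDN, and that at least one administrator-role user exists. The sample XML is constructed from the Active Directory fragment on this page; the <server> root element, the port value 389, and the XOR key byte 0x5F used by the Liberty {xor} encoding are assumptions stated in the code.

```python
"""Pre-flight lint for Jazz Authorization Server SCIM/LDAP configuration.

Added example, not IBM's own tooling. Assumptions:
- Liberty include files (ldapUserRegistry.xml) carry a <server> root element.
- A {xor}... value is base64(plaintext XOR 0x5F), i.e. obfuscation, not encryption.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List

XOR_KEY = 0x5F  # the byte ('_') the Liberty {xor} encoding XORs with (assumption)

# Constructed server.xml fragment; other features the real file carries are omitted.
SERVER_XML = """<server>
  <featureManager>
    <feature>scim-1.0</feature>
  </featureManager>
</server>"""

# Constructed from the page's Active Directory sample, wrapped in a <server> root.
LDAP_XML = """<server>
  <ldapRegistry id="your_id" realm="SampleLdapADRealm"
      host="your_host_name.com" port="389" ignoreCase="true"
      baseDN="cn=users,dc=asmith,dc=test"
      bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
      bindPassword="{xor}HTYxOx9vbmo="
      ldapType="Microsoft Active Directory">
  </ldapRegistry>
  <federatedRepository>
    <primaryRealm name="FVTRegistry">
      <participatingBaseEntry name="cn=users,dc=asmith,dc=test"/>
    </primaryRealm>
  </federatedRepository>
  <administrator-role>
    <user>TestJazzAdmin1</user>
  </administrator-role>
</server>"""


def decode_xor(encoded: str) -> str:
    """Reverse a {xor} value: XOR with a fixed byte is its own inverse."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def scim_enabled(server_xml: str) -> bool:
    """True if <featureManager> lists the scim-1.0 feature."""
    root = ET.fromstring(server_xml)
    return any((f.text or "").strip() == "scim-1.0" for f in root.iter("feature"))


def lint_ldap_config(xml_text: str) -> List[str]:
    """Return human-readable findings for an ldapUserRegistry.xml; empty list = clean."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Liberty rejects a malformed include outright, so stop here.
        return [f"not well-formed XML (check attribute quoting): {exc}"]

    registries = list(root.iter("ldapRegistry"))
    if not registries:
        findings.append("no <ldapRegistry> element found")
    base_dns = set()
    for reg in registries:
        rid = reg.get("id", "?")
        base_dns.add(reg.get("baseDN"))
        pw = reg.get("bindPassword", "")
        if pw.startswith("{xor}"):
            findings.append(f"ldapRegistry {rid}: bindPassword is {{xor}} obfuscated, "
                            f"recoverable as {decode_xor(pw)!r}; re-encode with "
                            "securityUtility encode --encoding=aes")
        elif pw and not pw.startswith("{"):
            findings.append(f"ldapRegistry {rid}: bindPassword stored in plain text")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"ldapRegistry {rid}: sslEnabled is not true; bind "
                            "credentials and directory data cross the network in clear")

    for pbe in root.iter("participatingBaseEntry"):
        if pbe.get("name") not in base_dns:
            findings.append(f"participatingBaseEntry {pbe.get('name')!r} matches no registry baseDN")

    admins = [u.text.strip() for role in root.iter("administrator-role")
              for u in role.iter("user") if u.text]
    if not admins:
        findings.append("no <administrator-role> user defined")
    return findings


if __name__ == "__main__":
    print("scim-1.0 enabled:", scim_enabled(SERVER_XML))
    for line in lint_ldap_config(LDAP_XML):
        print("-", line)
```

Run it against the real files by reading them into the two strings; a clean run prints "scim-1.0 enabled: True" and no findings. On the page's sample it reports the {xor} password and the missing sslEnabled, which are exactly the two things to fix before the first restart.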
What to do next
- With the SCIM feature enabled and the Jazz Authorization Server started, configure the SCIM feature for the Jazz Team Server; see step 8 of Running the setup by using Custom setup in the setup wizard.
  Notes:
  - Jazz Security Architecture SSO must be enabled before you can configure the SCIM feature on Jazz Team Server. If you did not enable SSO when you installed CLM, enable it, as described in Enabling CLM applications for Jazz Security Architecture single sign-on.
  - Jazz Team Server must be running.
  - Pop-up windows must be enabled in the browser so that you can log in to the Jazz Authorization Server.
- With the Jazz Team Server configured for the SCIM feature, synchronize the Jazz Team Server with the external user registry and import users; see Importing users from an external user registry.