Topic
  • 5 replies
  • Latest Post - ‏2017-09-06T20:55:46Z by Charlie McGarvey
PARTHKAUSHIK
PARTHKAUSHIK
12 Posts

Pinned topic SAML Link in Work Task notification email

‏2017-08-04T12:31:55Z |

Hi,

We are using IdP-initiated SAML, and we access TRIRIGA via a link something like this: http://idpprovider/applications/Tririga . Can we pass this link in FRONT_END_SERVER in web.properties so that the users can click on the link they get in the email of a work task and be redirected to TRIRIGA?

Thanks,

Parth

  • jefflong_wipro
    jefflong_wipro
    19 Posts

    Re: SAML Link in Work Task notification email

    ‏2017-08-30T14:12:24Z  

    Hello,

    Please see the following APAR link: http://www-01.ibm.com/support/docview.wss?uid=swg1IV88274

    SAML does not support basic authentication for non-browser clients.

    Thanks

  • Charlie McGarvey
    Charlie McGarvey
    11 Posts

    Re: SAML Link in Work Task notification email

    ‏2017-08-30T17:42:03Z  

    This disposition of the APAR is disappointing for enterprise-class software. This will significantly hinder migrations to cloud-based implementations (and the adoption of Watson features).

    Updated on 2017-08-30T19:59:28Z by Charlie McGarvey
  • jefflong_wipro
    jefflong_wipro
    19 Posts

    Re: SAML Link in Work Task notification email

    ‏2017-09-06T16:51:07Z  

    Hello,

    Please understand that this is not a self-imposed limitation set forth by TRIRIGA support and development. This is a SAML limitation in that, in a non-HTTP/non-browser client, you do not have access to the HTTP body, which means you cannot read the SAML token.

    This is why we offer alternatives as a way to work around SAML limitations to the HTTP Redirect and HTTP POST bindings identified in the SAML spec. We recommend an alternative best practice in the link provided earlier: set up a separate non-SAML SSO solution for non-browser client users, which can support basic or NTLM authentication.

    Keep in mind the OP was talking about using an emailed link. You mention how this is disappointing for enterprise-class software. This is not unique to TRIRIGA. For example, using a Microsoft Outlook client with a tool such as Outlook Anywhere (enterprise software) to allow users to access their email remotely (a likely scenario for the OP), one must also choose basic or NTLM authentication when configuring Outlook Anywhere.

    In the end, this is a limitation of SAML and the HTTP Redirect and HTTP POST bindings.

    I hope this helps clarify/explain this issue some.

    Thanks
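
As an added diagnostic (not code from this thread or from TRIRIGA), the following Python classifier shows what a non-browser client actually receives when it fetches the emailed link without a browser session: either the HTTP-Redirect binding (a 302 carrying SAMLRequest), the HTTP-POST binding (an HTML form carrying the SAML token that only a browser auto-submits), or the real page. The IdP form, hostnames and token values are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _SamlFormParser(HTMLParser):
    """Collects each <form> action and its named <input> fields from an HTML body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_response(status, headers, body):
    """Classify what a non-browser client gets back when it follows the emailed link.
    'saml_redirect'  : HTTP-Redirect binding, a 302 whose Location carries SAMLRequest
    'saml_post_form' : HTTP-POST binding, an HTML form carrying SAMLRequest/SAMLResponse
                       that only a browser (usually via JavaScript) submits automatically
    'content'        : the application page itself, i.e. an existing session was valid
    'other'          : anything else, e.g. a plain redirect to a login page
    """
    location = headers.get("Location", "")
    if status in (302, 303) and "SAMLRequest" in parse_qs(urlparse(location).query):
        return "saml_redirect"
    if status == 200:
        parser = _SamlFormParser()
        parser.feed(body)
        for form in parser.forms:
            if form["fields"].keys() & {"SAMLRequest", "SAMLResponse"}:
                return "saml_post_form"
        return "content"
    return "other"


# Constructed sample: the auto-submit page an IdP serves for the HTTP-POST binding
# (hostnames and the SAMLResponse value are placeholders, not a real assertion).
IDP_POST_FORM = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://tririga.example.com/saml/acs">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLi4u"/>
<input type="hidden" name="RelayState" value="/applications/Tririga"/>
</form></body></html>"""
```

A mail client or scripted fetch that lands on `saml_post_form` has the token in a form body it will never submit, which is exactly the limitation described above.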

  • Charlie McGarvey
    Charlie McGarvey
    11 Posts

    Re: SAML Link in Work Task notification email

    ‏2017-09-06T18:22:31Z  

    Thanks for the clarification and taking the time to explain it. I didn't realize that "you do not have access to the HTTP body which means you cannot read the SAML token." Getting the infrastructure on the cloud side of the application to support NTLM will be a challenge for many customers.

  • Charlie McGarvey
    Charlie McGarvey
    11 Posts

    Re: SAML Link in Work Task notification email

    ‏2017-09-06T20:55:46Z  

    The policy for many large organizations to access official information states that authentication has to have (at a minimum) "what you have and what you know." For many IBM TRIRIGA customers, the PKI infrastructure to support the policy is smart cards, PINs, and SAML. Extending NTLM to the cloud providers is not allowed, against policy, or just expensive. Regardless of the technical issues, not being able to use key components of the tool prevents moving to cloud providers like IBM.