Single sign-on authentication in CLM

Single sign-on (SSO) authentication is a mechanism where multiple related but independent software applications are configured so that a user logs in once and gains access to all systems, without the need to reauthenticate. Rational® solution for Collaborative Lifecycle Management (CLM) supports several types of single sign-on authentication. Use the protocol that is appropriate for your deployment configuration and needs.
Note: The current release does not support a combination of Kerberos/SPNEGO SSO authentication and Jazz Security Architecture SSO authentication.

Kerberos/SPNEGO SSO authentication

Rational Team Concert® supports Kerberos/SPNEGO authentication. The following clients can authenticate with a server that is configured for this protocol:
  • Rational Team Concert browser-based client
  • Rational Team Concert Eclipse client
  • Rational Team Concert .NET clients:
    • Rational Team Concert Client for Microsoft Visual Studio IDE
    • Rational Team Concert Windows Explorer integration
    • Rational Team Concert MS-SCCI Provider
  • Rational Team Concert SCM command-line interface
  • Jazz build clients:
    • Jazz Build Agent
    • Jazz Build Engine for the Eclipse client
    • Jazz Build Engine for IBM i
    • Jazz Build Engine for z/OS
    • Jazz Build System Toolkit
  • Jazz repository tools command-line interface

For more information, see Configuring Kerberos/SPNEGO single sign-on authentication.

Jazz Security Architecture SSO authentication

Jazz Security Architecture SSO is an authentication protocol based on the OpenID Connect standard. It is an alternative single sign-on protocol to Kerberos/SPNEGO SSO, WebSphere Application Server with Lightweight Third-Party Authentication (LTPA) SSO, or Apache Tomcat SSO. Jazz Security Architecture SSO is supported on all platforms and allows for single sign-on across applications that are installed in a mix of WebSphere Application Server and Tomcat servers.

Authentication services are provided by the Jazz Authorization Server, which must be installed somewhere in your network.
Restriction: Installation of the Jazz Authorization Server on IBM i and z/OS systems is not supported.
In addition, Jazz Security Architecture SSO must be enabled on the Jazz Team Server and deployed CLM applications. Authentication administration is simplified because only the Jazz Authorization Server must be configured for authentication (for example, to use an LDAP user registry); WebSphere Application Server and Tomcat servers that host CLM applications are not configured for authentication. The Jazz Authorization Server validates user credentials and issues access tokens that can be shared across applications.

Also, Jazz Security Architecture SSO eliminates the requirement for paired configuration of OAuth consumer keys. All applications that are configured for Jazz Security Architecture SSO can communicate with each other without a configuration for every possible source and destination relationship.

For new installations, you enable Jazz Security Architecture SSO by selecting it as an option during the installation process. For more information, see Installing the Rational solution for Collaborative Lifecycle Management by using IBM Installation Manager.

For existing installations, you enable Jazz Security Architecture SSO by performing a migration procedure after you upgrade to the current release. For more information, see Enabling CLM applications for Jazz Security Architecture single sign-on.

WebSphere Application Server with Lightweight Third-Party Authentication (LTPA) SSO authentication

You can configure single sign-on in a distributed environment on WebSphere Application Server by using the LTPA authentication protocol. With LTPA, a user's login credentials are stored in a session cookie that is available for the current browser session only. This cookie contains the LTPA token. For more information, see Deploying Apache Tomcat or WebSphere Application Server by using single sign-on authentication.
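The session-only property described above can be checked from a captured `Set-Cookie` header. The following is an added example, not part of the original documentation or IBM's code. It assumes the WebSphere default cookie names `LtpaToken` and `LtpaToken2`, which this page does not state, and it also checks the `Secure` and `HttpOnly` attributes as common hardening for a cookie that carries an authentication token. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Assumption: WebSphere's default LTPA cookie names (not stated on this page).
LTPA_COOKIE_NAMES = {"LtpaToken", "LtpaToken2"}


def audit_ltpa_cookie(set_cookie_header):
    """Return findings for one Set-Cookie header value.

    An empty list means the header is not an LTPA cookie or passes all checks.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if name not in LTPA_COOKIE_NAMES:
            continue
        # A session cookie carries neither Expires nor Max-Age, so the
        # browser discards it when the browser session ends.
        if morsel["expires"] or morsel["max-age"]:
            findings.append(f"{name}: Expires/Max-Age set, cookie is not session-only")
        # Without Secure the token can be sent over plain HTTP.
        if not morsel["secure"]:
            findings.append(f"{name}: Secure attribute missing")
        # Without HttpOnly the token is readable by page scripts.
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly attribute missing")
    return findings


# Constructed sample headers, not captured from a real server.
SAMPLE_HEADERS = [
    "LtpaToken2=CONSTRUCTEDVALUE; Path=/; Secure; HttpOnly",
    "LtpaToken2=CONSTRUCTEDVALUE; Path=/; Max-Age=86400",
    "JSESSIONID=0000constructed; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_ltpa_cookie(header)
        print(header, "->", result or "ok")
```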

WebSphere Liberty SSO authentication

You can configure single sign-on in a distributed environment on WebSphere Liberty by using the LTPA authentication protocol. For detailed instructions, see this Deployment wiki article.

Apache Tomcat SSO authentication

Apache Tomcat supports single sign-on authentication only when all applications are installed on the same server. For more information, see Deploying Apache Tomcat or WebSphere Application Server by using single sign-on authentication.
