Enabling SAML as an identity provider
Jazz® Authorization Server supports Security Assertion Markup Language (SAML) web browser single sign-on (SSO) in WebSphere Liberty, which enables web applications to delegate user authentication to a SAML identity provider instead of a configured user registry.
Before you begin
About this task
Starting in version 6.0.1, Jazz Authorization Server supports SAML web browser SSO in the Liberty profile. SAML is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. A SAML assertion is an XML formatted token that is used to transfer user identity and attribute information from the identity provider (IdP) of a user to a trusted service provider (SP) as part of completing an SSO request. For more information, see SAML web single sign-ons.
To configure the Jazz Authorization Server as a SAML SSO service provider (SP), complete the following steps.
Enable the Jazz Authorization Server to support
- Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file in an editor. Locate the SAML xml section and follow the instructions between the <!-- end of SAML> comments to enable the SAML and SSL features.
- Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml file in an editor. Locate the SAML xml section between the <!-- end of SAML> comments. Uncomment the
The EWM Eclipse client and other non-browser clients (such as repotools commands) do not directly support the SAML protocol, so this configuration excludes them from using the SAML identity provider for authentication. Instead, the Jazz Authorization Server uses its configured user registry to authenticate such clients. However, you can use the configuration described in Application Passwords for Native Client Authentication with OpenID Connect to enable the EWM Eclipse client and some other non-browser clients to authenticate indirectly with the SAML identity provider by using application passwords that are obtained through SAML authentication.

Example: The following sample code shows the SAML section of an appConfig.xml file that is edited to support SAML 2.0.
<samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp" forceAuthn="true" authFilterRef="samlAuthFilter">
</samlWebSso20>
<authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains" />
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains" />
</authFilter>
- Save your changes and close the file.
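The authFilter above is what decides which requests are handed to the SAML IdP and which fall through to the configured user registry: a request must hit a URL containing /authorize and come from a user agent containing Mozilla or Opera. The following script is an added example (not IBM's code or part of this documentation) that parses a constructed copy of that SAML section and applies a simplified model of Liberty's authFilter semantics, assumed here to be "every child element must match, and | separates alternatives". The sample user-agent strings are constructed for illustration.

```python
"""Model which requests the samlAuthFilter in appConfig.xml routes to SAML.

Added example, not IBM's code.  The authFilter semantics below are a simplified
assumption: every child element of the filter must match for the request to be
sent to the IdP, and '|' in a pattern separates alternatives.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the SAML section shown on this page, wrapped in a root element.
APP_CONFIG_SAML = """
<server>
  <samlWebSso20 id="defaultSP" spCookieName="jazzop_sso_cookie_idp"
                forceAuthn="true" authFilterRef="samlAuthFilter"/>
  <authFilter id="samlAuthFilter">
    <requestUrl id="samlRequestUrl" urlPattern="/authorize" matchType="contains"/>
    <userAgent id="samlUserAgent" agent="Mozilla|Opera" matchType="contains"/>
  </authFilter>
</server>
"""


def _matches(value, pattern, match_type):
    """Apply one filter rule; alternatives are '|'-separated (assumed semantics)."""
    alternatives = pattern.split("|")
    if match_type == "contains":
        return any(alt in value for alt in alternatives)
    if match_type == "equals":
        return value in alternatives
    if match_type == "notContain":
        return not any(alt in value for alt in alternatives)
    raise ValueError(f"unsupported matchType {match_type!r}")


def load_auth_filter(xml_text, filter_id):
    """Return the rules of the authFilter with the given id as (tag, attributes) pairs."""
    root = ET.fromstring(xml_text)
    for flt in root.iter("authFilter"):
        if flt.get("id") == filter_id:
            return [(child.tag, dict(child.attrib)) for child in flt]
    raise KeyError(f"no authFilter with id {filter_id!r}")


def auth_path(xml_text, url, user_agent):
    """Return 'saml' if the request would be delegated to the IdP, else 'registry'."""
    root = ET.fromstring(xml_text)
    sp = root.find("samlWebSso20")
    rules = load_auth_filter(xml_text, sp.get("authFilterRef"))
    for tag, attrs in rules:
        if tag == "requestUrl":
            ok = _matches(url, attrs["urlPattern"], attrs.get("matchType", "contains"))
        elif tag == "userAgent":
            ok = _matches(user_agent, attrs["agent"], attrs.get("matchType", "contains"))
        else:
            raise ValueError(f"unsupported filter element <{tag}>")
        if not ok:
            return "registry"  # any failing rule excludes the request from SAML
    return "saml"


def route_table(xml_text):
    """Classify a few constructed requests; useful to eyeball what the filter does."""
    samples = [  # (url, user agent) -- constructed, not captured traffic
        ("/oidc/endpoint/jazzop/authorize", "Mozilla/5.0 (X11; Linux x86_64)"),
        ("/oidc/endpoint/jazzop/authorize", "Opera/9.80"),
        ("/oidc/endpoint/jazzop/authorize", "Jakarta Commons-HttpClient/3.1"),
        ("/oidc/endpoint/jazzop/token", "Mozilla/5.0 (X11; Linux x86_64)"),
    ]
    return [(url, ua, auth_path(xml_text, url, ua)) for url, ua in samples]


if __name__ == "__main__":
    for url, ua, path in route_table(APP_CONFIG_SAML):
        print(f"{path:9} {url:35} {ua}")
```

The third sample is the point the text makes: a non-browser client never matches the userAgent rule, so it is authenticated against the user registry rather than the IdP, which is why a registry must still exist when Eclipse clients are in use.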
Export the spmetadata.xml file from the Jazz Authorization Server (SAML SP) by following the instructions in step 2 of Configuring SAML web browser SSO in the Liberty profile.
Tip: The spmetadata.xml file contains the keystore pairs that allow secure communication between the SAML IdP and the Jazz Authorization Server (SP).
- In a browser window, export the spmetadata.xml file by using the following URL:
https://host_name:ssl_port/ibm/saml20/defaultSP/samlmetadata
Note: The port number is defined in the appConfig.xml file.
- Save the file and record the location. Important: If you are not prompted to save the file, there is a problem with the SAML configuration in the Jazz Authorization Server and the spmetadata.xml file is not exported. Check the SAML settings in the appConfig.xml and server.xml files.
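Being prompted to save a file only shows that something was returned; before handing spmetadata.xml to the IdP it is worth confirming that it really is SAML 2.0 service-provider metadata with the SP's certificate and an https assertion-consumer endpoint. The script below is an added example, not IBM's code: it fetches the metadata from the samlmetadata URL above and runs those checks. The sample document it ships with is constructed (host jazzauth.example.com, port 9643, a placeholder DER blob instead of a real certificate) so the checks can be exercised offline.

```python
"""Sanity checks for the spmetadata.xml exported from the Jazz Authorization Server.

Added example, not IBM's code.  Validates the SAML 2.0 metadata structure before
the file is registered with the IdP.  The sample below is constructed and carries
a placeholder DER sequence, not a real X.509 certificate.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def fetch_sp_metadata(url, timeout=10):
    """Download metadata, e.g. https://host_name:ssl_port/ibm/saml20/defaultSP/samlmetadata."""
    ctx = ssl.create_default_context()  # verify the SP's TLS certificate, do not disable this
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return resp.read()


def check_sp_metadata(xml_bytes):
    """Return a summary dict; raise ValueError on anything the IdP would reject."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [e.get("Location") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint")
    insecure = [u for u in acs if not (u or "").startswith("https://")]
    if insecure:
        raise ValueError(f"ACS endpoint(s) not served over https: {insecure}")
    certs = {}
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "both")  # no 'use' means signing and encryption
        node = kd.find(f".//{{{DS}}}X509Certificate")
        if node is None or not (node.text or "").strip():
            raise ValueError(f"KeyDescriptor use={use!r} carries no certificate")
        der = base64.b64decode("".join(node.text.split()))
        if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs
            raise ValueError(f"certificate for use={use!r} is not DER encoded")
        certs[use] = len(der)
    if not certs:
        raise ValueError("no KeyDescriptor: the IdP could not verify SP signatures")
    return {
        "entityID": entity_id,
        "acs": acs,
        "certs": certs,
        "authnRequestsSigned": sp.get("AuthnRequestsSigned") == "true",
    }


# Constructed sample; the certificate is a 5-byte placeholder DER sequence.
_PLACEHOLDER_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://jazzauth.example.com:9643/ibm/saml20/defaultSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_PLACEHOLDER_DER}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jazzauth.example.com:9643/ibm/saml20/defaultSP/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    import sys
    data = fetch_sp_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SP_METADATA.encode()
    print(check_sp_metadata(data))
```

Run it with the samlmetadata URL as the only argument against a live server; with no argument it checks the constructed sample. A server that answers the URL with an HTML login page instead of metadata fails the first check, which is the "not prompted to save" symptom the Important note describes.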
- For the Jazz Authorization Server to communicate with the SAML IdP, the server must be registered as a partner in the IdP. Registering and enabling a partner depends on the SAML implementation in your IdP. Follow the SAML documentation to register and enable the partner.
- Export the SAML IdP metadata file so that you can add it to the Jazz Authorization Server. Follow the procedure for your IdP to export its metadata file.
Copy the metadata file that you exported in step 4 to the following
Test the Jazz Authorization Server connection to the SAML IdP by using the following URL:
https://JazzAuthServer:port/oidc/endpoint/jazzop/authorize
Note: The port number is defined in the appConfig.xml file.
If you configured the Jazz Authorization Server correctly, the SAML IdP login window opens. Note: Logging in now generates an error, which you can ignore. The purpose of this step is to ensure that the SAML login window is displayed.
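The same test can be automated so it can run after every configuration change instead of by eye. The script below is an added example, not IBM's code: it requests the authorize URL with a browser-style user agent (so the authFilter routes it to SAML), stops at the first hop, and classifies the response as a SAML HTTP-Redirect to the IdP, a SAML HTTP-POST auto-submit form, Liberty's registry login form, or something else. The SAMLRequest parameter name is standard SAML 2.0; treating a j_password field as the registry login form is an assumption about the server's form-login page, and the captured-looking responses in the test are constructed.

```python
"""Probe /oidc/endpoint/jazzop/authorize and classify how the server answered.

Added example, not IBM's code.  classify_authorize_response() works on a captured
status/headers/body so the logic runs offline; probe() performs the live request.
"""
import re
import ssl
import urllib.error
import urllib.request

# Matches the authFilter's agent="Mozilla|Opera" so the request is routed to SAML.
BROWSER_UA = "Mozilla/5.0"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first hop so the redirect target can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_authorize_response(status, headers, body):
    """Return 'saml-redirect', 'saml-post', 'login-form' or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (302, 303) and "location" in hdrs:
        # HTTP-Redirect binding: the AuthnRequest travels in the query string.
        return "saml-redirect" if "SAMLRequest=" in hdrs["location"] else "other"
    if status == 200:
        text = body.decode("utf-8", "replace")
        if re.search(r'name=["\']SAMLRequest["\']', text):
            return "saml-post"  # HTTP-POST binding: auto-submitting form to the IdP
        if re.search(r'name=["\']j_password["\']', text):
            return "login-form"  # assumed: Liberty form login against the user registry
    return "other"


def probe(url, user_agent=BROWSER_UA, timeout=10):
    """Request the authorize URL once and classify the first response."""
    opener = urllib.request.build_opener(
        _NoRedirect(),
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
    )
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_authorize_response(resp.status, resp.headers, resp.read())
    except urllib.error.HTTPError as err:
        # With redirects suppressed, a 302/303 surfaces here as an HTTPError.
        return classify_authorize_response(err.code, err.headers, err.read())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://JazzAuthServer:port/oidc/endpoint/jazzop/authorize"
    print(probe(target))
```

A result of saml-redirect or saml-post is the automated equivalent of "the SAML IdP login window opens". Running probe() a second time with a non-browser user agent should yield login-form, which confirms the authFilter is excluding non-browser clients as the text describes.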
If your deployment includes a mix of Eclipse and web clients, you must configure the Jazz Authorization Server to support either a file-based user registry server or a Lightweight Directory Access Protocol (LDAP) server. This step provides a mechanism for Eclipse clients to authenticate.
Remember: Web clients retrieve group information directly from the SAML IdP.
- For instructions about using a file-based registry server, see Configuring the Jazz Authorization Server to use a file-based user registry. Important: The user passwords that are stored in the IdP supersede any user passwords that are defined in the Jazz Authorization Server. Note: Assign group roles to users by creating members in the JazzAdmins, JazzUsers, JazzGuests, and JazzProjectAdmins groups.
- For instructions about using an LDAP server, see Configuring the Jazz Authorization Server to use an LDAP user registry.
- For more information about configuring SAML, see the following WebSphere Liberty documentation:
- Start the Jazz Authorization Server, as described in Managing users on Jazz Authorization Server.
Validate the Jazz Authorization Server
Open a browser window outside the Jazz Authorization Server host environment and go to the following URL:
Verify that the user registry is configured correctly by going to the following URL: