Configuring authentication with application password support
Configuring a new deployment to support application passwords with a Jazz Authorization Server (JAS) delegating authentication to an external identity provider requires several steps. Additional steps are needed when migrating an existing deployment to support application passwords.
Configuring new deployment
Before you begin
- Deploy Engineering Lifecycle Management with JAS SSO (OIDC) configured, but without delegated authentication in JAS. Delegated authentication adds an extra layer of complexity and another set of variables that are easier to work out after the system is set up and working correctly.
- Deploy Engineering Lifecycle Management with a JAS that is configured to authenticate using the same LDAP registry that the external identity provider uses. Follow the documentation to install and configure JAS with LDAP, and install and configure Engineering Lifecycle Management to use JAS for authentication. Configure JTS to synchronize users either directly with the LDAP registry or by using SCIM with JAS. Go through the setup procedure and make sure authentication is working across all applications.
- Configure JAS to delegate authentication to an external identity provider. First, get it working with browser clients only so that you can get the configuration working correctly without using the application passwords variable. There are three options for an external identity provider:
About this task
Procedure
Migrating a previous release
Converting a pre-7.0.2 installation to support application passwords involves all the steps that are required for a new installation, plus a couple of additional steps.
Before you begin
- Step 1: Perform the migration to the 7.0.2 release, for both the Engineering Lifecycle Management applications and the JAS.
- Step 2: Perform all the configuration steps as described in Configuring new deployment.
- Step 3: Make sure that the <oauthProvider> element in the JazzAuthServer/wlp/usr/servers/jazzop/appConfig.xml file includes the passwordGrantRequiresAppPassword="true" attribute. Versions 7.0.1 and later include the passwordGrantRequiresAppPassword="true" attribute, but if the appConfig.xml file was copied from the pre-7.0.2 installation, the attribute needs to be added.
All client registrations need to be updated to add two additional attributes. Note that you can also use the client administration UI at /oidc/endpoint/jazzop/clientManagement in JAS to make the changes, but since every registration must be changed, it is easier to perform bulk changes with the JAS CLI tools:
Procedure
- Set a command shell to the JazzAuthServer/cli directory.
- Dump the client registration data to a file by executing the lsclient -u username:password > client-reg.json command, where "username:password" is replaced by your administrator username and password, separated by a colon.
- Edit the client-reg.json file. Change false to true in each line that has the "appPasswordAllowed" : false, text.
- In every line that starts with grant_types, add password to the list of values. That is, change
"grant_types" : [ "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
to
"grant_types" : [ "authorization_code", "client_credentials", "implicit", "password", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
It does not matter where in the list it is added; the output is alphabetically ordered.
- Load the modified client registration data back into the JAS by executing the ldclient -u username:password client-reg.json command.
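Because every registration in the dump must receive the same two edits, the edit step is easy to script and, more importantly, to verify before running ldclient. The following script is an added example, not part of the IBM documentation or the JAS CLI tools; it assumes that lsclient writes pretty-printed JSON as either a list of client registration objects or a single object, and the sample dump embedded in it is constructed.

```python
# Bulk-enable application passwords in a JAS client-registration dump.
# Added example, not from the IBM documentation or the JAS CLI tools.
# Assumes lsclient wrote pretty-printed JSON as either a list of client
# registration objects or a single object (both forms are accepted).
import json
import sys

# Constructed sample of two registrations as they might appear in
# client-reg.json before the change (only the relevant keys are shown).
SAMPLE_DUMP = """[
  { "client_id" : "jts", "appPasswordAllowed" : false,
    "grant_types" : [ "authorization_code", "client_credentials", "implicit",
                      "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer" ] },
  { "client_id" : "ccm", "appPasswordAllowed" : true,
    "grant_types" : [ "authorization_code", "password", "refresh_token" ] }
]"""

def _clients(data):
    # lsclient output is assumed to be a list; tolerate a lone object too.
    return data if isinstance(data, list) else [data]

def enable_app_passwords(client):
    """Apply the two edits from the procedure; return True if anything changed."""
    changed = False
    if client.get("appPasswordAllowed") is not True:
        client["appPasswordAllowed"] = True
        changed = True
    grants = client.setdefault("grant_types", [])
    if "password" not in grants:
        grants.append("password")
        grants.sort()  # position is irrelevant; JAS stores the list alphabetically
        changed = True
    return changed

def update_dump(text):
    """Update every registration in the dump; return (new_json_text, count_changed)."""
    data = json.loads(text)
    n_changed = sum(enable_app_passwords(c) for c in _clients(data))
    return json.dumps(data, indent=2), n_changed

def verify_dump(text):
    """True when no registration in the dump still blocks application passwords."""
    return all(c.get("appPasswordAllowed") is True and "password" in c.get("grant_types", [])
               for c in _clients(json.loads(text)))

if __name__ == "__main__":  # usage: python enable_app_passwords.py client-reg.json
    path = sys.argv[1]
    new_text, n = update_dump(open(path).read())
    open(path, "w").write(new_text)
    print(f"{n} registration(s) updated; verified: {verify_dump(new_text)}")
```

Run verify_dump on the file again after ldclient and a fresh lsclient dump to confirm that the JAS accepted every registration.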