You can configure the Jazz® Authorization Server, which runs on IBM® WebSphere® Liberty, to use the
System for Cross-domain Identity Management (SCIM). SCIM is an open standard with a RESTful API for
managing user and group identities across domains; here it is the interface through which the
Engineering Lifecycle Management applications read user and group information from the registry
behind the single sign-on (SSO) server.
Starting in version 6.0.5, Jazz Authorization Server on IBM WebSphere Liberty supports SCIM. For
more information about the SCIM feature, see Configuring SCIM for user and group member management.
Before you begin
To use SCIM, you must have Jazz Security Architecture single sign-on (SSO) enabled and you must
use Lightweight Directory Access Protocol (LDAP). If you did not enable SSO when you installed
IBM Engineering Lifecycle Management
applications, enable it, as described in Enabling applications for Jazz Security Architecture single sign-on.
If you have not already done so, copy the files in the
JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults
directory up one level to the jazzop directory, as described in Managing users on Jazz Authorization Server.
Restriction: When you configure your Jazz Authorization Server to use the
System for Cross-domain Identity Management (SCIM), you cannot use the Electronic signatures
feature in Engineering Lifecycle Management applications.
Electronic signature verifies the signer's credentials against the user registry (for example, LDAP)
through the registry provider that is registered in the advanced settings at
com.ibm.team.repository.service.jts.internal.userregistry.ExternalUserRegistryInternalService.
If the LDAP registry is changed, or the provider no longer points at the directory that holds the
credentials, the provider cannot verify the user's credentials and the signature login fails.
Procedure
- If Jazz Authorization Server is running, stop it, as described in Managing users on Jazz Authorization Server.
- Enable SCIM 1.0 support in the Jazz Authorization Server:
  - In an editor, open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file.
  - Add the following line for the SCIM feature to the <featureManager> section:
    <feature>scim-1.0</feature>
  - Save your changes and close the file.
- In an editor, configure these files:
  JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml and
  JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml.
  For instructions about configuring the files, see Configuring the Jazz Authorization Server to use an LDAP user registry, and then return
  to this procedure for the SCIM feature.
  For the ldapUserRegistry.xml file, the following sample code shows an example of an LDAP registry on
  Microsoft Active Directory for SCIM. The bindPassword value in the sample is {xor}-encoded, which is
  reversible obfuscation rather than encryption: restrict read access to the file, and prefer the AES
  encoding that the Liberty securityUtility encode command produces with --encoding=aes. Set
  sslEnabled="true" with an LDAPS port so that the bind credentials do not cross the network in cleartext:
  <ldapRegistry
      id="your_id" realm="SampleLdapADRealm"
      host="your_host_name.com" port="your_port_number" ignoreCase="true"
      baseDN="cn=users,dc=asmith,dc=test"
      bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
      bindPassword="{xor}HTYxOx9vbmo="
      ldapType="Microsoft Active Directory">
  </ldapRegistry>
  <federatedRepository>
      <primaryRealm name="FVTRegistry">
          <participatingBaseEntry name="cn=users,dc=asmith,dc=test"/>
      </primaryRealm>
  </federatedRepository>
  <administrator-role>
      <user>TestJazzAdmin1</user>
  </administrator-role>
  For the ldapUserRegistry.xml file, the following sample code shows an example of an LDAP registry on
  IBM Tivoli Directory Server. This sample has no bindDN, so Liberty binds anonymously and the
  directory must allow anonymous search under o=basedn.com:
  <ldapRegistry
      id="your_id" realm="SampleLdapIDSRealm" ignoreCase="true"
      host="your_host_name" port="your_port_number"
      baseDN="o=basedn.com"
      recursiveSearch="true"
      ldapType="IBM Tivoli Directory Server">
  </ldapRegistry>
  <administrator-role>
      <user>elmadmin</user>
      <user>mtmadmin</user>
  </administrator-role>
- Confirm that your Jazz Authorization Server can read the LDAP registry by opening the following URLs.
  If you cannot see any information at these URLs, the Engineering Lifecycle Management
  application cannot access any of your user registry information.
  - Start the Jazz Authorization Server, as described in Managing users on Jazz Authorization Server.
  - Open a browser window outside the Jazz Authorization Server host environment.
  - Confirm the Jazz Authorization Server with this URL (the OpenID Connect discovery document, which is served without a login):
    https://fully_qualified_domain_name_of_JAS_server:defined_port/oidc/endpoint/jazzop/.well-known/openid-configuration
  - Confirm the SCIM API for Groups with this URL:
    https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups
  - Confirm the SCIM API for Users with this URL:
    https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users
  The SCIM URLs prompt for a login; use a user that is listed in the administrator-role element of
  ldapUserRegistry.xml. Expect a JSON document that lists groups or users. An error or an empty result
  usually points at the ldapRegistry settings (baseDN, bind credentials) or at logging in with a user
  that is not in the administrator role.
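As an added check for the procedure above (example code, not IBM's), the following script parses a server.xml and a ldapUserRegistry.xml, confirms that scim-1.0 is enabled, flags a plaintext or {xor}-encoded bind password, a cleartext LDAP connection, an anonymous bind and a missing administrator-role user, and builds the three verification URLs; the probe function fetches them with basic authentication when you point it at a real server. The two configuration samples, the host jas.example.com and the port 9643 are constructed for this example, and the administrator-login finding assumes that the Liberty SCIM endpoints are restricted to the Administrator role.

```python
"""Offline sanity checks for the Jazz Authorization Server SCIM setup.

Added example, not IBM's code. It parses the two Liberty files the procedure
edits (server.xml and ldapUserRegistry.xml), lists what is worth fixing
before the server is restarted, and builds the verification URLs from the
last step. The samples and the host/port values below are constructed.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed server.xml fragment after the SCIM feature has been added.
SERVER_XML = """<server>
  <featureManager><feature>scim-1.0</feature></featureManager>
</server>"""

# Constructed ldapUserRegistry.xml based on the Active Directory sample in the
# procedure, inside the <server> root that Liberty configuration files use.
LDAP_XML = """<server>
  <ldapRegistry id="your_id" realm="SampleLdapADRealm"
      host="your_host_name.com" port="389" ignoreCase="true"
      baseDN="cn=users,dc=asmith,dc=test"
      bindDN="cn=wasbind,cn=users,dc=asmith,dc=test"
      bindPassword="{xor}HTYxOx9vbmo="
      ldapType="Microsoft Active Directory">
  </ldapRegistry>
  <administrator-role><user>TestJazzAdmin1</user></administrator-role>
</server>"""


def scim_feature_enabled(server_xml):
    """True when <featureManager> lists the scim-1.0 feature."""
    root = ET.fromstring(server_xml)
    return "scim-1.0" in {f.text.strip() for f in root.iter("feature") if f.text}


def check_ldap_registry(ldap_xml):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(ldap_xml)
    findings = []
    registries = list(root.iter("ldapRegistry"))
    if not registries:
        return ["no <ldapRegistry> element: SCIM would have no user source"]
    for reg in registries:
        a, rid = reg.attrib, reg.get("id", "<no id>")
        for required in ("host", "port", "baseDN", "ldapType"):
            if required not in a:
                findings.append(f"{rid}: missing required attribute {required}")
        if "bindDN" not in a:  # Liberty then binds anonymously
            findings.append(f"{rid}: no bindDN; the directory must allow anonymous search")
        pw = a.get("bindPassword")
        if pw is not None and not pw.startswith(("{xor}", "{aes}")):
            findings.append(f"{rid}: plaintext bindPassword; run securityUtility encode --encoding=aes")
        elif pw is not None and pw.startswith("{xor}"):
            findings.append(f"{rid}: {{xor}} is reversible obfuscation, not encryption; prefer aes")
        if a.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{rid}: sslEnabled is not true; bind credentials cross the network in cleartext")
    admins = [u.text for role in root.iter("administrator-role") for u in role.findall("user") if u.text]
    if not admins:
        findings.append("no <administrator-role> user: the SCIM URLs need an administrator login")
    return findings


def verification_urls(fqdn, port):
    """The three URLs the procedure says to open, built from host and port."""
    base = f"https://{fqdn}:{port}"
    return {"openid": base + "/oidc/endpoint/jazzop/.well-known/openid-configuration",
            "groups": base + "/ibm/api/scim/Groups",
            "users": base + "/ibm/api/scim/Users"}


def probe(urls, username, password, timeout=10):
    """Live check: HTTP status (or error text) per URL, using basic auth.

    Needs the network, an administrator-role account and a JAS certificate that
    Python trusts (install the CA; do not disable verification), so the offline
    test does not call it.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/json"}
    results = {}
    for name, url in urls.items():
        try:
            with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                        timeout=timeout) as resp:
                results[name] = resp.status
        except urllib.error.HTTPError as err:
            results[name] = err.code
        except urllib.error.URLError as err:
            results[name] = str(err.reason)
    return results


if __name__ == "__main__":
    print("scim-1.0 enabled:", scim_feature_enabled(SERVER_XML))
    for finding in check_ldap_registry(LDAP_XML):
        print("finding:", finding)
    for name, url in verification_urls("jas.example.com", 9643).items():
        print(name, url)
```

Run it against the real files by replacing the two constructed strings with the contents of server.xml and ldapUserRegistry.xml; for the constructed Active Directory sample it reports the {xor}-encoded password and the missing sslEnabled, which are the two settings to change before exposing the server.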
What to do next
- With the SCIM feature enabled and the Jazz Authorization Server started, configure the SCIM feature for the Jazz Team Server, as described in step 9 of Running the setup by using Custom setup in the setup wizard.
  Notes:
  - Jazz Security Architecture SSO must be enabled before you can configure the SCIM feature on Jazz Team Server. If you did not enable SSO when you installed Engineering Lifecycle Management, enable it, as described in Enabling applications for Jazz Security Architecture single sign-on.
  - Jazz Team Server must be running.
  - Pop-up windows must be enabled so that you can log in to the Jazz Authorization Server.
- With the Jazz Team Server configured for the SCIM feature, synchronize the Jazz Team Server with the external user registry and import users, as described in Importing users from an external user registry.