Jazz® Authorization Server serves as an OpenID Connect (OIDC) provider for single sign-on (SSO) for Engineering Lifecycle Management applications. It supports Kerberos/SPNEGO in WebSphere® Liberty server, which can be configured as an authentication option with OIDC.
Ensure that the following prerequisites are completed before you configure the Engineering Lifecycle Management server for Kerberos/SPNEGO authentication:
- The server that hosts the Jazz Authorization Server and the Reverse Proxy must be a member of the domain served by the Domain Controller that is used in the Kerberos/SPNEGO setup.
- Jazz Authorization Server is configured to use LDAP as the user registry, which is configured with the Active Directory Server that is hosted on the Microsoft Windows Domain Controller.
- A Kerberos keytab file (krb5.keytab) that is created by mapping the principal name that matches your planned Public URI for Jazz Authorization Server. See Prerequisites for Kerberos Configuration.
- A Kerberos config file that contains the details of the Kerberos Realm, KDC, and Domain. See Prerequisites for Kerberos Configuration.
Restriction: Kerberos in combination with OIDC works only for web client authentication through Jazz Authorization Server. For nonweb clients (repotools, Eclipse client, and so on) and to map user groups to security roles (JazzAdmins, JazzUsers, and so on), you must configure the user registry that contains all the users and groups with Jazz Authorization Server and with Jazz Team Server (teamserver.properties). For instructions about configuring a user registry with Jazz Authorization Server, see Configuring the Jazz Authorization Server to use an LDAP user registry.
- To enable the Jazz Authorization Server to support Kerberos/SPNEGO, open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml file in an editor and add the spnego-1.0 feature within the featureManager section.
<featureManager>
...
<feature>adminCenter-1.0</feature>
<feature>spnego-1.0</feature>
...
</featureManager>
- To enable the Kerberos configuration in Jazz Authorization Server:
- Copy the krb5.conf and krb5.keytab files to the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/resources/security location.
- Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml file in an editor and configure OIDC to delegate authentication to SPNEGO.
<oauthProvider id="JazzOP"
allowSpnegoAuthentication="true"
httpsRequired="true"
autoAuthorize="true"
customLoginURL="/jazzop/form/login"
accessTokenLifetime="7201"
authorizationGrantLifetime="604801"
trackOAuthClients="true">
<databaseStore dataSourceRef="OAuthFvtDataSource" />
</oauthProvider>
- Add the spnego element in the appConfig.xml file.
<spnego id="mySpnego"
canonicalHostName="true"
disableFailOverToAppAuthType="false"
trimKerberosRealmNameFromPrincipal="true"
includeClientGSSCredentialInSubject="false"
krb5Config="${server.config.dir}/resources/security/krb5.ini"
krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
servicePrincipalNames="HTTP/elm.example.com"
authFilterRef="spnegoFilter">
</spnego>
Note: elm.example.com is the host of the service principal name that is configured as described in the prerequisites, which matches the public URI. The paths in krb5Config and krb5Keytab can be changed to the location that suits your requirements.
- Authentication with Kerberos/SPNEGO with OIDC works for web clients only, hence you must configure filters that exclude the nonweb clients by adding the <authFilter> elements.
Note: The Engineering Workflow Management Eclipse client and other nonbrowser clients (such as repotools commands) do not directly support delegated authentication from Jazz Authorization Server. Hence, this configuration excludes them from using delegated authentication. Instead, the Jazz Authorization Server uses its configured user registry to authenticate such clients. However, you can enable the Engineering Workflow Management Eclipse client and some other nonbrowser clients to indirectly authenticate through Kerberos/SPNEGO by using application passwords that are obtained by using delegated authentication. See Application Passwords for Native Client Authentication with OpenID Connect.
The following sample code shows the SPNEGO configuration with the filters configured:
<spnego id="mySpnego"
canonicalHostName="true"
disableFailOverToAppAuthType="false"
trimKerberosRealmNameFromPrincipal="true"
includeClientGSSCredentialInSubject="false"
krb5Config="${server.config.dir}/resources/security/krb5.ini"
krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
servicePrincipalNames="HTTP/elm.example.com"
authFilterRef="spnegoFilter">
</spnego>
<authFilter id="spnegoFilter">
<requestUrl id="spnegoRequestUrl" urlPattern="/authorize"
matchType="contains" />
<userAgent id="spnegoWebAgent" agent="Mozilla|Opera"
matchType="contains"/>
<userAgent id="MacClients" agent="Mac OS"
matchType="notContain"/>
</authFilter>
Note: You can add more filters according to your requirements. Because every element of an authFilter must match for SPNEGO to be attempted, the previous authFilter allows fallback authentication for the clients on MacOS, which are not part of the Domain.
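To see which requests the filter above would route to SPNEGO and which would fall back to the form login, here is an added example (not part of the IBM documentation or the Liberty product) that parses a constructed copy of the page's spnego/authFilter fragment and applies the rules. It assumes Liberty's authFilter semantics: all child elements are ANDed, and a "|" in agent or urlPattern separates alternatives; confirm this against your own server's behaviour.

```python
"""Evaluate which requests a Liberty authFilter would route to SPNEGO."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the appConfig.xml fragment on this page.
APP_CONFIG = """
<server>
  <spnego id="mySpnego" servicePrincipalNames="HTTP/elm.example.com"
          authFilterRef="spnegoFilter"/>
  <authFilter id="spnegoFilter">
    <requestUrl id="spnegoRequestUrl" urlPattern="/authorize" matchType="contains"/>
    <userAgent id="spnegoWebAgent" agent="Mozilla|Opera" matchType="contains"/>
    <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
  </authFilter>
</server>
"""


def _matches(value: str, pattern: str, match_type: str) -> bool:
    # Assumption: '|' separates alternatives, as in Liberty's authFilter docs.
    alternatives = pattern.split("|")
    hit = any(alt in value for alt in alternatives)
    if match_type == "contains":
        return hit
    if match_type == "notContain":
        return not hit
    if match_type == "equals":
        return value in alternatives
    raise ValueError(f"unsupported matchType {match_type!r}")


def load_filter(config_xml: str, spnego_id: str = "mySpnego") -> ET.Element:
    """Resolve the authFilter referenced by the spnego element, failing loudly
    when authFilterRef points at an id that does not exist (a common misconfig)."""
    root = ET.fromstring(config_xml)
    spnego = root.find(f"spnego[@id='{spnego_id}']")
    ref = spnego.get("authFilterRef")
    auth_filter = root.find(f"authFilter[@id='{ref}']")
    if auth_filter is None:
        raise ValueError(f"authFilterRef {ref!r} does not resolve to an authFilter")
    return auth_filter


def uses_spnego(auth_filter: ET.Element, url: str, user_agent: str) -> bool:
    """True only when every rule matches; otherwise the request falls back to the
    provider's form login (disableFailOverToAppAuthType="false" on this page)."""
    for rule in auth_filter:
        subject = url if rule.tag == "requestUrl" else user_agent
        pattern = rule.get("urlPattern") or rule.get("agent")
        if not _matches(subject, pattern, rule.get("matchType")):
            return False
    return True
```

A domain-joined Windows browser hitting /authorize is the only case that reaches SPNEGO; a Mac browser, a repotools (Java) client, or any non-/authorize URL falls back to the registry login.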
- Test the Kerberos/SPNEGO authentication by accessing the application URLs on one of the client machines that is a domain member.
- Configure web browsers to support Kerberos/SPNEGO. See Configuring SPNEGO Authentication in Liberty.
- Access the application URL. For example: https://JazzAuthServerURL/oidc/endpoint/jazzop/authorize.
If the Jazz Authorization Server is correctly configured with Kerberos/SPNEGO, it does not ask for the login credentials but shows a client_id warning (because the URL was opened without an OIDC client request), which you can ignore.
- Configure Jazz Authorization Server to support Lightweight Directory Access Protocol (LDAP). The actions in this step provide a mechanism to authenticate nonweb clients.