Step 1: Configuring single sign-on settings in License Metric Tool

As the first step, configure single sign-on settings in License Metric Tool.

Before you begin

Gather necessary information
Before you start the configuration, gather the following information:
  • URL to the login page of the Identity Provider. It is the URL to which an unauthenticated request is redirected. After the request is authenticated by the Identity Provider, the user is redirected to License Metric Tool.

    For example: https://ADFS_host_name/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://LMT_host_name:9081/ibm/saml20/defaultSP.

  • URL of the Trusted Issuer. It is the URL to the certificate issuer of the Identity Provider that is needed to establish a trust relationship.

    For example, http://ADFS_host_name/adfs/services/trust.

  • Public certificate of the Identity Provider in the key_name.cer format.
Enable SSL
Ensure that SSL is enabled in License Metric Tool and in the Identity Provider.
Back up files
Before you start configuring single sign-on, back up the following files:
  • server.xml
    • Linux: lmt_install_dir/wlp/usr/servers/server1
    • Windows: lmt_install_dir\wlp\usr\servers\server1
  • web.xml
    • Linux: lmt_install_dir/wlp/usr/servers/server1/apps/tema.war/WEB-INF
    • Windows: lmt_install_dir\wlp\usr\servers\server1\apps\tema.war\WEB-INF
Note: If you set up the session timeout for Single Sign-On, remember that it should be longer than the session timeout that is set up for License Metric Tool. Otherwise, change the settings in License Metric Tool. For more information, see: Setting session timeout.
Create users
Create the License Metric Tool users who will use single sign-on. When you create the users, select Single Sign-on as the authentication method. Ensure that all user names are fully-qualified names that contain the full domain name, for example: user@domain.example. Also, ensure that at least one user is an Administrator.

Linux: If the License Metric Tool server is installed on Linux, and users in the Identity Provider use the camel-case naming convention, create users following the same convention in License Metric Tool. Otherwise, the users are not able to generate audit snapshots.

Note: User token is not available after a single sign-on user is created. If you need the token, for example to run REST API calls, ask the License Metric Tool administrator to provide it for you.

Procedure

  1. Log in to License Metric Tool, and click Management > Single Sign-On Settings.
  2. Select SAML as the single sign-on method.

    The Instance ID field is automatically filled with the defaultSP value. It is the identifier of the License Metric Tool service. Together with the License Metric Tool URL, it forms the overall Service Provider ID: https://LMT_host_name:LMT_port/ibm/saml20/defaultSP.

    Based on this value, the SAML Assertion Consumer Service URL is built: https://LMT_host_name:LMT_port/ibm/saml20/defaultSP/acs. The URL should be used for the configuration of the Identity Provider.

  3. Specify the URL to the login page of the Identity Provider that you will use for single sign-on to License Metric Tool.
    For example:
    https://ADFS_host_name/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://LMT_host_name:9081/ibm/saml20/defaultSP
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  4. Provide the public certificate of the Identity Provider. Click Browse to locate the key_name.cer certificate that you created.
  5. Provide the URL of the certificate issuer of the Identity Provider. It is the issuer name of the Identity Provider as it appears in the SAML assertion.
    For example:
    http://ADFS_host_name/adfs/services/trust
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  6. Click Save.
  7. Optional: To use a custom certificate for the SSO setup, see: Using a CA-signed (custom) certificate for SSO based on SAML. Otherwise, continue to the next step.
  8. Click the Download Service Provider Metadata link, and save the spMetadata.xml file.
    Note: When the SAML single sign-on entry is created, only the Delete button and the Download SP Metadata link are enabled. If the download link is not displayed, restart the License Metric Tool server.
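
Because the Identity Provider URLs are not validated when you save, the values can be cross-checked against the Service Provider ID before step 6 and against spMetadata.xml after step 8. The following check is an added example, not IBM code: the host names and the sample metadata are constructed, it assumes that spMetadata.xml is standard SAML 2.0 metadata with an entityID attribute and AssertionConsumerService elements, and the LoginToRP comparison follows the ADFS example URL used in this procedure.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # standard SAML 2.0 metadata namespace

# Constructed sample of spMetadata.xml (assumed layout, not taken from a real server).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://lmt.example.test:9081/ibm/saml20/defaultSP">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lmt.example.test:9081/ibm/saml20/defaultSP/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def sp_urls(host, port, instance_id="defaultSP"):
    """Service Provider ID and ACS URL, built as the procedure describes."""
    sp_id = f"https://{host}:{port}/ibm/saml20/{instance_id}"
    return sp_id, sp_id + "/acs"

def check_sso_inputs(login_url, issuer_url, host, port, metadata_xml=None):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    sp_id, acs = sp_urls(host, port)
    login = urlsplit(login_url)
    if login.scheme != "https" or not login.hostname:
        problems.append("login URL must be an https URL with a host name")
    # ADFS-style IdP-initiated URLs (as in the page's example) name the SP in LoginToRP.
    rp = parse_qs(login.query).get("LoginToRP")
    if rp is not None and rp != [sp_id]:
        problems.append(f"LoginToRP is {rp[0]!r}, expected {sp_id!r}")
    issuer = urlsplit(issuer_url)
    if issuer.scheme not in ("http", "https") or not issuer.hostname:
        problems.append("trusted issuer must be an absolute http(s) URL")
    if metadata_xml is not None:
        root = ET.fromstring(metadata_xml)
        if root.get("entityID") != sp_id:
            problems.append(f"metadata entityID {root.get('entityID')!r} != {sp_id!r}")
        locations = [e.get("Location") for e in root.iter(MD + "AssertionConsumerService")]
        if acs not in locations:
            problems.append(f"metadata ACS {locations} does not include {acs!r}")
    return problems

if __name__ == "__main__":
    login = ("https://adfs.example.test/adfs/ls/IdPInitiatedSignOn.aspx"
             "?LoginToRP=https://lmt.example.test:9081/ibm/saml20/defaultSP")
    issuer = "http://adfs.example.test/adfs/services/trust"
    for p in check_sso_inputs(login, issuer, "lmt.example.test", 9081, SAMPLE_METADATA):
        print("PROBLEM:", p)
```

The check cannot confirm that the trusted issuer matches the issuer name in the SAML assertion; compare that value with the Identity Provider's own configuration.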

What to do next

Based on the spMetadata.xml file, configure the Identity Provider for single sign-on.