IBM® Product Master supports SAML 2.0 web single sign-on with Just In Time (JIT) provisioning for the Admin UI and the Persona-based UI.
About this task
Security Assertion Markup Language (SAML) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. JIT provisioning makes the SAML integration more efficient and gives users a seamless application login experience, because it automates user account and group creation. With SAML JIT, a local LDAP directory is no longer required for user authentication; instead, the SAML attributes received as claims in the SAML assertion are used to retrieve user attributes and groups.

WebSphere® Liberty acts as the SAML service provider. A web user authenticates to a SAML identity provider, which produces a SAML assertion. The WebSphere Liberty SAML service provider consumes that assertion to establish a security context for the web user and grants access to the IBM Product Master Admin UI and Persona-based UI web applications. The Admin UI and Persona-based UI applications then extract the SAML attributes received as claims in the SAML assertion to create users and roles in Product Master. It is therefore important to set the SAML assertion attribute mappings on the SSO partners.

Note: You must have a valid role in Product Master to be able to log in to the application. Roles created as a result of the SAML login are created with default ACG permissions. It is the Administrator's responsibility to assign the correct role to the user or to update the permissions in the roles. The newly created roles are not added to the $TOP/mdmui/dynamic/mdm-rest/mdmce-roles.json file. The user is assigned a basic role and is allowed to log in to the Persona-based UI. You can disable the role creation in the SSO Configuration lookup table. For more information, see Configuring SSO properties.
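The following added example (not Product Master or Liberty code) illustrates the JIT step described above: claims are read from an assertion that the service provider has already validated, the group claim is mapped to roles, role creation is honoured or refused according to a configuration flag, and a user with no valid role is denied. The attribute names "email" and "groups", the role names, and the assertion itself are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, representing what the application sees after
# the Liberty service provider has validated the signature and conditions.
# Attribute names and values are assumptions for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Catalog Manager</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (name_id, {attribute_name: [values]}) from an already-validated assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return name_id, claims


def resolve_roles(claims, existing_roles, allow_role_creation, role_attr="groups"):
    """Map the group claim to roles.

    Returns (allowed, roles, created). With role creation disabled only roles
    that already exist are granted; with it enabled, unknown groups become new
    roles (which, per the product behaviour, start with default permissions).
    A login with no valid role is refused.
    """
    requested = claims.get(role_attr, [])
    if allow_role_creation:
        roles = list(requested)
        created = [r for r in requested if r not in existing_roles]
    else:
        roles = [r for r in requested if r in existing_roles]
        created = []
    return bool(roles), roles, created
```

Running `resolve_roles` with role creation disabled against a role set that lacks every group in the claim returns `allowed == False`, which is the case the Note above warns about.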
Procedure
- Configure the Product Master.
- Enable the SAML Web browser SSO.
- Configure SSO partners.
- Configure SSO in the browser.