Configure the IBM Product Master (Accelerated deployment)

Before configuring SAML SSO, complete the following task.

Configuring SSO properties

Enable the SSO properties as follows.
  1. Enable SSO authentication in the Login.wpcs file, which identifies the authentication mechanism. If SSO authentication is required, set the wpcOnlyAuthentication flag in the Login.wpcs file to false.
    1. Click Data Model Manager > Scripting > Scripts Console.
    2. Select Login script from the drop-down list.
    3. Click Edit for the Login.wpcs script.
    4. Find and set the wpcOnlyAuthentication flag to false.
  2. Populate the SAML attributes in the SSO Configuration lookup table from the Admin UI.
    1. Import the mdm-env.zip file located at $TOP/mdmui/env-export/mdm-env, if not already done.
    2. Go to Product Manager > Lookup Table > Lookup Table Console.
    3. Select SSO Configuration lookup table and add a role.
    4. Populate all the attributes as follows.
    Attribute Name: Description of attribute
    Id: The primary key of the lookup table entry; it is auto-generated.
    SSO Type: SAMLv2.0
    Create Role: After you log in to the IBM Product Master,
    • True: User roles are created, if the roles do not exist.
    • False: User roles are not created and the Administrator needs to manually create roles.
    First Name Attribute: The user attribute that represents the given name in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Last Name Attribute: The user attribute that represents the surname in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Mail ID Attribute: The user attribute that represents the mail ID in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Telephone Number Attribute: The user attribute that represents the telephone number in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/telephone
    Fax Number Attribute: The user attribute that represents the fax number in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fax
    Postal Address Attribute: The user attribute that represents the postal address in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address
    Title Attribute: The user attribute that represents the title in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title
    Roles Attribute: The member-of attribute that represents the group in the SAML assertion, for example, http://schemas.xmlsoap.org/claims/Group
    Organization Attribute: The user attribute that represents the organization in the SAML assertion, for example, http://schemas.xmlsoap.org/claims/organization
    This attribute is required only for Vendor Persona users. The vendor user is created under the Vendor Organization Hierarchy based on the value of the organization attribute. Possible values are: Vendor1OU, ParentOU/Vendor1OU, and so on.
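The mapping that the SSO Configuration lookup table describes, as an added Python example that is not part of the IBM documentation or product: it reads a constructed SAML AttributeStatement, resolves each user field through the configured claim URIs, applies the Create Role semantics (True: missing roles are created; False: the Administrator must create them first), and splits the organization value into its hierarchy path. The config dict, the sample assertion and the function names are assumptions for illustration; signature and audience validation of the assertion is assumed to have happened upstream.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-in for one row of the SSO Configuration lookup table:
# keys are the lookup table attribute names, values are the SAML attribute names (claim URIs).
SSO_CONFIG = {
    "SSO Type": "SAMLv2.0",
    "Create Role": True,
    "First Name Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Last Name Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Mail ID Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Roles Attribute": "http://schemas.xmlsoap.org/claims/Group",
    "Organization Attribute": "http://schemas.xmlsoap.org/claims/organization",
}
# Constructed sample assertion (signature and audience checks assumed done upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>Admin</saml:AttributeValue><saml:AttributeValue>Vendor Manager</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/organization"><saml:AttributeValue>ParentOU/Vendor1OU</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {SAML attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs

def resolve_user(assertion_xml, config, existing_roles):
    """Map assertion attributes onto the user fields named by the lookup table row.
    Returns (user, roles, missing_roles); missing roles block login when Create Role is False."""
    attrs = extract_attributes(assertion_xml)
    def first(key):  # first value of the assertion attribute configured under this row key, or None
        return (attrs.get(config.get(key)) or [None])[0]
    user = {"first_name": first("First Name Attribute"),
            "last_name": first("Last Name Attribute"),
            "email": first("Mail ID Attribute")}
    if not user["email"]:
        raise ValueError("assertion does not carry the configured Mail ID attribute")
    roles = attrs.get(config["Roles Attribute"], [])
    missing = [r for r in roles if r not in existing_roles]
    if missing and not config["Create Role"]:
        raise PermissionError(f"roles do not exist and Create Role is False: {missing}")
    org = first("Organization Attribute")  # only meaningful for Vendor Persona users
    user["org_path"] = org.split("/") if org else None  # e.g. ["ParentOU", "Vendor1OU"]
    return user, roles, missing
```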

Configuring OpenID Connect (OIDC) properties

Enable the SSO properties as follows.
  1. Enable SSO authentication in the Login.wpcs file, which identifies the authentication mechanism. If SSO authentication is required, set the wpcOnlyAuthentication flag in the Login.wpcs file to false.
    1. Click Data Model Manager > Scripting > Scripts Console.
    2. Select Login script from the drop-down list.
    3. Click Edit for the Login.wpcs script.
    4. Find and set the wpcOnlyAuthentication flag to false.
  2. In the Admin UI, add the OIDC attributes in the SSO Configuration Lookup table.
    1. Import the mdm-env.zip file located at $TOP/mdmui/env-export/mdm-env, if not already done.
    2. Go to Product Manager > Lookup Table > Lookup Table Console.
    3. Select SSO Configuration Lookup table and add a role.
    4. Populate all the attributes as follows.
    Attribute: Description
    Id: The primary key of the lookup table entry; it is auto-generated.
    SSO Type: OIDC
    Create Role: False
    First Name Attribute: firstName
    Last Name Attribute: lastName
    Mail ID Attribute: email
    Roles Attribute: roles
    Organization Attribute: Leave this field empty because OIDC does not support the Vendor feature.