Configuring SAML SSO
IBM® Product Master supports SAML 2.0 web single sign-on (SSO) with Just In Time (JIT) provisioning for the Admin UI and the Persona-based UI. Security Assertion Markup Language (SAML) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. JIT provisioning makes SAML integration more efficient and gives users a seamless login experience because it automates the creation of user accounts and groups. With SAML JIT, a local LDAP directory is no longer required for user authentication; instead, Product Master uses the SAML attributes that are received as claims in the SAML assertion to retrieve the user's attributes and groups.
About this task
Note: You must have a valid role in Product Master to be able to log in to the application.
Roles that are created as a result of a SAML login are created with default ACG permissions. It is the administrator's responsibility to assign the correct role to the user or to update the permissions in those roles. The newly created roles are not added to the $TOP/mdmui/dynamic/mdm-rest/mdmce-roles.json file. The user is assigned a basic role and is allowed to log in to the Persona-based UI. You can disable role creation in the SSO Configuration lookup table. For more information, see Configuring SSO properties.
Procedure
- Configure Product Master.
- Enable the SAML Web browser SSO.
- Configure SSO partners.
- Enable SAML Service Provider Initiated (SP-Initiated) web SSO.
- Configure SSO in the browser.