Configuring Jazz Team Server single sign-on authentication for Publishing Document Builder

You can set Publishing Document Builder to use Jazz Team Server (JTS) single sign-on (SSO) authentication.

About this task

This type of authentication is supported on WebSphere® Application Server and WebSphere Application Server Liberty Profile. The Liberty server must be configured for HTTPS connections.

The following types of SSO authentication are supported:
  • Jazz Security Architecture SSO authentication: Jazz Security Architecture SSO is an authentication protocol based on the OpenID Connect standard. Authentication services are provided by the Jazz Authorization Server, which must be installed somewhere in your network.
  • WebSphere Application Server with Lightweight Third-Party Authentication (LTPA) SSO authentication: With LTPA, a user's login credentials are stored in a session cookie that is available for the current browser session only. This cookie contains the LTPA token.
Note: When Publishing Document Builder is configured with Jazz SSO authentication, if you are logged in to Publishing Document Builder, you do not have to enter the data source credentials again when generating a document with data from any IBM Engineering Lifecycle Management (ELM) applications that use the same JTS. To take advantage of not having to reauthenticate, see the following details:
  • The Authentication Method is set to Auto when the connection is created for the data source.
  • Publishing Document Builder does not have to be deployed on the same domain as the Engineering Lifecycle Management applications.
  • If the data source connection is to an ELM application registered with another JTS, then you must provide connection credentials when generating a document.
  • Publishing Document Builder must operate in HTTPS mode (for example, https://hostname:port/rpeng/).
  • This setting does not work for scheduled document generations.

Install and configure Jazz Team Server with SSO authentication

Procedure

  1. Install Jazz Team Server.
  2. Enable one of the following SSO (single sign-on) authentication types:
    To deploy SSO on WebSphere Application Server, see the Deploying WebSphere Application Server by using single sign-on authentication topic.
  3. Deploy and start the Jazz Team Server and other ELM applications on the application server.
  4. For the Jazz Security Architecture SSO authentication type, ensure that you deploy and start Jazz Authorization Server.
  5. Run the Custom setup wizard to configure the server.

Register Publishing Document Builder with Jazz Team Server

Procedure

  1. Start Publishing Document Builder.
  2. Log in to the Administration page of the JTS. Point your web browser to https://qualified.hostname.com:9443/jts/admin
  3. Click the Server tab.
  4. In the Configuration section, click Registered Applications.
  5. In the Registered Applications section, click Add.
  6. In the Add Application window, complete the following information about your application.
    • Application Name: A name for the application, for example /rpeng. It must be unique among all applications that are registered with the JTS.
    • Discovery URL: The service contribution resource (SCR) URL for the application. In general, for the Discovery URL, add /scr to the end of the public URL of the application. For example, if the public URL is https://qualified.hostname.com:port/rpeng, the corresponding SCR URL would be https://qualified.hostname.com:port/rpeng/scr.
    • Application Type: After you type the Discovery URL, wait a few moments and the Jazz Team Server will detect the type of application that you are registering.
    • Consumer Secret: Type a consumer secret for the application that you are registering. JTS automatically generates a consumer key.
    • Functional User ID: Type the user ID of the functional user that performs background tasks, for example pub_user.
    • Authorization Server URL: Enter https://qualified.hostname.com:9643/oidc/endpoint/jazzop.
    • Administrator User ID: Enter administrator credentials, for example ADMIN.
    • Administrator Password: Enter the administrative password.
  7. Click Finish.

Results

Publishing Document Builder appears in the list of applications in the Jazz home menu.
[Figure: Generate Documents in menu]
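
The values entered in the Add Application window can be checked for consistency before registration. The following Python check is an added example, not part of the product or its documentation; the function names, the sample port for /rpeng, the sample registered names, and the fully qualified host check are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def _https_parts(url, label):
    """Parse a URL and insist on https plus a host name."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"{label} must be an https:// URL with a host: {url!r}")
    return parts

def discovery_url(public_url):
    """Append /scr to the application's public URL (trailing slash tolerated)."""
    parts = _https_parts(public_url, "public URL")
    path = parts.path.rstrip("/")
    if not path or parts.query or parts.fragment:
        raise ValueError(f"public URL needs a bare context root such as /rpeng: {public_url!r}")
    return urlunsplit(("https", parts.netloc, path + "/scr", "", ""))

def check_registration(app_name, public_url, discovery, auth_server_url, registered_names):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if app_name in registered_names:
        problems.append(f"application name {app_name!r} is already registered")
    try:
        expected = discovery_url(public_url)
        if discovery.strip().rstrip("/") != expected:
            problems.append(f"Discovery URL should be {expected}")
        # Assumption: hosts are fully qualified, as in the page's example URLs.
        if "." not in urlsplit(public_url.strip()).hostname:
            problems.append("public URL host is not fully qualified")
    except ValueError as exc:
        problems.append(str(exc))
    try:
        _https_parts(auth_server_url, "Authorization Server URL")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample values (port 9443 for /rpeng is an assumption).
SAMPLE = dict(
    app_name="/rpeng",
    public_url="https://qualified.hostname.com:9443/rpeng/",
    discovery="https://qualified.hostname.com:9443/rpeng/scr",
    auth_server_url="https://qualified.hostname.com:9643/oidc/endpoint/jazzop",
    registered_names={"/ccm", "/qm"},
)

if __name__ == "__main__":
    for line in check_registration(**SAMPLE) or ["registration values look consistent"]:
        print(line)
```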

Set up Publishing Document Builder with Jazz Team Server SSO authentication

Procedure

  1. Log in to Publishing Document Builder as an administrator.
  2. To administer the application, click the Administration menu in the product banner.
  3. Select Administer from the drop-down menu.
  4. Click the Runtime Variables tab.
  5. In the Runtime Variables tab, expand Authentication Switching, and click the Edit link.
  6. In the Authentication type drop-down list, select JTS Authentication.
  7. Click Save.
  8. In a browser, open the URL for Publishing Document Builder. The authentication is delegated to the JTS single sign-on page.