Single sign-on authentication in Engineering Lifecycle Management

Edit online

Single sign-on (SSO) authentication is a mechanism where multiple related but independent software applications are configured so that a user logs in once and gains access to all systems, without the need to re-authenticate. IBM® Engineering Lifecycle Management supports several types of single sign-on authentication. Use the protocol that is appropriate for your deployment configuration and needs.

Kerberos/SPNEGO SSO authentication

Engineering Workflow Management supports Kerberos/SPNEGO authentication. The following clients can authenticate with a server that is configured for this protocol:
  • Engineering Workflow Management browser-based client
  • Engineering Workflow Management Eclipse client
  • Engineering Workflow Management .NET clients:
    • Engineering Workflow Management client for Microsoft Visual Studio IDE
    • Engineering Workflow Management Windows Explorer integration
    • Engineering Workflow Management MS-SCCI Provider
  • Engineering Workflow Management SCM command-line interface
  • Jazz build clients:
    • Jazz Build Agent
    • Jazz Build Engine for the Eclipse client
    • Jazz Build Engine for IBM i
    • Jazz Build Engine for z/OS
    • Jazz Build System Toolkit
  • Jazz repository tools command-line interface

For more information, see Configuring Kerberos/SPNEGO single sign-on authentication.

Jazz Security Architecture SSO authentication

Jazz Security Architecture SSO is an authentication protocol based on the OpenID Connect standard. It is an alternative single sign-on protocol to Kerberos/SPNEGO SSO, WebSphere Liberty server with Lightweight Third-Party Authentication (LTPA) SSO. Jazz Security Architecture SSO is supported on all platforms and allows for single sign-on across applications that are installed in a mix of WebSphere Liberty server.

Authentication services are provided by the Jazz® Authorization Server, which must be installed somewhere in your network.
Restriction: Installation of the Jazz Authorization Server on IBM i and z/OS systems is not supported.
In addition, Jazz Security Architecture SSO must be enabled on the Jazz Team Server and deployed Engineering Lifecycle Management applications. Authentication administration is simplified because only the Jazz Authorization Server must be configured for authentication (for example, to use an LDAP user registry); WebSphere Liberty server that hosts the Engineering Lifecycle Management applications is not configured for authentication. The Jazz Authorization Server validates user credentials and issues access tokens that can be shared across applications.

Also, Jazz Security Architecture SSO eliminates the requirement for paired configuration of OAuth consumer keys. All applications that are configured for Jazz Security Architecture SSO can communicate with each other without a configuration for every possible source and destination relationship.

For new installations, you enable Jazz Security Architecture SSO by selecting it as an option during the installation process. For more information, see Installing IBM Engineering Lifecycle Management by using IBM Installation Manager.

For existing installations, you enable Jazz Security Architecture SSO by performing a migration procedure after you upgrade to the current release. For more information, see Enabling applications for Jazz Security Architecture single sign-on.

You can also use a variant of OIDC authentication where the Jazz Application Server is configured to delegate a third party identity provider to validate user credentials. See Application Passwords for Native Client Authentication with OpenID Connect for more details.

SSO authentication

You can configure single sign-on in a distributed environment on by using the LTPA authentication protocol. For detailed instructions, see this Deployment wiki article.