Tired of entering your password? I know I am. If I didn’t have to type in my password 20 times every day, I would have finished fixing all the defects in ClearQuest. Ok, that’s hyperbole, but it really is a pain, isn’t it? Wouldn’t it be great if you could log in once to access all your applications? The good old people writing security standards have been nice enough to give us a solution. It is called “single sign on”. With more and more DevOps products integrating with each other it is becoming even more important to have a centralized identity management solution where you can sign in once, and access multiple applications.
Single sign-on (SSO) prevents the need to sign on to multiple applications separately. Rather than having to sign on for each application, the user signs in once at an identity provider (IP) and this provides tokens to provide to other web applications and services. A token is like an ID card. You show it wherever you go and it is trusted in many places. If the ID card is trusted, you can do things such as rent a car, walk into a secure building, fly on a plane, and so forth. The same goes for SSO tokens. For any application that is set up to trust the token, it will allow you to log in to that application as the authenticated user. SSO makes it easier and more secure to use different applications, because you only need to log in once and you only do so on the trusted login site.
Authentication and authorization are separate in SSO. The first time a user connects to one of the applications, the user must authenticate by logging in. While the token is valid (usually in 24 to 48 hours), the user does not need to authenticate again. Instead the previously obtained token is used to authorize access to the application.
CHOOSING AN IDENTITY PROVIDER
There are several SSO standards available. ClearQuest supports the following:
Of these, OIDC and SAML2 have a user experience that is more friendly, consistent and configurable than LTPA2. These two provides automatic browser redirects to the identity provider login site. So when the use tries to access a site and needs authentication, they will be taken to this login site. The login site is usually customizable, which allows the enterprise to provide a consistent login page that provides information about your enterprise and what applications might be available to the user. For example, Jazz Authorization Server provides a login page you can customized. The default login page is shown below. The users logging in always see same login page and will trust it when it asks for their credentials.
If you are integrating ClearQuest with Jazz applications, then the best approach is to use OpenID Connect with the Jazz Authorization Server. This provides the most seamless user experience. You will be able to create and navigate links and perform rich hovers without having to login again.
Setting up SSO can be a complicated and time-consuming process. It involves a combination of setup on the WebSphere Application Server (WAS), ClearQuest, and the identity provider. We have written a script to automate most of the process. The script only works for OIDC and SAML2 (this might change in the future), and there are still some manual steps you will need to do. We recommend using one of these two SSO technologies and the supplied script for setting up SSO. Detailed information about ClearQuest SSO support and configuration, including the configuration script, can be found in this technote:
What single sign on provider does your company use? Will it work with ClearQuest? I’d love to hear if you think ClearQuest needs to support additional SSO features or technologies. Please add your thoughts and questions below, or email me: firstname.lastname@example.org.