Use IBM CIS SSO with Incorta

To enable single sign on (SSO) using IBM CIS, you must configure IBM CIS and Incorta.

Perform the following steps for each tenant using IBM CIS SSO.

  1. Configure IBM CIS, see Configure IBM CIS.
  2. Enable SSO for a tenant, see Enable SSO for a Tenant.
  3. Create a configuration file, see Create a Configuration File.
  4. Modify the server.xml file to reference the IBM CIS configuration file. See Modify server.xml.
  5. Restart Incorta.

Configure IBM CIS

In IBM CIS, define a Connection/Service for a Generic SAML 2.0 Service Provider. Choose Connection Management from the left-side panel and configure the following parameters:

Assertion Consumer Service URL. Use the format http://<incortaHostName>/incorta/!<tenantName>/ (if Incorta is served over TLS, which is recommended because the SAML response is POSTed to this URL, use https instead).

Provider ID. This value distinguishes Incorta from the other service providers registered in IBM CIS. Incorta treats each tenant as a separate service provider, so use the format <entityID>/<tenantName>:

  • <entityID>: the value of the entityID attribute in the IBM CIS metadata file.
  • <tenantName>: the Incorta tenant name.

Identity Mapping Rule. Copy and paste the snippet below. This is where the loginName attribute that Incorta reads from the SAML response is set:

Value:

// IBM CIS identity mapping rule (JavaScript): build the attribute set Incorta expects in the SAML response.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement);
importPackage(Packages.com.ibm.ws.util);
importPackage(Packages.org.json.simple);
// Prepare the attribute list. The trailing + "" coerces each Java value to a JavaScript string.
// The principal and NameID are the user's mail credential attribute; loginName is the authenticated
// principal name, which is the value Incorta matches against its user's login name.
var principalAttr = new Attribute("name","urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",stsuu.getAttributeValueByName("tagvalue_credattrs_mail") + "");
var emailAddress = new Attribute("emailAddress","urn:oasis:names:tc:SAML:2.0:assertion",stsuu.getAttributeValueByName("tagvalue_credattrs_mail") + "");
var NameID = new Attribute("Name ID","urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",stsuu.getAttributeValueByName("tagvalue_credattrs_mail") + "");
var firstName = new Attribute("firstName","urn:oasis:names:tc:SAML:2.0:assertion",stsuu.getAttributeValueByName("tagvalue_credattrs_givenName") + "");
var lastName = new Attribute("lastName","urn:oasis:names:tc:SAML:2.0:assertion",stsuu.getAttributeValueByName("tagvalue_credattrs_surname") + "");
var loginName = new Attribute("loginName","urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",stsuu.getAttributeValueByName("AZN_CRED_PRINCIPAL_NAME") + "");
// Clear the STSUU so the SAML response carries only the attributes prepared above.
stsuu.clear();
// Add the attributes back to the STSUU.
stsuu.addPrincipalAttribute(principalAttr);
stsuu.addAttribute(NameID);
stsuu.addAttribute(emailAddress);
stsuu.addAttribute(firstName);
stsuu.addAttribute(lastName);
stsuu.addAttribute(loginName);
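The Provider ID and Assertion Consumer Service URL above have to be derived per tenant, and the mapping rule only pays off if the attributes it sets actually arrive at Incorta. The following script is an added example, not part of Incorta's or IBM's documentation: it reads the entityID from an IBM CIS metadata file, builds the Provider ID and ACS URL for each tenant, and checks a captured SAMLResponse (the base64 form field POSTed to the ACS URL) for the Destination, Audience, NameID format and the loginName/emailAddress/firstName/lastName attributes the mapping rule emits. The metadata, host names and SAML response are constructed samples; the check is a configuration-debugging aid and does not replace the signature and timestamp validation that Incorta performs as the service provider.

```python
"""Derive IBM CIS settings for Incorta tenants and sanity-check a captured SAML response.

Added example; the metadata, host names and response below are constructed samples.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml if the input is not from your own IdP

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
REQUIRED_ATTRS = ("loginName", "emailAddress", "firstName", "lastName")

# Constructed stand-in for the IBM CIS metadata file; only entityID is read from it.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cis.example.com/isam/sps/saml20idp/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed SAMLResponse as it would arrive base64-encoded at the ACS URL. Signature and
# timestamps are omitted because this script does not validate them (Incorta does).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://incorta.example.com/incorta/!acme/">
  <saml:Issuer>https://cis.example.com/isam/sps/saml20idp/saml20</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cis.example.com/isam/sps/saml20idp/saml20/acme</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailAddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="loginName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")


def entity_id_from_metadata(metadata_xml):
    """Return the entityID of the IdP metadata (the <entityID> part of the Provider ID)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    return entity_id


def provider_id(entity_id, tenant):
    """Provider ID in the form Incorta expects: <entityID>/<tenantName>."""
    return "%s/%s" % (entity_id, tenant)


def acs_url(host, tenant, scheme="https"):
    """Assertion Consumer Service URL: <scheme>://<host>/incorta/!<tenantName>/."""
    return "%s://%s/incorta/!%s/" % (scheme, host, tenant)


def tenant_settings(metadata_xml, host, tenants, scheme="https"):
    """One (Provider ID, ACS URL) pair per tenant, since each tenant is a separate SP."""
    entity_id = entity_id_from_metadata(metadata_xml)
    return {t: {"provider_id": provider_id(entity_id, t), "acs_url": acs_url(host, t, scheme)}
            for t in tenants}


def parse_response(saml_response_b64):
    """Extract the fields the mapping rule is supposed to set from a captured SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in response (encrypted assertions not handled)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return {
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": audiences,
        "attributes": attrs,
    }


def check_response(info, expected_provider_id, expected_acs_url):
    """List configuration mismatches that would make Incorta reject or mis-map the login.
    Debugging aid only: XML signature, InResponseTo and NotBefore/NotOnOrAfter are not checked
    here and must still be enforced by the service provider."""
    problems = []
    if info["destination"] != expected_acs_url:
        problems.append("Destination %r != ACS URL %r" % (info["destination"], expected_acs_url))
    if expected_provider_id not in info["audiences"]:
        problems.append("Audience %r lacks Provider ID %r" % (info["audiences"], expected_provider_id))
    if info["name_id_format"] != EMAIL_FORMAT:
        problems.append("NameID format %r, mapping rule should emit %r" % (info["name_id_format"], EMAIL_FORMAT))
    for name in REQUIRED_ATTRS:
        values = info["attributes"].get(name) or [""]
        if not values[0]:
            problems.append("attribute %s missing or empty" % name)
    if expected_acs_url.startswith("http://"):
        problems.append("ACS URL is plain http; the SAML response would be POSTed without TLS")
    return problems


if __name__ == "__main__":
    settings = tenant_settings(SAMPLE_METADATA, "incorta.example.com", ["acme", "globex"])
    for tenant, s in settings.items():
        print(tenant, s["provider_id"], s["acs_url"])
    info = parse_response(SAMPLE_RESPONSE)
    print(check_response(info, settings["acme"]["provider_id"], settings["acme"]["acs_url"]) or "acme: OK")
```

To use it against a real login, copy the SAMLResponse value from the browser's POST to /incorta/!<tenantName>/ into parse_response and pass the Provider ID and ACS URL you configured in IBM CIS to check_response; an empty list means the two sides agree on tenant, audience and the attributes the mapping rule sets.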