Set up SSO authentication

Single sign-on (SSO) is an authentication process that allows users to access multiple applications using a single username and password. SSO frees users from entering their username and password repeatedly when switching between applications. This topic describes how to set up SSO authentication for connecting to ALM.

If you upgrade ALM to 15.5 from an earlier version with SSO enabled, re-deploy the SSO components after the upgrade to make sure SSO still works as expected. For details, see Step 3: Deploy SSO components.

Note: For CAC (Common Access Card) and SiteMinder authentication, see the ALM External Authentication Configuration Guide.

How ALM supports SSO

ALM supports SSO via SAML 2.0, acting as a service provider (SP). Alternatively, it supports SSO via OpenID Connect (OIDC), acting as a relying party (RP). You must implement a federation service that acts as an identity provider (IdP) and uses SAML 2.0 or OIDC as its federation protocol.

The ALM SSO solution works as follows:

  1. A user logs on to an application that can serve as the identity provider (IdP).
  2. The user requests access to an ALM resource.
  3. ALM sends an authentication request to the IdP to obtain the user information. Using that information, ALM attempts to locate an ALM user that matches the IdP user and decides whether to grant the user access to the ALM resource.

    Scenario: A matching user exists in ALM
    Description and result: ALM checks the IdP user by Identity Key and IdP ID. If both of these resolve to one ALM user, the IdP user is authorized.

    Scenario: No matching user exists in ALM
    Description and result: The user is not authorized and cannot log in. If auto user-provisioning is enabled, ALM runs the auto user-provisioning process to create or find a matching user in ALM. For details, see Auto user-provisioning configurations.
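
The matching rule in step 3, as an added example that is not ALM code and not part of the original documentation: a small Python model of the decision, showing that a user is matched on the pair of IdP ID and Identity Key rather than on the key alone. The class, field and decision names, the refusal of ambiguous mappings, and the create-only behaviour of auto-provisioning are assumptions made for illustration.

```python
# Illustrative model only: not ALM code. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AlmUser:
    name: str
    idp_id: str        # which IdP this ALM user is mapped to
    identity_key: str  # the user's identifier as asserted by that IdP


@dataclass
class UserStore:
    users: list = field(default_factory=list)
    auto_provisioning: bool = False

    def match(self, idp_id, identity_key):
        # Both values must agree; an identity key alone is not a match.
        return [u for u in self.users
                if u.idp_id == idp_id and u.identity_key == identity_key]

    def authorize(self, idp_id, identity_key):
        """Return (decision, user) for a user the IdP has authenticated."""
        found = self.match(idp_id, identity_key)
        if len(found) == 1:
            return "authorized", found[0]
        if len(found) > 1:
            # Assumption: an ambiguous mapping is refused rather than guessed.
            return "denied", None
        if not self.auto_provisioning:
            return "denied", None
        # Assumption: provisioning creates a user bound to this IdP and key.
        user = AlmUser(f"auto-{len(self.users) + 1}", idp_id, identity_key)
        self.users.append(user)
        return "provisioned", user


def demo():
    # Constructed sample data.
    store = UserStore([AlmUser("alice", "idp-a", "alice@example.com")])
    results = [
        store.authorize("idp-a", "alice@example.com")[0],  # pair matches
        store.authorize("idp-b", "alice@example.com")[0],  # same key, other IdP
    ]
    store.auto_provisioning = True
    results.append(store.authorize("idp-b", "bob@example.com")[0])
    results.append(store.authorize("idp-b", "bob@example.com")[0])
    return results
```

Calling demo() walks through a matching pair, the same key presented by a different IdP, a first login with auto-provisioning enabled, and the follow-up login of the newly provisioned user.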


Steps to set up SSO authentication

Follow the steps below one by one to complete the SSO configuration.

Step 0: Preparation

Step 1: Configure ALM as SP

Step 2: Configure default IdP

Step 3: Deploy SSO components

Step 4: Register ALM as SP in IdP

Step 5: Map IdP users with ALM users

Step 6: Validate IdP

Step 7: Enable SSO

(Optional) Step 8: Add additional IdPs
