Set up Single Sign-On (SSO)


Rally On-Demand customers with a SAML 2.0-compliant Identity Provider (IdP) can configure their Rally subscription to log in to Rally through Single Sign-On (SSO). The key to secure Internet SSO is the web browser: it interacts with the user's SAML 2.0-compliant Identity Provider, which validates the user's credentials and creates the SAML assertion, and the browser then sends that assertion to Rally.

Note: The Rally Work item connectors and the Rally SCM connectors are not compatible with this feature; however, these connectors can be used in SSO Exception Mode.

How it works

First, access Rally using the URL that your Identity Provider created during the setup process. Next, log in to your Identity Management System.

  1. Your browser is provided with a SAML token.
  2. The SAML token is sent to Rally's Ping Federate Server.
  3. If you are a valid Rally user for the selected subscription, an authenticated token is sent back to your web browser.
  4. The browser sends the authenticated token to Rally.
  5. Rally accepts it and lets you into the corresponding subscription.

Setup

In order to set up SSO, your company must have a SAML 2.0-compliant Identity Management System (such as Ping Connect, CA SiteMinder, Oracle Access Manager (COREid), or Tivoli Access Manager) and a technical person (often an IT administrator) who runs it. Your Identity Management System administrator must be able to log in to and configure your Identity Management System. For testing purposes, you will likely want to provide this individual with temporary access to Rally.

If you don't have an Identity Management System set up, we recommend that you contact Ping Identity or Symplified. Both companies are Rally partners with expertise in implementing SSO.

  1. Contact Support to open a new case. Rally Support will work with the administrator of your Identity Management System.
     Note: This service is only available for customers with active production subscriptions. Free, Sandbox and Trial subscriptions are not eligible for this service.
  2. Rally Support sends the Rally Service Provider metadata.xml file to you. This includes information such as our SSO server, which protocols we support and our public signing key. This metadata.xml file is a standard part of SAML 2.0.
  3. Configure an Identity Provider (IdP) to Rally Service Provider connection within your software, using the Rally metadata.xml file as an input value.
  4. Export the IdP metadata.xml file with your public key certificate embedded. This file will include your own information, such as your SSO server, the protocols you support, and your public key.
    • Your SAML_SUBJECT must be in the form of your Rally ID, for example <customername>@<domain>. Rally cannot modify this for you. For testing purposes, you may have your Rally subscription administrator add your IT administrator to your Rally subscription.
    • If the mapping cannot be met, Rally user IDs must be changed to match the format presented by the SAML_SUBJECT before this will work.
  5. Securely transfer this file to Rally Support using the Contact Support link inside the Rally product. This can also take place over email if both sides support SSL.
  6. Rally Support delivers this file to Rally Operations. Rally Operations will set up our SSO software for this particular connection. We will also ensure that the correct subscription ID is mapped to the connection and that SSO is enabled for that subscription.
  7. Verify that you can log in through your IdP endpoint.
  8. Provide your users with the redirect URL they use to log in to Rally through SSO.

Set up Active Directory Federation Services (ADFS) SSO

  1. Open your AD FS 2.0 management application.
  2. Expand Trust Relationships in the left menu, and click Relying Party Trusts.
  3. From the Actions menu, select Add Relying Party Trust.
  4. Click Start to begin the Wizard.
  5. Select the Import data about the relying party from a file option.
  6. Locate the Rally metadata.xml file on your system and select Open, then click Next on the Wizard screen.
  7. Enter your Display name and click Next.
  8. Select your organization's Authorization rules. Typically, most environments will use the Permit all users option.
  9. Click Next, then click Close.
  10. Ensure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes field is selected, then click Close.
  11. In the Edit Claim Rules window, select Add Rule.
  12. Select a Claim rule template and click Next.
  13. Add a Claim rule name, select the attribute desired, and modify the attributes.

    In this example, the rule uses the Active Directory attribute store and maps LDAP attributes to outgoing claims. The LDAP attribute is the user's email address, and the outgoing claim type is set to Name ID. (Depending on your company's IdP configuration, you may need to select an option other than Name ID.)

  14. Click Finish.
  15. Click Close.
  16. You can now export your metadata.xml file from your browser and provide it to Rally Support through your SSO setup case, so that Rally's Operations team can implement it and finalize the setup. Once this is completed, Rally Support will confirm your SSO URL and ensure that you are able to log in properly.

Note:
  • The name portion of the Rally login ID (peter@company.com) must be identical to the login ID that the Identity Management System uses. If these login IDs are different, SSO will not work for that user, and you will need to update the Rally login IDs to match.
    • If you have Identity Management usernames in the format of “peter,” many IdP systems will allow concatenation of the @company.com portion. This enables the IdP usernames to match the “peter@company.com” format.
  • Disabling a user in your IdP system will not immediately end their session in Rally. A logged-in user will continue to have access until they log out of Rally, their session times out, or a subscription administrator disables the account in Rally.
  • Your identity provider must synchronize its clock to a reliable time source; otherwise the tokens it generates will be invalid and SSO will fail.
  • SSO for Rally On-Premises subscriptions is available as an LDAP (not SSO) solution. Contact Rally Support for details.
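The decision in step 3 of the How it works flow above (Rally's Ping Federate server checks whether the token is for a valid Rally user) and the two failure modes in these notes (mismatched login IDs and an IdP whose clock is wrong) can be illustrated on the service-provider side. The following is an added example written for this page, not Rally's or Ping Federate's code: it takes a constructed SAML assertion whose XML signature is assumed to have been verified already and applies the audience, validity-window and NameID checks an SP performs before mapping the subject to a login ID. The entityID sso.rallydev.com is taken from the SP metadata later on this page; the three-minute clock-skew allowance, the IdP issuer URL and the sample user are assumptions.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example, not Rally's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "sso.rallydev.com"        # entityID from the Rally SP metadata on this page
CLOCK_SKEW = timedelta(minutes=3)        # tolerated drift between IdP and SP clocks (assumption)

# Constructed assertion for illustration. The ds:Signature element is omitted:
# assume the signature over it was already verified against the IdP's public key.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2014-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">peter@company.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-05-01T11:59:00Z" NotOnOrAfter="2014-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>sso.rallydev.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def utc(*args):
    """Build a timezone-aware UTC datetime, e.g. utc(2014, 5, 1, 12, 0, 30)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, rally_logins,
                       sp_entity_id=SP_ENTITY_ID, skew=CLOCK_SKEW):
    """Return (accepted, reason, login_id); stops at the first failed check."""
    root = ET.fromstring(xml_text)

    # 1. Audience: the assertion must have been issued for this SP, not some other one.
    conds = root.find("saml:Conditions", SAML_NS)
    if conds is None:
        return False, "missing Conditions element", None
    audiences = [a.text.strip() for a in
                 conds.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if sp_entity_id not in audiences:
        return False, "audience mismatch: %r" % audiences, None

    # 2. Validity window, with a small allowance for clock drift. An IdP whose clock
    #    is not synchronized fails here, which is the failure mode the note above describes.
    not_before = conds.get("NotBefore")
    not_on_or_after = conds.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid; check the IdP clock", None
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired; check the IdP clock", None

    # 3. Subject: the NameID must be in <name>@<domain> form and match a Rally login ID exactly.
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        return False, "missing NameID", None
    login = name_id.text.strip()
    local, sep, domain = login.partition("@")
    if not (local and sep and domain) or "@" in domain:
        return False, "NameID %r is not in <name>@<domain> form" % login, login
    if login not in rally_logins:
        return False, "no Rally user with login ID %r" % login, login
    return True, "accepted", login


if __name__ == "__main__":
    users = {"peter@company.com"}
    print(validate_assertion(SAMPLE_ASSERTION, utc(2014, 5, 1, 12, 0, 30), users))
    print(validate_assertion(SAMPLE_ASSERTION, utc(2014, 5, 1, 12, 9, 0), users))
    print(validate_assertion(SAMPLE_ASSERTION, utc(2014, 5, 1, 12, 0, 30), {"peter"}))
```

The third call shows the login-ID mismatch from the note: the IdP sends peter@company.com but the subscription only knows "peter", so the assertion is rejected even though it is otherwise valid; fixing that is a matter of aligning the IDs on one side, as the note says, not of loosening the comparison.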

Frequently asked questions

Who holds the public key certificates (is there a third-party clearing house like Ping Identity) or is Rally providing the certificate server?

For on-demand users, Rally has a Ping Federate server installed, which holds a copy of the public key for your Identity Management System. This allows us to validate tokens without storing any private certificates. If you have more than one subscription ID, you will need to create a different Service Provider connection for each Rally subscription ID you would like to authenticate with SSO.

Can we provide our own certificate servers?

Yes, you can use any SAML 2.0-compliant Identity Management System behind your firewall to communicate with our Ping Federate server. You need to provide this certificate in the format requested above.

This is for authentication. Are you doing authorization, too, or do you plan to do so?

No, we have no plans to do authorization.

What are some of the challenges we need to be aware of?

SSO requires some configuration time on both sides. The Identity Management System is typically managed by your IT Department, a group that Rally does not always work with. It may take some time to identify the contact in your IT group who can create the new Service Provider connection and public key XML metadata file that Rally will need to enable SSO. Please be sure to identify this individual before setting up any calls with Rally Support.

Is there a best practice for adoption, for example start with a small group and scale, or just turn it on and go?

For existing customers, there is a hybrid mode that allows both SSO and Rally authentication. We recommend using this mode while setting it up, and only switching to SSO-only authentication after all users have been able to log in using SSO. Remember, if you do switch to SSO-only authentication, users will only be able to log in to Rally from behind your corporate firewall. If you want users to be able to log in to Rally when at home (or from any web location that is not behind your firewall), you should set up your Rally connection for hybrid mode.

What happens if a user forgets their password? 

The answer depends on what kind of SSO the subscription has been configured for:

  1. In subscriptions using SSO-only mode, users must reset their password with their internal IT team, since Rally does not have access to that password repository.
  2. In subscriptions using SSO hybrid mode, users can either reset their Rally password (the SSO token still will not work) or reset their SSO password internally (the Rally password still will not work).

Today users get password expiration notification emails warning that their password will expire soon. Will those be eliminated when we switch to SSO only with exceptions mode?

Yes, these will be eliminated for anyone not on the exception list. 

After switching to SSO only with exceptions mode, can an SSO-only user get to the password change in the profile page, or will that section no longer be displayed?

This will no longer display on the profile page. 

What would happen if an SSO-only user goes to the Rally login page and clicks Forgot my password?

The Rally system will send them a link with the SSO information for your subscription. 

Can we use integrations and apps?

Currently, integrations do not support SAML-based authentication. It is possible to write an integration that can acquire a SAML token from an Identity Provider, but no one has done this yet. Customers who are using integrations or the Web Services API will most likely want to use SSO with exceptions mode. Use of the Web Services API through custom Rally applications in the browser is supported, since they can get a cookie as part of the login process.

How long does it take to get it working?

Once you identify the proper contact in your IT Department, it takes a few days to get SSO running.

Is Rally's SSO available for all Rally editions and is there an extra cost?

SSO is included with Unlimited Edition subscriptions at no extra cost. If you are using Enterprise Edition, contact your Rally account manager to discuss upgrading to Unlimited Edition.

Can we test this on Sandbox?

SSO is not available on sandbox.rallydev.com. It can safely be tested in hybrid mode on production without interfering with other users in your subscription.

If I disable a user's SSO account, are they immediately logged out of Rally?

No. If they were logged into Rally when their SSO account was disabled, they will still be able to access Rally until they log out or until their session times out and they are forced to re-authenticate.

How do I export a metadata file from ADFS?

In general, the ADFS metadata is published at https://server/FederationMetadata/2007-06/FederationMetadata.xml, where server is your AD FS host. You can save the file from there.

What does an example metadata file look like?

See below:

  <md:EntityDescriptor entityID="sso.rallydev.com" cacheDuration="PT1440M" ID="OIvWOHILu615UWA1jGGTkq6SvQa" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#OIvWOHILu615UWA1jGGTkq6SvQa">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>0jMS2Redw9hkax3mk0gs0zvN92A=</ds:DigestValue>
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
    A8AoyWPlgCZ4vhqDkDylu530TFiv1+374ekc8xzOKMUsn2B2H4IbVfrqou4SdIRK/WU52lkkItc6
    CbznJokbWZSoxfpEe9aAuLMJn4cS6Ln1qDCw0X3BXCPQ6+H16Yy3ZTYq5gSHo18GEOqe9iW9872k
    RfPgcVNAuqszdxTY5BkX7v5g9Grc8ALNYYVWssMaXJUNdm/oiq//WYAZxxFXa7f3kEY2ltQKaaQv
    3n/SLWzDAdBl1NNBaRC4a1QyrInec019AjpoQ2W+h4FER121xUlGyx0AX+M0ZEmY3+7PuusC6sWS
    af1jdUid9E2jNxTJJwvmqSPOKBKIXAnM1okrJA==
  </ds:SignatureValue>
  <ds:KeyInfo>
  <ds:X509Data>
  <ds:X509Certificate>
    MIIDPjCCAiagAwIBAgIGAS2WHAUZMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJDTzEQMA4GA1UEBxMHQm91bGRlcjEXMBUGA1UEChMOUmFsbHkgU29mdHdhcmUxGTAXBgNV
    BAMTEHNzby5yYWxseWRldi5jb20wHhcNMTEwMTE3MjIzMjU0WhcNMzgwNjA0MjEzMjU0WjBgMQsw
    CQYDVQQGEwJVUzELMAkGA1UECBMCQ08xEDAOBgNVBAcTB0JvdWxkZXIxFzAVBgNVBAoTDlJhbGx5
    IFNvZnR3YXJlMRkwFwYDVQQDExBzc28ucmFsbHlkZXYuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAlfegSpv/FnbkyoZshy3pm5zghS/losCo026l1Li2MO4ZVuWncbaXduMmg36F
    1qFJGxS3OYepXdhgQaLrfk1WqqILwM++xuGLCoeaKfsnXXuDVa2AtzQwBk7TyMCWFyVw1+AOT9wX
    /cX1Pd77nenQ9rq5Cc51PxfciEtD/r0M9XtVv3R2shOH4yKAslRGbEpoepENsy+vSid/vprlEqXL
    c+jQ59WbXffl1qZDf9xB7CeQhdefeklsEzXIpVvYeyYV+J0D7V0GvJRchokEb3IQYRUIefElrAGi
    7f5HEU8rat7bReHzLgzN80OS6UzS0affQZ+LUwXeRN0ACPYspe+72QIDAQABMA0GCSqGSIb3DQEB
    BQUAA4IBAQCUPiGKwasTqvkQxEsqFDFL4FWVJUii6Io5Jh+aBbHhUKqZ7Z6CrnXFVFmQa9avrAmd
    yzE6kkPDWUioYVoENrM2nxjGpsqic7f/uw23cctl2OJxmqLdHUPEapf77VRsiGXQvcnrfevo2Iw7
    6RKho9QLIEU3kOAcM/cZnUxxaK0H3yLsCjuUptiLWqUvqYKuyMheHd4gsZl7t6yGtM0oEyTs8xLS
    smYrHIvQyyXWdJxQar3+lWg9K8qJbxQdbcp4E5ipafKluPmXuG09wujIDgIpyLeu/ALCKiOCvRlp
    BH9qLawXx7oGN4skw4SoQTI8dnZ+mrP6qADWOT79cIc0OHvM
  </ds:X509Certificate>
  </ds:X509Data>
  <ds:KeyValue>
  <ds:RSAKeyValue>
  <ds:Modulus>
    lfegSpv/FnbkyoZshy3pm5zghS/losCo026l1Li2MO4ZVuWncbaXduMmg36F1qFJGxS3OYepXdhg
    QaLrfk1WqqILwM++xuGLCoeaKfsnXXuDVa2AtzQwBk7TyMCWFyVw1+AOT9wX/cX1Pd77nenQ9rq5
    Cc51PxfciEtD/r0M9XtVv3R2shOH4yKAslRGbEpoepENsy+vSid/vprlEqXLc+jQ59WbXffl1qZD
    f9xB7CeQhdefeklsEzXIpVvYeyYV+J0D7V0GvJRchokEb3IQYRUIefElrAGi7f5HEU8rat7bReHz
    LgzN80OS6UzS0affQZ+LUwXeRN0ACPYspe+72Q==
  </ds:Modulus>
  <ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue>
  </ds:KeyValue>
  </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rallydev.com/sp/ACS.saml2" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="administrative">
  <md:Company>Rally Software Development Corp.</md:Company>
  <md:GivenName>Operations</md:GivenName>
  <md:SurName>Team</md:SurName>
  <md:EmailAddress>operations@rallydev.com</md:EmailAddress>
  <md:TelephoneNumber>303-565-2800</md:TelephoneNumber>
  </md:ContactPerson>
  </md:EntityDescriptor>
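As an added example (not Rally's code), the following Python script reads a Service Provider metadata file like the one above and extracts what the Setup section says Rally's metadata.xml carries: the SSO server (entityID and AssertionConsumerService endpoint), the supported protocol, and the signing certificate, reporting the certificate's SHA-1 fingerprint so it can be compared with the value confirmed with Rally Support before the file is loaded into an IdP. It also flags an ACS endpoint that is not https, a missing SAML 2.0 protocol declaration, and a missing certificate. The embedded metadata is a constructed, shortened stand-in whose certificate is a placeholder blob rather than the real one; its element layout mirrors the example above.

```python
"""Inspect SAML 2.0 SP metadata before trusting it (added example, not Rally's code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: real metadata carries a base64 DER-encoded X.509 certificate here.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real DER certificate"
).decode("ascii")

# Constructed, shortened stand-in for the SP metadata shown above (same layout: signed
# EntityDescriptor, certificate inside ds:KeyInfo, one HTTP-POST AssertionConsumerService).
SAMPLE_METADATA = """<md:EntityDescriptor entityID="sso.rallydev.com"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.rallydev.com/sp/ACS.saml2" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % PLACEHOLDER_CERT_B64


def cert_fingerprint(cert_b64):
    """SHA-1 fingerprint (hex) of the certificate bytes, as most IdP consoles display it."""
    der = base64.b64decode("".join(cert_b64.split()))   # tolerate line-wrapped base64
    return hashlib.sha1(der).hexdigest()


def inspect_metadata(xml_text):
    """Extract the fields an IdP administrator needs and list anything that looks wrong."""
    root = ET.fromstring(xml_text)
    result = {
        "entity_id": root.get("entityID"),
        "protocols": [],
        "acs": [],
        "cert_sha1": None,
        "problems": [],
    }
    if not result["entity_id"]:
        result["problems"].append("EntityDescriptor has no entityID")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        result["problems"].append("no SPSSODescriptor: this is not service-provider metadata")
    else:
        result["protocols"] = (sp.get("protocolSupportEnumeration") or "").split()
        if SAML2_PROTOCOL not in result["protocols"]:
            result["problems"].append("SP does not declare SAML 2.0 protocol support")
        for acs in sp.findall("md:AssertionConsumerService", NS):
            binding, location = acs.get("Binding"), acs.get("Location", "")
            result["acs"].append((binding, location))
            if not location.startswith("https://"):
                result["problems"].append("ACS endpoint is not https: %s" % location)
            if binding != HTTP_POST_BINDING:
                result["problems"].append("unexpected ACS binding: %s" % binding)

    # The signing certificate may sit in ds:KeyInfo (as above) or in md:KeyDescriptor;
    # search the whole document rather than one fixed path.
    certs = [c.text for c in root.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
    if not certs:
        result["problems"].append("no X509Certificate found; cannot pin the SP signing key")
    else:
        result["cert_sha1"] = cert_fingerprint(certs[0])
    return result


if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_METADATA).items():
        print("%-10s %s" % (key, value))
```

Run it against the real metadata.xml received from Rally Support by replacing SAMPLE_METADATA with the file contents; the fingerprint it prints is what should be compared with the IdP's view of the relying-party certificate after import.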
© 2014 Rally Software Development Corp | Legal