Set up Single Sign-On (SSO)
Rally On-Demand customers with a SAML 2.0-compliant Identity Provider (IdP) can configure their Rally subscription so that users log in to Rally through Single Sign-On (SSO). Browser-based SAML SSO is a three-party exchange: the user's browser authenticates to your IdP, the IdP validates the credentials and issues a signed SAML assertion, and the browser delivers that assertion to Rally, which verifies it before opening a session. (Note: the Rally work item connectors and the Rally SCM connectors are not compatible with this feature; however, these connectors can be used in SSO Exception Mode.)
How it works
First, access Rally through the SSO URL confirmed for your subscription during setup, and log in to your Identity Management System when it prompts you. Then:
- Your IdP issues a signed SAML assertion (token) to your browser.
- Your browser posts the assertion to Rally's PingFederate server.
- PingFederate validates the assertion's signature with your IdP's public key and checks that the subject is a valid Rally user for the selected subscription; if so, it sends an authenticated token back to your web browser.
- The browser sends the authenticated token to Rally.
- Rally accepts it and lets you into the corresponding subscription.
In order to set up SSO, your company must have a SAML 2.0-compliant Identity Management System (such as Ping Connect, CA SiteMinder, Oracle Access Manager (COREid), or Tivoli Access Manager) and a technical person (often an IT administrator) who runs it. Your Identity Management System administrator must be able to log in to and configure that system. For testing purposes, you will likely want to provide this individual with temporary access to Rally.
If you don't have an Identity Management System set up, we recommend that you contact Ping Identity or Symplified. Both companies are Rally partners with expertise in implementing SSO.
- Contact Support to open a new case. Rally Support will work with the administrator of your Identity Management System.
- Rally Support sends you the Rally Service Provider metadata.xml file. This includes information such as our SSO server (the Assertion Consumer Service URL), the protocols we support, and our public signing key. Exchanging metadata files in this form is part of the SAML 2.0 standard.
- Configure an Identity Provider (IdP) to Rally Service Provider connection in your software, using the Rally metadata.xml file as input.
- Export your IdP metadata.xml file with your public key certificate embedded. This file includes your own information: your SSO server, the protocols you support, and your public signing key. Rally uses this certificate to validate the assertions your IdP signs, so make sure the exported file contains the certificate your IdP currently signs with.
- The SAML_SUBJECT (the assertion's NameID) must be in the form of the user's Rally ID, for example <customername>@<domain>. Rally cannot modify this mapping for you. For testing purposes, you may have your Rally subscription administrator add your IT administrator to your Rally subscription.
- If your IdP cannot produce that mapping, the Rally user IDs must be changed to match the format presented by the SAML_SUBJECT before SSO will work.
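The checks Rally's side applies in the "How it works" flow above, and the SAML_SUBJECT requirement in the last two steps, written out as an added example (this is not Rally or Ping code). It performs the service-provider checks that follow signature verification: Destination and Recipient must be the Rally Assertion Consumer Service URL from the metadata on this page, the Audience must name the SP, the validity window must hold, and the NameID must look like <customername>@<domain>. The XML signature check itself is not reproduced here; PingFederate does that with your IdP's public key. The SP entityID, the IdP entityID and the Response document are constructed for the example.

```python
"""Service-provider-side checks on a SAML 2.0 Response, in the order an SP such as
PingFederate applies them once the XML signature has been verified against the
IdP's public key (the signature check itself is not reproduced here).
Added example, not Rally or Ping code. The Response below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ACS_URL = "https://sso.rallydev.com/sp/ACS.saml2"   # from the Rally SP metadata on this page
SP_ENTITY_ID = "https://sso.rallydev.com/sp"        # assumed; the metadata fragment is truncated
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"  # constructed IdP
RALLY_ID = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # SAML_SUBJECT must look like <customername>@<domain>
SKEW = timedelta(minutes=3)                           # tolerated clock drift between IdP and SP


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, expected_issuer=IDP_ENTITY_ID):
    """Return (accepted, reason, name_id). Every missing element fails closed."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        return False, "unexpected Issuer", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "Conditions incomplete", None
    if now + SKEW < _utc(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - SKEW >= _utc(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "Audience does not name this SP", None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        return False, "SubjectConfirmationData Recipient is not our ACS", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not RALLY_ID.match(name_id):
        return False, "NameID is not in <customername>@<domain> form", None
    return True, "ok", name_id   # name_id is the Rally ID to look up in the subscription


def sample_response(name_id="jdoe@example.com", audience=SP_ENTITY_ID,
                    not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed, unsigned Response as the browser would POST it to the ACS."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_response(sample_response(), NOW))                                        # accepted
    print(check_response(sample_response(name_id="jdoe"), NOW))                          # rejected: NameID form
    print(check_response(sample_response(not_on_or_after="2024-01-01T11:00:00Z"), NOW))  # rejected: expired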
Set up Active Directory Federation Services (ADFS) SSO
- Open your AD FS 2.0 management application.
- Expand Trust Relationships in the left menu, and click Relying Party Trusts.
- From the Actions menu, select Add Relying Party Trust.
- Click Start to begin the Wizard.
- Select the Import data about the relying party from a file option.
- Locate the Rally metadata.xml file on your system and select Open, then click Next on the Wizard screen.
- Enter your Display name and click Next.
- Select your organization's Authorization rules. Typically, most environments will use the Permit all users option.
- Click Next.
- Ensure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option is selected, then click Close.
- In the Edit Claim Rules window, select Add Rule.
- Select a Claim rule template (for example, Send LDAP Attributes as Claims) and click Next.
- Enter a Claim rule name, select the attribute store, and map the attributes.
In this example the attribute store is Active Directory and LDAP attributes are mapped to outgoing claims: the LDAP attribute is the user's e-mail address and the outgoing claim type is Name ID. The value issued as Name ID is what Rally receives as the SAML_SUBJECT, so it must match the user's Rally ID. Depending on your company's IdP configuration, you may need to select a different LDAP attribute or an outgoing claim type other than Name ID.
- Click Finish.
- Click Close.
- Export your AD FS metadata.xml file (see the FAQ below for the URL) and attach it to your support case. Rally's Operations team uses it to create the Service Provider connection and finalize the setup. Once this is completed, Rally Support will confirm your SSO URL and verify that you are able to log in.
Frequently asked questions
Who holds the public key certificates (is there a third-party clearing house like Ping Identity) or is Rally providing the certificate server?
For On-Demand users, Rally runs a PingFederate server that holds a copy of the public signing certificate from your Identity Management System. This lets Rally validate the signature on your assertions without ever holding your private key. If you have more than one subscription ID, a separate Service Provider connection is needed for each Rally subscription ID you want to authenticate with SSO.
Can we provide our own certificate servers?
Yes. You can use any SAML 2.0-compliant Identity Management System behind your firewall to communicate with our PingFederate server; provide its public signing certificate embedded in your IdP metadata.xml, as described above.
This is for authentication. Are you doing authorization, too, or do you plan to do so?
No, we have no plans to do authorization.
What are some of the challenges we need to be aware of?
SSO requires some configuration time on both sides. The Identity Management System is typically managed by your IT Department, a group that Rally does not always work with. It may take some time to identify the contact in your IT group who can create the new Service Provider connection and public key XML metadata file that Rally will need to enable SSO. Please be sure to identify this individual before setting up any calls with Rally Support.
Is there a best practice for adoption, for example start with a small group and scale, or just turn it on and go?
For existing customers, there is a hybrid mode that allows both SSO and Rally authentication. We recommend using this mode while setting up SSO, and switching to SSO-only authentication only after all users have been able to log in using SSO. Remember that in SSO-only mode every login goes through your IdP, so if your IdP is reachable only from inside your corporate network, users will be able to log in to Rally only from behind your corporate firewall. If you want users to be able to log in to Rally from home (or from any location that is not behind your firewall) and your IdP is not exposed externally, keep your Rally connection in hybrid mode.
What happens if a user forgets their password?
The answer depends on what kind of SSO the subscription has been configured for:
- Users in subscriptions using SSO-only mode must reset their password with their internal IT team, since Rally does not have access to that password repository.
- Users in subscriptions using SSO hybrid mode can either reset their Rally password or reset their SSO password with their internal IT team. The two credentials are independent: resetting one does not change the other, and the SSO token cannot be used in place of the Rally password or vice versa.
Today users get password expiration notification emails warning that their password will expire soon. Will those be eliminated when we switch to SSO only with exceptions mode?
Yes, these will be eliminated for anyone not on the exception list.
After switching to SSO only with exceptions mode, can an SSO-only user get to the password change in the profile page, or will that section no longer be displayed?
This will no longer display on the profile page.
What would happen if an SSO-only user goes to the Rally login page and clicks Forgot my password?
The Rally system will send them a link with the SSO information for your subscription.
Can we use integrations and apps?
Currently, integrations do not support SAML-based authentication. It is possible to write an integration that acquires a SAML token from an Identity Provider, but no one has done so yet. Customers who use integrations or the Web Services API will most likely want SSO with exceptions mode. Use of the Web Services API from custom Rally apps running in the browser is supported, since the app inherits the session cookie established when the user logged in.
How long does it take to get it working?
Once you identify the proper contact in your IT Department, it takes a few days to get SSO running.
Is Rally's SSO available for all Rally editions and is there an extra cost?
SSO is included with Unlimited Edition subscriptions at no extra cost. If you are using Enterprise Edition, contact your Rally account manager to discuss upgrading to Unlimited Edition.
Can we test this on Sandbox?
SSO is not available on sandbox.rallydev.com. It can safely be tested in hybrid mode on production without interfering with other users in your subscription.
If I disable a user's SSO account, are they immediately logged out of Rally?
No. If a user was logged in to Rally when their SSO account was disabled, they keep access until they log out or their Rally session times out and they are forced to re-authenticate, at which point the disabled IdP account stops them.
How do I export a metadata file from ADFS?
In general, AD FS publishes its metadata at https://server/FederationMetadata/2007-06/FederationMetadata.xml (substitute your federation service host name for server). Open it in a browser and save the file.
What does an example metadata file look like?
The fragment below is the tail of the Rally Service Provider metadata file; the opening EntityDescriptor element and the XML signature that precede it are truncated here. The AssertionConsumerService entry is the endpoint your IdP must post assertions to, and the HTTP-POST binding is the only one it lists:

    </ds:Signature>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService isDefault="true"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sso.rallydev.com/sp/ACS.saml2" index="0"/>
    </md:SPSSODescriptor>
    <md:ContactPerson contactType="administrative">
      <md:Company>Rally Software Development Corp.</md:Company>
      <md:GivenName>Operations</md:GivenName>
      <md:SurName>Team</md:SurName>
      <md:EmailAddress>email@example.com</md:EmailAddress>
      <md:TelephoneNumber>303-565-2800</md:TelephoneNumber>
    </md:ContactPerson>
  </md:EntityDescriptor>
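An added example (not Rally, Ping or AD FS code) that reads the two metadata files exchanged in the setup steps earlier on this page: the Service Provider file, shaped like the Rally fragment above, and the Identity Provider file your IdP exports with its public signing certificate embedded. It pulls out the values each side needs (entityID, Assertion Consumer Service and its binding, SingleSignOnService endpoints, and the SHA-256 fingerprint of each signing certificate) and flags the problems worth fixing before the files change hands. Both documents are constructed: the SP entityID is assumed, the IdP host is an example, and the certificate body is placeholder bytes rather than a real X.509 DER.

```python
"""Reading the two SAML 2.0 metadata files exchanged in the setup steps above:
the Service Provider file (Rally's, shaped like the fragment on this page) and
the Identity Provider file your IdP exports with its public signing certificate.
Added example, not Rally, Ping or AD FS code. Both documents are constructed;
the SP entityID is assumed and the certificate body is placeholder bytes."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_sp(xml_text):
    """entityID plus the default Assertion Consumer Service the IdP must post to."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"),
            "acs": acs.get("Location") if acs is not None else None,
            "binding": acs.get("Binding") if acs is not None else None}


def parse_idp(xml_text):
    """entityID, browser SSO endpoints by binding, and SHA-256 of each signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))      # strip PEM-style line wrapping
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_sha256": fingerprints}


def findings(sp, idp, pinned_sha256=None):
    """Problems to fix before sending either file to the other party."""
    out = []
    if not (sp["acs"] or "").startswith("https://"):
        out.append("SP ACS is not HTTPS")
    if sp["binding"] != HTTP_POST:
        out.append("SP ACS binding is not HTTP-POST")
    if not idp["signing_cert_sha256"]:
        out.append("IdP metadata has no signing certificate; Rally cannot validate assertions")
    if pinned_sha256 and pinned_sha256 not in idp["signing_cert_sha256"]:
        out.append("IdP signing certificate does not match the fingerprint confirmed out of band")
    if not any(b in idp["sso"] for b in (HTTP_POST, HTTP_REDIRECT)):
        out.append("IdP publishes no browser SSO endpoint")
    return out


# Constructed SP metadata in the shape of the Rally fragment above; entityID is assumed.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sso.rallydev.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService isDefault="true" Binding="{HTTP_POST}"
        Location="https://sso.rallydev.com/sp/ACS.saml2" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder certificate body, not a real X.509 DER.
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real X.509 certificate").decode()

# Constructed IdP metadata as AD FS would export it (example host).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    sp, idp = parse_sp(SP_METADATA), parse_idp(IDP_METADATA)
    print(sp, idp, findings(sp, idp), sep="\n")
```

The pinned_sha256 argument is the check a practitioner adds on top of the page's process: read the fingerprint of your IdP's signing certificate out of band (from the AD FS console or the IdP administrator) and confirm the metadata you are about to send, or that Rally Support has loaded, carries the same certificate. Metadata travels through a support case, so a mismatch there is the one place the trust relationship could be pointed at the wrong key.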