CA Agile Central SaaS (Rally)
CA Agile Central On Premise (Rally)
Issue/Introduction
Information regarding why Rally SSO is linked with Broadcom Support Portal and the necessary changes.
Resolution
What is happening?
Rally is transitioning its single-sign on (SSO) solution from PingFederate to Okta. Your users will continue to authenticate with your own identity provider (IdP), using the same SSO credentials they currently use. Your IdP’s Rally application will need to be reconfigured to point to Broadcom’s B2C Okta instance, and vice versa.
Why?
Broadcom as a corporation has adopted Okta for SSO in order to make it easier for our customers to access all of Broadcom’s SaaS products.
How?
Rally Support will work with your IdP administrator to transition your subscription to our new SSO solution. After your IdP and Okta have been configured to communicate with each other, you will have the opportunity to test the new SSO pathway with a small set of users before transitioning your entire subscription.
Who?
Rally Support will work with your company’s Rally Subscription Administrator(s), as well as your internal IT team who manages your SSO configurations.
How does this affect our subscription?
Once your subscription has been transitioned to Okta, there should be no change in how you access Rally. You can continue to initiate a login either at your company’s IdP or at Rally. SSO users will continue to use their current credentials.
Are there any benefits to this change?
Okta is a trusted, highly reliable SSO solution. If your company adopts other Broadcom SaaS applications, you should be able to use a single connection from your IdP to Broadcom’s B2C Okta instance. This would eliminate the need to configure separate SSO connections for each application.
Are there any detrimental effects of this change?
Your IdP administrator and subscription administrator will need to work with Rally Support to perform the transition. Once that is complete, there should be no impact on your SSO users.
Do we have to change our usernames and passwords?
No, your SSO usernames and passwords will continue to be stored by your own IdP, and do not need to change. If your subscription allows some or all users to authenticate directly with Rally, those usernames and passwords do not need to be changed, either.
What if we don’t use SSO at all?
Rally subscriptions that do not use SSO are not affected by this change. Such users would continue to log in directly to Rally, no configuration changes are necessary, and this message may be disregarded.
What if we use both SSO and Rally authentication?
Rally subscriptions that can authenticate by either SSO or Rally need to be transitioned as described above. When authenticating with SSO, your IdP will then route users through Broadcom’s B2C Okta. When authenticating directly with Rally, there will be no change.
Can we set up SP and IDP initiated logins?
Yes, we support both IdP- and SP-initiated logins. Subscriptions in "hybrid" mode (Rally or SSO authentication) only support IdP-initiated login for SSO, and logins at the Rally login page have to be non-SSO.
Subscriptions in "SSO auth" or "SSO with exceptions" mode support both IdP-initiated and SP-initiated SSO. For SP-initiated login, the user enters their username at the Rally login prompt and clicks Login, and is then redirected to their IdP to authenticate.
What if we use SSO with exceptions?
Rally subscriptions that are set to “SSO with exceptions” mode need to be transitioned as described above. When authenticating with SSO, your IdP will then route users through Broadcom’s B2C Okta. When the users on the exception list authenticate directly with Rally, there will be no change.
If Okta is in the cloud, does this mean a malicious actor could access our subscription?
All authentication redirection to Okta is encrypted with TLS security. Your users’ SSO passwords are never transmitted to Okta. Only the Okta IdP configuration provisioned for your IdP will be able to authenticate the users of your subscription. Administration of Broadcom’s B2C Okta instance is strictly controlled by Broadcom IT.
The following information must be sent in the SAML assertion. None of these fields may be blank; each must be populated:
SAML Subject must be the Rally username, in email address format
If the SAML Subject cannot be the Rally username, please advise which SAML Attribute field will contain the Rally username, and what algorithmic manipulation, if any, is needed to compose the Rally username from it.
firstName
lastName
email (this is a separate attribute from Subject above and may not be the same)
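As an added illustration (not Rally's or Broadcom's own code), the Python check below parses a SAML 2.0 assertion and reports whether it meets the requirements listed above: a non-blank Subject NameID in email address format, and populated firstName, lastName and email attributes. An IdP administrator can run it against an assertion captured from a test login before handing the configuration to Rally Support. The two sample assertions embedded in the block are constructed for the demo; the attribute names come from the article. The check inspects content only and does not verify the assertion's XML signature, which remains the service provider's job.

```python
"""Check that a SAML 2.0 assertion carries the fields Rally's Okta
integration requires: a non-blank Subject NameID in email address
format and populated firstName, lastName and email attributes.

Added example, not Rally's or Broadcom's own code. The sample
assertions below are constructed for the demo and contain no real data.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")
# Deliberately simple "looks like an address" test, not full RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_assertion(xml_text: str) -> list:
    """Return a list of problems; an empty list means every required
    field is present and populated as the article describes."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or one wrapped in a Response.
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        problems.append("Subject NameID is blank")
    elif not EMAIL_RE.match(subject):
        problems.append("Subject NameID %r is not in email address format" % subject)

    # Map attribute name -> first non-blank value (blank if none).
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = next((v for v in values if v), "")

    for required in REQUIRED_ATTRIBUTES:
        if required not in attrs:
            problems.append("attribute %r is missing" % required)
        elif not attrs[required]:
            problems.append("attribute %r is blank" % required)
    return problems


# Constructed sample: satisfies all requirements.
SAMPLE_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-ok" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: blank Subject and no lastName attribute.
SAMPLE_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-bad" Version="2.0">
  <saml:Subject><saml:NameID></saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_assertion(sample) or "no problems")
```

Note that the email attribute is checked only for presence, not for equality with the Subject, since the article states the two may differ.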