FAQ for Migrating Rally Customers from Okta to AuthHub as the federated IdP
What is happening?
- Rally is transitioning its single sign-on (SSO) solution from Okta to VIP AuthHub. Your users will continue to authenticate with your own identity provider (IdP), using the same SSO credentials they currently use. Your IdP’s Rally application will need to be reconfigured to point to Broadcom’s B2C AuthHub instance, and vice versa.
Why are we doing this?
- Broadcom as a corporation has adopted VIP AuthHub for SSO. VIP AuthHub is a more robust, scalable platform through which our customers can access all of Broadcom’s SaaS products.
How will this be coordinated?
- Rally Support will work with your company’s Rally Subscription Administrator(s) to transition your subscription to our new SSO solution. After your IdP and AuthHub have been configured to communicate with each other, you will have the opportunity to test the new SSO pathway with a small set of users before transitioning your entire subscription.
Who needs to be involved?
- Rally Support will work with your company’s Rally Subscription Administrator(s), as well as your internal IT team and IdP administrator who manages your SSO configurations.
What are the benefits of this change?
- VIP AuthHub is a trusted, highly reliable SSO solution. If your company adopts other Broadcom SaaS applications, you should be able to use a single connection from your IdP to Broadcom’s B2C AuthHub instance. This would eliminate the need to configure separate SSO connections for each application.
How does this affect our subscription?
- Once your subscription has been transitioned to VIP AuthHub, there should be no change in how you access Rally. You can continue to initiate a login either at your company’s IdP or at Rally. There should be no impact on your SSO users. SSO users will continue to use their current credentials.
Do we have to change our usernames and passwords?
- No, your SSO usernames and passwords will continue to be stored & managed by your own IdP, and do not need to change.
What if we use both SSO and Rally authentication?
- Rally subscriptions that are configured to authenticate by either SSO or Rally need to be transitioned as described above. When authenticating with SSO, your IdP will then route users through Broadcom’s B2C AuthHub.
- When authenticating directly with Rally, those usernames and passwords are not affected.
What if we use SSO with exceptions?
- Rally subscriptions that are set to “SSO with exceptions” mode need to be transitioned as described above. When authenticating with SSO, your IdP will then route users through Broadcom’s B2C AuthHub. When the users on the exception list authenticate directly with Rally, there will be no change.
Can we set up SP (Service Provider) and IdP initiated logins?
- Yes, we support both IdP- and SP-initiated logins. Subscriptions in "hybrid" mode (Rally or SSO authentication) only support IdP-initiated login for SSO, and logins at the Rally login page have to be non-SSO.
- Subscriptions in "SSO auth" or "SSO with exceptions" mode support both IdP-initiated and SP-initiated SSO. For SP-initiated login, enter the username at the Rally login prompt and click Login, and the user will be redirected to their IdP to authenticate.
The following information must be sent in the assertion. It must be populated, not blank:
- SAML Subject must be the Rally username, in email address format
- If the SAML Subject cannot be the Rally username, please advise what SAML Attribute field will contain the Rally username, and what - if any - algorithmic manipulation is needed to compose the Rally username.
- You may also include the following optional attribute statements in the assertion. They are not currently used by Rally, but may be in the future.
- email (this is a separate attribute from Subject above and may not be the same)
- firstName
- lastName
- displayName
If your company is using Azure
- We will need to know the schema being used
- Example: we're expecting the attribute firstName, but with Azure, it's being sent as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName
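A pre-flight check for the assertion requirements above, as an added example that is not Rally's or Broadcom's code: it confirms the Subject is populated and email-shaped, and reports any schema prefix on the optional attributes, as in the Azure case. The sample assertion is constructed, and the function name and the email-shape regex are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OPTIONAL = ("email", "firstName", "lastName", "displayName")
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed shape check

# Constructed sample assertion (unsigned, trimmed) with one schema-qualified name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return (subject, attrs, problems, schemas) for a decoded assertion from
    your own test login. Field checks only; signatures are not verified here."""
    root = ET.fromstring(xml_text)
    problems, attrs, schemas = [], {}, set()
    subject = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not subject:
        problems.append("Subject NameID is blank")
    elif not EMAIL_SHAPE.match(subject):
        problems.append("Subject NameID is not in email address format")
    for attr in root.iterfind(".//saml:Attribute", NS):
        raw = attr.get("Name", "")
        key = raw.rsplit("/", 1)[-1]          # last path segment of a claim URI
        if key not in OPTIONAL:
            continue
        attrs[key] = (attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
        if raw != key:
            schemas.add(raw[: -len(key)])     # prefix to report to Rally Support
    return subject, attrs, problems, sorted(schemas)

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```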
Is there a charge for this migration?
- No. Rally Support will work through this migration with customers at no charge.
What do we need to do to make this change?
- Rally Support will reach out to initiate the process of transitioning to AuthHub SSO.
- If you wish to initiate this change sooner due to other scheduling, please contact Rally Support.
Who do we contact if we need to make a change to our SSO configuration?
- Rally Support will reach out to initiate the process of transitioning to AuthHub SSO.
- If you wish to initiate this change sooner due to other scheduling, please contact Rally Support.
How do I get support if there is a problem after-hours?