Rally Advanced Security and Administration
Rally Advanced Security and Administration (RASA) provides teams who work in secure environments with options to control the data that is stored in the subscription, as well as the ability to integrate login authentication with existing identity management systems.
The features in RASA are included free with Unlimited Edition subscriptions. Enterprise Edition users who would like to use these features may contact their account representative to add the RASA product for an additional fee.
Rally Advanced Security and Administration consists of the following topics:
File extension validation
You may control what file types may be uploaded as attachments to work items. When this policy is enabled in a subscription, Rally will validate the extension of files to be uploaded, and reject any that do not match the specified types.
To set up a list of allowed file types:
- Click the Setup link in the upper-right corner of any Rally page.
- Click the Subscription tab.
- Click the Actions menu button, and select Edit Subscription.... A pop-up editor window displays.
- Under the CONTEXT section will be the Allowed File Attachments field.
- Click the pull-down menu next to the field, and select the Attachments allow only the specified file extensions option.
- A text box will appear underneath the field. Enter the extensions of file types you want to allow as attachments. Place each extension on a new line.
- Once all of the file types are entered, select Save & Close in the editor window to confirm the changes.
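As an added illustration (not Rally's own code), the following Python mirrors the allow-list policy described above and the edge cases an administrator should expect: the one-per-line allow-list is normalised before use, and only the file's final extension is compared, so a name with no extension or a disguised double extension is rejected.

```python
from pathlib import PurePosixPath

# Constructed sample of the "Allowed File Attachments" text box: one
# extension per line, typed with the usual inconsistencies (dots, case,
# stray whitespace, blank lines).
ALLOWED_EXTENSIONS_TEXT = """
pdf
.PNG
 jpg
docx

"""

def parse_allowed_extensions(text: str) -> frozenset:
    """Normalise the allow-list: strip whitespace and a leading dot,
    lower-case, and drop blank lines."""
    allowed = set()
    for line in text.splitlines():
        ext = line.strip().lstrip(".").lower()
        if ext:
            allowed.add(ext)
    return frozenset(allowed)

def extension_of(filename: str) -> str:
    """Return the final extension without its dot, lower-cased, or '' when
    there is none. Only the last suffix is considered: 'archive.tar.gz'
    yields 'gz'; 'README' and '.profile' yield ''."""
    return PurePosixPath(filename).suffix[1:].lower()

def attachment_allowed(filename: str, allowed: frozenset) -> bool:
    """The upload policy described above: accept only when the extension
    matches an allowed type. Files with no extension are rejected, and a
    disguised name such as 'invoice.pdf.exe' fails because only 'exe' is
    compared. This inspects the name only, never the file content."""
    ext = extension_of(filename)
    return bool(ext) and ext in allowed
```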
IP filtering
You may use IP filtering to set a list or range of IP addresses that can log in. Any IP address not listed in these settings will not be able to access the Rally tool, even with the proper credentials.
To set up IP filtering:
- Click the Setup link in the upper-right corner of any Rally page.
- Click the Subscription tab.
- Click the Actions menu button, and select Edit Subscription.... A pop-up editor window displays.
- Under the CONTEXT section will be the IP Range field.
- Click the drop-down menu next to the IP Range field, and select the Restrict access to specified IPs option.
- A text box will appear underneath the IP Range field. You may enter multiple single IP addresses into this box, and/or an IP address range in CIDR notation.
- Once all IP information is entered, select Save & Close in the editor window to confirm the changes.
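An added example, not code from Rally: this Python check parses a one-per-line list of single IPs and CIDR ranges like the IP Range box above, decides whether a login source address is permitted, and flags entries broad enough to defeat the purpose of the filter. The sample addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample of the "IP Range" text box: single addresses and
# CIDR ranges, one per line.
IP_RANGE_TEXT = """
203.0.113.10
198.51.100.0/24
2001:db8:abcd::/48
"""

def parse_ip_ranges(text: str) -> list:
    """Turn the text box into ip_network objects. A bare address becomes a
    /32 (or /128) network. An entry that does not parse, or that has host
    bits set (e.g. 10.0.0.1/24), raises rather than being silently
    reinterpreted, so a typo cannot widen or narrow the filter unnoticed."""
    networks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry))  # strict=True by default
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid IP or CIDR {entry!r}: {exc}") from exc
    return networks

def ip_permitted(client_ip: str, networks: list) -> bool:
    """Default deny: the client address must fall inside a listed network.
    An address-family mismatch (IPv4 client vs. IPv6 network) is simply
    a non-match."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def overly_broad(networks: list) -> list:
    """Review aid: flag ranges wider than a corporate egress block usually
    needs (shorter than /16 for IPv4 or /48 for IPv6). 0.0.0.0/0 would
    disable the filter entirely while still looking like a valid entry."""
    limit = {4: 16, 6: 48}
    return [net for net in networks if net.prefixlen < limit[net.version]]
```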
Single Sign-On (SSO)
If you have a SAML 2.0-compliant Identity Provider (IdP), you may configure the Rally subscription to log into Rally via Single Sign-On (SSO). The key to this secure internet SSO is your web browser. The browser interacts with the SAML 2.0-compliant Identity Provider, which validates the user's credentials and creates the SAML assertion; the browser then delivers the assertion to Rally.
When accessing Rally using the URL that your Identity Provider created during the set up process, it works like this:
- Users log into their Identity Management System.
- Their browser is provided with a SAML token.
- The SAML token is sent to Rally’s Ping Federate Server.
- If the user is a valid Rally user for the selected subscription, an authenticated token is sent back to their web browser.
- The browser sends the authenticated token to Rally ALM, which accepts it and lets the user into the corresponding subscription.
Setting up SSO
In order to set up SSO, your company needs to have a SAML 2.0-compliant identity management system working, and you need to locate the administrator in your company who runs it. Your identity management system administrator must be able to log in and configure your identity management system. Identifying this person is typically the hardest part of the process; Rally recommends locating this person before setting up any calls with Rally about SSO.
If you don’t have an identity management system set up, we recommend that you contact Ping Identity or Symplified. Both of these are Rally partners with expertise in implementing SSO.
Below is a general overview of the steps needed to set up SSO:
- You must already have a SAML 2.0-compliant identity management system working, for example, Ping Connect, CA SiteMinder, Oracle Access Manager (COREid), or Tivoli Access Manager.
- Contact Rally Support to open a new case. Rally Support will work with the administrator of your identity management system. This is typically not the same as the Rally subscription administrator, and is often someone in your company’s IT Department.
- Rally Support will send the Rally Service Provider (SP) metadata.xml file to you. This includes information such as our SSO server, which protocols we support, and our public signing key. The metadata.xml format is defined by the SAML 2.0 standard.
- Configure an Identity Provider (IdP) to SP connection within your software using the Rally metadata.xml file as an input value.
- Export the IdP metadata.xml file with your public key certificate embedded. This file will include your own information such as your SSO server, protocols supported, and your public key.
- Ensure that your SAML_SUBJECT is in the form of your Rally ID, for example, <customername>@<domain>.
- If the mapping cannot be met, Rally user IDs must be changed to match the format presented by the SAML_SUBJECT before this will work.
- Securely transfer this file to Rally Support. This can take place over email if both sides support SSL.
- Rally Support will deliver this file to Rally Operations. Rally Operations will set up our SSO software for this particular connection. We will also ensure that the correct subscription ID is mapped to the connection, and Rally Support ensures that SSO is enabled for that subscription.
- Verify that you can log in through your IdP endpoint.
- Provide your users with the redirect URL they use to log in to Rally through SSO.
SSO with exceptions
Rally SSO provides two standard options for login control: SSO-only and hybrid (SSO or web) authentication. SSO-only is the most secure; only users authenticated on your network may log in.
However, Rally integrations for third party applications such as Quality Center and JIRA cannot access the subscription data via the web services API when using the SSO-only mode.
To provide the best security while enabling integrations, a third mode is available: SSO-only with exceptions. As our integrations require a username to fetch the subscription data, these users may be added to an exception list (or whitelist) to log into Rally with standard web access.
You may request to use this mode when setting up your SSO with Rally Support. If you are already using SSO, follow these steps to create an exception list:
- Click the Setup link in the upper-right corner of any Rally page.
- Click the Subscription tab.
- Click the Actions menu button, and select Edit Subscription.... A pop-up editor window displays.
- Under the CONTEXT section will be the Authentication field.
- Click the pull-down menu directly to the right of the Authentication field, and select the SSO authentication with exceptions option.
- An SSO Exceptions text box will appear underneath the pull-down menus. Enter any usernames that you would like to have permission to access Rally outside of your network, including usernames used for integrations. Enter one username per line, and use the full user@company.com format.
- Once all usernames are entered, select Save & Close in the editor window to confirm the changes.
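The three authentication modes above amount to a small access policy. This added Python example (not Rally's implementation) models that policy together with parsing of the exception list; the regex approximating the "full user@company.com format" and the assumption that usernames compare case-insensitively are mine, not stated on the page.

```python
import re

# The three subscription authentication modes described above.
SSO_ONLY = "sso_only"
HYBRID = "hybrid"
SSO_WITH_EXCEPTIONS = "sso_with_exceptions"

# Constructed sample of the "SSO Exceptions" text box, one username per line.
EXCEPTIONS_TEXT = """
jira-integration@example.com
QC.Sync@Example.com
bob
"""

# Assumption: "full user@company.com format" means local-part@domain.tld.
USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_exceptions(text: str):
    """Return (accepted, rejected). Entries that are not full usernames are
    reported rather than silently dropped, because an integration user that
    is missing from the list will simply fail to log in."""
    accepted, rejected = set(), []
    for line in text.splitlines():
        name = line.strip()
        if not name:
            continue
        if USERNAME_RE.match(name):
            accepted.add(name.lower())  # assumption: case-insensitive usernames
        else:
            rejected.append(name)
    return accepted, rejected

def login_allowed(mode: str, method: str, username: str, exceptions=frozenset()) -> bool:
    """method is 'sso' (a valid SAML assertion) or 'web' (Rally credentials,
    including the web services API). SSO logins are accepted in every mode;
    the modes differ only in who may bypass the IdP with web credentials."""
    if method == "sso":
        return True
    if method != "web":
        return False
    if mode == HYBRID:
        return True
    if mode == SSO_WITH_EXCEPTIONS:
        return username.lower() in exceptions
    return False  # SSO_ONLY, or an unknown mode: default deny
```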
Custom log out landing page
You may specify what URL your users are directed to when they log out of a Rally subscription using SSO. This is useful if your organization has special requirements for logging out of applications, or if you would like to provide your users with links to other resources.
To use a custom log out landing page:
- Click the Setup link in the upper-right corner of any Rally page.
- Click the Subscription tab.
- Click the Actions menu button, and select Edit Subscription.... A pop-up editor window displays.
- Under the CONTEXT section will be the Authentication field.
- Click the drop-down menu headed On SSO log out, take user to:.
- Select the Specified URL option.
- A text field will appear underneath the pull-down menu. Enter the URL of the page you would like users directed to upon log out.
- Click Save & Close in the editor window to confirm the changes.
SSO FAQs
Who holds the public key certificates (is there a third-party clearing house like Ping Identity) or is Rally providing the certificate server?
For on-demand, Rally has a Ping Federate server installed, which holds a copy of the public key for the customer’s Identity Management System. This allows us to validate tokens without storing any private certificates. If you have more than one subscription ID, you will need to create a different Service Provider connection for each Rally subscription ID you would like to authenticate with SSO.
Can we provide our own certificate server(s)?
Yes, you can use any SAML 2.0-compliant Identity Management System behind your firewall to communicate with our PingFederate server. You just need to provide this certificate in the format requested above.
This is for authentication. Are you doing authorization, too, or do you have plans to do so?
No, we have no plans to do authorization.
What are some of the challenges we need to be aware of?
SSO requires some configuration time on both sides. The Identity Management System is typically managed by your IT Department, a group that Rally does not always work with. It may take some time to identify the contact in your IT group who can create the new Service Provider connection and public key XML metadata file that Rally will need to enable SSO.
Is there a best practice adoption, for example start with a small group and scale, or just turn it on and go?
For existing customers, there is a hybrid mode that allows both SSO and Rally authentication. It would make sense to try it with a handful of users first. We recommend using this mode while setting it up, and only switching to SSO-only authentication after all users have been able to log in using SSO. Remember, if you do switch to SSO-only authentication, users will only be able to log into Rally from behind your corporate firewall. If you want users to be able to log into Rally when at home (or from any web location that is not behind your firewall), you should set up your Rally connection for hybrid mode.
Can we use integrations and apps?
Currently, integrations do not support SAML-based authentication. It is possible to write an integration that can acquire a SAML token from an Identity Provider, but no one has done this yet. Customers who are using integrations or the Web Services API will most likely want to use SSO with exceptions mode. Use of the Web Services API via custom Rally applications in the browser is supported, since they can get a cookie as part of the login process.
How long does it take to get it working?
Once you identify the proper contact in your IT Department, it takes a few days to get SSO up and running.
Can we test this on Sandbox?
SSO is not available on sandbox.rallydev.com. It can safely be tested in hybrid mode on production without interfering with other users in your subscription.