Skip to Main Content
Cloud Platform


This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Status Submitted
Categories ClearCase
Created by Guest
Created on Jun 27, 2022

ClearCase compatibility with Azure AD

a. How from Architectural perspective Azure AD joined devices are not supported (since it is the future)? From a technical point of view, it is actually not currently possible to do this on Windows hosts because Azure AD is not backward compatible with "legacy" AD. The process token that ClearCase needs does not contain the Azure AD groups in ANY fashion. Thus an "on prem" (or laptop) host that is ONLY a member of an Azure AD domain will not have any group membership. A "legacy" AD Domain is REQUIRED for the ClearCase Windows LAN client to function. In theory, since Azure AD apparently has an LDAP interface, a Linux server may work against Azure AD but that has not been tested. (AD team) : It’s not true in Azure AD we have 2 options are available now as below to have group info in SAML response. Group based possible to configured with that required group information travel. We can create group respective roles in Azure AD and map with group. By that way also group information possible to travel in SAML response. Apart from LDAP Azure AD also start supporting Kerberos after doing some tweaks for your reference below URL may helps you to understand and figure out solution for clearcase. https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889 b. The upcoming roadmap of the product to make it support for future ? I have to check this further internally before I can give a definite answer, will get back to you on this. (AD Team) : Please try it with much faster way because even MS itself started session to remove onprem AD and move workload to Azure AD. So, try to make changes or supportable option in CC for Azure AD auto pilot devices.
Idea priority High
  • Guest
    Sep 28, 2022

    The issues are:

    1. ClearCase uses Windows "Process tokens" to manage access, and determine the credentials to place in the Remote Procedure Calls to the remote servers. Thus the user ID and groups need to be in those process tokens. Unfortunately, When Azure AD is the ONLY mechanism used to log in users, those tokens are for a local user account with no domain membership. You can see this by running "whoami" and "whoami /groups"

    2. ClearCase (on windows) accesses the source and cleartext pools using the Windows Server Message Block file sharing protocol. This also depends on Windows process tokens to manage file-share access. Neither the "Workstation" file share client nor the "Server" service can determine the user's AzureAD credentials.

    Thus the technical challenge is that the Microsoft services needed for Dynamic views to work do not themselves support Azure AD.

    It is possible to enroll a host in both an Azure AD domain AND a "Legacy" AD domain. This is a "best of both worlds" configuration which can allow "passwordless" authentication for "Legacy AD domain" user accounts if the domains are properly configured. See https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication for more information.