Add SAML web single sign-on (SSO) trust association interceptor (TAI) using wsadmin
The addSAMLTAISSO command adds the Security Assertion Markup Language (SAML) trust association interceptor (TAI) to the security configuration of WebSphere Application Server (WAS).
- Start the WAS.
- Start the wsadmin utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
- At the wsadmin prompt, enter the following command:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern String>')
where hostname is the host name of the system on which WebSphere Application Server is installed, and sslport is the web server SSL port number (WC_defaulthost_secure).
We can use the following parameters with this command:
- -acsUrl: Required. Specifies the assertion consumer service (ACS) URL.
- -enable: Specifies whether trust association is enabled or disabled. We can specify either true or false.
- -ssoId: Optional, specified as an integer. The identifier for the group of custom properties defined for the SSO service provider partner. If this parameter is not specified, the next available identifier is used.
- -securityDomainName: Specifies the name of the security domain of interest, as a String. If a value is not specified, the command uses the global security configuration.
- -trustStoreName: Specifies the truststore name, if not using the system default truststore.
- -keyStoreName: Specifies the keystore name, if not using the system default keystore.
- -keyName: Specifies the key name used to decrypt the encrypted SAML assertion.
- -keyAlias: Specifies the key alias used to decrypt the encrypted SAML assertion.
- -keyPassword: Specifies the key password used to decrypt the encrypted SAML assertion.
- -idMap: Specifies how the SAML token is mapped to the subject. We can specify one of the following values:
  - idAssertion: the user specified in the SAML assertion is not checked in the local registry
  - localRealm: the SAML token user is verified in the local user registry
  - localRealmThenAssertion: if the user is not found in the local registry, idAssertion is used
There are additional SAML web SSO TAI custom properties that are not supported by the addSAMLTAISSO command, but we can add these custom properties using wsadmin configureInterceptor. For a complete list of the supported SAML TAI properties, see the SAML web SSO TAI custom properties topic.
Results
The SAML web SSO TAI is now added for this WebSphere Application Server.
Example
The following example adds the SAML TAI to the global security configuration:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://test1.abc.com:9443/samlsps/acs')
The following example adds the SAML TAI SSO service provider partner to the security domain myDomain1:
AdminTask.addSAMLTAISSO('-securityDomainName myDomain1 -enable true -acsUrl https://test2.xyz.com:9444/samlsps/acs2')
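The following script is an added example, not part of the IBM documentation: it checks the acsUrl (https scheme, host present, path under /samlsps/) and the idMap value before composing the single parameter string that addSAMLTAISSO takes, and calls AdminTask.addSAMLTAISSO and AdminConfig.save only when run inside wsadmin. The function names and the default idMap of localRealm are this example's own choices.

```python
# Added example, not from the WebSphere documentation: validate the ACS URL and
# build the parameter string for AdminTask.addSAMLTAISSO before running it.
try:
    from urlparse import urlparse        # Jython / Python 2 (wsadmin)
except ImportError:
    from urllib.parse import urlparse    # Python 3

VALID_IDMAP = ('idAssertion', 'localRealm', 'localRealmThenAssertion')

def acs_url_problem(acs_url):
    """Return a message describing why acs_url is unusable, or None if it is fine."""
    scheme, netloc, path = urlparse(acs_url)[0:3]   # tuple indexing works on Jython 2.x too
    if scheme != 'https':
        return 'acsUrl must use https (the SSL port): %s' % acs_url
    if not netloc.split(':')[0]:
        return 'acsUrl has no host name: %s' % acs_url
    if not path.startswith('/samlsps/') or path == '/samlsps/':
        return 'acsUrl path must be /samlsps/<URI pattern>: %s' % acs_url
    return None

def build_saml_tai_args(acs_url, enable=True, security_domain=None,
                        sso_id=None, id_map='localRealm'):
    """Return the single parameter string that addSAMLTAISSO expects."""
    problem = acs_url_problem(acs_url)
    if problem:
        raise ValueError(problem)
    if id_map not in VALID_IDMAP:
        raise ValueError('idMap must be one of %s' % (VALID_IDMAP,))
    if sso_id is not None and (not isinstance(sso_id, int) or sso_id < 1):
        raise ValueError('ssoId must be a positive integer')
    parts = []
    if security_domain:
        parts.append('-securityDomainName %s' % security_domain)
    parts.append('-enable %s' % (enable and 'true' or 'false'))
    parts.append('-acsUrl %s' % acs_url)
    if sso_id is not None:
        parts.append('-ssoId %d' % sso_id)
    parts.append('-idMap %s' % id_map)   # localRealm: asserted user must exist locally
    return ' '.join(parts)

def add_saml_tai(acs_url, **kw):
    """Inside wsadmin, run the command and save the configuration;
    elsewhere (no AdminTask object) just return the argument string."""
    args = build_saml_tai_args(acs_url, **kw)
    try:
        AdminTask.addSAMLTAISSO(args)   # AdminTask exists only inside wsadmin
        AdminConfig.save()
    except NameError:
        pass
    return args
```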