WAS v8.5 > Secure applications > Authenticate users > SAML web single sign-on
Enable the system to use the SAML web SSO feature
Before we can use the SAML Web SSO feature, we must...
- Install the SAML Assertion Consumer Service (ACS) application
- Enable the SAML TAI
We do not need to install the SAML ACS application if our own business application acts as the SAML ACS; otherwise install it as follows.
- Install the SAML ACS application on a single server...
cd app_server_root/bin
wsadmin -f installSamlACS.py install nodeName serverName
...or on a cluster...
wsadmin -f installSamlACS.py install clusterName
- Enable the SAML TAI.
- Using wsadmin...
- Run...
cd app_server_root/bin
wsadmin -lang jython
wsadmin> AdminTask.addSAMLTAISSO('-enable true -acsUrl https://host:sslport/samlsps/<any URI pattern string>')
wsadmin> AdminConfig.save()
wsadmin> quit
...where host is the host name of the system where WebSphere Application Server is installed and sslport is its WC_defaulthost_secure port. Keep the ACS URL on https: the identity provider POSTs the SAML response, which carries the user's identity, to this endpoint.
- Restart WAS.
- Using dmgr console...
- Go to...
Security | Global security | Web and SIP security | Trust association | General Properties | Enable trust association | Interceptors | New
- In the Interceptor class name field, set...
com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
- Under Custom properties, set...
Name: sso_1.sp.acsUrl
Value: https://host:sslport/samlsps/<any URI pattern string>
We can specify a wildcard value instead of a specific URI pattern string, for example...
https://server/ContextRoot/ep1/path1/p*
https://server/ContextRoot/ep1/path1/*
https://server/ContextRoot/ep1/*
- Click New and enter the following custom property information:
Name: sso_1.sp.idMap
Value: idAssertion
With idAssertion the TAI takes the user identity from the SAML assertion as-is, without looking the user up in the WAS user registry, so the trust in the identity provider's signature established in the SP partner configuration is what protects that identity.
- Click OK.
- Go to...
Security | Global security | Custom properties | New
...and define the following custom property information under General properties:
Name: com.ibm.websphere.security.DeferTAItoSSO
Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
If this custom property already exists, do not overwrite it; add com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor to its existing comma-separated list of interceptor class names.
- Click New and define the following custom property information under General properties:
Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
- Click OK.
- Restart WAS.
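The whole procedure above as one wsadmin Jython script, written as an added example for this page; it is not IBM's installSamlACS.py or any script the product ships. It assumes the host, port and ACS path placeholders are replaced with real values, that DeferTAItoSSO and InvokeTAIbeforeSSO hold comma-separated lists of interceptor class names, and that the interceptor entry created by addSAMLTAISSO appears in the configuration as a TAInterceptor object whose interceptorClassName and trustProperties attributes are as named here (check with AdminConfig.show before relying on it). It is written for the Jython 2.1 level that wsadmin uses by default, so it avoids newer syntax and the True/False builtins.

```python
# Added example for this page, not an IBM script. Run on the dmgr (or a
# standalone server) with:  wsadmin -lang jython -f enable_saml_tai.py
# then restart WAS, exactly as the manual steps above require.

TAI_CLASS = 'com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor'
DEFER_PROP = 'com.ibm.websphere.security.DeferTAItoSSO'
INVOKE_PROP = 'com.ibm.websphere.security.InvokeTAIbeforeSSO'

# Placeholders (assumption): replace with the real host name, the
# WC_defaulthost_secure port and the ACS URI pattern you chose.
ACS_HOST = 'was.example.com'
ACS_PORT = '9443'
ACS_PATTERN = 'samlsps/acs'


def acs_url(host, sslport, pattern):
    """Build the ACS URL the TAI intercepts. The scheme is fixed to https:
    the IdP POSTs the SAML response carrying the user identity here."""
    return 'https://%s:%s/%s' % (host, sslport, pattern)


def merge_tai_list(existing, tai_class):
    """DeferTAItoSSO / InvokeTAIbeforeSSO hold comma-separated TAI class
    names (assumption stated in the lead-in). Append ours only if absent and
    keep the entries already there, so no other TAI is silently dropped."""
    names = []
    for n in (existing or '').split(','):
        n = n.strip()
        if n and n not in names:
            names.append(n)
    if tai_class not in names:
        names.append(tai_class)
    return ','.join(names)


def set_security_property(name, tai_class):
    """Create or extend a Global security custom property (the console path
    Security | Global security | Custom properties). Returns the final value."""
    sec = AdminConfig.list('Security').splitlines()[0]
    for p in AdminConfig.list('Property', sec).splitlines():
        if AdminConfig.showAttribute(p, 'name') == name:
            value = merge_tai_list(AdminConfig.showAttribute(p, 'value'), tai_class)
            AdminConfig.modify(p, [['value', value]])
            return value
    AdminConfig.create('Property', sec, [['name', name], ['value', tai_class]])
    return tai_class


def set_interceptor_property(tai_class, name, value):
    """Add or update a custom property on the SAML interceptor entry (console
    path Trust association | Interceptors). Assumes the TAInterceptor type
    with interceptorClassName and trustProperties attributes."""
    for tai in AdminConfig.list('TAInterceptor').splitlines():
        if AdminConfig.showAttribute(tai, 'interceptorClassName') != tai_class:
            continue
        for p in AdminConfig.list('Property', tai).splitlines():
            if AdminConfig.showAttribute(p, 'name') == name:
                AdminConfig.modify(p, [['value', value]])
                return
        AdminConfig.create('Property', tai, [['name', name], ['value', value]],
                           'trustProperties')
        return
    raise Exception('interceptor ' + tai_class + ' not registered; run addSAMLTAISSO first')


def enable_saml_tai(host, sslport, pattern):
    """Steps of the page in order: register the TAI with its ACS URL, map the
    asserted identity without a registry lookup (idAssertion), then wire the
    TAI into the SSO ordering properties. Returns the configured ACS URL."""
    url = acs_url(host, sslport, pattern)
    AdminTask.addSAMLTAISSO('-enable true -acsUrl ' + url)
    set_interceptor_property(TAI_CLASS, 'sso_1.sp.idMap', 'idAssertion')
    set_security_property(DEFER_PROP, TAI_CLASS)
    set_security_property(INVOKE_PROP, TAI_CLASS)
    AdminConfig.save()
    return url


# Only touch the configuration when running inside wsadmin, where AdminConfig
# is predefined; importing this file elsewhere just exposes the helpers.
try:
    AdminConfig
    IN_WSADMIN = 1
except NameError:
    IN_WSADMIN = 0

if IN_WSADMIN:
    print('SAML TAI enabled for ' + enable_saml_tai(ACS_HOST, ACS_PORT, ACS_PATTERN)
          + '; restart WAS to activate it')
```

The script saves but does not synchronise nodes or restart anything; in a network deployment, synchronise the nodes and restart the servers before the TAI takes effect, and verify the result with the admin console paths given above.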
Results
The SAML TAI is now enabled for WAS.
After enabling the SAML Web SSO feature, configure WAS as a service provider (SP) partner so that it can participate in IdP-initiated single sign-on with identity providers; that step establishes the trust in the identity provider on which the asserted identities depend.
Related concepts: SAML web single sign-on; SAML web SSO TAI custom properties