Enable SAML SP-Initiated web single sign-on (SSO)
Follow these instructions to develop code for service provider initiated web single sign-on (SSO). By default, the WebSphere Application Server SAML Trust Association Interceptor (TAI) supports IdP-initiated SSO. When custom code is in place, the SAML TAI can be configured to support SP-initiated SSO. This task assumes that we have enabled the system to use the SAML web SSO feature. This task provides an example class and the steps to configure SP-initiated SSO.
- Develop a SAML authentication request provider that implements the interface com.ibm.wsspi.security.web.saml.AuthnRequestProvider.
The method getAuthnRequest(HttpServletRequest req, String errorMsg, String acsUrl, ArrayList<String> ssoUrls) must return a map that includes four entries with the following keys:
- AuthnRequestProvider.SSO_URL: The SAML identity provider's single sign-on URL.
- AuthnRequestProvider.RELAY_STATE: The relayState as defined by the SAML Web Browser single sign-on profile.
- AuthnRequestProvider.REQUEST_ID: The value for this key must match the ID attribute's value in the AuthnRequest message.
- AuthnRequestProvider.AUTHN_REQUEST: A Base64 encoded AuthnRequest message as defined in the SAML 2.0 specification. Your code is responsible for generating the AuthnRequest message.
```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;

public HashMap<String, String> getAuthnRequest(HttpServletRequest req, String errorMsg,
        String acsUrl, ArrayList<String> ssoUrls) throws NotImplementedException {
    // Create the map that carries the four required keys.
    HashMap<String, String> map = new HashMap<String, String>();

    // Single sign-on URL of the identity provider (hard-coded in this example).
    String ssoUrl = "https://example.com/saml20/Login";
    map.put(AuthnRequestProvider.SSO_URL, ssoUrl);

    // relayState and request ID come from the same random generator (generateRandom(),
    // not shown). The request ID is reused as the ID attribute of the AuthnRequest.
    String relayState = generateRandom();
    map.put(AuthnRequestProvider.RELAY_STATE, relayState);
    String requestId = generateRandom();
    map.put(AuthnRequestProvider.REQUEST_ID, requestId);

    // Values placed in the AuthnRequest: the ACS URL the TAI passed in, the IdP SSO URL
    // as Destination, and this service provider's entity ID as Issuer (example value).
    String acs = acsUrl;
    String destination = ssoUrl;
    String issuer = "mysp";

    // Build the AuthnRequest message. getUTC() (not shown) returns the current time as an
    // xs:dateTime in UTC. Complete the AuthnContextClassRef with the class your IdP expects.
    String authnMessage = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
        + "ID=\"" + requestId + "\" Version=\"2.0\" "
        + "IssueInstant=\"" + getUTC() + "\" ForceAuthn=\"false\" IsPassive=\"false\" "
        + "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" "
        + "AssertionConsumerServiceURL=\"" + acs + "\" "
        + "Destination=\"" + destination + "\">"
        + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + issuer + "</saml:Issuer>"
        + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" "
        + "SPNameQualifier=\"mysp\" AllowCreate=\"true\"/>"
        + "<samlp:RequestedAuthnContext Comparison=\"exact\">"
        + "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
        + "urn:oasis:names:tc:SAML:2.0:ac:classes:"
        + "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>"
        + "</samlp:AuthnRequest>";

    // The TAI expects the AuthnRequest Base64 encoded, not as raw XML.
    map.put(AuthnRequestProvider.AUTHN_REQUEST,
        Base64.getEncoder().encodeToString(authnMessage.getBytes(StandardCharsets.UTF_8)));
    return map;
}
```
- Put a jar file containing our custom class in the WAS_HOME/lib/ext directory.
- Configure the SAML web SSO TAI to use your AuthnRequest message.
- Log on to the WAS administrative console and click Security | Global security | Web and SIP security | Trust association | Interceptors | com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
- For Custom properties, click New, then complete the following custom property information, where id is the identifier we assigned to the SSO service provider (SP) to which this property applies:
- Name: sso_<id>.sp.login.error.page
- Value: The class name of our custom AuthnRequestProvider implementation.
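A complete provider class for the first step, given here as an added example that is not IBM's code or the page's own sample: it fills in the helpers the page leaves unshown (a SecureRandom-backed ID that is a valid xs:ID, a UTC IssueInstant, Base64 encoding), takes the IdP URL from the ssoUrls list the TAI passes in rather than hard-coding it, and escapes configuration values before placing them in XML attributes. It assumes that getAuthnRequest is the only method the interface requires, that java.util.Base64 (Java 8 or later) is available, and the package name, class name and SP_ENTITY_ID value are placeholders.

```java
// Added example, not from the IBM documentation. Package, class name and the
// SP_ENTITY_ID value are placeholders; replace them for a real deployment.
package com.example.saml;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;

import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;

public class ExampleAuthnRequestProvider implements AuthnRequestProvider {

    // Entity ID this SP sends as the Issuer (placeholder value).
    private static final String SP_ENTITY_ID = "https://sp.example.com/saml";
    private static final SecureRandom RNG = new SecureRandom();

    // Assumption: this is the only method the interface requires. Throwing fewer
    // checked exceptions than the interface declares is allowed in Java.
    @Override
    public HashMap<String, String> getAuthnRequest(HttpServletRequest req, String errorMsg,
            String acsUrl, ArrayList<String> ssoUrls) {
        if (ssoUrls == null || ssoUrls.isEmpty()) {
            throw new IllegalStateException("no IdP SSO URL configured for this SP");
        }
        // Use the SSO URL the TAI configured for this SP instead of a hard-coded value.
        String ssoUrl = ssoUrls.get(0);
        String requestId = randomId();
        String relayState = randomId();

        String xml = buildAuthnRequest(requestId, ssoUrl, acsUrl, SP_ENTITY_ID, utcNow());

        HashMap<String, String> map = new HashMap<String, String>();
        map.put(AuthnRequestProvider.SSO_URL, ssoUrl);
        map.put(AuthnRequestProvider.RELAY_STATE, relayState);
        // Same value as the ID attribute inside the AuthnRequest, as the TAI requires.
        map.put(AuthnRequestProvider.REQUEST_ID, requestId);
        map.put(AuthnRequestProvider.AUTHN_REQUEST,
                Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8)));
        return map;
    }

    // SAML IDs are xs:ID values (NCName), so they must not start with a digit:
    // prefix 160 random bits (hex encoded) with an underscore.
    static String randomId() {
        byte[] b = new byte[20];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder("_");
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    // IssueInstant is an xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z.
    static String utcNow() {
        return Instant.now().truncatedTo(ChronoUnit.SECONDS).toString();
    }

    // URLs and IDs land inside XML attributes; escape them rather than trusting
    // configuration values to be XML-safe.
    static String esc(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Minimal AuthnRequest for the HTTP-POST binding with a transient NameID policy.
    static String buildAuthnRequest(String id, String destination, String acs,
            String issuer, String instant) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
            + " ID=\"" + esc(id) + "\" Version=\"2.0\" IssueInstant=\"" + instant + "\""
            + " ForceAuthn=\"false\" IsPassive=\"false\""
            + " ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\""
            + " AssertionConsumerServiceURL=\"" + esc(acs) + "\""
            + " Destination=\"" + esc(destination) + "\">"
            + "<saml:Issuer>" + esc(issuer) + "</saml:Issuer>"
            + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\""
            + " AllowCreate=\"true\"/>"
            + "</samlp:AuthnRequest>";
    }
}
```

Package the compiled class in a jar under WAS_HOME/lib/ext and set sso_<id>.sp.login.error.page to com.example.saml.ExampleAuthnRequestProvider (or whatever name you chose) as described in the configuration step. Because REQUEST_ID is unpredictable and is the same value written into the ID attribute, the TAI can correlate the IdP's response (InResponseTo) with the request this SP actually issued.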