Configure SAML Web Inbound TAI

We can configure a SAML Web Inbound Trust Association Interceptor (TAI) to authenticate and validate a SAML token sent in the request header of a Web request. The SAML token must be Base-64 or UTF-8 encoded, and can be compressed in GZIP format. The token header in the HTTP request can be one of the following formats:

• Authorization=[headerName="SAML_HERE]
• Authorization=[headerName="SAML_HERE"]
• headerName=[SAML_HERE]

Add a new interceptor

1. From the WebSphere administrative console, select...
   Security > Global security > Web and SIP security > Trust association > Interceptors > New

2. Enter the interceptor class name:
   com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI

3. Set SAML Web Inbound TAI Custom Properties

4. Apply and Save the configuration updates.

   Saving without applying our changes will discard the custom properties.

5. Define the following custom property information for General properties. Go to...
   Security > Global security > Custom properties > New

   ...and add...

   Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
   Value: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI

   If this property is already defined, then add com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI to the existing value, which is separated by a comma to create a list.

6. Import the SAML issuer's signer certificate to the truststore of the WAS.

   1. In the administrative console, click...
      Security SSL certificate and key management Key stores and certificates > NodeDefaultTrustStoreSigner certificates

      Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.

   2. Click Add.

   3. Complete the certificate information, then click Apply.

7. Add the SAML issuer name (or the value of the realmName or the attribute value of the configured realmIdentifier) to the list of inbound trusted realms. For each SAML issuer used with our WAS service provider, grant inbound trust to all the realms used by the SAML issuer. We can grant inbound trust to the SAML issuer using the administrative console.

   1. Click...
      Global Security > user account repository > Configure > Trusted authentication realms - inbound > Add External Realm

   2. Fill in the external realm name.

   3. Click OK and Save changes to the master configuration.

8. Restart the WAS.

These steps establish the minimum configuration required to configure a Trust Association Interceptor for a WAS that can process SAML tokens sent in the request header of an inbound web request.