
Use the SAML web single sign-on (SSO) feature

  1. Install the SAML Assertion Consumer Service (ACS) application on each appserver or cluster that will be accepting a SAMLResponse from the identity provider.

    • Using the administrative console:

        app_server_root/installableApps/WebSphereSamlSP.ear

    • Using the wsadmin script shipped with WAS (installSamlACS.py, run under the wsadmin Jython interpreter):

        cd app_server_root/bin
        ./wsadmin.sh -f installSamlACS.py install nodeName serverName

      ...or, for a cluster...

        ./wsadmin.sh -f installSamlACS.py install clusterName

  2. Enable SAML TAI:

    • Using wsadmin:

        cd app_server_root/bin
        ./wsadmin.sh -lang jython
        wsadmin> AdminTask.addSAMLTAISSO('-enable true -acsUrl https://WAS_HOST:WC_defaulthost_secure/samlsps/URI_pattern')
        wsadmin> AdminConfig.save()
        wsadmin> quit

      Restart the affected application servers for the change to take effect.

    • Using the administrative console.

      1. Select...

  3. Configure the TAI

    1. Click...

        Interceptors > New

      ...and in the Interceptor class name field enter...

        com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

    2. Under Custom properties, set:

        Name sso_1.sp.acsUrl
        Value https://WAS_HOST:WC_defaulthost_secure/samlsps/URI_pattern

      To serve several similar entry points for SAML workflows from one configuration, a wildcard can replace the specific URI pattern at the end of the URL given as the value of this property, so that each entry point does not have to be configured separately. For example:

        https://<server>/samlsps/path1/p*
        https://<server>/samlsps/path1/*
        https://<server>/samlsps/*

      The wider the wildcard, the larger the set of URLs at which the TAI will accept a SAMLResponse; use the narrowest pattern that still covers the intended entry points.

      If SSO is configured from metadata, wildcards cannot be used in the acsUrl value.

    3. Click New and set:

    4. Click OK.

    5. Go to...

        Security > Global security > Custom properties > New

      and define the following custom property information under General properties:

        Name com.ibm.websphere.security.DeferTAItoSSO
        Value com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

      The property com.ibm.websphere.security.DeferTAItoSSO was previously part of the default configuration of every installed server. It is now used only as part of the SAML configuration, so even if the property already exists in the system configuration, change its value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. The property accepts a single SAML TAI class name; multiple comma-separated values are not supported.

    6. Click New and define the following custom property information under General properties:

    7. Click OK.

    8. Restart WAS.

The SAML TAI is now enabled for WAS.
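The following wsadmin Jython script is an added example, not IBM's code or the page's installSamlACS.py: it performs steps 2 and 3 of the procedure above in one run and first checks the constraints the page states (https ACS URL under /samlsps/, a wildcard only at the end and never when metadata is used, a single TAI class in DeferTAItoSSO). The host, port and ACS path are assumed values standing in for WAS_HOST, WC_defaulthost_secure and URI_pattern; acs_url_matches is a model of the trailing-wildcard match the page describes, not the TAI's own implementation. The AdminTask/AdminConfig calls are the standard wsadmin objects, and the script is written in the conservative syntax of the Jython that wsadmin ships with.

```python
# Added example (not IBM's code): apply the SAML TAI configuration with checks.
#   ./wsadmin.sh -lang jython -f saml_tai_setup.py
# Step 1 (installing WebSphereSamlSP.ear) is left to installSamlACS.py.

TAI_CLASS = 'com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor'
DEFER_PROP = 'com.ibm.websphere.security.DeferTAItoSSO'
ACS_PREFIX = '/samlsps/'

# Assumed SP host, port and ACS path (the page's WAS_HOST:WC_defaulthost_secure/samlsps/URI_pattern).
ACS_URL = 'https://was.example.com:9443/samlsps/acs'


def validate_acs_url(url, using_metadata=0):
    """Return the problems found with a candidate sso_<id>.sp.acsUrl value
    (an empty list means the value is acceptable)."""
    problems = []
    if url[:8] != 'https://':
        # The ACS receives the SAMLResponse; it must never be reachable over plain http.
        problems.append('acsUrl must use https')
    scheme_end = url.find('://')
    if scheme_end >= 0:
        rest = url[scheme_end + 3:]
    else:
        rest = url
    slash = rest.find('/')
    if slash >= 0:
        path = rest[slash:]
    else:
        path = ''
    if path[:len(ACS_PREFIX)] != ACS_PREFIX:
        problems.append('acsUrl path must be under %s' % ACS_PREFIX)
    star = url.find('*')
    if star >= 0:
        if using_metadata:
            problems.append('wildcards are not allowed in acsUrl when SSO is configured from metadata')
        if star != len(url) - 1:
            problems.append('a wildcard is only meaningful as the last character of acsUrl')
    return problems


def validate_defer_tai(value):
    """DeferTAItoSSO must name exactly one TAI class; a comma-separated list is rejected.
    Returns None when the value is acceptable, otherwise the reason."""
    value = value.strip()
    if value.find(',') >= 0:
        return 'DeferTAItoSSO accepts a single TAI, not a comma-separated list'
    if value != TAI_CLASS:
        return 'DeferTAItoSSO must be %s' % TAI_CLASS
    return None


def acs_url_matches(pattern, request_url):
    """Assumed model of the trailing-wildcard match: a final '*' matches any
    suffix, otherwise the request URL must equal the configured acsUrl."""
    if pattern[-1:] == '*':
        return request_url[:len(pattern) - 1] == pattern[:-1]
    return request_url == pattern


def apply_saml_tai(AdminTask, AdminConfig, acs_url, using_metadata=0):
    """Steps 2 and 3 of the procedure; AdminTask/AdminConfig come from wsadmin."""
    problems = validate_acs_url(acs_url, using_metadata)
    if problems:
        raise ValueError('refusing to configure: ' + '; '.join(problems))

    # Step 2: register and enable the SAML TAI with its ACS URL (sets sso_1.sp.acsUrl).
    AdminTask.addSAMLTAISSO('-enable true -acsUrl %s' % acs_url)

    # Step 3.5: DeferTAItoSSO as a global security custom property. The property
    # may already exist from an older default configuration, so overwrite it.
    sec = AdminConfig.getid('/Security:/')
    existing = None
    for prop in AdminConfig.list('Property', sec).splitlines():
        if prop and AdminConfig.showAttribute(prop, 'name') == DEFER_PROP:
            existing = prop
    if existing:
        AdminConfig.modify(existing, [['value', TAI_CLASS]])
    else:
        AdminConfig.create('Property', sec, [['name', DEFER_PROP], ['value', TAI_CLASS]])

    AdminConfig.save()
    # Step 3.8: restart the affected servers; the TAI is not active until then.


if globals().get('AdminTask') is not None:   # only set when run by wsadmin -f
    apply_saml_tai(AdminTask, AdminConfig, ACS_URL)
```

The validation runs before any configuration call, so a value that would silently disable the TAI (a wildcard with metadata, a comma-separated DeferTAItoSSO) is refused instead of saved; the acs_url_matches model makes the reach of each wildcard pattern visible before it is committed.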


What to do next

After enabling the SAML Web SSO feature, configure WAS as a service provider (SP) partner to participate in the IdP-initiated single sign-on scenarios with other identity providers.


Related:

  • SAML web single sign-on
  • SAML web single sign-on (SSO) TAI custom properties