SAML example


  1. Install the SAML Assertion Consumer Service (ACS) application

    From the WAS admin console go to...

      Applications | New Application | New Enterprise Application | Remote file system

    ...and select...

      C:\IBM\WebSphere\AppServer\installableApps\WebSphereSamlSP.ear


  2. Configure SAML TAI

    1. From the WAS admin console select...

        Security | Global security | Web and SIP security | Trust association | General Properties | Enable trust association (uncheck)

    2. Select...

        Interceptors | New

      ...and for Interceptor class name, set...

        com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

    3. Under Custom properties, fill in the following custom property information:

    4. Click OK.

    5. Go to...

        Security | Global security | Custom properties

    6. Look for...

        com.ibm.websphere.security.DeferTAItoSSO

      ...and replace...

        com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl

      ...with...

        com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

    7. Restart WebSphere Application Server.


  3. Add the identity provider (IDP) as a partner

    1. From the IdP, export Metadata in XML format

      Start the wsadmin command-line utility

        /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython

    2. At the wsadmin prompt, enter the following command:

        AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /path/to/IdPMetaDataFile.xml -idpId 1 -ssoId 1 -signingCertAlias <idpAlias>')

      <idpAlias> is any alias name that you specify for the imported certificate.

      Save and exit...

        AdminConfig.save()
        quit

    3. Restart the WebSphere Application Server.


  4. Add IdP realms as Trusted Realm

    For each Identity provider used with your WebSphere Application Server service provider, we must grant inbound trust to all the realms used by the identity provider.

    Log on to the WebSphere Application Server administrative console and click...

      Security | Global security | user account repository | Configure | Trusted authentication realms - inbound | Add External Realm

    Fill in the external realm name.

    Click OK and Save changes to the master configuration.


  5. Export Data for IdP

    Each identity provider used with your WebSphere Application Server service provider needs to be configured to add the service provider as an SSO partner. The procedure for adding the service provider partner to an identity provider depends on the specific identity provider. Refer to the documentation of the identity provider for instructions on how to add a service provider partner for SSO.

    If an identity provider can use a metadata file to add the service provider as a federation partner, we can use the wsadmin command-line utility to export the service provider metadata:

      /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython
      AdminTask.exportSAMLSpMetadata('-spMetadataFileName <SpMetaDataFile> -ssoId 1')

    ...where <SpMetaDataFile> is the full path name of the SP metadata file that the command generates and that the IdP should import.


  6. Configure the WAS security context

    Log on to the WebSphere Application Server administrative console and go to...

      Security | Global security | Web and SIP security | Trust association | com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

    Add the required custom properties so that the following data is in place (some of them will already be there):

      Name                           Value
      sso_1.sp.acsUrl                https://<hostname>:<sslport>/samlsps/wps/
      sso_1.sp.idMap                 localRealm
      sso_1.idp_1.certAlias          <idpAlias>
      sso_1.idp_1.EntityID           https://<idphostname>/<idp required path>
      sso_1.idp_1.SingleSignOnUrl    https://<idphostname>/saml/idp/profile/redirectorpost/sso
      sso_1.sp.login.error.page      same as sso_1.idp_1.EntityID
      sso_1.sp.filter                request-url%=/wps/myportal


  7. Check login attribute

    The IdP passes, in the SAML request, the userID to be authenticated. This ID has to be one of the userID values available for standard Portal login.

    Log on to the WebSphere Application Server administrative console and click...

      Security | Global security | user account repository | Configure

    Click on the LDAP where users are stored.

    Check, and if necessary add, the attributes (semicolon-separated) used for login in "Federated repository properties for login". In our case, because the IdP passes the email address as the userID, we set the following value:

      Federated repository properties for login = uid;mail

    Click OK and Save


  8. Enable TAI

    After this step the only way to be authenticated to Portal is through the IdP, and it will work only for users that have a matching email in the Portal User Registry.

    Log on to the WebSphere Application Server administrative console and select...

      Security | Global security | Web and SIP security | Trust association | General Properties | Enable trust association | OK | Save

    Restart WebSphere Application Server.

