Before you begin
This task assumes that you are familiar with the SAML SSO
feature.
About this task
Before you can use the SAML Web SSO feature, you must install
the SAML Assertion Consumer Service (ACS) and enable SAML TAI. If
you are planning to use your business application as the SAML ACS
application, you do not need to install the SAML ACS application in
the first step. You should instead specify the URL of the business
application for the acsUrl value.
Procedure
- Install the SAML ACS application. Choose one of the following approaches:
  - Using the administrative console, install the app_server_root/installableApps/WebSphereSamlSP.ear file to your application server or cluster.
  - Install the SAML ACS application by using the Python script:
    - Navigate to the app_server_root/bin directory.
    - Run the installSamlACS.py script:
      wsadmin -f installSamlACS.py install <nodeName> <serverName>
      or
      wsadmin -f installSamlACS.py install <clusterName>
      where nodeName is the node name of the target application server, serverName is the server name of the target application server, and clusterName is the name of the application server cluster.
- Enable SAML TAI. You can enable SAML TAI by using either the wsadmin command utility or the administrative console.
  - Enable SAML TAI using the wsadmin command utility.
    - Start the WebSphere Application Server.
    - Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython
    - At the wsadmin prompt, enter the following command:
      AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern string>')
      where hostname is the host name of the system where WebSphere Application Server is installed and sslport is the Web server SSL port number (WC_defaulthost_secure).
    - Save the configuration by entering the following command: AdminConfig.save()
    - Exit the wsadmin command utility by entering the following command: quit
    - Restart the WebSphere Application Server.
  - Enable SAML TAI using the administrative console.
    - Log on to the WebSphere Application Server administrative console.
    - Click .
    - Expand and click .
    - Under the heading, select the check box and click .
    - Click and enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor in the field.
    - Under , fill in the following custom property information:
      Name: sso_1.sp.acsUrl and Value: https://<hostname>:<sslport>/samlsps/<any URI pattern string>
      where hostname is the host name of the system where WebSphere Application Server is installed and sslport is the Web server SSL port number (WC_defaulthost_secure).
      Note: If you need to have multiple, similar entry points for your SAML workflows, you can specify a wildcard value instead of a specific URI pattern string at the end of the URL specified as the value of this property. Specifying a wildcard as part of the value of this property eliminates the need to configure each of the similar entry points separately.
      Following are some examples of valid ways to include a wildcard as part of the value for this property:
      https://<server>/<context_root>/ep1/path1/p*
      https://<server>/<context_root>/ep1/path1/*
      https://<server>/<context_root>/ep1/*
    - Click and enter the following custom property information:
      Name: sso_1.sp.idMap and Value: idAssertion.
    - Click .
    - Go back to and click .
    - Click and define the following custom property information under :
      Name: com.ibm.websphere.security.DeferTAItoSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
      Avoid trouble: The property com.ibm.websphere.security.DeferTAItoSSO was previously used in the default configuration of all installed servers. Now it is only used as part of the SAML configuration. Therefore, even if this property already exists in your system configuration, you must change its value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Multiple values, separated with commas, cannot be specified for this property. It must be set to a single SAML TAI.
    - Click and define the following custom property information under :
      Name: com.ibm.websphere.security.InvokeTAIbeforeSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
    - Click .
    - Restart WebSphere Application Server.
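The following Python script is an added example, not part of this procedure or of WebSphere itself. It checks a set of SAML TAI custom properties for the mistakes the procedure warns about (non-HTTPS acsUrl, a stale or comma-separated DeferTAItoSSO value, a missing InvokeTAIbeforeSSO) and shows which request URLs a wildcard sso_1.sp.acsUrl covers. It assumes, as the page's examples suggest, that only a single trailing "*" acts as a wildcard; the host names and property dictionaries are constructed sample data.

```python
from urllib.parse import urlsplit

TAI_CLASS = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"


def acs_url_matches(acs_url, request_url):
    """Return True if request_url is covered by the configured sso_1.sp.acsUrl.

    Assumption: only a single trailing '*' is a wildcard (the page's examples all
    end with '*'); scheme and host:port must match exactly, so a wildcard never
    widens the ACS beyond the configured server.
    """
    cfg, req = urlsplit(acs_url), urlsplit(request_url)
    if (cfg.scheme, cfg.netloc) != (req.scheme, req.netloc):
        return False
    if cfg.path.endswith("*"):
        return req.path.startswith(cfg.path[:-1])
    return req.path == cfg.path


def check_saml_tai_properties(props):
    """Return a list of problems found in a dict of SAML TAI custom properties."""
    problems = []
    acs = props.get("sso_1.sp.acsUrl")
    if not acs:
        problems.append("sso_1.sp.acsUrl is missing")
    elif urlsplit(acs).scheme != "https":
        problems.append("sso_1.sp.acsUrl must be an https URL")
    if props.get("sso_1.sp.idMap") != "idAssertion":
        problems.append("sso_1.sp.idMap is not set to idAssertion")
    defer = props.get("com.ibm.websphere.security.DeferTAItoSSO")
    if defer is None:
        problems.append("DeferTAItoSSO is not set")
    elif "," in defer:
        problems.append("DeferTAItoSSO must name a single TAI, not a comma-separated list")
    elif defer != TAI_CLASS:
        # A value left over from an older default configuration must be replaced.
        problems.append("DeferTAItoSSO still holds a stale value: " + defer)
    if props.get("com.ibm.websphere.security.InvokeTAIbeforeSSO") != TAI_CLASS:
        problems.append("InvokeTAIbeforeSSO does not name the SAML TAI")
    return problems


# Constructed sample configuration matching the procedure above.
GOOD_PROPS = {
    "sso_1.sp.acsUrl": "https://sp.example.com:9443/samlsps/ep1/*",
    "sso_1.sp.idMap": "idAssertion",
    "com.ibm.websphere.security.DeferTAItoSSO": TAI_CLASS,
    "com.ibm.websphere.security.InvokeTAIbeforeSSO": TAI_CLASS,
}
```

Run check_saml_tai_properties against the properties exported from your server; an empty list means every setting the procedure calls for is present in the expected form.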
Results
The SAML TAI is now enabled for WebSphere Application Server.
What to do next
After enabling the SAML Web SSO feature, you must configure
WebSphere Application Server as a service provider (SP) partner to
participate in the IdP-initiated single sign-on scenarios with other
identity providers.