Before you begin
Before you can use this command, you must configure the Security Assertion Markup Language (SAML) trust association interceptor (TAI) with at least one single sign-on (SSO) partner using the addSAMLTAISSO command.
If you create your own truststore, you must specify it in the sso_<ID>.sp.trustStore entry. If you do not specify the sp.trustStore property, the default truststore is used. The certificates of the identity provider (IdP) and of the service provider are all saved in the same truststore, so the IdP signing certificate that this command imports ends up there as well.
About this task
You can use the wsadmin command-line utility to import the SAML IdP partner into the SAML TAI in the security configuration for WebSphere Application Server. The command imports the following IdP partner data from the metadata file:
- Entity ID
- Signing Certificate
- SingleSignOnService HTTP-POST binding
Avoid trouble: If any of the above properties are missing from the metadata file, the command logs a warning message. Check the metadata for all three items before you import it, because a partner with no signing certificate or no HTTP-POST endpoint will not be usable for SSO.
Procedure
- Start the WebSphere Application Server.
- Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
- At the wsadmin prompt, enter the following command:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/idpdata.xml -idpId 1 -ssoId 1 -signingCertAlias idpcert')
You can use the following parameters with this command:
Table 1. importSAMLIdpMetadata parameters
Parameter | Description
-ssoId | Optional if you have only one SSO service provider partner; required if you have more than one. It is the identifier for the group of custom properties (the sso_<ID> prefix) that are associated with the SSO service provider partner. This parameter is specified as an integer.
-idpId | Optional. It is the IdP identifier for the group of custom properties that this command defines. If the parameter is not specified, an unused identifier is assigned. This parameter is specified as an integer.
-signingCertAlias | Required if the IdP metadata contains a signing certificate; optional only if it does not. It specifies the alias under which the imported IdP signing certificate is stored in the truststore used by the SSO partner (the sso_<ID>.sp.trustStore truststore, or the default truststore if none is configured). This parameter is specified as a String, for example idpcert.
-idpMetadataFileName | Required. Specify the fully qualified file name of the SAML IdP partner metadata file. This parameter is specified as a String.
-securityDomainName | Optional. Specifies the name of the security domain of interest. If a value for this parameter is not specified, the command uses the global security configuration. This parameter is specified as a String.
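The command reads the three items listed above from the IdP metadata file and only warns about the ones it cannot find. The following script is an added example, not part of WebSphere Application Server or of this page; it pre-checks a SAML 2.0 IdP metadata file offline with plain CPython and the standard library, extracts the Entity ID, the signing certificate and the SingleSignOnService HTTP-POST endpoint exactly as the command would, reports which of the three are missing, and prints the wsadmin line to run. The embedded metadata documents and the certificate value in them are constructed placeholders, not a real IdP; the alias name and file path are assumptions for the illustration.

```python
"""Pre-flight check of a SAML 2.0 IdP metadata file before running
AdminTask.importSAMLIdpMetadata. Added example; not WebSphere code."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces, and the POST binding URI.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (not from any real IdP); the certificate body
# is a placeholder string, not a real X.509 certificate.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBxzCCAXGgAwIBAgI
        PLACEHOLDERCERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same IdP, but publishing no HTTP-POST endpoint: the import would log a warning.
REDIRECT_ONLY_METADATA = GOOD_METADATA.replace(HTTP_POST, "urn:example:no-post-binding")


def extract_idp_data(metadata_xml):
    """Return the three items the command imports; a missing item is None."""
    root = ET.fromstring(metadata_xml)
    # The EntityDescriptor may be the root or wrapped in an EntitiesDescriptor.
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entity = root
    else:
        entity = root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no md:EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no md:IDPSSODescriptor)")

    # A KeyDescriptor without a "use" attribute is valid for signing as well.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # strip PEM-style line breaks
                break

    post_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST:
            post_url = sso.get("Location")
            break

    return {"entity_id": entity.get("entityID"),
            "signing_cert": cert,
            "sso_post_url": post_url}


def missing_items(data):
    """Names, in the page's wording, of the items the import would warn about."""
    labels = (("entity_id", "Entity ID"),
              ("signing_cert", "Signing Certificate"),
              ("sso_post_url", "SingleSignOnService HTTP-POST binding"))
    return [label for key, label in labels if not data[key]]


def build_command(path, sso_id, idp_id, data, cert_alias, domain=None):
    """Build the wsadmin Jython line. -signingCertAlias is emitted only when the
    metadata carries a signing certificate, which is when the page requires it."""
    parts = ["-idpMetadataFileName %s" % path,
             "-ssoId %d" % sso_id, "-idpId %d" % idp_id]
    if data["signing_cert"]:
        parts.append("-signingCertAlias %s" % cert_alias)
    if domain:
        parts.append("-securityDomainName %s" % domain)
    return "AdminTask.importSAMLIdpMetadata('%s')" % " ".join(parts)


if __name__ == "__main__":
    for name, xml in (("good", GOOD_METADATA), ("redirect-only", REDIRECT_ONLY_METADATA)):
        data = extract_idp_data(xml)
        print(name, "missing:", missing_items(data) or "nothing")
        # /tmp/idpdata.xml and the alias idpcert are assumed values for this example.
        print(build_command("/tmp/idpdata.xml", 1, 1, data, "idpcert"))
```

Run the script against the real metadata file before importing it; if the report lists a missing item, obtain corrected metadata from the IdP operator rather than importing a partner that the TAI cannot verify or redirect to.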
Results
The IdP partner properties are now added to the SAML TAI for
this WebSphere Application Server.
Example
The following example imports the SAML IdP partner 1 metadata into the global security SAML TAI SSO service provider partner 1, storing the signing certificate under the alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias')
The following example imports the SAML IdP partner 1 metadata into the SAML TAI SSO service provider partner 1 of the security domain myDomain1, storing the signing certificate under the alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias -securityDomainName myDomain1')