[Fix Pack 7 or later]


Setting up the SAML configuration

To use the SAML default policy sets, sample SAML general bindings, and JAAS login configuration settings for SAML that are included with WebSphere® Application Server Version 7.0.0.7 and later, you must set up the SAML configuration, which is stored in a profile.

About this task

To use the SAML features that are installed with WebSphere Application Server Version 7.0.0.7 and later, you must create a new profile, or update existing profiles. If you create a new profile after installation of Version 7.0.0.7, the new profile contains all the required SAML configuration information. Existing Version 7.0 profiles are not automatically updated with SAML configuration information, and therefore, do not contain the Version 7.0.0.7 SAML policy sets, sample general bindings, and JAAS login configuration settings. You can update existing profiles manually using the following steps. For a network deployment, update the deployment manager profile. For a base installation of WebSphere Application Server that is not a network deployment, update the single server profile. These profiles are the only profiles that you need to update.
Note: If you update existing application server profiles to use the SAML feature, you must install WebSphere Application Server Version 7.0.0.7 on all nodes first.
The profile update procedure can be performed in either stopped server mode, or in running server mode.
Stopped server mode
In this mode, the deployment manager is stopped in the network deployment, and the single server is stopped in the base installation. Copy the profile files and run the following command to update the deployment manager profile, or base server profile.
wsadmin -conntype NONE
Restart the deployment manager or single server.
Running server mode
In this mode, the deployment manager is running in the network deployment, and the single server is running in the base installation. You do not have to stop and restart the server process. Copy the profile files and run the wsadmin command in connected mode. In addition, run the refreshRepositoryEpoch command using wsadmin.AdminConfig so that the repository can pick up the copied files.

Procedure

  1. Copy the directories containing the additional SAML policy sets from the profile templates directory, app_server_root/profileTemplates/default/documents/config/templates/PolicySets, to the profile configuration directory, profile_root/config/templates/PolicySets. Each additional SAML policy set is contained in a separate directory. The directory names are:
    • SAML11 Bearer WSHTTPS default
    • SAML20 Bearer WSHTTPS default
    • SAML11 Bearer WSSecurity default
    • SAML20 Bearer WSSecurity default
    • SAML11 HoK Public WSSecurity default
    • SAML20 HoK Public WSSecurity default
    • SAML11 HoK Symmetric WSSecurity default
    • SAML20 HoK Symmetric WSSecurity default
    • Username WSHTTPS default
    To confirm that the SAML policy sets are available for use, follow these steps in the administrative console:
    1. Click Services > Policy Sets > Application policy sets.
    2. Click Import > From Default Repository.
    3. The list of policy sets available for import includes the list of policies you copied into the profile configuration directory.
    4. Select the SAML default policy sets, and click OK to import them. After importing, the default policy sets are available for use.
  2. Unpackage and copy the sample SAML general bindings to the profile bindings directory. Follow the appropriate procedure depending on whether you are working with a network deployment profile, or a profile for the base installation of WebSphere Application Server that is not a network deployment.
    • For a network deployment:
      1. Extract the directories and files from the package file, app_server_root/profileTemplates/management/configArchives/Dmgr.car, into a temporary directory.
      2. Copy the following general binding directories from the temporary directory <temp_dir>/cells/managementCell/bindings/, to the profile configuration directory for the cell, profile_root/config/cells/<cellName>/bindings. Each general binding is contained in a separate directory. Copy only the general binding directories in this list; copying other binding directories from the archive overwrites the existing general bindings in your profile.
        • Saml Bearer Client sample
        • Saml Bearer Provider sample
        • Saml HoK Symmetric Client sample
        • Saml HoK Symmetric Provider sample
    • For a base deployment that is not a network deployment:
      1. Extract the directories and files from the package file, app_server_root/profileTemplates/default/configArchives/AppSrvWos.car, into a temporary directory.
      2. Copy the following general binding directories from the temporary directory <temp_dir>/cells/defaultCell/bindings/, to the profile configuration directory for the cell, profile_root/config/cells/<cellName>/bindings. Each general binding is contained in a separate directory. Copy only the general binding directories in this list; copying other binding directories from the archive overwrites the existing general bindings in your profile.
        • Saml Bearer Client sample
        • Saml Bearer Provider sample
        • Saml HoK Symmetric Client sample
        • Saml HoK Symmetric Provider sample
    To use WS-Policy and dynamic policy configuration with a client that is configured to use SAML, that client must be configured to use general bindings. A service provider that is configured to use SAML can also use WS-Policy to share its policy configuration with a WebSphere Application Server client or a service registry. For more information, see the topic Learning about WS-Policy.
  3. To confirm that the SAML sample bindings are available for use, follow these steps in the administrative console:
    1. Click Services > Policy sets > General provider policy set bindings.
    2. Verify that the list of sample provider bindings includes these SAML bindings:
      • Saml Bearer Provider sample
      • Saml HoK Symmetric Provider sample
  4. Run the app_server_root/bin/addSamlLoginConfigs.py command to add a JAAS system login configuration for SAML to the cell scope security configuration document. Run the following command to add the wss.generate.saml and wss.consume.saml system JAAS login configurations.
    [Linux] [AIX HP-UX Solaris]
    wsadmin.sh -conntype NONE -lang jython -f app_server_root/bin/addSamlLoginConfigs.py
    [Windows]
    wsadmin.bat -conntype NONE -lang jython -f app_server_root\bin\addSamlLoginConfigs.py

    The command also adds a SAMLCallerLoginModule to the wss.caller JAAS system login configuration.

    To confirm that the JAAS login configuration for SAML has been added, follow these steps in the administrative console:
    1. Click Global security > Java Authentication and Authorization Service > System logins.
    2. Verify that the list of login configurations includes wss.consume.saml and wss.generate.saml.
  5. Copy the JAAS configuration files wsjaas.conf and wsjaas_client.conf from app_server_root/profileTemplates/default/documents/properties to the profile properties directory, profile_root/properties. You can also modify existing wsjaas configuration files. After copying or modifying the files, the following SAML configuration entries are in the files:
    system.wss.generate.saml {
        com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule required;
        com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule required;
    };
    
    system.wss.consume.saml {
        com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule required;
        com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule required;
    };
  6. Copy the SAMLIssuerConfig.properties file to the profile directory.
    • For a network deployment:
      1. Copy the properties file from app_server_root/profileTemplates/cell/dmgr/documents/config/cells/AdvancedDeploymentCell/sts to app_server_root/profiles/<profile_name>/config/cells/<node_name>/sts.
      2. Also copy the properties file to app_server_root/profiles/<profile_name>/config/cells/<cell_name>/nodes/<node_name>/servers/<server_name>.
    • For a base deployment that is not a network deployment, copy the properties file from app_server_root/profileTemplates/cell/default/documents/config/cells/AdvancedDeploymentCell/sts to app_server_root/profiles/<profile_name>/config/cells/<node_name>/sts.
  7. Restart the server.
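As an added example that is not part of the IBM procedure, the following POSIX shell script automates the copy steps 1 and 2 (network deployment case) and the check at the end of step 5: it copies only the listed policy set and sample binding directories, skips any directory already present in the profile so existing general bindings are never overwritten, and verifies that wsjaas.conf carries both SAML entries. APP_SERVER_ROOT, PROFILE_ROOT, CELL_NAME and TEMP_DIR are assumed variables standing in for the placeholders used in the steps.

```shell
# Added example, not IBM's code: copy only the SAML directories named in the
# procedure into a profile, never overwriting what is already there.
# Names exactly as they appear in the templates, spaces included.
SAML_POLICY_SETS='SAML11 Bearer WSHTTPS default
SAML20 Bearer WSHTTPS default
SAML11 Bearer WSSecurity default
SAML20 Bearer WSSecurity default
SAML11 HoK Public WSSecurity default
SAML20 HoK Public WSSecurity default
SAML11 HoK Symmetric WSSecurity default
SAML20 HoK Symmetric WSSecurity default
Username WSHTTPS default'
SAML_BINDINGS='Saml Bearer Client sample
Saml Bearer Provider sample
Saml HoK Symmetric Client sample
Saml HoK Symmetric Provider sample'

# copy_listed SRC DST NAMES: copy SRC/<name> to DST/<name> for each line of NAMES.
# Names already under DST are skipped (existing bindings keep their contents);
# a listed name missing from SRC is an error.
copy_listed() {
    src=$1; dst=$2; names=$3
    mkdir -p "$dst" || return 1
    while IFS= read -r name; do
        [ -d "$src/$name" ] || { echo "missing in template: $src/$name" >&2; return 1; }
        if [ -d "$dst/$name" ]; then
            echo "skipped, already present: $dst/$name"
        else
            cp -R "$src/$name" "$dst/$name" || return 1
            echo "copied: $name"
        fi
    done <<EOF
$names
EOF
}

# check_wsjaas FILE: succeed only if both SAML JAAS entries from step 5 exist.
check_wsjaas() {
    grep -q 'system\.wss\.generate\.saml[[:space:]]*{' "$1" &&
    grep -q 'system\.wss\.consume\.saml[[:space:]]*{' "$1"
}

# Network deployment paths from the procedure; TEMP_DIR is where Dmgr.car was extracted.
setup_saml_profile() {
    copy_listed "$APP_SERVER_ROOT/profileTemplates/default/documents/config/templates/PolicySets" \
        "$PROFILE_ROOT/config/templates/PolicySets" "$SAML_POLICY_SETS" &&
    copy_listed "$TEMP_DIR/cells/managementCell/bindings" \
        "$PROFILE_ROOT/config/cells/$CELL_NAME/bindings" "$SAML_BINDINGS" &&
    check_wsjaas "$PROFILE_ROOT/properties/wsjaas.conf"
}
```

Run `setup_saml_profile` with the four variables exported, then continue with steps 3, 4, 6 and 7 as described above.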



Last updated: Oct 21, 2010 10:04:34 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=twbs_setupsamlconfig
File name: twbs_setupsamlconfig.html