SAML single sign-on scenarios, features, and limitations

Security Assertion Markup Language (SAML) is an OASIS open standard for representing and exchanging user identity, authentication, and attribute information. SAML is fast becoming the technology of choice to provide cross-vendor single sign-on (SSO) interoperability.

The WebSphere Application Server SAML service provider (SP) supports SAML 2.0 Identity Provider (IdP) initiated single sign-on (SSO). The WebSphere IdP-initiated SSO service is implemented as a Trust Association Interceptor (TAI), and the flow can be described as follows:
  1. The user accesses a front-end web application, which can reside on the IdP, on the SP, or elsewhere.
  2. The front-end web application redirects the user to the IdP, and the user authenticates to the IdP.
  3. The IdP returns an HTML page containing a hidden form whose target is the Assertion Consumer Service (ACS) on the SP; the form carries the SAML response and is submitted to the ACS over HTTP POST.
  4. The SP validates and processes the SAML response and creates a WebSphere security context from it.
  5. The SP adds an LTPA cookie to the HTTP response and redirects the request to the target web resource or business application.
  6. WebSphere Application Server intercepts the request, maps the LTPA cookie to the security context, and authorizes the user's access to the requested web resource.
  7. WebSphere Application Server sends the HTTP response back to the user.

The following image shows the SAML SSO flow:

SAML SSO flow
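The flow above, as an added example that is not part of the original page and not WebSphere's own code: a toy IdP issues a SAML response, the hidden form of the HTTP-POST binding carries it to the ACS, and a toy ACS performs the checks a service provider must make before it creates a security context. The entity IDs and the ACS URL are assumed, as are the sample user and attribute. XML signature verification is marked where it belongs but not implemented (the Python standard library has no XML-DSig), and the LTPA cookie of step 5 is outside the example.

```python
"""IdP-initiated SAML 2.0 web SSO over the HTTP-POST binding, simulated end to end.
Added example, not WebSphere code; every URL and entity ID below is assumed."""
import base64
import datetime as dt
import html
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.com/saml"      # assumed IdP entity ID
SP_ENTITY_ID = "https://sp.example.com/saml"        # assumed SP entity ID (audience)
SP_ACS_URL = "https://sp.example.com/samlsps/acs"   # assumed ACS endpoint on the SP
TS = "%Y-%m-%dT%H:%M:%SZ"                           # SAML dateTime, UTC


def idp_build_response(name_id, now, lifetime=300, destination=SP_ACS_URL,
                       audience=SP_ENTITY_ID):
    """Toy IdP (after step 2): a samlp:Response holding one bearer assertion.
    A real IdP also signs the Response and/or Assertion with XML-DSig."""
    issue, nb, na = (t.strftime(TS) for t in
                     (now, now - dt.timedelta(seconds=60), now + dt.timedelta(seconds=lifetime)))
    rid, aid = "_" + uuid.uuid4().hex, "_" + uuid.uuid4().hex
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="{rid}" Version="2.0" IssueInstant="{issue}" Destination="{destination}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{issue}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{html.escape(name_id)}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{na}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{issue}" SessionIndex="{aid}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_post_form(response_xml, relay_state):
    """Step 3, the HTTP-POST binding: an HTML page whose hidden form auto-submits
    SAMLResponse (base64 XML) and RelayState (target resource) to the ACS."""
    b64 = base64.b64encode(response_xml.encode()).decode()
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="POST" action="{html.escape(SP_ACS_URL)}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            f'</form></body></html>')


def browser_submit(form_html):
    """Stand-in for the browser: collect the hidden fields and form-encode the POST body."""
    fields = re.findall(r'name="(\w+)" value="([^"]*)"', form_html)
    return urlencode({k: html.unescape(v) for k, v in fields})


def _t(s):
    return dt.datetime.strptime(s, TS).replace(tzinfo=dt.timezone.utc)


def sp_acs(post_body, now, seen_ids=None):
    """Step 4, the ACS: validate the POSTed Response and, only if every check
    passes, return the security context the SP would build from it."""
    form = parse_qs(post_body)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # The XML-DSig check belongs HERE, before any content is trusted: verify the
    # signature against the IdP certificate in the SP trust store. Omitted in this toy.
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if {root.findtext("saml:Issuer", namespaces=NS),
        a.findtext("saml:Issuer", namespaces=NS)} != {IDP_ENTITY_ID}:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _t(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation failed")
    # IdP-initiated SSO has no AuthnRequest, hence no InResponseTo to match, so a
    # one-time-use cache keyed on the assertion ID is the replay defence.
    if seen_ids is not None:
        if a.get("ID") in seen_ids:
            raise ValueError("assertion replayed")
        seen_ids.add(a.get("ID"))
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"principal": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "target": form.get("RelayState", ["/"])[0]}
```

Because the SSO is IdP-initiated, the ACS receives an unsolicited response and cannot tie it to a request it issued; what stands between it and an attacker who obtained or forged a response is the signature check against the IdP certificate, the Destination, Recipient and Audience comparisons, the short validity window, and the one-time-use cache shown in `sp_acs`. RelayState is attacker-influenced input and should be restricted to local paths before it is used as the redirect target in step 5.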

The SAML SSO features include the following:
The following feature highlights and best practices apply to the SAML SSO features:

WebSphere Application Server supports IdP initiated SAML web SSO only.

The following specifications or scenarios are out of scope:


Last updated: April 17, 2014 04:48 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-iseries&topic=cwbs_samlssosummary
File name: cwbs_samlssosummary.html