Configuring SAML Web Inbound TAI

You can configure a SAML Web Inbound Trust Association Interceptor (TAI) to authenticate and validate a SAML token sent in the request header of a Web request.

Before you begin

Review the custom properties that you must configure for a SAML Web inbound Trust Association Interceptor; see SAML Web Inbound TAI Custom Properties.

About this task

Configure a Trust Association Interceptor (TAI) for the WebSphere Application Server to process a SAML token sent in the request header of a Web request. The SAML token must be Base-64 or UTF-8 encoded, and can be compressed in GZIP format. The SAML token header in the HTTP request can have one of the following formats:
  • Authorization=[<headerName>=<SAML_HERE>]
  • Authorization=[<headerName>="<SAML_HERE>"]
  • Authorization=[<headerName> <SAML_HERE>]
  • <headerName>=[<SAML_HERE>]

Procedure

  1. From the WebSphere administrative console, select Security > Global security > Web and SIP security > Trust association.
  2. Select Interceptors.
  3. Select New to add a new interceptor.
  4. Enter the interceptor class name: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
  5. Add custom properties for your environment; see SAML Web Inbound TAI Custom Properties for a list of the properties.
  6. Apply and Save the configuration updates.
    Note: Saving without applying your changes will discard the custom properties.
  7. Go back to Security > Global security and select Custom properties.
  8. Select New and define the following custom property information for General properties:
    Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
    Value: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI
    Note: If this property is already defined, append com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI to the existing value, separated by a comma, to form a list.
  9. Import the SAML issuer's signer certificate to the truststore of the WebSphere Application Server.
    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
    2. Click Add.
    3. Complete the certificate information, then click Apply.
  10. Add the SAML issuer name (or the value of the realmName or the attribute value of the configured realmIdentifier) to the list of inbound trusted realms. For each SAML issuer that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by the SAML issuer. You can grant inbound trust to the SAML issuer using the administrative console.
    1. Click Global security.
    2. For the user account repository, click Configure.
    3. Click Trusted authentication realms - inbound.
    4. Click Add External Realm.
    5. Enter the external realm name.
    6. Click OK and Save changes to the master configuration.
  11. Restart WebSphere Application Server.
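The following Python script is an added illustration, not code from this page or from the WebSphere product, of two things the procedure relies on: the four header layouts listed under "About this task", including Base-64 decoding and GZIP inflation of the token, and the inbound trusted realm check from step 10, applied to the assertion's Issuer. The header name SAMLResponse, the issuer URL, the trusted realm list and the unsigned sample assertion are all constructed for the example; in a real deployment the header name comes from the TAI custom properties and signature verification is performed by the TAI itself, which this script does not attempt.

```python
"""Locate, decode and issuer-check a SAML token carried in an HTTP header.

Constructed example: header name, issuer, realm list and assertion are made up.
"""
import base64
import binascii
import gzip
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HEADER_NAME = "SAMLResponse"  # assumed; the real name is a TAI custom property

# Constructed, unsigned assertion used only to exercise the parser.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="{ns}" ID="_constructed-1" Version="2.0">'
    '<saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion>'
).format(ns=SAML2_NS)

# Constructed stand-in for the "Trusted authentication realms - inbound" list.
TRUSTED_REALMS = {"https://idp.example.test/saml"}


def encode_saml_token(xml_text, compress=False):
    """Build the header value a sender would emit: UTF-8, optionally GZIP,
    then Base-64 (compressed bytes cannot travel in a header unencoded)."""
    data = xml_text.encode("utf-8")
    if compress:
        data = gzip.compress(data)
    return base64.b64encode(data).decode("ascii")


# <name>=<value>, <name>="<value>" or <name> <value>; name stops at the first
# '=' or blank, so Base-64 padding inside the value is not mistaken for it.
_AUTH_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+)$")


def extract_raw_token(headers, header_name=HEADER_NAME):
    """Return the token text from the request headers, or None if absent.

    Accepted layouts (from the page):
      Authorization: <headerName>=<token>
      Authorization: <headerName>="<token>"
      Authorization: <headerName> <token>
      <headerName>: <token>
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if header_name.lower() in lowered:  # dedicated header wins
        return lowered[header_name.lower()] or None
    auth = lowered.get("authorization")
    if not auth:
        return None
    m = _AUTH_RE.match(auth)
    if not m or m.group(1).lower() != header_name.lower():
        return None  # some other scheme (Basic, Bearer, ...) is not ours
    value = m.group(2).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value or None


def decode_saml_token(raw):
    """Turn header text into assertion XML: plain UTF-8 XML passes through;
    otherwise Base-64 is decoded and a GZIP payload (magic 1f 8b) inflated."""
    if raw.lstrip().startswith("<"):
        return raw
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("token is neither XML nor valid Base-64") from exc
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def issuer_of(xml_text):
    """Read saml2:Issuer. Parsing only; no signature check is done here."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML2_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("assertion has no Issuer")
    return issuer.text.strip()


def validate_inbound(headers, trusted_realms=TRUSTED_REALMS, header_name=HEADER_NAME):
    """Locate, decode and read the issuer, then report whether it is an inbound
    trusted realm. Returns (issuer, trusted) so the caller can log a rejection."""
    raw = extract_raw_token(headers, header_name)
    if raw is None:
        raise ValueError("no SAML token in request")
    issuer = issuer_of(decode_saml_token(raw))
    return issuer, issuer in trusted_realms


if __name__ == "__main__":
    token = encode_saml_token(SAMPLE_ASSERTION, compress=True)
    for hdrs in (
        {"Authorization": f"{HEADER_NAME}={token}"},
        {"Authorization": f'{HEADER_NAME}="{token}"'},
        {"Authorization": f"{HEADER_NAME} {token}"},
        {HEADER_NAME: token},
    ):
        print(validate_inbound(hdrs))
```

An issuer that is absent from the trusted realm set comes back with `trusted == False` rather than raising, which mirrors the effect of skipping step 10: the token is well-formed but the realm is not trusted, so the request should be refused and the issuer logged.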

Results

These steps establish the minimum configuration that is required to configure a Trust Association Interceptor for a WebSphere Application Server that can process SAML tokens sent in the request header of an inbound web request.

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_config_saml_web_inbound_tai