You can configure a SAML Web Inbound Trust Association Interceptor (TAI) to authenticate
and validate a SAML token sent in the request header of a Web request.
About this task
Configure a Trust Association Interceptor (TAI) so that WebSphere Application Server can process a SAML token sent in the request header of a web
request. The SAML token must be Base-64 or UTF-8 encoded, and can be compressed in GZIP format. The
SAML token header in the HTTP request can be in one of the following formats:
Authorization=[<headerName>=<SAML_HERE>]
Authorization=[<headerName>="<SAML_HERE>"]
Authorization=[<headerName> <SAML_HERE>]
<headerName>=[<SAML_HERE>]
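The following parser, added here as an illustration and not part of the IBM TAI code, shows what the interceptor has to do before it can validate anything: recognise the four header layouts above, then undo the Base-64 and optional GZIP encoding. It assumes the square brackets in the layouts delimit the header value, and that the configured header name is SAMLResponse (the real name comes from the TAI custom properties); the sample assertion is constructed.

```python
import base64
import binascii
import gzip
import re

# Constructed sample assertion (not a real token), used only as parser input.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0"><saml:Issuer>https://idp.example.com'
    "</saml:Issuer></saml:Assertion>"
)

def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def extract_saml_token(headers, header_name):
    """Return the raw token from any of the four layouts the TAI accepts:
    Authorization: <name>=<tok> | <name>="<tok>" | <name> <tok>, or a header
    named <name> carrying the token directly. None if no token is present."""
    auth = _header(headers, "Authorization")
    if auth is not None:
        pattern = (r"\s*" + re.escape(header_name)
                   + r'(?:\s*=\s*|\s+)(?:"([^"]*)"|(\S+))\s*$')
        match = re.match(pattern, auth, re.IGNORECASE)
        if match:
            return match.group(1) if match.group(1) is not None else match.group(2)
    direct = _header(headers, header_name)
    return direct.strip() if direct else None

def encode_saml_token(xml, compress=False):
    """Wire form the TAI accepts: optional GZIP, then Base-64 (builds test input)."""
    data = xml.encode("utf-8")
    return base64.b64encode(gzip.compress(data) if compress else data).decode("ascii")

def decode_saml_token(token):
    """Undo the accepted encodings: Base-64, with GZIP inside if present.
    A value that is not valid Base-64 is taken as plain UTF-8 XML."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return token
    if raw[:2] == b"\x1f\x8b":  # GZIP magic number
        raw = gzip.decompress(raw)
    return raw.decode("utf-8")
```

Decoding only recovers the assertion XML; the TAI still verifies its signature against the issuer certificate imported in the steps below, so a token that parses is not yet a trusted one.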
Procedure
- From the WebSphere administrative console, select > > > .
- Select Interceptors.
- Select New to add a new interceptor.
- Enter the interceptor class name: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
- Add custom properties for your environment; see SAML Web Inbound TAI Custom Properties for a list of the properties.
- Apply and Save the configuration updates.
Note: Saving without applying your changes discards the custom properties.
- Go back to > and select Custom properties.
- Select New and define the following custom property under General properties:
Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
Value: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI
Note: If this property is already defined, append com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI to the existing value, separated by a comma, so that the value becomes a comma-separated list.
- Import the SAML issuer's signer certificate to the truststore of the WebSphere Application Server.
- In the administrative console, click . Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
- Click Add.
- Complete the certificate information, then click Apply.
- Add the SAML issuer name (or the value of the realmName, or the attribute value of the configured realmIdentifier) to the list of inbound trusted realms. For each SAML issuer that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by that SAML issuer. You can grant inbound trust to the SAML issuer from the administrative console.
- Click Global security.
- For the user account repository, click Configure.
- Click Trusted authentication realms - inbound.
- Click Add External Realm.
- Enter the external realm name.
- Click OK and Save changes to the master configuration.
- Restart WebSphere Application Server.
Results
These steps establish the minimum configuration that is required to configure a Trust
Association Interceptor for a WebSphere Application
Server that can process SAML tokens sent in the request header of an inbound web
request.