By default, the WebSphere® Application Server
SAML Trust Association Interceptor (TAI) supports IdP-initiated SSO. With custom code in place,
the SAML TAI can also be configured to support SP-initiated SSO, in which the SP builds and sends
the SAML AuthnRequest to the identity provider.
About this task
This task provides an example class and the steps to configure SP-initiated SSO.
Procedure
- Develop a SAML authentication request provider that implements the
com.ibm.wsspi.security.web.saml.AuthnRequestProvider interface.
The method
getAuthnRequest(HttpServletRequest req, String errorMsg, String acsUrl,
ArrayList<String> ssoUrls) must return a map that includes four entries with the
following keys:
- AuthnRequestProvider.SSO_URL
- The SAML identity provider's Single-Sign-On URL, that is, the endpoint the AuthnRequest is sent to.
- AuthnRequestProvider.RELAY_STATE
- The RelayState value as defined by the SAML Web Browser SSO profile. The IdP returns it unchanged with the response, so use an unpredictable value rather than a fixed string.
- AuthnRequestProvider.REQUEST_ID
- The value for this key must match the ID attribute's value in the AuthnRequest
message, so that the InResponseTo attribute of the IdP's response can be correlated with this request.
- AuthnRequestProvider.AUTHN_REQUEST
- A Base64-encoded AuthnRequest message as defined in the SAML 2.0 specification. Your code is
responsible for generating the AuthnRequest message and for Base64-encoding it.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.NotImplementedException;
import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;

public class MyAuthnRequestProvider implements AuthnRequestProvider {
    private static final SecureRandom RANDOM = new SecureRandom();

    public HashMap<String, String> getAuthnRequest(HttpServletRequest req, String errorMsg,
            String acsUrl, ArrayList<String> ssoUrls) throws NotImplementedException {
        // create map with the four required keys
        HashMap<String, String> map = new HashMap<String, String>();
        // IdP single sign-on endpoint (the TAI also passes the configured IdP URLs in ssoUrls)
        String ssoUrl = "https://example.com/saml20/Login";
        map.put(AuthnRequestProvider.SSO_URL, ssoUrl);
        String relayState = generateRandom();
        map.put(AuthnRequestProvider.RELAY_STATE, relayState);
        // an xs:ID must not start with a digit, so prefix the random value
        String requestId = "_" + generateRandom();
        map.put(AuthnRequestProvider.REQUEST_ID, requestId);
        String issuer = "mysp"; // this SP's entity ID as registered at the IdP
        // create AuthnRequest: ID matches REQUEST_ID, Destination is the IdP SSO endpoint
        String authnMessage = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
            + "ID=\"" + requestId + "\" Version=\"2.0\" "
            + "IssueInstant=\"" + getUTC() + "\" ForceAuthn=\"false\" IsPassive=\"false\" "
            + "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" "
            + "AssertionConsumerServiceURL=\"" + acsUrl + "\" "
            + "Destination=\"" + ssoUrl + "\">"
            + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + issuer + "</saml:Issuer>"
            + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" "
            + "SPNameQualifier=\"mysp\" AllowCreate=\"true\"/>"
            + "<samlp:RequestedAuthnContext Comparison=\"exact\">"
            + "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
            + "urn:oasis:names:tc:SAML:2.0:ac:classes:" // complete with the context class your IdP requires
            + "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>";
        // the TAI expects the Base64-encoded message under this key
        map.put(AuthnRequestProvider.AUTHN_REQUEST,
            Base64.getEncoder().encodeToString(authnMessage.getBytes(StandardCharsets.UTF_8)));
        return map;
    }

    // 128 bits from SecureRandom, hex encoded; used for both RelayState and the request ID
    private static String generateRandom() {
        byte[] b = new byte[16];
        RANDOM.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    // IssueInstant in UTC in xs:dateTime form, as SAML requires
    private static String getUTC() {
        SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        return f.format(new Date());
    }
}
- Put a jar file that contains your custom class in the
(WAS_HOME)/lib/ext directory.
- Configure the SAML web SSO TAI to use your AuthnRequest provider.
- Log on to the WebSphere Application Server
administrative console.
- Click .
- Expand Web and SIP security and click Trust
association.
- Click Interceptors.
- Click com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
- For Custom properties, click New, then complete
the following custom property information, where id is what you assigned to the SSO
Service Provider (SP) for which you want this property to apply:
- Name: sso_<id>.sp.login.error.page
- Value: The class name of your custom AuthnRequestProvider implementation.
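The TAI relies on the four map entries agreeing with the AuthnRequest itself: the ID attribute must equal REQUEST_ID, Destination must equal SSO_URL, and the AssertionConsumerServiceURL must be the acsUrl the TAI handed in. Building the message by string concatenation, as the example above does, makes it easy to get one of these wrong or to emit unescaped characters from a URL. The following added example (not IBM's code, and not part of this page's procedure) builds the same message with the DOM API and then re-parses the Base64 value with a hardened parser to check those invariants before the class is deployed. It uses only the JDK, so the four key names and the URLs and issuer in main are stand-ins for the AuthnRequestProvider constants and for your real endpoints; in a deployed provider you would put the same entries into the map under the interface's constants.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class AuthnRequestCheck {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    // Stand-ins for AuthnRequestProvider.SSO_URL etc. so this compiles without the WAS jars (assumption)
    static final String SSO_URL = "SSO_URL", RELAY_STATE = "RELAY_STATE",
            REQUEST_ID = "REQUEST_ID", AUTHN_REQUEST = "AUTHN_REQUEST";
    private static final SecureRandom RNG = new SecureRandom();

    // Builds the four entries with the DOM API, so attribute values are escaped rather than concatenated.
    static Map<String, String> buildAuthnRequest(String ssoUrl, String acsUrl, String issuer) throws Exception {
        String requestId = "_" + randomHex(16); // xs:ID must not start with a digit
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element req = doc.createElementNS(SAMLP, "samlp:AuthnRequest");
        req.setAttributeNS(XMLNS, "xmlns:samlp", SAMLP);
        req.setAttributeNS(XMLNS, "xmlns:saml", SAML);
        req.setAttribute("ID", requestId);
        req.setAttribute("Version", "2.0");
        req.setAttribute("IssueInstant", Instant.now().toString()); // UTC, xs:dateTime
        req.setAttribute("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        req.setAttribute("AssertionConsumerServiceURL", acsUrl);
        req.setAttribute("Destination", ssoUrl);
        Element iss = doc.createElementNS(SAML, "saml:Issuer");
        iss.setTextContent(issuer);
        req.appendChild(iss);
        Element policy = doc.createElementNS(SAMLP, "samlp:NameIDPolicy");
        policy.setAttribute("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
        policy.setAttribute("AllowCreate", "true");
        req.appendChild(policy);
        doc.appendChild(req);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        Map<String, String> map = new HashMap<>();
        map.put(SSO_URL, ssoUrl);
        map.put(RELAY_STATE, randomHex(16)); // 32 characters, well under the 80-byte RelayState limit
        map.put(REQUEST_ID, requestId);
        map.put(AUTHN_REQUEST, Base64.getEncoder().encodeToString(out.toString().getBytes(StandardCharsets.UTF_8)));
        return map;
    }

    // Decodes and re-parses the message with DTDs disabled, then checks the fields the TAI depends on.
    static void verify(Map<String, String> map, String acsUrl) throws Exception {
        byte[] xml = Base64.getDecoder().decode(map.get(AUTHN_REQUEST));
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Element root = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml)).getDocumentElement();
        require(SAMLP.equals(root.getNamespaceURI()) && "AuthnRequest".equals(root.getLocalName()), "root is samlp:AuthnRequest");
        require(root.getAttribute("ID").equals(map.get(REQUEST_ID)), "REQUEST_ID must equal the ID attribute");
        require(root.getAttribute("Destination").equals(map.get(SSO_URL)), "Destination must equal SSO_URL");
        require(root.getAttribute("AssertionConsumerServiceURL").equals(acsUrl), "ACS URL must be the TAI's acsUrl");
        require(root.getElementsByTagNameNS(SAML, "Issuer").getLength() == 1, "exactly one saml:Issuer");
        require(map.get(RELAY_STATE).getBytes(StandardCharsets.UTF_8).length <= 80, "RelayState is limited to 80 bytes");
    }

    static void require(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("AuthnRequest check failed: " + what);
    }

    static String randomHex(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // constructed sample values; replace with your IdP endpoint, ACS URL and SP entity ID
        String acs = "https://sp.example.com/samlsps/acs";
        Map<String, String> m = buildAuthnRequest("https://idp.example.com/saml20/Login", acs, "https://sp.example.com");
        verify(m, acs);
        System.out.println(new String(Base64.getDecoder().decode(m.get(AUTHN_REQUEST)), StandardCharsets.UTF_8));
    }
}
```

Run it with plain `javac`/`java`; it prints the decoded AuthnRequest after the checks pass and throws if any invariant is violated. The same verify logic can be pointed at the map returned by your real AuthnRequestProvider (using the interface's constants as keys) to catch a mismatched ID or Destination before the IdP rejects the request or, worse, silently accepts a malformed one.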