Thursday, April 2, 2015

Websphere TAI SAML web single sign-on Configuration

Environment:

      WebSphere Application Server  8.5.0.2

Enabling your system to use the SAML web single sign-on (SSO) feature

 

·         Install the SAML ACS application using the administrative console

    Install the app_server_root/installableApps/WebSphereSamlSP.ear file to your application server or cluster.

·         Enable SAML TAI using the administrative console

a.     Click Security > Global security.
b.     Expand Web and SIP security and click Trust association.
c.     Under the General Properties heading, select the Enable trust association check box and click Interceptors.
d.     Click New and enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor in the Interceptor class name field.
e.     Under Custom properties, fill in the following custom property information: Name: sso_1.sp.acsUrl and Value: https://<hostname>:<sslport>/samlsps/<any URI pattern string>, where hostname is the host name of the system where WebSphere Application Server is installed and sslport is the Web server SSL port number (WC_defaulthost_secure).
f.     Click New and enter each of the following custom properties:
       Name: sso_1.sp.idMap and Value: idAssertion
       Name: sso_1.sp.trustAnySigner and Value: true
       Name: sso_1.sp.wantAssertionsSigned and Value: false
       Name: sso_1.sp.useRelayStateForTarget and Value: true
       Name: sso_1.sp.targetUrl and Value: your target URL
g.     Click OK.
h.     Go back to Security > Global security and click Custom properties.
i.     Click New and define the following custom property under General properties: Name: com.ibm.websphere.security.DeferTAItoSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
Avoid trouble: The property com.ibm.websphere.security.DeferTAItoSSO was previously used in the default configuration of all installed servers. Now it is only used as part of the SAML configuration. Therefore, even if this property already exists in your system configuration, you must change its value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Multiple values, separated with commas, cannot be specified for this property. It must be set to a single SAML TAI.
j.     Click New and define the following custom property under General properties: Name: com.ibm.websphere.security.InvokeTAIbeforeSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
k.     Click OK.
l.     Restart WebSphere Application Server.

The SAML TAI is now enabled for WebSphere Application Server.
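Two of the custom properties in step f (sso_1.sp.trustAnySigner = true and sso_1.sp.wantAssertionsSigned = false) turn off signature checking on the incoming assertion, which is fine for a first smoke test but not for anything beyond that. The script below is an added example, not IBM code or part of this walk-through: it takes the TAI custom properties as a plain dict, reports the settings that weaken assertion validation, and checks the two Global security properties from steps i and j against the single-value rule stated above. Property names are the ones on this page; the host name and paths in WALKTHROUGH_PROPS are constructed sample values.

```python
"""Audit the SAML TAI custom properties before applying them in the console.

Added example, not IBM code. Property names are taken from the procedure
above; the values in WALKTHROUGH_PROPS are a constructed sample.
"""
from urllib.parse import urlparse

TAI_CLASS = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"

# The TAI custom properties exactly as steps e and f set them (constructed values).
WALKTHROUGH_PROPS = {
    "sso_1.sp.acsUrl": "https://was.example.test:9443/samlsps/acs",
    "sso_1.sp.idMap": "idAssertion",
    "sso_1.sp.trustAnySigner": "true",
    "sso_1.sp.wantAssertionsSigned": "false",
    "sso_1.sp.useRelayStateForTarget": "true",
    "sso_1.sp.targetUrl": "https://was.example.test:9443/testLogin/cart/cart.html",
}

# The same properties with assertion-signature checking switched on. This only
# works once the IdP signing certificate has been imported (the
# AdminTask.importSAMLIdpMetadata ... -signingCertAlias step later on this page).
HARDENED_PROPS = dict(WALKTHROUGH_PROPS, **{
    "sso_1.sp.trustAnySigner": "false",
    "sso_1.sp.wantAssertionsSigned": "true",
})


def audit_tai_props(props, sso_id="1"):
    """Return a list of (property, finding) pairs; an empty list means no weak settings."""
    p = "sso_%s.sp." % sso_id
    findings = []

    def flag(name):
        return props.get(p + name, "").strip().lower()

    acs = urlparse(props.get(p + "acsUrl", ""))
    if acs.scheme != "https":
        findings.append((p + "acsUrl", "ACS URL must use https: the assertion is delivered to it"))
    if not acs.path.startswith("/samlsps/"):
        findings.append((p + "acsUrl", "ACS URL must sit under /samlsps/ as in step e"))
    if flag("trustAnySigner") == "true":
        findings.append((p + "trustAnySigner",
                         "any signer is trusted: set false and import the IdP signing certificate"))
    if flag("wantAssertionsSigned") != "true":
        findings.append((p + "wantAssertionsSigned", "unsigned assertions are accepted: set true"))
    target = props.get(p + "targetUrl", "")
    if target and urlparse(target).scheme != "https":
        findings.append((p + "targetUrl", "post-login redirect target should use https"))
    return findings


def check_global_props(global_props):
    """Check the two Global security custom properties from steps i and j."""
    findings = []
    defer = "com.ibm.websphere.security.DeferTAItoSSO"
    invoke = "com.ibm.websphere.security.InvokeTAIbeforeSSO"
    defer_val = global_props.get(defer, "").strip()
    if "," in defer_val:
        findings.append((defer, "must name a single SAML TAI, not a comma-separated list"))
    elif defer_val != TAI_CLASS:
        findings.append((defer, "expected %s" % TAI_CLASS))
    invoke_vals = [v.strip() for v in global_props.get(invoke, "").split(",")]
    if TAI_CLASS not in invoke_vals:
        findings.append((invoke, "must include %s" % TAI_CLASS))
    return findings


if __name__ == "__main__":
    for label, props in (("walk-through", WALKTHROUGH_PROPS), ("hardened", HARDENED_PROPS)):
        print(label)
        for prop, msg in audit_tai_props(props) or [("-", "no weak settings")]:
            print("  %s: %s" % (prop, msg))
```

Once the hardened values are in place, the test login at the end of this page is also the negative test: an assertion that is unsigned, or signed by a certificate other than the one imported with -signingCertAlias, must be rejected by the TAI rather than mapped to a user.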

Configuring single sign-on (SSO) partners

 

·         Add an identity provider to the WebSphere Application Server SAML service provider for single sign-on.

          To use the WebSphere Application Server SAML service provider for single sign-on with an identity provider, you need to add the identity provider as a partner. Add an identity provider using the metadata of the identity provider.

a.      Start the wsadmin command-line utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
b.      At the wsadmin prompt, enter the following command: AdminTask.importSAMLIdpMetadata('-idpMetadataFileName <IdpMetaDataFile> -idpId 1 -ssoId 1 -signingCertAlias <IdpAlias>') where IdpMetaDataFile is the full path name of the IdP metadata file, and IdpAlias is any alias name that you specify for the imported certificate.
c.      Save the configuration by entering the following command: AdminConfig.save().
d.      Exit the wsadmin command utility by entering the following command: quit.
e.      Restart the WebSphere Application Server.

·         Add IdP realms to the list of inbound trusted realms. For each Identity provider that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by the identity provider.

a.      Click Global security.
b.      Under user account repository, click Configure.
c.      Click Trusted authentication realms - inbound.
d.      Click Add External Realm.
e.      Fill in the external realm name.
f.       Click OK and Save changes to the master configuration.

·         Add the WebSphere Application Server SAML service provider to the identity providers for SSO.

Each identity provider that is used with your WebSphere Application Server service provider needs to be configured to add the service provider as an SSO partner. The procedure for adding the service provider partner to an identity provider depends on the specific identity provider. Refer to the documentation of the identity provider for instructions on how to add a service provider partner for SSO.
You can either export the WebSphere Application Server service provider metadata, and import it to the identity provider, or manually configure the identity provider to add the service provider.
To add the service provider as a federation partner to an identity provider, you must provide the URL of the Assertion Consumer Service (ACS) of the service provider, which is the value of the sso_1.sp.acsUrl custom property set when enabling the SAML trust association interceptor (TAI).
If an identity provider can use a metadata file to add the service provider as a federation partner, you can use the following wsadmin command-line utility command to export the service provider metadata:

wsadmin -lang jython
AdminTask.exportSAMLSpMetadata('-spMetadataFileName /tmp/spdata.xml -ssoId 1')

This command creates the /tmp/spdata.xml metadata file.
If the SAML token is encrypted, you must provide the public key certificate that you want the identity provider to use for encrypting the SAML token, and the certificate must exist in the WebSphere Application Server default KeyStore before performing an export.

Testing

Install the testing application testLoginEAR.ear file to your application server or cluster for testing SAML single sign-on.

Make sure that web.xml includes

            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>cart</web-resource-name>
                    <url-pattern>/cart/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                    <role-name>saml</role-name>
                </auth-constraint>
            </security-constraint>

            <security-role>
                <role-name>saml</role-name>
            </security-role>

Make sure that ibm-application-bnd.xml includes

            <security-role name="saml">
                <special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
            </security-role>

Unprotected URL:
host:port/testLogin/index.html

Protected URL:
host:port/testLogin/cart/cart.html
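Whether the protected and unprotected URLs above behave as expected comes down to two files: which security-constraint in web.xml matches the request path, and what the role it names is bound to in ibm-application-bnd.xml. The script below is an added example, not part of testLoginEAR.ear or of IBM's tooling: it parses both fragments from this section (wrapped in constructed root elements), applies the Servlet url-pattern rules (exact, path prefix "/x/*", extension "*.ext"), and reports the roles required for a path and the subject each role is bound to. ALL_AUTHENTICATED_IN_TRUSTED_REALMS is the binding that makes the inbound trusted realm step earlier on this page matter: a user asserted from a realm that was not added there does not satisfy it.

```python
"""Resolve which roles protect a path and how those roles are bound.

Added example, not part of testLoginEAR.ear. WEB_XML and BND_XML are the
fragments from the Testing section wrapped in constructed root elements.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cart</web-resource-name>
      <url-pattern>/cart/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>saml</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>saml</role-name>
  </security-role>
</web-app>"""

BND_XML = """<application-bnd>
  <security-role name="saml">
    <special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
  </security-role>
</application-bnd>"""


def _local(tag):
    """Tag name without any XML namespace prefix (real web.xml files are namespaced)."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix ('/cart/*') or extension ('*.jsp')."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(web_xml, path):
    """Roles that may access `path`, or None when no auth-constraint covers it.

    An empty set means a matching constraint has an empty <auth-constraint/>,
    which denies access to everyone.
    """
    root = ET.fromstring(web_xml)
    covered = False
    roles = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [p.text.strip() for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern") if p.text]
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        for ac in _children(sc, "auth-constraint"):
            covered = True
            roles.update(r.text.strip() for r in _children(ac, "role-name") if r.text)
    return roles if covered else None


def role_bindings(bnd_xml):
    """Map each role in ibm-application-bnd.xml to its (binding kind, name/type) list."""
    root = ET.fromstring(bnd_xml)
    bindings = {}
    for sr in root.iter():
        if _local(sr.tag) != "security-role":
            continue
        bindings[sr.get("name")] = [
            (_local(c.tag), c.get("type") or c.get("name"))
            for c in sr if _local(c.tag) in ("special-subject", "user", "group")
        ]
    return bindings


def unmapped_roles(web_xml, bnd_xml):
    """Roles referenced in web.xml that have no binding: nobody can satisfy them."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.iter() if _local(r.tag) == "role-name" and r.text}
    return declared - set(role_bindings(bnd_xml))


if __name__ == "__main__":
    for path in ("/index.html", "/cart/cart.html"):
        print(path, "->", required_roles(WEB_XML, path))
    print(role_bindings(BND_XML))
    print("unmapped:", unmapped_roles(WEB_XML, BND_XML))
```

Run against a real deployment, swap the two string constants for the deployed files and check the paths you expect to be public come back as None; a path that returns an empty set, or a role listed by unmapped_roles, is a constraint nobody can pass rather than a misconfigured SSO.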
