Configuring IBM Tivoli Federated Identity Manager for SAML

Configure IBM® Tivoli® Federated Identity Manager to work with IBM Spectrum LSF Application Center and SAML single sign-on.

About this task

The following steps use IBM Tivoli Federated Identity Manager version 6.2.2.

Procedure

  1. Determine which point of contact server to use.
    Any point of contact server can be used as long as the prerequisites of that specific point of contact are satisfied. For example, IBM WebSphere® can serve as the point of contact.

  2. Import a keystore.

    You need a keystore that holds the private key and certificate used to sign outgoing SAML responses and assertions. The certificate from this keystore is published in the identity provider metadata, which is how IBM Spectrum LSF Application Center verifies the signatures, so keep the private key in the keystore only and protect the keystore password.

Configure IBM Tivoli Federated Identity Manager

Procedure

  1. Create a Federation.

    The steps below cover only the pages that require specific information. On the pages not listed here, keep the default selections.

    1. Enter the federation name. Choose any unique value.
    2. In Federation Protocol, select SAML 2.0.

    3. In the Point of Contact Server screen, specify the point of contact server as https://[server_name]:[secure_application_server_port]. Use HTTPS, because the SAML messages and the session that follows them travel through this URL.
    4. In the Profile Selection screen, leave the default: Basic Web Browser SSO, Single Logout.
    5. In the Signature Options screen, select Require signature on incoming SAML message and assertion, so that unsigned or altered authentication requests and logout messages from the service provider are rejected. For outgoing SAML messages and assertions any option works functionally, but for security select All Outgoing SAML messages and assertions are signed, so that the service provider can verify that every response and assertion came from this identity provider and was not modified in transit.

    6. In the Encryption Options screen, load your keystore if you need outgoing assertions to be encrypted for the service provider.
    7. In SAML Message Settings and SAML Assertion Settings, keep the default selections.
    8. In Identity Mapping Options, select any identity mapping XSL file that works with SAML 2.0.

      Sample XSL mapping rules are in the IBM Tivoli Federated Identity Manager installation directory under /examples/mapping_rules/, for example ip_saml_20_email_nameid.xsl, which, as its name indicates, uses the user's e-mail address as the SAML NameID. For additional details, refer to: http://www-01.ibm.com/support/knowledgecenter/SS4J57_6.2.2.6/com.ibm.tivoli.fim.doc_6226/config/concept/xslformappingrules.html

  2. Export the federation's identity provider metadata file.
  3. Start IBM Spectrum LSF Application Center with the command pmcadmin start if it is not already running.
  4. Import the identity provider XML file into IBM Spectrum LSF Application Center with the command pmcadmin saml enable -idp exported_idp_file.

    For example:

    pmcadmin saml enable -idp /usr/share/myfile
  5. Restart IBM Spectrum LSF Application Center with the commands pmcadmin stop then pmcadmin start.
  6. Import the IBM Spectrum LSF Application Center service provider metadata file into IBM Tivoli Federated Identity Manager as a partner of the federation you created. Use the same selections as in Step 1.
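Before importing a metadata file on either side (the identity provider export in Step 4, or the service provider metadata in Step 6), it is worth checking that the file actually carries the settings the procedure asks for: an HTTPS endpoint, a signing certificate, and the signature requirements chosen in the Signature Options screen. The following script is an added example and is not part of the IBM topic or of either product; it assumes only the OASIS SAML 2.0 metadata schema. The sample metadata embedded in it is constructed for the example (the entity ID, host name and certificate body are placeholders, and the certificate is a minimal DER structure rather than a real X.509 certificate), and the `pmcadmin` invocation in the usage comment is the one shown in Step 4.

```python
"""Audit a SAML 2.0 metadata file before importing it (added example)."""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample identity provider metadata: placeholder entity ID and
# host, and a minimal DER SEQUENCE ("MAMCAQE=") standing in for the
# base64 X.509 certificate that a real export would contain.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fim.example.com/sps/lsf-federation/saml20">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fim.example.com/sps/lsf-federation/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed weakened variant: incoming requests need not be signed and the
# SSO endpoint is plain HTTP. Both should be reported.
WEAK_IDP_METADATA = (
    SAMPLE_IDP_METADATA
    .replace('WantAuthnRequestsSigned="true"', 'WantAuthnRequestsSigned="false"')
    .replace('Location="https://', 'Location="http://')
)


def audit_metadata(xml_text: str) -> list:
    """Return a list of findings; an empty list means the file looks sound."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        findings.append("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        findings.append("no IDPSSODescriptor or SPSSODescriptor found")
        return findings

    # Signature requirements: these attributes are what the Signature
    # Options choices become in metadata.
    if idp is not None:
        if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
            findings.append("IdP does not require signed AuthnRequests")
    else:
        if sp.get("AuthnRequestsSigned", "false").lower() != "true":
            findings.append("SP does not sign AuthnRequests")
        if sp.get("WantAssertionsSigned", "false").lower() != "true":
            findings.append("SP does not require signed assertions")

    # A KeyDescriptor without a "use" attribute serves both signing and
    # encryption, so it counts as a signing key.
    signing_keys = [k for k in role.findall("md:KeyDescriptor", NS)
                    if k.get("use", "signing") == "signing"]
    if not signing_keys:
        findings.append("no signing KeyDescriptor")
    for kd in signing_keys:
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:
            der = b""
        # DER-encoded certificates always start with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            findings.append("signing certificate is missing or not DER-encoded")

    # Every SAML endpoint must be reachable over HTTPS only.
    for tag in ("SingleSignOnService", "SingleLogoutService",
                "AssertionConsumerService"):
        for ep in role.findall("md:" + tag, NS):
            loc = ep.get("Location", "")
            if not loc.lower().startswith("https://"):
                findings.append("%s at %r is not HTTPS" % (tag, loc))
    return findings


def audit_file(path: str) -> list:
    """Audit a metadata file on disk, e.g. the export passed to pmcadmin."""
    with open(path, encoding="utf-8") as fh:
        return audit_metadata(fh.read())


if __name__ == "__main__":
    # Usage: python audit_saml_metadata.py exported_idp_file
    # then, if nothing is reported: pmcadmin saml enable -idp exported_idp_file
    problems = audit_file(sys.argv[1]) if len(sys.argv) > 1 \
        else audit_metadata(WEAK_IDP_METADATA)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run the script against the exported file before Step 4, and against the IBM Spectrum LSF Application Center service provider metadata before Step 6; a non-zero exit means a finding was printed. The check deliberately stops at structure (DER-shaped certificate, HTTPS endpoints, signature flags) rather than parsing the certificate, so it needs only the Python standard library.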