You can configure a SAML Web Inbound Trust Association Interceptor (TAI) to authenticate
and validate a SAML token sent in the request header of a Web request.
About this task
Configure a Trust Association Interceptor (TAI) for WebSphere® to process a SAML token sent in the request header of a Web
request. The SAML token must be Base-64 or UTF-8 encoded, and can be compressed in GZIP format. The
SAML Token header in the HTTP request can be in one of the following formats:
- Authorization=[<headerName>=<SAML_HERE>]
- Authorization=[<headerName>="<SAML_HERE>"]
- Authorization=[<headerName> <SAML_HERE>]
- <headerName>=[<SAML_HERE>]
Procedure
- From the WebSphere administrative console, select > > > .
- Select Interceptors.
- Select New to add a new interceptor.
- Enter the interceptor class name: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
- Add custom properties for your environment; see SAML Web Inbound TAI Custom Properties for a list of the properties.
- Apply and Save the configuration updates.
  Note: Saving without applying your changes will discard the custom properties.
- Go back to > and select Custom properties.
- Select New and define the following custom property information for General properties:
  Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
  Value: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI
  Note: If this property is already defined, append com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI to the existing value, separated from it by a comma, so that the value becomes a comma-separated list.
- Import the SAML issuer's signer certificate to the truststore of the WebSphere Application Server.
  - In the administrative console, click . Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
  - Click Add.
  - Complete the certificate information, then click Apply.
- Add the SAML issuer name (or the value of the realmName, or the attribute value of the configured realmIdentifier) to the list of inbound trusted realms. For each SAML issuer that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by the SAML issuer. You can grant inbound trust to the SAML issuer using the administrative console.
  - Click Global Security.
  - For the user account repository, click Configure.
  - Click Trusted authentication realms - inbound.
  - Click Add External Realm.
  - Fill in the external realm name.
  - Click OK and Save changes to the master configuration.
- Restart the WebSphere Application Server.
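To make the header handling concrete, the following is an added Python example, not IBM's TAI code (which is Java) and not part of this page. It parses the four header layouts listed under About this task, Base64-decodes the token and gunzips it when the payload is GZIP, reads the SAML 2.0 Issuer from the assertion, and checks that issuer against the inbound trusted realms that the procedure above tells you to configure. The header name SAMLToken, the sample assertion and the trusted realm value are constructed assumptions. Signature validation against the imported signer certificate, which the real TAI performs, is not shown.

```python
import base64
import binascii
import gzip
import re
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed header name for the SAML token (an example value, not one taken from the page).
HEADER_NAME = "SAMLToken"


def extract_raw_token(headers, header_name=HEADER_NAME):
    """Return the raw token string from any of the four header layouts, or None.

    Layouts handled:
      Authorization: <headerName>=<token>
      Authorization: <headerName>="<token>"
      Authorization: <headerName> <token>
      <headerName>: <token>
    Header-name lookup is case-sensitive here; a real servlet request normalises names.
    """
    auth = headers.get("Authorization")
    if auth is not None:
        pattern = r'^\s*' + re.escape(header_name) + r'(?:\s*=\s*|\s+)"?([^"\s]+)"?\s*$'
        m = re.match(pattern, auth)
        if m:
            return m.group(1)
    direct = headers.get(header_name)
    if direct is not None:
        return direct.strip()
    return None


def decode_token(raw):
    """Undo the Base-64 layer if present, then the GZIP layer if present, and return XML text."""
    data = raw.encode("utf-8")
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        decoded = data  # not Base-64: the token was sent as plain UTF-8 XML
    if decoded[:2] == b"\x1f\x8b":  # GZIP magic bytes
        decoded = gzip.decompress(decoded)
    return decoded.decode("utf-8")


def extract_issuer(xml_text):
    """Return the text of <saml:Issuer> from a bare Assertion or a Response wrapping one."""
    # For untrusted input in production, parse with a hardened XML parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    assertion_tag = f"{{{SAML_ASSERTION_NS}}}Assertion"
    assertion = root if root.tag == assertion_tag else root.find(f".//{assertion_tag}")
    if assertion is None:
        raise ValueError("no SAML 2.0 Assertion element found")
    issuer = assertion.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("Assertion has no Issuer")
    return issuer.text.strip()


def validate_inbound_token(headers, trusted_inbound_realms):
    """Parse, decode and issuer-check an inbound request; returns a result dict."""
    raw = extract_raw_token(headers)
    if raw is None:
        return {"accepted": False, "reason": "no SAML token header present"}
    try:
        issuer = extract_issuer(decode_token(raw))
    except (ValueError, OSError, EOFError, ET.ParseError) as exc:
        return {"accepted": False, "reason": f"token could not be decoded: {exc}"}
    if issuer not in trusted_inbound_realms:
        return {"accepted": False, "issuer": issuer,
                "reason": f"issuer {issuer!r} is not a trusted inbound realm"}
    return {"accepted": True, "issuer": issuer}


# Constructed sample assertion and trusted realm (made up for this example, not real values).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test/saml</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
TRUSTED_REALMS = {"https://idp.example.test/saml"}


def build_sample_headers(layout):
    """Build constructed request headers in each of the four layouts the page lists."""
    b64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()
    gz_b64 = base64.b64encode(gzip.compress(SAMPLE_ASSERTION.encode())).decode()
    return {
        "auth_eq": {"Authorization": f"{HEADER_NAME}={b64}"},
        "auth_quoted": {"Authorization": f'{HEADER_NAME}="{b64}"'},
        "auth_space": {"Authorization": f"{HEADER_NAME} {gz_b64}"},  # Base-64 of GZIP
        "direct": {HEADER_NAME: SAMPLE_ASSERTION},  # plain UTF-8 XML in its own header
    }[layout]


if __name__ == "__main__":
    for layout in ("auth_eq", "auth_quoted", "auth_space", "direct"):
        print(layout, validate_inbound_token(build_sample_headers(layout), TRUSTED_REALMS))
    print("untrusted", validate_inbound_token(build_sample_headers("auth_eq"), {"https://other.example.test"}))
```

The issuer check mirrors the "Trusted authentication realms - inbound" step: a token from an issuer that has not been granted inbound trust is rejected before any identity is established, which is the behaviour you should confirm after applying the configuration.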
Results
These steps establish the minimum configuration required for a Trust Association Interceptor on a WebSphere Application Server that can process SAML tokens sent in the request header of an inbound web request.