IBM Support

Configuring federated single sign-on with IBM Content Navigator containers using SAML 2.0

White Papers


Abstract

This document contains instructions for configuring federated single sign-on (SSO) with IBM Content Navigator containers using SAML 2.0. The instructions apply to IBM Content Navigator 3.0.8 and later versions when used with a FileNet P8 repository.

Note:
The steps described in this document are for guidance only. The steps might be different in your environment and might require further modification depending on your requirements. Consult with your site administrator for environmental modifications.

Content

Before you begin

Before you start this procedure,

Deploy and configure Content Navigator with SAML SSO

  1. Prepare the federation metadata file for the IdP server and create the SAML configuration file SAMLDefaultSP.xml for IBM Content Navigator, as follows:
    1. Export the federation metadata file idpMetadata.xml from your IdP server.
    2. Copy the federation metadata file idpMetadata.xml to the shared overrides folder of ICN.
    3. Create the SAML SSO configuration file SAMLDefaultSP.xml for ICN. You can give this file a different name if you prefer. Following is a sample SAMLDefaultSP.xml file:

      <server description="new server">
          <!-- Configuration for default SAMLSP -->
          <featureManager>
              <feature>samlWeb-2.0</feature>
          </featureManager>
          <samlWebSso20 id="defaultSP"
              mapToUserRegistry="User"
              disableLtpaCookie="false"
              allowCustomCacheKey="false"
              authFilterRef="myAuthFilter"
              idpMetadata="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/idpMetadata.xml">
          </samlWebSso20>
          <authFilter id="myAuthFilter">
              <requestUrl id="ICNRequestUrl" urlPattern="/navigator" matchType="contains" />
          </authFilter>
      </server>

      The parameters provided in the sample are the minimum set required for configuring IBM Content Navigator with SAML SSO. There are a number of optional parameters that might also be applicable to your environment.

      Refer to the following WebSphere Liberty documentation for a description of all available parameters: https://www.ibm.com/docs/en/was-liberty/base?topic=configuration-samlwebsso20

      Additional information on configuring WebSphere Liberty for SAML is available here:
      https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc

      Note:

      The ICN application does not allow requests for static resources without authentication. Customized code that references static resources, such as js or css files, might therefore cause ICN access issues. To resolve this issue, configure the WebSphere Liberty authFilter for the static resources. Following is a sample of how to update the authFilter in the WebSphere Liberty SAMLDefaultSP.xml file:

      <server description="new server">
          <!-- Configuration for default SAMLSP -->
          <featureManager>
              <feature>samlWeb-2.0</feature>
          </featureManager>
          <samlWebSso20 id="defaultSP"
              mapToUserRegistry="User"
              disableLtpaCookie="false"
              allowCustomCacheKey="false"
              authFilterRef="myAuthFilter"
              idpMetadata="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/idpMetadata.xml">
          </samlWebSso20>
          <authFilter id="myAuthFilter">
              <requestUrl id="ignoreStaticElements" urlPattern="js|css|jpg|png" matchType="notContain"/>
          </authFilter>
      </server>

  2. Change the file permissions of the idpMetadata.xml and SAMLDefaultSP.xml files on the Red Hat OpenShift Container Platform.

    If your IBM Content Navigator shared overrides folder path is /icncfgstore/icn/configDropins/overrides, use the following two commands to update the file permissions:

    chgrp -R 0 /icncfgstore/icn/configDropins/overrides
    chmod -R g=u /icncfgstore/icn/configDropins/overrides

    If you use a container platform other than Red Hat OpenShift Container Platform, use the appropriate commands to make the two files accessible from the IBM Content Navigator container instance.

  3. Use the Operator to deploy the IBM Content Navigator SSO container. For the detailed deployment information, refer to the following documentation. The steps vary depending on the version of FileNet P8 being used with IBM Content Navigator: https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=operator-deploying

    Note:

    Before deploying IBM Content Navigator using the Operator, ensure the following value is added to the JVM parameter JVM_CUSTOMIZE_OPTIONS in the IBM Content Navigator and Content Platform Engine deployment YAML file:

    -DFileNet.WSI.AutoDetectLTPAToken=true

  4. Once the IBM Content Navigator container is deployed, configure the IdP server for your IBM Content Navigator instance.
    1. Export your IBM Content Navigator service provider metadata as follows:

      Use a browser to download the service provider (SP) metadata from this URL:
      https://<icn_access_url>/ibm/saml20/defaultSP/samlmetadata; for example, https://navigator-saml.9.30.198.136.nip.io/ibm/saml20/defaultSP/samlmetadata.

    2. Create a federation partner on your IdP server that uses the metadata file exported in the prior step. Make sure the signature algorithm type for the IBM Content Navigator container is RSA-SHA256.

      For detailed steps on creating a federation partner, refer to your IdP server documentation. For IBM Security Access Manager refer to https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/task/creating_wsfed_partner.html.

    3. Set up your IdP server to trust your IBM Content Navigator server. For IBM Security Access Manager, import the IBM Content Navigator SSL certificate and the root CA certificate into the IBM Security Access Manager trust keystore.
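The metadata exchanged in step 1 (idpMetadata.xml from the IdP) and step 4 (the SP metadata downloaded from /ibm/saml20/defaultSP/samlmetadata) is what each side trusts, so it is worth inspecting both files before creating the federation partner. The following Python script is an added example, not code from IBM or from this document: it parses either kind of SAML 2.0 EntityDescriptor with the standard library, reports the entityID, the SSO or assertion-consumer endpoints, the algorithm declared on the metadata's own signature (compared against the RSA-SHA256 URI; the signature is only reported, not verified), and the SHA-256 fingerprint of each signing certificate, which you can compare out of band with what the IdP administrator expects. A second function confirms that every SP endpoint sits under the ICN access URL. The embedded IdP and SP metadata are constructed; the idp.example.test host, the placeholder certificate bytes and the assumed Liberty default paths (entityID .../ibm/saml20/defaultSP and the /acs endpoint) are not taken from the page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def summarize_metadata(xml_text):
    """Pull entityID, role, endpoints, metadata signature algorithm and signing-cert
    SHA-256 fingerprints out of a SAML 2.0 EntityDescriptor (IdP or SP)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    endpoint_tag = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
    # Algorithm declared on the metadata signature, if the file is signed at all.
    # The signature is only reported here, not verified.
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    info = {
        "entityID": root.get("entityID"),
        "role": "IdP" if idp is not None else "SP",
        "endpoints": [(ep.get("Binding"), ep.get("Location"))
                      for ep in role.findall(endpoint_tag, NS)],
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "signing_cert_sha256": [],
    }
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # PEM body -> DER bytes
            info["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    return info


def check_endpoints_under(info, base_url):
    """Return the entityID/endpoint URLs that are not under base_url (empty list = all match).
    Used to confirm the SP metadata points the IdP back at the ICN access URL."""
    base = base_url.rstrip("/") + "/"
    bad = [loc for _, loc in info["endpoints"] if not loc.startswith(base)]
    if not info["entityID"].startswith(base):
        bad.append(info["entityID"])
    return bad


# Constructed placeholder, not a real certificate: enough to exercise the fingerprinting.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
XMLNS = 'xmlns:md="%s" xmlns:ds="%s"' % (NS["md"], NS["ds"])
KEY = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       + FAKE_CERT_B64 + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed IdP metadata (stand-in for idpMetadata.xml); the idp.example.test host is invented.
IDP_METADATA = f"""<md:EntityDescriptor {XMLNS} entityID="https://idp.example.test/saml/idp">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {KEY}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata shaped like what /ibm/saml20/defaultSP/samlmetadata returns; the
# entityID and /acs endpoint paths are assumptions about Liberty's defaults.
ICN_URL = "https://navigator-saml.9.30.198.136.nip.io"
SP_METADATA = f"""<md:EntityDescriptor {XMLNS} entityID="{ICN_URL}/ibm/saml20/defaultSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {KEY}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{ICN_URL}/ibm/saml20/defaultSP/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    idp_info = summarize_metadata(IDP_METADATA)
    print("IdP:", idp_info)
    print("IdP metadata signed with RSA-SHA256:", idp_info["signature_algorithm"] == RSA_SHA256)
    sp_info = summarize_metadata(SP_METADATA)
    print("SP:", sp_info)
    print("SP endpoints outside the ICN access URL:", check_endpoints_under(sp_info, ICN_URL))
```

Run it against the real files by replacing the two constructed strings with the contents of idpMetadata.xml and the downloaded SP metadata. A fingerprint that differs from the one the IdP administrator supplies, or an SP endpoint that points at a host other than the ICN access URL, is something to resolve before creating the partner, because the IdP will send assertions only to the locations listed in the SP metadata.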

Troubleshooting

To troubleshoot the SAML SSO configuration, add the following logging configuration to the server by creating an XML file with this content and copying it to the overrides folder:

    <server>
      <!-- WAS tracing  -->
      <logging traceSpecification="com.ibm.ws.webcontainer*=all:com.ibm.wsspi.webcontainer*=all:HTTPChannel=all:GenericBNF=all:HTTPDispatcher=all:org.apache.xml.security.*=all:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.*=all:com.ibm.ws.http.*=all:com.ibm.ws.ssl.*=all:com.ibm.ws.channel.ssl.*=all:com.ibm.ws.transport.http.*=all:com.ibm.websphere.channelfw.ChannelUtils=all:org.opensaml.*=all" traceFileName="trace.log" maxFileSize="20" maxFiles="10" traceFormat="BASIC" />
    </server>
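Before turning on the trace above, it is worth ruling out the simpler failure modes in the SAMLDefaultSP.xml override itself: a file that is not well-formed XML (for example, an authFilter element left unclosed), a missing samlWeb-2.0 feature, an authFilterRef that names no authFilter, or a requestUrl rule with an unsupported matchType. The following Python script is an added example, not part of IBM's documentation, that checks an override file for those defects. The embedded configurations are constructed from this page's two samples; combining the /navigator rule and the static-resource exclusion into one authFilter, and the set of accepted matchType values, are assumptions to confirm against the Liberty samlWebSso20 and authFilter documentation for your version.

```python
import xml.etree.ElementTree as ET

# matchType values the Liberty authFilter requestUrl element accepts; assumed here
# to be the complete set, so check the authFilter docs for your Liberty version.
VALID_MATCH_TYPES = {"contains", "notContain", "equals"}


def validate_saml_sp_config(xml_text):
    """Return a list of findings for a Liberty SAML SP override file; an empty list means OK."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # An unclosed element such as a missing </authFilter> ends up here; Liberty
        # cannot load such an override file, so no SAML processing happens at all.
        return [f"not well-formed XML: {err}"]
    findings = []
    if root.tag != "server":
        findings.append(f"root element is <{root.tag}>, expected <server>")
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "samlWeb-2.0" not in features:
        findings.append("featureManager does not enable samlWeb-2.0")
    filters = {af.get("id"): af for af in root.iter("authFilter")}
    sps = list(root.iter("samlWebSso20"))
    if not sps:
        findings.append("no samlWebSso20 element")
    for sp in sps:
        sp_id = sp.get("id", "<no id>")
        if not sp.get("idpMetadata"):
            findings.append(f"samlWebSso20 {sp_id}: idpMetadata attribute missing")
        ref = sp.get("authFilterRef")
        if ref is None:
            findings.append(f"samlWebSso20 {sp_id}: authFilterRef not set")
        elif ref not in filters:
            findings.append(f"samlWebSso20 {sp_id}: authFilterRef '{ref}' matches no authFilter id")
    for fid, af in filters.items():
        rules = af.findall("requestUrl")
        if not rules:
            findings.append(f"authFilter {fid}: no requestUrl rule")
        for rule in rules:
            rid, mt = rule.get("id"), rule.get("matchType")
            if mt not in VALID_MATCH_TYPES:
                findings.append(f"authFilter {fid}: requestUrl {rid} has unknown matchType {mt!r}")
            if not rule.get("urlPattern"):
                findings.append(f"authFilter {fid}: requestUrl {rid} has no urlPattern")
    return findings


IDP_METADATA_PATH = "/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/idpMetadata.xml"

# Constructed from the page's two samples: the /navigator rule plus the static-resource
# exclusion in one authFilter (combining them is an assumption), with every tag closed.
GOOD_CONFIG = f"""<server description="new server">
    <featureManager><feature>samlWeb-2.0</feature></featureManager>
    <samlWebSso20 id="defaultSP" mapToUserRegistry="User" disableLtpaCookie="false"
        allowCustomCacheKey="false" authFilterRef="myAuthFilter" idpMetadata="{IDP_METADATA_PATH}"/>
    <authFilter id="myAuthFilter">
        <requestUrl id="ICNRequestUrl" urlPattern="/navigator" matchType="contains"/>
        <requestUrl id="ignoreStaticElements" urlPattern="js|css|jpg|png" matchType="notContain"/>
    </authFilter>
</server>"""

# Same content with the </authFilter> closing tag left out.
BROKEN_CONFIG = GOOD_CONFIG.replace("    </authFilter>\n", "")

# Same content, but the authFilter id no longer matches authFilterRef.
DANGLING_CONFIG = GOOD_CONFIG.replace('authFilter id="myAuthFilter"', 'authFilter id="otherFilter"')

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG), ("dangling", DANGLING_CONFIG)]:
        print(name, validate_saml_sp_config(cfg) or ["OK"])
```

To check a deployed file, read it from the shared overrides folder and pass its text to validate_saml_sp_config; the script deliberately uses only the standard library so it can run from any host that can read the overrides volume.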


Product Synonym

Content Navigator

Document Information

Modified date:
05 April 2022

UID

ibm16219234