
SAML: How to configure SAML for WebSphere Application Server traditional

How To


Summary

How to configure SAML web SSO for WebSphere Application Server traditional

Objective

This example uses the WebSphere administrative console to configure the SAML web SSO TAI to protect your application. The snoop application is used in the example.

The example is performed in 3 phases:

  1. Protect the snoop application with the SAML TAI without requiring a certificate from the identity provider (IdP).
  2. Add the IdP's signer certificate to the trust store and modify the SAML TAI configuration to trust the IdP.
  3. Modify the SAML TAI configuration to protect your application.

The configuration is split into three phases so that it is easier to debug problems that you might encounter. Troubleshooting steps are provided to help if you have problems at runtime.

Environment

This task uses WebSphere Application Server traditional, the snoop application, and your own identity provider.  Take note of the following assumptions and the steps that you need to take before you begin.
    

Assumptions

  • The host and SSL port of the local system in this task is example.com:9443
    • You can find the SSL port to use as the value for WC_defaulthost_secure in the file (profileRoot)/config/cells/(cellName)/nodes/(nodeName)/serverindex.xml
    • (profileRoot) is usually (WAS_HOME)/profiles/(profileName), but it might be in another path.
    • When you perform this task, replace example.com:9443 with the host and port of your own host and SSL port.
  • You have SAML Identity Provider (IdP) and you are, or can contact, your IdP administrator.
    • The IdP administrator exports a metadata file or signing certificate from the IdP and you obtain the file from your IdP administrator.
  • Your IdP hostname is idp.example.com with an IdP-initiated login page of https://idp.example.com/samlLogin/idpInitiated?target=snoop that is associated with ACS URL https://example.com:9443/samlsps/acs
    • When you perform this task, replace the values with the ones that are valid for your IdP.  The ACS URL belongs to your WebSphere server and you replace the host and port.
  • You are performing bookmark style SSO login as described on SAML single sign-on scenarios, features, and limitations
    • In this scenario, the request is sent to WebSphere first.  The user is then redirected to the IdP for login.  From the IdP's point of view, it is an IdP-initiated login.  After the user logs in, the IdP redirects to the ACS URL that is in its configuration for the login URL.
  • The WebSphere DefaultApplication is installed.
    • This application provides the snoop endpoint.
  • WebSphere security is enabled.
  • The WebSphere global security domain is used.
  • The WebSphere administrative console is used to configure the SAML TAI.
  • Your logs directory is (was_home)/WebSphere/AppServer/profiles/(profileName)/logs/(serverName)
  • Your trace file is (was_home)/WebSphere/AppServer/profiles/(profileName)/logs/(serverName)/trace.log

Before you begin


Steps

  1. Start the WebSphere administrative console as an administrator and log in as an administrator.
  2. Install the SAML TAI ear file, WebSphereSamlSP.ear, from the installableApps directory:
    1. Navigate to Applications > Application Types > WebSphere enterprise applications.
    2. If an application with the name WebSphereSAMLSP is already installed, skip to the next numbered step.
    3. Click Install
    4. Under Local file system, click Browse
    5. Navigate to (was_home)/installableApps directory.
    6. Choose WebSphereSamlSp.ear
    7. Click Open
    8. Click Next on each subsequent panel, then click Finish.
    9. Wait for the application to install, then click Save.
    10. WebSphereSAMLSP is now installed and its Application Status is Stopped.
  3. Find your realm name (If you are using 8.5.5.23 or 9.0.5.13 or later, this step is not required)
    1. Navigate to Security > Global security
    2. Your realm name is in the Realm name field under User account repository.
      • The default value is defaultWIMFileBasedRealm
      • Save this value for later.
  4. Enable trust association:
    1. Click Web and SIP security > Trust association
    2. If Enable trust association is not checked, check it, then click Apply
  5. Add the SAML TAI to the list of interceptors:
    1. Click Interceptors
      • Full path: Security > Global security > Web and SIP security > Trust association > Interceptors
    2. If the SAML TAI is already in the list, skip to the next numbered step.
    3. Click New
    4. Enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor in the Interceptor class name field.
    5. Click OK
  6. Configure the SAML TAI:
    1. Click com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
      • From this point on, this task assumes that the SAML TAI was not previously configured.  If it was, custom properties with sso_(id) prefixes might already be configured for the TAI.
      • This task uses the prefix sso_1.  Substitute a prefix that is not already in use when you run the task.
      • This task uses sso_(id).acsUrl=https://example.com:9443/samlsps/acs and a filter that intercepts the snoop application.
        • Note: If any existing config entry conflicts with these settings, you must disable it to get successful results from this task.
    2. Add custom properties to the SAML TAI:
      • Note: All custom property names and values are case sensitive.
      • Click New, then add the following custom properties, replacing all example.com URLs with your own:
        • Property: sso_1.acsUrl
          Value: https://example.com:9443/samlsps/acs
          Comments: The URL to which the IdP sends requests.
        • Property: sso_1.sp.filter
          Value: request-url%=/snoop
          Comments: This filter tells the SAML TAI to intercept all requests with a URL that contains the string /snoop.
        • Property: sso_1.sp.login.error.page
          Value: https://idp.example.com/samlLogin/idpInitiated?target=snoop
          Comments: The IdP-initiated login URL for your application on your IdP.
        • Property: sso_1.sp.acsErrorPage
          Value: https://www.example.com
          Comments: An error page to which the user is redirected when the SAML token fails validation or authentication.
        • Property: sso_1.sp.useRealm
          Value: defaultWIMFileBasedRealm
          Comments: Set this to the realm name that you saved when you found your realm name earlier in this task.  If you are using 8.5.5.23 or 9.0.5.13 or later, you can set the value to WAS_DEFAULT.
        • Property: sso_1.sp.redirectToIdPonServerSide
          Value: false
          Comments: When redirectToIdPonServerSide is set to false, JavaScript is used to send the login request to the IdP.  This setting prevents fragments in the request URL from being lost.
        • Property: sso_1.sp.trustAnySigner
          Value: true
          Comments: For the first test, you trust any signer.  After you get through a successful test, you go back, add the IdP's signer certificate, and trust only that signer.
    3. Add the required global security custom properties:
      1. Navigate to Security > Global security > Custom properties
      2. Add or change the value for the com.ibm.websphere.security.DeferTAItoSSO property:
        1. If the com.ibm.websphere.security.DeferTAItoSSO property is in the list of properties, click on the property name.  Otherwise, click New.
        2. Enter the following values:
          • Name: com.ibm.websphere.security.DeferTAItoSSO
          • Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
        3. Click OK
      3. Add or change the value for the com.ibm.websphere.security.InvokeTAIbeforeSSO property:
        1. If the com.ibm.websphere.security.InvokeTAIbeforeSSO property is in the list of properties, and the com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor class name is already in its list of values, skip to the next numbered step.
        2. If the com.ibm.websphere.security.InvokeTAIbeforeSSO property is in the list of properties, click on the property name.  Otherwise, click New.
        3. Enter the Name com.ibm.websphere.security.InvokeTAIbeforeSSO
          • If there is already a value in the Value field, go to the end of the value, add a comma, then add the value com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
          • Otherwise, set the value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
        4. Click OK
  7. Save the configuration and log out of the administrative console:
    1. Click Save
    2. Log out of the administrative console.
  8. Restart your server:
    1. Stop your server.
    2. Clear your logs directory.
    3. Start your server.
  9. Export your SAML SP configuration into a metadata file and give it to your IdP administrator.
    1. Start wsadmin
    2. Run the following admin task:
      AdminTask.exportSAMLSpMetadata('-spMetadataFileName /tmp/spdata.xml -ssoId 1')
      Where /tmp is a temporary directory on your workstation.
    3. Give the spdata.xml file to your IdP administrator to import to your IdP.
    4. Wait for confirmation of the import.
  10. In a new browser window, navigate to https://example.com:9443/snoop
    • Note: It is important that the host and port of the URL in the browser's address bar match the host and port of the configured acsUrl.
      Otherwise, the SAML TAI does not have access to its required cookies when the IdP redirects back to the WebSphere server after the user logs in.
    • The user is redirected to the IdP to log in.
    • After the user logs in, the snoop application is displayed in the browser.
  11. If any of the results in the previous step did not happen, proceed to the Troubleshoot tab at the top of this document.
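The following Python script is an added example, not IBM's code or part of this document: it re-creates the checks a practitioner does before opening the browser in step 10, using a constructed copy of the step 6 custom properties and a constructed stand-in for the spdata.xml that step 9 exports. It evaluates the %= (contains) filter against the URL you browse to, compares the browser host:port with the acsUrl, confirms the acsUrl is advertised as an AssertionConsumerService Location in the metadata, and flags trustAnySigner=true so it is not left on after the first test.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the custom properties from the table in step 6 (not exported from a server).
TAI_PROPS = {
    "sso_1.acsUrl": "https://example.com:9443/samlsps/acs",
    "sso_1.sp.filter": "request-url%=/snoop",
    "sso_1.sp.useRealm": "defaultWIMFileBasedRealm",
    "sso_1.sp.trustAnySigner": "true",
}

# Constructed stand-in for the spdata.xml written by exportSAMLSpMetadata in step 9.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example.com:9443/samlsps/acs">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com:9443/samlsps/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

def filter_matches(filter_expr, request_url):
    """Evaluate a 'request-url%=<text>' filter: true when the request URL contains <text>."""
    name, op, needle = filter_expr.partition("%=")
    if name.strip() != "request-url" or op != "%=":
        raise ValueError("only the request-url%=... form used in this task is handled")
    return needle in request_url

def acs_locations(metadata_xml):
    """Every AssertionConsumerService Location advertised in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]

def host_port(url):
    """(hostname, port) of a URL, defaulting the port from the scheme."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def check_sso(props, metadata_xml, browser_url, sso_id="1"):
    """Return the problems found; an empty list means the settings are consistent."""
    p = f"sso_{sso_id}."
    acs_url = props[p + "acsUrl"]
    problems = []
    if not filter_matches(props[p + "sp.filter"], browser_url):
        problems.append("sp.filter does not match the browser URL, so the TAI will not intercept it")
    if host_port(browser_url) != host_port(acs_url):
        problems.append("browser host:port differs from acsUrl, so the TAI will not see its cookies")
    if acs_url not in acs_locations(metadata_xml):
        problems.append("acsUrl is not an AssertionConsumerService Location in the SP metadata")
    if props.get(p + "sp.trustAnySigner", "false").lower() == "true":
        problems.append("trustAnySigner=true: any signer is accepted; use only for the first test")
    return problems
```

Run it against your own exported spdata.xml and property values; an empty list from check_sso means the browser URL, filter, acsUrl and metadata agree.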

Next step

Now that you have protected the snoop application by trusting any signer, you'll want to add the IdP's signer certificate so that you trust SAML Responses only from your IdP.
Proceed to the Add IdP signer certificate tab above.


Document Information

Modified date:
25 September 2024

UID

ibm16854721