
Enabling SAML SSO on WebSphere 8.5 with a Shibboleth IdP

I’ll lay out all the steps to configure the TAI for SP-redirected SSO, with example values. The first half of the configuration is documented reasonably well by IBM; I’ve included a slightly modified version of the first two components. The IBM documentation is weak on some of the specific values required and says nothing about the Shibboleth-specific configuration (to be expected). These steps can also be adapted to a Ping Identity IdP.

 

Values used in this write-up:

  • BPM host: bpm.example.com
  • clusterName: ENV.SingleCluster

Enabling your system to use the SAML web single sign-on (SSO) feature

http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_enablesamlsso.html

 

Install the SAML ACS application (WebSphereSamlSP) by using the supplied Jython script.

  • Navigate to the app_server_root/bin directory.
  • Run the installSamlACS.py script.

wsadmin -f installSamlACS.py install <clusterName>

 

Example value:

./wsadmin.sh -f installSamlACS.py install ENV.SingleCluster

 

  • Enable the SAML TAI. You can do this with either the wsadmin command utility or the administrative console; the wsadmin steps follow.
  • Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
  • At the wsadmin prompt, enter the following command: AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern string>') where hostname is the host name of the system where WebSphere Application Server is installed and sslport is the web server SSL port number (WC_defaulthost_secure). Use the externally visible host and port (the web server’s, if IHS fronts the cluster): the IdP posts the response to this URL, and the value becomes the SP’s assertion consumer service URL and, by default, its SAML entity ID, so it must match the ACS location in the exported SP metadata exactly.

 

Example value:

AdminTask.addSAMLTAISSO('-enable true -acsUrl https://bpm.example.com/samlsps/ProcessPortal')

 

  • Save the configuration by entering the following command: AdminConfig.save().
  • Exit the wsadmin command utility by entering the following command: quit.
  • Restart the WebSphere Application Server.

 

 

Add the Defer and Invoke properties in global security

 

  • Go to Security > Global security and click Custom properties.
  • Click New and define the following custom property information under General properties: Name: com.ibm.websphere.security.DeferTAItoSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
  • Click New and define the following custom property information under General properties: Name: com.ibm.websphere.security.InvokeTAIbeforeSSO and Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
  • Click OK.
  • Restart WebSphere Application Server.

 

Configuring single sign-on (SSO) partners

Add an identity provider using metadata of the identity provider.

  • Start the wsadmin command-line utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
  • At the wsadmin prompt, enter the following command: AdminTask.importSAMLIdpMetadata('-idpMetadataFileName <IdPMetaDataFile> -idpId 1 -ssoId 1 -signingCertAlias <idpAlias>') where <IdPMetaDataFile> is the full path name of the IdP metadata file and <idpAlias> is any alias name that you choose for the imported IdP signing certificate. The import also creates the sso_1.idp_1.* TAI properties (EntityID, SingleSignOnUrl) from the metadata.
  • Save the configuration by entering the following command: AdminConfig.save().
  • Exit the wsadmin command utility by entering the following command: quit.
  • Restart the WebSphere Application Server.

Example values:

./wsadmin.sh -lang jython

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/idp-metadata.xml -idpId 1 -ssoId 1 -signingCertAlias shibcert')

AdminConfig.save()

quit

Add IdP realms to the list of inbound trusted realms. For each identity provider that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by the identity provider. The realm the TAI assigns to an incoming assertion is, by default, the assertion’s Issuer, which for Shibboleth is the IdP EntityID (https://idp.example.com/idp/shibboleth in this write-up).

You can grant inbound trust to the identity providers using either the administrative console or the wsadmin command utility.

  • Add inbound trust using the administrative console.
  1. Click Global security.
  2. Under User account repository, click Configure.
  3. Click Trusted authentication realms - inbound.
  4. Click Add External Realm.
  5. Fill in the external realm name.
  6. Click OK and save changes to the master configuration.

 

If IBM HTTP Server (IHS) fronts the cluster, also map the WebSphereSamlSP application module to the web server, otherwise the IdP’s POST to /samlsps/* never reaches the ACS:

[image: Map.png]

 

The following TAI custom properties need to be set before you export the SAML metadata from WebSphere. They are found under:

Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

  Name                              Value
  sso_1.sp.acsUrl                   https://bpm.example.com:443/samlsps/ProcessPortal
  sso_1.sp.idMap                    localRealm
  sso_1.idp_1.EntityID              https://idp.example.com/idp/shibboleth
  sso_1.idp_1.SingleSignOnUrl       https://idp.example.com/idp/profile/SAML2/POST/SSO
  sso_1.sp.filter                   request-url^=/ProcessPortal|/ProcessPortal/jsp/index.jsp
  sso_1.sp.targetUrl                https://bpm.example.com/ProcessPortal
  sso_1.sp.useRelayStateForTarget   false
  sso_1.sp.enforceTaiCookie         false
  sso_1.sp.login.error.page         https://idp.example.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://bpm.example.com/samlsps/ProcessPortal
  sso_1.sp.keyStore                 NodeDefaultKeyStore (CellDefaultKeyStore on a clustered ND cell)
  sso_1.sp.keyAlias                 default
  sso_1.sp.keyPassword              password (placeholder for the real password of that key alias)

A few of these deserve a comment. idMap=localRealm means the TAI takes the NameID from the assertion and looks that user up in WebSphere’s own user registry, so the IdP must send an identifier that exists there. The filter operator ^= means “contains one of” (alternatives separated by |), not “starts with”, so it also matches any other URL that contains /ProcessPortal. login.error.page is where the TAI sends an unauthenticated browser; pointing it at the IdP’s Unsolicited/SSO endpoint with providerId set to the SP entity ID is what turns IdP-initiated SSO into the SP-redirected flow. The acsUrl here carries an explicit :443 while the addSAMLTAISSO example omits it; pick one spelling and use it everywhere (TAI property, exported metadata, providerId), since the IdP compares these strings literally.

 

**Do not add sso_1.sp.login.error.page until IdP-initiated login is working.** Once it is set, every unauthenticated request is redirected to the IdP, so a broken IdP side shows up as a redirect loop instead of an error you can read.
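To see exactly which requests the sso_1.sp.filter value above hands to the TAI, here is an added example (mine, not IBM’s code) that evaluates a filter expression against a request URL and headers. It implements the operator semantics IBM documents for TAI filters (==, !=, %= contains, ^= contains one of, ; as AND); the assumptions that request-url is compared against the full URL string and that any other key names an HTTP header are mine, and the sample URLs are constructed.

```python
"""Evaluate a sso_<n>.sp.filter expression against a request.

Added example, not IBM code. Operator semantics follow the WebSphere TAI
filter documentation: '==' equals, '!=' not equal, '%=' contains,
'^=' contains one of several '|'-separated values, and ';' joins
conditions with AND. Assumptions: 'request-url' is matched against the
full request URL string; any other key is matched against the HTTP header
of that name, case-insensitively.
"""

OPERATORS = ("==", "!=", "%=", "^=")

# The filter used in this write-up, as constructed sample input.
PAGE_FILTER = "request-url^=/ProcessPortal|/ProcessPortal/jsp/index.jsp"


def parse_filter(spec):
    """Split 'key op value; key op value' into (key, op, value) triples.

    The leftmost operator wins, so a value that itself contains '==' (for
    example base64 padding in a query string) still parses correctly.
    """
    conditions = []
    for clause in spec.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        found = [(clause.find(op), op) for op in OPERATORS if op in clause]
        if not found:
            raise ValueError("no operator in filter clause: %r" % clause)
        _, op = min(found)
        key, value = clause.split(op, 1)
        conditions.append((key.strip(), op, value.strip()))
    return conditions


def _holds(op, actual, expected):
    if op == "==":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "%=":
        return expected in actual
    if op == "^=":
        # "contains one of": an alternative may appear anywhere in the value
        return any(alt in actual for alt in expected.split("|"))
    raise ValueError(op)


def tai_intercepts(spec, request_url, headers=None):
    """True when every condition holds, i.e. the TAI would handle this request."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    for key, op, expected in parse_filter(spec):
        actual = request_url if key == "request-url" else headers.get(key.lower(), "")
        if not _holds(op, actual, expected):
            return False
    return True


if __name__ == "__main__":
    for url in (
        "https://bpm.example.com/ProcessPortal",
        "https://bpm.example.com/ProcessPortal/jsp/index.jsp",
        "https://bpm.example.com/ProcessPortalAdmin/",   # matches too: '^=' is contains, not prefix
        "https://bpm.example.com/rest/bpm/wle/v1/exposed",
    ):
        print(tai_intercepts(PAGE_FILTER, url), url)
```

Two things the run makes visible: the second alternative in the page’s filter is redundant, because any URL containing /ProcessPortal/jsp/index.jsp already contains /ProcessPortal, and the filter also catches unrelated applications whose context root merely contains that string, which is why a tighter %= or == condition, or an extra != clause, is sometimes wanted.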

 

The last three properties (sso_1.sp.keyStore, keyAlias, keyPassword) identify the SP’s key pair; they are needed so that the exported SAML metadata includes the certificate the IdP will use to encrypt assertions to the SP. My suggestion is to create a separate certificate for encryption rather than reusing the default node or cell certificate. Next we’ll export the SAML metadata from WebSphere. Use a distinct filename per environment so the files are never mixed up on the IdP side.

Example values:

./wsadmin.sh -lang jython

AdminTask.exportSAMLSpMetadata('-spMetadataFileName /tmp/spdata.xml -ssoId 1')

 

Note:

If encrypted assertions cause a redirect loop, the three sp.key* properties can be removed or left out. The export includes certificate information only when all three are set; without a KeyDescriptor in the SP metadata the IdP has no key to encrypt to and sends the assertion signed but in the clear.

 

 

The exported metadata can now be added to Shibboleth. The relying-party configuration for the WebSphere SP is set up for unsolicited, IdP-initiated SSO. Because BPM requires users to be mapped to the localRealm, the only value the assertion needs to carry is the user’s UID as the NameID; the TAI looks that value up in the WebSphere user registry, so it must be the same identifier BPM knows the user by.
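As an added example (mine, not from this page or the Shibboleth project), the IdP-side fragments that go with the values above, written for the Shibboleth IdP v3 conf/ layout (v2 syntax differs). Assumptions: the exported SP metadata was copied to %{idp.home}/metadata/bpm-example-com-sp.xml, the attribute resolver defines an attribute with id uid, and each fragment is pasted into the file named in its comment.

```xml
<!-- conf/metadata-providers.xml: load the metadata exported from WebSphere.
     The file name is an assumption; keep one file per environment. -->
<MetadataProvider id="WebSphereBPM" xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/bpm-example-com-sp.xml" />

<!-- conf/relying-party.xml: override for the WebSphere SP. The relying party
     id is the SP entityID, which WebSphere derives from sso_1.sp.acsUrl.
     idMap=localRealm on the TAI means the NameID is looked up in the local
     registry, so the uid is sent as an unspecified-format NameID.
     Set encryptAssertions="false" only if the sso_1.sp.key* properties were
     also dropped, so that the SP metadata carries no encryption key. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://bpm.example.com/samlsps/ProcessPortal">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="true"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </list>
    </property>
</bean>

<!-- conf/saml-nameid.xml: inside the shibboleth.SAML2NameIDGenerators list,
     build the NameID from the resolved uid attribute. -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'uid'} }" />

<!-- conf/attribute-filter.xml: the generator only sees attributes released
     to this SP, so release uid to it. -->
<AttributeFilterPolicy id="WebSphereBPM">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://bpm.example.com/samlsps/ProcessPortal" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

After reloading the IdP services, a request to the Unsolicited/SSO URL used for sso_1.sp.login.error.page should return a signed Response whose NameID is the uid, posted to the ACS location taken from the imported SP metadata.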

 

The signer (CA) certificate of the TLS certificate served by the IdP login page should be added to the CellDefaultTrustStore, so that WebSphere trusts the IdP’s HTTPS endpoint:

[image: Cert.png]

After another restart it should be possible to open the Process Portal directly; the TAI redirects the browser to the IdP, and after login the IdP posts the assertion back to the ACS, which signs the user in and sends them to sso_1.sp.targetUrl.

Example values:

https://bpm.example.com/ProcessPortal

 

Logging SAML requests in WebSphere:

Here is an example trace specification for WebSphere that helps with troubleshooting. Note that at this level the trace records the full SAML response, including the NameID and any attributes, so enable it only while debugging and clear the trace files afterwards.

*=info: com.ibm.ws.security.*=detail: com.ibm.ws.security.web.saml.*=detail

 

Helpful links that should cover everything else:

Comprehensive explanation of the various components

It’s not a detailed walkthrough, but it does provide good information for different scenarios.

SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties

This link explains all the TAI custom properties.  It also provides examples of ways to filter which requests invoke the TAI.
