SAML – Enterprise SSO in the WebSphere world
Julius Schwarzweller    


Hi all, this time I want to introduce a very "hot topic" – SAML SSO. I want to give a brief overview of what it is and what role it plays in our WebSphere world.

So let's get started.

What is SAML

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between different security domains. While SAML itself only specifies the data exchange protocol, the term is also used as a generic term for the SSO scenarios built on top of it. SAML is vendor-independent, so systems from a wide range of software manufacturers can be integrated. This in particular makes SAML a real Swiss army knife when it comes to cloud / hybrid cloud integrations. SAML 2.0 is the current standard (since 2005); version 1.1 is still available and in use.

SAML is a very secure procedure, and it is easy to handle.

Customers who think about moving parts of their infrastructure into a cloud should consider using SAML, because it is not mandatory to store registry data (LDAPs) outside the company's network (this depends on the software that is used).

 

How does SAML work

For the general concept, please have a look here

There are two different approaches to how SAML SSO is initiated:

Service Provider initiated SAML

The user accesses a service provider (any SAML-enabled application). The service provider redirects the user to an IdP (Identity Provider, e.g. an ADFS server or ISAM for Web) where the authentication takes place. The IdP then redirects the user back to the service provider, where the user is logged in.

The authentication flow (SP Initiated SAML):

  1. User accesses SP
  2. SP returns "401" and redirects browser to IdP
  3. Browser accesses IdP URL
  4. IdP returns SAML token with assertion to the user
    1. Browser is redirected to SP
    2. Browser sends query to SP with embedded SAML token
    3. SP checks SAML token validity based on the trust relationship with IdP
    4. SP grants access to the resources

Identity Provider initiated SAML

In this case the user first logs in at the IdP in order to be able to use the protected resource. There is no redirect from the SP to the IdP.

The authentication flow (IdP Initiated SAML):


  1. Authentication of user against IdP
  2. IdP returns SAML token with assertion to the user
    1. Browser is redirected to SP
    2. Browser sends query to SP with embedded SAML Token
    3. SP checks SAML token validity based on the trust relationship with IdP
    4. SP grants access to the protected resource

In many cases, SP initiated SAML is used.

WebSphere does not support "pure SP-initiated SAML" in the current version: WebSphere Application Server is not able to create the SAMLRequest that the standard mandates. However, a TAI (Trust Association Interceptor), the ACS application, is available that performs the first step of SP-initiated SAML (the redirect from the SP to the IdP). The ACS application detects that the user is not authenticated and redirects to the IdP (based on the information that was configured while setting up SAML).

 

WebSphere and SAML

Generally, support is given for WebSphere Portal and IBM Connections (the main products I work with). Additionally, many more products such as Domino support SAML. Support for SAML means first of all that the underlying WebSphere Application Server contains the mandatory components to act as a SAML Service Provider.

 

There are some special considerations when talking about SAML support in WebSphere Portal & IBM Connections.

IBM Connections

  • Cognos does not support SAML. In this case you need to set up a separate cell for Cognos and realize SSO via LTPAToken.
  • Mobile app support for SAML is not available.
  • SAML support for HTTP Outbound Connections Service (formerly AJAX Proxy) authentication is rather unclear in IBM Connections. There is some information on how to integrate parts of SmartCloud (which uses SAML), but that's it.
  • SAML support for CCM does not seem to be working.

WebSphere Portal

  • Support for HTTP Outbound Connection Service (formerly AJAX Proxy) authentication via SAML was added in WebSphere Portal 8.5 CF03. So it is quite new and officially supported for ISAM for Web / ADFS server.

 

How to configure WebSphere for SAML usage

In this example I want to show you how to configure WebSphere software for SAML usage. In this case an ADFS server was used as IdP.

Assumption:

I assume that you have already set up the ADFS server and configured it correctly.

Install the ACS application

1. Access the ISC –> https://SERVERNAME.DOMAIN.COM:9043/ibm/console

2. Go to Applications – Install New Middleware Application

3. Choose the AppServer's installableApps directory and select the application "WebSphereSamlSP.ear" – this is the ACS application that performs the redirect of an unauthenticated user to the IdP

4. Map the application to one of the servers (InfraCluster, for example) and map it to the web server

5. Regenerate the WebSphere plugin, sync the nodes, restart the web server and start the "WebSphere SamlSPWeb" application

Configure WebSphere TAI

1. Go to Security – Global Security – Web and SIP Security – Trust association

2. Click "New" and enter the Interceptor class name:

com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

3. In the next step you need to define custom properties for this interceptor.

The following explanations are taken from IBM's Knowledge Center:

sso_1.sp.acsUrl

This property specifies the URL of the ACS or business application.

sso_1.sp.idMap

This property specifies how the SAML token is mapped to the subject.

The following values are valid:

  • idAssertion (default) – the user specified in the SAML assertion is not checked in the local registry
  • localRealm – the SAML token user is verified in the local user registry
  • localRealmThenAssertion – if the user is found in the local registry, IDAssertion is used

sso_1.sp.trustStore

This property specifies the truststore for validating the SAML signature. It is the name of a managed keystore, i.e. the keystore into which you import the ADFS server certificate.

sso_1.sp.targetUrl

The target URL the user is redirected to after the SAMLResponse has been validated.

sso_1.idp_1.entityID

This property is used to verify the AudienceRestriction in the SAML assertion.

sso_1.sp.useRelayStateForTarget

This property specifies whether the RelayState value received in the client request should be used as the URL of the target application. If this property is set to false, the sso_<id>.sp.targetUrl property is used as the URL of the target application.

sso_1.sp.enforceTaiCookie

This property indicates whether the SAML TAI should check that an LTPA cookie is mapped to a subject created for the SSO partner.

sso_1.sp.useRealm

This property specifies a realm name and is used to override the default realm. This property also overrides the realmName property.

sso_1.sp.login.error.page

This property specifies the error page, IdP login page, or custom mapping class to which an unauthenticated client request is redirected.

sso_1.idp_1.singleSignOnUrl

This property specifies the URL of the SSO service of the IdP.

sso_1.idp_1.certAlias

The alias of the ADFS token-signing certificate stored in the truststore.

sso_1.sp.filter

Filter values that define for which applications / targets SAML should be active.
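As an added example that is not code from the original post, the following Python models the SP-side check from step 3 of the flow above ("SP checks SAML token validity") with the property names just listed: the Issuer is compared with sso_1.idp_1.entityID, the AudienceRestriction with the SP's own entity ID (assumed here to equal sso_1.sp.acsUrl), the validity window is enforced, sso_1.sp.idMap turns the NameID into a subject (modelled as registry lookup first, then identity assertion), and sso_1.sp.useRelayStateForTarget / sso_1.sp.targetUrl choose the landing URL. It assumes the XML signature was already verified against the certificate stored under sso_1.idp_1.certAlias; hostnames, the local registry and the response itself are constructed sample values.

```python
# Added example, not code from the original post: the checks a SAML SP's ACS
# applies to an IdP response, built around the sso_1.* TAI properties above.
# Assumed: the XML signature was already verified with the certificate under
# sso_1.idp_1.certAlias; hosts and the local registry are constructed values.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TAI = {  # constructed TAI custom properties
    "sso_1.sp.acsUrl": "https://connections.example.com/samlsps/acs",
    "sso_1.sp.targetUrl": "https://connections.example.com/homepage",
    "sso_1.sp.useRelayStateForTarget": "false",
    "sso_1.sp.idMap": "localRealmThenAssertion",
    "sso_1.idp_1.entityID": "http://adfs.example.com/adfs/services/trust",
}
LOCAL_REGISTRY = {"jdoe"}  # constructed: users known to the local realm
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2015-07-20T08:00:00Z" NotOnOrAfter="2015-07-20T08:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://connections.example.com/samlsps/acs</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_subject(name_id):
    """Apply sso_1.sp.idMap to the asserted NameID: (source, user) or ValueError."""
    mode, found = TAI["sso_1.sp.idMap"], name_id in LOCAL_REGISTRY
    if mode == "idAssertion":                    # trust the assertion, no lookup
        return ("asserted", name_id)
    if mode == "localRealm" and not found:       # user must exist locally
        raise ValueError("user not in local registry")
    if mode in ("localRealm", "localRealmThenAssertion"):  # local first, else assert
        return ("local" if found else "asserted", name_id)
    raise ValueError("unknown idMap value: " + mode)

def resolve_target(relay_state=None):
    """Landing URL per sso_1.sp.useRelayStateForTarget / sso_1.sp.targetUrl."""
    use_relay = TAI["sso_1.sp.useRelayStateForTarget"].lower() == "true"
    return relay_state if use_relay and relay_state else TAI["sso_1.sp.targetUrl"]

def validate_response(xml_text, now_iso, relay_state=None):
    """Return (subject, target) when every check holds, otherwise raise ValueError."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != TAI["sso_1.idp_1.entityID"]:
        raise ValueError("Issuer is not the configured IdP entityID")
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if TAI["sso_1.sp.acsUrl"] not in audiences:  # SP entity ID assumed to equal acsUrl
        raise ValueError("AudienceRestriction does not name this SP")
    return map_subject(a.findtext("saml:Subject/saml:NameID", namespaces=NS)), resolve_target(relay_state)
```

With useRelayStateForTarget set to false, a RelayState supplied by the IdP is ignored and the user always lands on sso_1.sp.targetUrl.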

4. Go to "Global Security – Custom properties" and change the values of

com.ibm.websphere.security.DeferTAItoSSO

and

com.ibm.websphere.security.InvokeTAIbeforeSSO

to false and com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor (the interceptor class from step 2), respectively.

5. Restart the appserver

6. Export the SAML configuration using wsadmin:

wsadmin.sh -lang jython
AdminTask.exportSAMLSpMetadata('-spMetadataFileName /ibm/spdata.xml -ssoId 1')
quit

7. Copy the file spdata.xml to the ADFS server
8. Open the ADFS 2.0 management snap-in
9. Open "Trust relationships – Relying Party Trust" and click "Add Relying Party Trust"

10. Provide the spdata.xml file you generated using the wsadmin command

11. Enter the IBM Connections server hostname

12. Permit each user to access the Service Provider using SAML

13. Edit the "Claim Rules" dialog, where you define a mapping between your AD and the participating Service Provider

14. The claim rule you want to use: "Send LDAP Attributes as Claims"

15. Click "Add rule" to insert a new claim rule

16. Map the sAMAccountName to Name ID

–> Here you can read more about claim rules

Export the SAML token signing certificate and import it into the WAS truststore

1. On the ADFS server start the AD FS 2.0 Management console and go to "AD FS 2.0 → Service → Certificates". Select the token-signing certificate and click "View certificate".

2. Export the certificate in the DER encoded binary format.

Import the token signing certificate into the WebSphere Application Server truststore

1. Go to "Global Security – SSL certificate and key management – Key stores and certificates – CellDefaultTrustStore – Signer certificates", click "Add" and choose the ADFS certificate.

Use the values you specified for:

sso_1.sp.trustStore (here CellDefaultTrustStore is used)

sso_1.idp_1.certAlias (here saml_ADFS.SERVER.COM is used)

Add the ADFS server to the trusted authentication realms

Add

http://adfs.server.com/adfs/services/trust

https://adfs.server.com/adfs/services/trust

and further aliases if there are any.

–> Restart the IBM Connections server and you are ready to test the implementation.

Testing

Access –> https://connections.server.com

You will be redirected to the ADFS server (IdP-initiated login page).

Choose your IBM Connections server.

Enter your credentials and voilà, you are signed in to IBM Connections 😉

Summary

There are some more or less complex configuration steps to do, but once you have done them, you will understand the procedure. If you do not have an ADFS server, you can also use other IdPs that support SAML 2.0; some steps might be different there.

So go for it and test SAML. I hope you will like it as much as I do 😉



---------------------
http://techblog.gis-ag.info/2015/07/20/saml-enterprise-sso-in-the-websphere-world/
Jul 20, 2015
11 hits


