Managing self-issued SAML token configuration using wsadmin commands
Use of the SAMLIssuerConfig.properties file is deprecated in WebSphere® Application Server Version 8. You can use the listSAMLIssuerConfig and updateSAMLIssuerConfig wsadmin command tasks to read and modify the cell level and server level SAMLIssuerConfig.properties configuration files. Starting with WebSphere Application Server Version 8, you should instead use the administrative console or the setSAMLIssuerConfigInBinding command task to specify a self-issued SAML token's configuration as custom properties in the requester's outbound configuration, either in the general bindings or in the application-specific bindings. Do not use the server level and cell level SAMLIssuerConfig.properties files.
Before you begin
The product provides an alternate way to specify a self-issued SAML token configuration: in policy set bindings. Migrate self-issued SAML token configuration data from the SAMLIssuerConfig.properties file to the bindings. Specifying the configuration data for creating self-issued SAML tokens in general bindings or application-specific bindings gives you the flexibility to manage the configuration at a finer-grained scope than the cell level and the server level. For example, you can configure a specific SAML token issuer for a particular web service application, for an arbitrary group of applications, or for a web service application in a security domain.
About this task
Two command tasks are available to manage the SAMLIssuerConfig.properties file-based SAML issuer configuration. This file can be located at the cell level and the server level. These two tasks are:
listSAMLIssuerConfig
updateSAMLIssuerConfig
Procedure
Results
You have created command scripts to automate the process of updating the cell level or the server level SAMLIssuerConfig.properties files, or you have created self-issued SAML token configuration data as custom properties in the requester's outbound configuration in the general bindings or in the application-specific bindings.
Example
# Application-specific binding: bindingLocation names the application and the attachment id,
# and the signing key and trust store are referenced by key store name and management scope.
AdminTask.setSAMLIssuerConfigInBinding('[-bindingName SAMLTestAppClientBinding
-bindingLocation [ [application JaxWSServicesSamples] [attachmentId 1904] ]
-com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI My_Issuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds 3600000
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias samlissuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName "CN=SAMLIssuer, O=Acme, C=US"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreRef "name=myKeyStore managementScope=(cell):Node01Cell:(node):Node01"]')
# General binding in the global domain: bindingLocation is given with no properties,
# and the key store and trust store are referenced by file path, type and password.
AdminTask.setSAMLIssuerConfigInBinding('[-bindingName "Saml Bearer Client sample"
-bindingScope domain -bindingLocation -domainName global
-com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI My_Issuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds 3600000
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePath "profile_root/etc/ws-security/saml/saml-issuer.jceks"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreType jceks
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias samlissuer
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName "CN=SAMLIssuer, O=Acme, C=US"
-com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword *****
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePath "profile_root/profiles/<server_name>/etc/ws-security/saml/saml-issuer.jceks"
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreType jceks
-com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePassword *****]')
When specifying the application bindings, bindingLocation is a required parameter and can be supplied as a properties object. The property names are application and attachmentId.
When specifying the general bindings, bindingLocation is required but can be null or have empty properties. Additionally, bindingScope is required if the scope is not global. Use the bindingName parameter to identify the binding location. For more information about bindingLocation, bindingScope, and domainName, refer to the setBinding or getBinding command task documentation.
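The two bindingLocation forms above are easy to get wrong by hand, so the following wsadmin Jython helper, an added example that is not part of the IBM documentation, assembles the argument string for setSAMLIssuerConfigInBinding from plain values and quotes any value that contains spaces. The function names are assumptions made for this example; the parameter names and the com.ibm.wsspi.wssecurity.saml.config.issuer property prefix are the ones shown on this page, and passwords are expected to come from the environment at run time rather than being written into the script.

```python
import os

# Prefix shared by all self-issued SAML token custom properties (from the page).
PREFIX = "com.ibm.wsspi.wssecurity.saml.config.issuer."


def _quote(value):
    """Wrap a value in double quotes when it contains whitespace."""
    value = str(value)
    return '"%s"' % value if any(c.isspace() for c in value) else value


def build_saml_issuer_args(binding_name, issuer_props,
                           application=None, attachment_id=None,
                           domain_name=None):
    """Return the '[-bindingName ...]' string for setSAMLIssuerConfigInBinding.

    application and attachment_id select an application-specific binding;
    otherwise a general binding in domain_name (default: global) is targeted.
    issuer_props maps short property names (IssuerURI, KeyAlias, ...) to values.
    """
    parts = ["-bindingName", _quote(binding_name)]
    if application is not None:
        if attachment_id is None:
            raise ValueError("attachmentId is required with application")
        parts += ["-bindingLocation",
                  "[ [application %s] [attachmentId %s] ]"
                  % (application, attachment_id)]
    else:
        # General binding: bindingLocation is required but carries no properties.
        parts += ["-bindingScope", "domain", "-bindingLocation",
                  "-domainName", domain_name or "global"]
    for key in sorted(issuer_props):
        parts += ["-" + PREFIX + key, _quote(issuer_props[key])]
    return "[" + " ".join(parts) + "]"


def apply_to_wsadmin(arg_string):
    """Run the command and save the configuration when executing under wsadmin.

    Outside wsadmin (no AdminTask object) the argument string is only returned,
    which lets the helper be unit tested.  Assumption: the script runs as the
    main wsadmin script, where AdminTask and AdminConfig are globals.
    """
    admin_task = globals().get("AdminTask")
    if admin_task is None:
        return arg_string
    admin_task.setSAMLIssuerConfigInBinding(arg_string)
    globals()["AdminConfig"].save()
    return arg_string


if __name__ == "__main__":
    # Constructed sample: secrets are taken from the environment, not hard-coded.
    props = {"IssuerURI": "My_Issuer", "TimeToLiveMilliseconds": 3600000,
             "KeyAlias": "samlissuer", "KeyName": "CN=SAMLIssuer, O=Acme, C=US",
             "KeyPassword": os.environ.get("SAML_KEY_PASSWORD", "")}
    print(apply_to_wsadmin(build_saml_issuer_args(
        "SAMLTestAppClientBinding", props,
        application="JaxWSServicesSamples", attachment_id=1904)))
```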
To remove SAML issuer configuration custom properties from the bindings, use the administrative console or the setBinding command task.