Configuring the IBM Product Master
Before configuring SAML SSO, complete the following tasks.
Fix Pack 3
- Configuring SSO properties.
- Enable administrative security for the WebSphere Application Server.
- Enable administrative security for the Product Master.
- Configure security role mapping.
- Enable SSO flags for the Product Master.
Configuring SSO properties
- Enable SSO authentication in the Login.wpcs file. The Login.wpcs file identifies the authentication mechanism; for SSO you must set its wpcOnlyAuthentication flag to false, as is also required when LDAP authentication is used.
- Click .
- Select Login script from the drop-down list.
- Click Edit for the Login.wpcs script.
- Find and set the wpcOnlyAuthentication flag to false.
- Populate SAML attributes in the SSO Configuration lookup table from Admin UI.
- Import the mdm-env.zip file located at $TOP/mdmui/env-export/mdm-env, if not already done.
- Go to .
- Select the SSO Configuration lookup table and add an entry.
- Populate all the attributes as follows.
Attribute name and description of the attribute:
- Id: the primary key of the lookup table entry; it is generated automatically.
- SSO Type: SAMLv2.0
- Create Role: controls what happens to the roles asserted for a user after the user logs in to the IBM Product Master.
  - True: user roles are created if the roles do not exist.
  - False: user roles are not created and the Administrator must create the roles manually.
- First Name Attribute: the user attribute that represents the given name in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Last Name Attribute: the user attribute that represents the surname in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Mail ID Attribute: the user attribute that represents the mail ID in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Telephone Number Attribute: the user attribute that represents the telephone number in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/telephone
- Fax Number Attribute: the user attribute that represents the fax number in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/fax
- Postal Address Attribute: the user attribute that represents the postal address in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/address
- Title Attribute: the user attribute that represents the title in the SAML assertion, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title
- Roles Attribute: the member-of attribute that represents the group in the SAML assertion, for example, http://schemas.xmlsoap.org/claims/Group
- Organization Attribute: the user attribute that represents the organization in the SAML assertion, for example, http://schemas.xmlsoap.org/claims/organization
  This attribute is required only for Vendor Persona users. The vendor user is created under the Vendor Organization Hierarchy based on the value of the organization attribute. Possible values are Vendor1OU, ParentOU/Vendor1OU, and so on.
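The following is an added example, not code from IBM Product Master, showing how one row of the SSO Configuration lookup table is applied to a SAML 2.0 assertion: the attribute names in the table are the Name values of the assertion's saml:Attribute elements, and the Roles attribute may carry several values. The assertion, the set of existing roles, the role names and the provisioning logic (Create Role True versus False, and splitting a ParentOU/Vendor1OU organization value into a hierarchy path) are constructed for illustration. Signature and audience validation of the assertion happen before attribute mapping and are outside this example.

```python
"""Added example: apply an SSO Configuration lookup-table row to a SAML 2.0
assertion and derive the user record that would be provisioned.
Not IBM Product Master code; assertion and roles are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# One row of the SSO Configuration lookup table (values as in the examples above).
SSO_CONFIG = {
    "SSO Type": "SAMLv2.0",
    "Create Role": True,
    "First Name Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Last Name Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Mail ID Attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Roles Attribute": "http://schemas.xmlsoap.org/claims/Group",
    "Organization Attribute": "http://schemas.xmlsoap.org/claims/organization",
}

# Constructed assertion fragment (unsigned; signature checking is out of scope here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@vendor1.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@vendor1.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Vendor Editor</saml:AttributeValue>
      <saml:AttributeValue>Catalog Viewer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/organization">
      <saml:AttributeValue>ParentOU/Vendor1OU</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute Name: [values...]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def provision_user(xml_text, config, existing_roles):
    """Map assertion attributes through the lookup-table row.

    Returns (user, roles_to_create). With Create Role = False, a role the
    IdP asserts that does not exist yet is an error rather than a new role
    (the Administrator creates it manually).
    """
    attrs = assertion_attributes(xml_text)

    def single(key):
        values = attrs.get(config[key], [])
        return values[0] if values else None

    roles = attrs.get(config["Roles Attribute"], [])
    missing = [r for r in roles if r not in existing_roles]
    if missing and not config["Create Role"]:
        raise ValueError("roles not defined in Product Master: %s" % ", ".join(missing))

    org = single("Organization Attribute")
    user = {
        "first_name": single("First Name Attribute"),
        "last_name": single("Last Name Attribute"),
        "mail": single("Mail ID Attribute"),
        "roles": roles,
        # Vendor persona: "ParentOU/Vendor1OU" is a path in the Vendor Organization Hierarchy.
        "org_path": org.split("/") if org else [],
    }
    return user, missing
```

With Create Role set to True every group name the IdP asserts becomes a Product Master role, so the group names released by the IdP for this service provider deserve the same review as the role definitions themselves.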
Enable administrative security for the WebSphere® Application Server
To enable administrative security for the WebSphere Application Server, proceed as follows.
- Log in to WebSphere Application Server Console.
- Select Security and then click Global Security.
- Click Security Configuration Wizard.
- Select Enable application security and Enable administrative security, and then click Next.
- Select Federated repositories, and then click Next.
- Enter the administrative credentials, and then click Next.
- Click .
- Restart WebSphere Application Server.
Enable administrative security for the Product Master
To enable administrative security for the Product Master, proceed as follows.
- Edit the $TOP/bin/conf/env_settings.ini file.
- Set the value of the admin security property to true.
  [appserver.websphere70]
  admin_security=true
- Specify the credentials for the WebSphere Application Server.
  [appserver]
  username=
  password=
- Restart the Product Master services.
Configure security role mapping
To configure security role mapping, proceed as follows.
- Log in to the WebSphere Application Server administrative console.
- Go to . The Enterprise Applications page opens.
- In the Enterprise Applications page, click <war_file_name> link. The Security role to user/group mapping page opens.
- In the Security role to user/group mapping page, specify following
according to the file type, and click OK.
WAR files ccd.war and mdm_ui.war:
- Select the AllAuth role, click Map Special Subjects, and select All Authenticated in Trusted Realms.
- Select the LoginUser role, click Map Special Subjects, and select Everyone.
WAR file mdm_rest.war:
- Select the AllAuth role, click Map Special Subjects, and select All Authenticated in Trusted Realms.
- Select the LoginUser role, click Map Special Subjects, and select All Authenticated in Trusted Realms.
Note the difference: for mdm_rest.war the LoginUser role is mapped to All Authenticated in Trusted Realms, not to Everyone, so the REST interface is reachable only by authenticated subjects.
- Restart the WebSphere Application Server administrative console and the Appserver on which the Product Master is deployed.
Enable SSO flags for the Product Master
Ensure that every SSO user has a unique username and password in a default company. To enable SSO flags for the Product Master, proceed as follows.
- In the $TOP/etc/default/common.properties file:
  - Set the value of the enable_sso property to true.
  - Set the value of the sso_company property to <company_name>.
  Example:
  # SSO authentication enabled
  enable_sso=true
  sso_company=<company_name>
- In the $TOP/mdmui/dynamic/mdmui/config.json file, set the value of the enableSSO property to true. The file is JSON, so the value is a JSON boolean:
  "enableSSO": true
- Run the updateRtProperties.sh script by using the following commands.
  cd $TOP/mdmui/bin
  ./updateRtProperties.sh
- Restart the services by using the following commands.
  cd $TOP/bin/go
  ./stop_local.sh
  ./start_local.sh
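The following is an added example, not Product Master's own tooling, that applies the two file edits above and verifies them: common.properties is a Java properties file (key=value lines, comments kept), whereas config.json is JSON and needs a boolean true rather than the string "true". The sample file contents are constructed; the functions take and return text so they can be run against copies before touching $TOP.

```python
"""Added example: set and verify the SSO flags in common.properties
(Java properties syntax) and config.json (JSON syntax).
Not Product Master code; sample file contents are constructed."""
import json
import re

# Constructed starting state: SSO disabled, no company set.
SAMPLE_PROPS = "# SSO authentication disabled\nenable_sso=false\nsso_company=\n"
SAMPLE_JSON = '{"enableSSO": false, "someOtherSetting": 1}'


def set_property(text, key, value):
    """Set key=value in properties text; keep comments and order, append if absent."""
    pattern = re.compile(r"^\s*%s\s*[=:].*$" % re.escape(key), re.M)
    line = "%s=%s" % (key, value)
    if pattern.search(text):
        return pattern.sub(lambda m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def enable_sso(common_properties_text, config_json_text, company):
    """Return (new properties text, new JSON text) with SSO enabled."""
    props = set_property(common_properties_text, "enable_sso", "true")
    props = set_property(props, "sso_company", company)
    cfg = json.loads(config_json_text)
    cfg["enableSSO"] = True  # JSON boolean; "true" as a string would not be the same value
    return props, json.dumps(cfg, indent=2)


def read_properties(text):
    """Minimal properties reader: key=value or key:value, '#' and '!' comments skipped."""
    return {
        m.group(1): m.group(2).strip()
        for m in re.finditer(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*)$", text, re.M)
    }


def sso_enabled(common_properties_text, config_json_text):
    """Post-change check that both files agree before the services are restarted."""
    props = read_properties(common_properties_text)
    cfg = json.loads(config_json_text)
    return (
        props.get("enable_sso") == "true"
        and bool(props.get("sso_company"))
        and cfg.get("enableSSO") is True
    )
```

A company name left empty in sso_company makes sso_enabled() return False, which matches the requirement above that SSO users live in a named default company.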