Configuring SAML Web SSO
You can configure SAML Web SSO for the managed Liberty servers in your cell by using one of two
methods. You can migrate the existing WebSphere Application Server SAML
Web SSO ACSTrustAssociationInterceptor TAI configuration, or you can create a new
SAML Web SSO configuration that is specific to the managed Liberty servers in your cell.
Considerations if you want to migrate the existing WebSphere Application Server SAML Web SSO
ACSTrustAssociationInterceptor TAI configuration:- This method can be used for relatively simple SAML SSO configurations.
- You cannot perform SP-Initiated SAML SSO by using this method.
- Refer to the SAML Web SSO known issues and limitations page to find the restrictions for using this method.
- Follow the instructions on Enabling your system to use the SAML web single sign-on (SSO) feature to use this method.
- When you use this method, you must ensure that the filter that intercepts the URLs on WebSphere Application Server do not also intercept URLs on the managed Liberty servers. Migrated configurations utilize
bookmark-style SAML IdP-initiated SSO. After the user logs in to the IdP, the IdP redirects the user
back to the server with the
SAMLResponseto a pre-configured URL. If the filter for a configuration entry can intercept URLs for both server types, theSAMLResponsemight be redirected to the wrong server type.
Considerations if you want to create a new SAML Web SSO configuration that is specific to the
managed Liberty servers in your cell:
- This method provides all the SAML Web SSO features that are available in Liberty.
- If this method is configured, the SAML Web SSO
ACSTrustAssociationInterceptorTAI is not migrated to the managed Liberty servers.
Before you begin
This task assumes the following:
- You are familiar with the SAML Web SSO feature.
- Your key and trust stores are the default key stores or configured as WebSphere managed key stores through
or the
corresponding
wsadmintask. - Your keys and certificates are loaded into your key and trust stores. See the following documents:
- If you use a front-end router, you must make sure that you have session affinity enabled for
your managed Liberty servers because SAML SSO on a
managed Liberty server requires session affinity.
- The URL to route is
https://(host):(port)/ibm/saml20. This URL is emitted in the WebSphere WebServer Plug-in configuration file (plugin-cfg.xml).
- The URL to route is
About this task
This task shows how to create a new SAML Web SSO configuration that is specific to the managed
Liberty servers in your cell. This task uses the
administrative console. You can also use wsadmin to perform the same function.