Enabling the SAML Web browser SSO

To enable the SAML Web browser SSO, complete the following tasks.

  • Install the SAML Assertion Consumer Service (ACS).
  • Enable SAML Trust Association Interceptor (TAI).

Install the SAML ACS

Using the WebSphere® Application Server administrative console, install the ACS application (WebSphereSamlSP.ear) located in the $WAS_HOME/installableApps/ folder.

  1. Log in to WebSphere Application Server console and click New Application.
  2. Click New Enterprise Application.
  3. Select WebSphereSamlSP.ear file from the local machine and click Next.
  4. Select Server1 as the server on the Map modules to servers page.
    Note: If Server1 is not running, start the server by using the following command.
    $WAS_HOME/<profile-home>/bin/startServer.sh server1
  5. Select Fast Path, click Next, and Finish.

Enable SAML TAI

  1. Log in to WebSphere Application Server console.
  2. Click Security > Global security.
  3. Expand Web and SIP security and click Trust association.
  4. Under the General Properties, select the Enable trust association checkbox and click Interceptors.
  5. Under Custom properties, complete the custom property information.
  6. Click New and enter the following custom property information.
    Name: sso_1.sp.idMap
    Value: idAssertion
  7. Click OK.
  8. Click New and enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor in the Interceptor class name field.
  9. Go back to Security > Global security and click Custom properties.
  10. Click New and define the following custom property information under General properties.
    Name: com.ibm.websphere.security.DeferTAItoSSO
    Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
  11. Click New and define the following custom property information under General properties.
    Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
    Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
  12. Click OK.
  13. Restart the WebSphere Application Server.
Note: The com.ibm.websphere.security.DeferTAItoSSO property was previously used in the default configuration of all installed servers. Now it is used only as part of the SAML configuration. Therefore, even if this property already exists in your system configuration, you must change its value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Multiple values, separated with commas, cannot be specified for this property. It must be set to a single SAML TAI.
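As an added check, not part of the IBM documentation, the following Python script verifies a configuration against the constraints of the procedure above: the ACS TAI is registered with sso_1.sp.idMap set to idAssertion, and DeferTAItoSSO and InvokeTAIbeforeSSO each name exactly one TAI with no comma-separated list. The XML fragment is a constructed, simplified stand-in for the cell's security.xml; its element and attribute names are assumptions for illustration, and com.example.LegacyTAI is a placeholder.

```python
import xml.etree.ElementTree as ET

ACS_TAI = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"
GLOBAL_PROPS = (
    "com.ibm.websphere.security.DeferTAItoSSO",
    "com.ibm.websphere.security.InvokeTAIbeforeSSO",
)

# Constructed sample (simplified, not a verbatim security.xml): the ACS TAI is
# registered correctly, but DeferTAItoSSO still carries a second, legacy TAI.
SAMPLE_SECURITY_XML = """<security>
  <trustAssociation enabled="true">
    <interceptors interceptorClassName="com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor">
      <trustProperties name="sso_1.sp.idMap" value="idAssertion"/>
    </interceptors>
  </trustAssociation>
  <properties name="com.ibm.websphere.security.DeferTAItoSSO"
              value="com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor,com.example.LegacyTAI"/>
  <properties name="com.ibm.websphere.security.InvokeTAIbeforeSSO"
              value="com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"/>
</security>"""


def check_saml_tai(xml_text):
    """Return a list of findings; an empty list means the fragment matches the procedure."""
    root = ET.fromstring(xml_text)
    findings = []
    ta = root.find("trustAssociation")
    if ta is None or ta.get("enabled") != "true":
        findings.append("trust association is not enabled")
    # Step 8: the ACS interceptor class must be registered, with its idMap trust property (step 6).
    acs = next((i for i in root.iter("interceptors") if i.get("interceptorClassName") == ACS_TAI), None)
    if acs is None:
        findings.append("%s is not registered as an interceptor" % ACS_TAI)
    else:
        trust_props = {p.get("name"): p.get("value") for p in acs.iter("trustProperties")}
        if trust_props.get("sso_1.sp.idMap") != "idAssertion":
            findings.append("sso_1.sp.idMap is not set to idAssertion")
    # Steps 10-11 and the note: each global property names a single SAML TAI, never a comma list.
    global_props = {p.get("name"): p.get("value") for p in root.findall("properties")}
    for name in GLOBAL_PROPS:
        value = global_props.get(name)
        if value is None:
            findings.append("%s is not defined" % name)
        elif "," in value:
            findings.append("%s lists several TAIs; a single SAML TAI is required" % name)
        elif value.strip() != ACS_TAI:
            findings.append("%s is %s, expected %s" % (name, value, ACS_TAI))
    return findings


if __name__ == "__main__":
    for finding in check_saml_tai(SAMPLE_SECURITY_XML):
        print("FINDING:", finding)
```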

What to do next

Configuring SSO partners.