Configuring SSO partners

To configure SSO partners, complete the following tasks.

Configure SAML attribute mappings on the single sign-on partner.
Add an identity provider by using metadata of the identity provider (IdP).
Add Identity Provider realms to the list of inbound trusted realms.
Add the Issuer in the RMI-IIOP security.
Export the Service Provider metadata file from wsadmin command-line utility.

Configure SAML attribute mappings on the single sign-on partner

The SAML subject identifies the authenticated user. Product Master SAML SSO requires that the single sign-on partner should configure NameID as the SAML assertion subject.

The single sign-on partner should also define attribute mappings for Group memberships.

Setting NameID and Group mappings in the SAML assertion are mandatory for Product Master login. Other optional mapping can be defined for user attributes. For example, First Name, Last Name, Title, Email Address, Telephone, Fax, and Address.

If you want to enable Vendor users to login with SAML SSO, Organization mapping is mandatory to be set in the SAML assertion. Ensure that the Organization attribute value matches the Vendor organization present in the Product Master Vendor Organization Hierarchy.

Add an identity provider by using metadata of the identity provider

Start the wsadmin command-line utility from the app_server_root/bin folder by using the following command.
```
>./wsadmin.sh -lang jython
```

At the wsadmin prompt, enter the following command.

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName <IdPMetaDataFile> -idpId 1 -ssoId 1 -signingCertAlias <idpAlias>')

Where IdpMetaDataFile is the full path name of the IdP metadata file, and IdpAlias is any alias name that you specify for the imported certificate. Use the <IdPMetaDataFile> exported from Identity Provider.

Example

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /opt/metadata/federationmetadata.xml -idpId 1 -ssoId 1 -signingCertAlias adfs_cert')

Save the configuration by using the following command.
```
AdminConfig.save()
```
Exit the wsadmin command utility by using the following command.
```
quit
```

Add identity provider realms to the list of inbound trusted realms

Log in to the WebSphere® Application Server administrative console.
Click Global security.
Under User account repository, click Configure.
Click Trusted authentication realms - inbound.
Click Add External Realm.
Complete the external realm name.
As an example, add the following to the inbound trusted realms.
https://adfsserver.ipm.local/adfs/ls

http://adfsserver.ipm.local/adfs/services/trust
Click Apply.
Click OK and Save changes to the master configuration.

Add the Issuer in the RMI-IIOP security

Log in to the WebSphere Application Server administrative console.
Click Global security.
Under RMI/IIOP Security, click CSIv2 outbound communications.
Click Trusted authentication realms – outbound.
Click Add External Realm.
Enter IdP entityID URL.
Example

http://adfsserver.ipm.local/adfs/services/trust

You get the entityID URL in the federation metadata XML file.
Restart the WebSphere Application Server.

Export the Service Provider metadata file from wsadmin command-line utility

Start the wsadmin command-line utility from the app_server_root/bin folder by using the following command.
```
>./wsadmin.sh -lang jython
```
At the wsadmin prompt, enter the following command to export the Service Provide metadata.
```
AdminTask.exportSAMLSpMetadata('-spMetadataFileName /tmp/spdata.xml -ssoId 1')
```
This command creates the /tmp/spdata.xml metadata file.
The service provider metadata file can be consumed by the SSO partners.
Note: In case of cluster deployment, extract service provider metadata from only one node of the cluster.

What to do next

Enabling SAML Service Provider Initiated web SSO.