Configuring SAML SSO for TRIRIGA on traditional WebSphere with TAI

There are several steps for configuring single sign-on (SSO) with traditional WebSphere® Application Server, Trust Association Interceptor (TAI), and Security Assertion Markup Language (SAML).

Note: IBM® TRIRIGA® does not support Security Assertion Markup Language (SAML) as a method of authentication for its non-browser clients. Unsupported non-browser clients include the following clients:
  • IBM TRIRIGA CAD Integrator/Publisher
  • IBM TRIRIGA Connector for BIM

I. Configuring SSO with TRIRIGA

Procedure

On the application server, set the following attributes in the TRIRIGAWEB.properties file. This file should be located in the Tririga/config folder.
SSO=Y
SSO_BACKING_SERVER_PORT=-1
SSO_REMOTE_USER=N
SSO_USER_PRINCIPAL=Y
SSO_REQUEST_ATTRIBUTE_NAME=uid

II. Installing and Configuring SimpleSAMLphp

About this task

SimpleSAMLphp is an authentication application written in PHP. Its main focus is to provide SAML support as a Service Provider (SP) or an Identity Provider (IdP). In this example, SimpleSAMLphp is the Identity Provider (IdP).

The following steps demonstrate how to install and configure SimpleSAMLphp.

Procedure

  1. Download and install the SimpleSAMLphp package from the SimpleSAMLphp website.
  2. To enable the IdP functionality, edit the config.php file. To enable the IdP to sign its SAML assertions, generate the private key and certificate.
  3. Configure the metadata for your local Identity Provider (IdP) and remote Service Provider (SP).
    In the following example from the saml20-idp-hosted.php file, replace hostname with the name of your server.
    <?php
    $metadata['hostname'] = array(
        /*
         * The hostname for this IdP. This makes it possible to run multiple
         * IdPs from the same configuration. '__DEFAULT__' means that this one
         * should be used by default.
         */
        'host' => 'hostname.company.com',
        /*
         * The private key and certificate to use when signing responses.
         * These are stored in the cert-directory.
         */
        'privatekey' => 'example.org.pem',
        'certificate' => 'example.org.crt',
        /*
         * The authentication source which should be used to authenticate the
         * user. This must match one of the entries in config/authsources.php.
         */
        'auth' => 'example-userpass',
        'userid.attribute' => 'uid',
        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        // 'authproc' => array(
        //     // Convert LDAP names to oids.
        //     100 => array('class' => 'core:AttributeMap', 'name2oid'),
        // ),
    );
    In the following example from the saml20-sp-remote.php file, replace <tririgaserver> with the name of your TRIRIGA server.
    <?php
    $metadata['https://<tririgaserver>:9443/samlsps/trisaml'] = array(
        'AssertionConsumerService' => 'https://<tririgaserver>:9443/samlsps/trisaml',
        'simplesaml.nameidattribute' => 'uid',
        // The URN attribute NameFormat for OID attributes.
        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        'attributeencodings' => array(
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw',
        ),
    );

III. Configuring SAML SSO with WebSphere Application Server

About this task

After you configure TRIRIGA and SimpleSAMLphp, you set up SAML SSO with WebSphere Application Server. In this example, SimpleSAMLphp is the Identity Provider (IdP) and WebSphere Application Server is the Service Provider (SP).

Before you can use the SAML SSO feature, you must install the SAML Assertion Consumer Service (ACS) application and enable SAML Trust Association Interceptor (TAI). You can install the SAML ACS application in two ways: Administrative Console or Python script. Likewise, you can enable SAML TAI properties in two ways: Administrative Console or wsadmin command utility.

The following procedure gives an example in the WebSphere Application Server Administrative Console.

Procedure

  1. Install the SAML ACS application WebSphereSamlSP.ear file. Enable the SAML TAI properties.
  2. Configure the target URL to point to the requestTest.jsp URL so that you can see the HTTP headers that are being passed. For example, https://<tririgaserver>:9443/html/en/default/admin/requestTest.jsp
    1. To set the URL, select Security > Global Security.
    2. In the Authentication section, select Web and SIP Security > Trust Association.
    3. In the General Properties section, select the Enable Trust Association check box and click OK.
    4. In the Additional Properties section, select Interceptors and click New.
    5. For Interceptor Class Name, enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
    6. Under Custom Properties, set the target URL for sso_1.sp.targetUrl. For example, https://<tririgaserver>:9443/html/en/default/admin/requestTest.jsp
  3. Configure the SAML realm as a trusted authentication realm.
    1. To set the realm, select Security > Global Security.
    2. In the Authentication section, select RMI/IIOP Security > CSIv2 Inbound Communications.
    3. In the Related Items section, select Trusted Authentication Realms - Inbound.
    4. Under Realms, select Add External Realm to add your <hostname> as a trusted realm.
  4. Configure the security role mapping to All Authenticated in Trusted Realms.
    Note: This mapping is not the default setting. It is not available until the realm is set in the previous step.
    1. To set the mapping, select Applications > Application Types > WebSphere Enterprise Applications > [SAML ACS Application (WebSphereSamlSP)].
    2. In the Detail Properties section, select Security Role to User/Group Mapping.
    3. Select Map Special Subjects > All Authenticated in Trusted Realms.
  5. Now, you can log in from the Identity Provider (IdP) with the URL. In this example, the URL is:
    https://<hostname.company.com>/simplesamlphp/saml2/idp/SSOService.php?spentityid=https://<tririgaserver>:9443/samlsps/trisaml

    The IdP will authenticate you. After you accept any certificate warnings, you should see the requestTest.jsp page.

  6. After you see the requestTest.jsp page, you can set the target URL for sso_1.sp.targetUrl to the proper TRIRIGA URL. For example, https://<tririgaserver>:9443/
    Note: This change, like any security-related change, requires a restart of the application server to take effect.
    Note: In this example, the sso_1.sp.useRealm and sso_1.sp.realmNameRange properties are not strictly necessary, because the realm name is set to the name of the SAML issuer. The additional certificate-related properties are needed only when you use unsigned or self-signed SSL certificates.
  7. Log in from the Identity Provider (IdP) again, using the same URL:
    https://<hostname.company.com>/simplesamlphp/saml2/idp/SSOService.php?spentityid=https://<tririgaserver>:9443/samlsps/trisaml

    Now, you should see the TRIRIGA home portal.

  8. Optional: You can enable SAML TAI tracing by adding com.ibm.ws.security.web.saml.*=all to the log detail levels.
    1. To set the tracing, select Troubleshooting > Logs and Trace > server1 > Change Log Detail Levels.
    2. In the Change Log Detail Levels text box, enter com.ibm.ws.security.web.saml.*=all
    3. After tracing is enabled, the trace.log file contains the trace output.
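As an added example (not from the IBM documentation), the following Python script shows the checks the relying side must make on an incoming SAML Response for this setup: the assertion issuer must equal the realm that WebSphere trusts, the audience must equal the SP entity ID used as spentityid, and the uid attribute must arrive in the URI NameFormat that TRIRIGA reads as SSO_REQUEST_ATTRIBUTE_NAME. The response is a constructed sample with placeholder host names; signature verification, which the TAI performs against the IdP certificate, is outside this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample response (placeholder host names, no signature);
# for untrusted input, parse with defusedxml rather than the stdlib parser.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>hostname.company.com</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>hostname.company.com</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://tririgaserver:9443/samlsps/trisaml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, trusted_realm, sp_entity_id, attr_name="uid"):
    """Return (user_id, problems); user_id is None unless every check passes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion element in Response"]
    problems = []
    # Issuer must be the realm added under Trusted Authentication Realms - Inbound.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_realm:
        problems.append(f"issuer {issuer!r} is not the trusted realm")
    # Audience must be the SP entity ID from saml20-sp-remote.php (spentityid).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience does not include the SP entity ID")
    # The uid attribute in URI NameFormat is what TRIRIGA reads as SSO_REQUEST_ATTRIBUTE_NAME.
    user_id = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name and attr.get("NameFormat") == URI_FORMAT:
            user_id = attr.findtext("saml:AttributeValue", namespaces=NS)
    if user_id is None:
        problems.append(f"attribute {attr_name!r} missing or not in URI NameFormat")
    return (None if problems else user_id), problems
```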