Configuring SAML Web Inbound TAI

You can configure a SAML Web Inbound Trust Association Interceptor (TAI) to authenticate and validate a SAML token sent in the request header of a Web request.

Before you begin

Review the custom properties that you must configure for a SAML Web inbound Trust Association Interceptor; see SAML Web Inbound TAI Custom Properties.

About this task

Configure a Trust Association Interceptor (TAI) for WebSphere® Application Server to process a SAML token sent in the request header of a Web request. The SAML token must be Base-64 or UTF-8 encoded, and can be compressed in GZIP format. The SAML token header in the HTTP request can take one of the following forms:
  • Authorization=[<headerName>=<SAML_HERE>]
  • Authorization=[<headerName>="<SAML_HERE>"]
  • Authorization=[<headerName> <SAML_HERE>]
  • <headerName>=[<SAML_HERE>]
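The following Python is an added illustration, not IBM's code, of how a request would be checked for each of the four header layouts above and then unwrapped (UTF-8 or Base-64, with optional GZIP). The header name SAML and the sample assertion are constructed assumptions.

```python
import base64
import gzip
import re
from typing import Dict, Optional

# Constructed sample assertion (not a real token); the header name "SAML" used
# below is an assumed value for the TAI's configured headerName.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_example" Version="2.0"><saml:Issuer>https://idp.example.test'
    b'</saml:Issuer></saml:Assertion>'
)

def _raw_token(headers: Dict[str, str], header_name: str) -> Optional[str]:
    """Still-encoded token from Authorization (three variants) or the header itself."""
    auth = headers.get("Authorization")
    if auth is not None:
        name = re.escape(header_name)
        # headerName=token | headerName="token" | headerName token
        m = re.fullmatch(rf'\s*{name}(?:\s*=\s*"([^"]*)"|\s*=\s*(\S+)|\s+(\S+))\s*', auth)
        if m:
            return next(g for g in m.groups() if g is not None)
    return headers.get(header_name)

def decode_saml_token(value: str) -> bytes:
    """UTF-8 XML is taken as-is, anything else is Base-64; GZIP (1f 8b) is inflated."""
    stripped = value.strip()
    data = stripped.encode("utf-8") if stripped.startswith("<") else base64.b64decode(stripped, validate=True)
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data

def extract_saml_token(headers: Dict[str, str], header_name: str) -> Optional[bytes]:
    """SAML XML bytes carried by the request, or None if absent or malformed."""
    raw = _raw_token(headers, header_name)
    if raw is None:
        return None
    try:
        return decode_saml_token(raw)
    except (ValueError, OSError, EOFError):  # binascii.Error is a ValueError
        return None  # bad Base-64 or GZIP: reject rather than guess

def sample_headers(style: str, compress: bool = False) -> Dict[str, str]:
    """Constructed request headers in one of the four layouts."""
    payload = gzip.compress(SAMPLE_ASSERTION) if compress else SAMPLE_ASSERTION
    tok = base64.b64encode(payload).decode("ascii")
    return {"equals": {"Authorization": f"SAML={tok}"},
            "quoted": {"Authorization": f'SAML="{tok}"'},
            "space": {"Authorization": f"SAML {tok}"},
            "direct": {"SAML": tok}}[style]
```

This only unwraps the token as the TAI would see it; signature, issuer and realm validation remain the job of the configured TAI and the trust settings from the procedure.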

Procedure

  1. From the WebSphere administrative console, select Security > Global security > Web and SIP security > Trust association.
  2. Select Interceptors.
  3. Select New to add a new interceptor.
  4. Enter the interceptor class name: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
  5. Add custom properties for your environment; see SAML Web Inbound TAI Custom Properties for a list of the properties.
  6. Apply and Save the configuration updates.
    Note: Saving without applying your changes will discard the custom properties.
  7. Go back to Security > Global security and select Custom properties.
  8. Select New and define the following custom property information for General properties:
    
    Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
    Value: com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI
    Note: If this property is already defined, append com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI to the existing value, separated from it by a comma, to form a list.
  9. Import the SAML issuer's signer certificate to the truststore of the WebSphere Application Server.
    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates. Use CellDefaultTrustStore instead of NodeDefaultTrustStore for a deployment manager.
    2. Click Add.
    3. Complete the certificate information, then click Apply.
  10. Add the SAML issuer name (or the value of the realmName or the attribute value of the configured realmIdentifier) to the list of inbound trusted realms. For each SAML issuer that is used with your WebSphere Application Server service provider, you must grant inbound trust to all the realms that are used by the SAML issuer. You can grant inbound trust to the SAML issuer using the administrative console.
    1. Click Global Security.
    2. For the user account repository, click Configure.
    3. Click Trusted authentication realms - inbound.
    4. Click Add External Realm.
    5. Fill in the external realm name.
    6. Click OK and Save changes to the master configuration.
  11. Restart the WebSphere Application Server.

Results

These steps establish the minimum configuration that is required to configure a Trust Association Interceptor for a WebSphere Application Server that can process SAML tokens sent in the request header of an inbound web request.