Configuring CICS for SAML

To configure CICS® to use SAML, first configure the JVM server by customizing and installing the sample JVM server profile, then install the CSD group in the appropriate CICS regions.

Before you begin

You must identify the regions where you want to deploy the CICS Security Token Service (STS). Install the STS in regions that run no application code. If the region in which you validate SAML tokens also runs application code, define the STS remotely instead: install the STS in its own region and give the application region a remote program definition for DFHSAML that routes requests to the STS region. You might also choose the remote configuration if you prefer to separate regions that run Java™ code from other regions. A further reason for a separate STS region is that you can give that region its own keyring, containing only the certificates that are required to validate the signatures on incoming SAML assertions and to sign the SAML tokens that CICS issues.

About this task

CICS provides a linkable interface called DFHSAML. CICS web services pipelines and applications link to this interface to validate SAML assertions and to extract information from them. CICS support for SAML requires a JVM server that is installed and configured on your system, because the STS runs in that JVM server.

Procedure

  1. Create a JVM server profile for the JVM server.

    You can copy the appropriate supplied profile, DFHJVMST, from the installation directory to the directory that is specified by the JVMPROFILEDIR system initialization parameter.

  2. Install CSD group DFHSAML in the chosen configuration:
    1. Install DFHSAML in the region that is chosen to run the STS.
    2. If you want to use SAML remotely, define a remote program definition for DFHSAML in each application region, pointing to the region that runs the STS.
    Note: If you are using your own JVM server definition, copy the DFHSAML group, customize the copy, and install the customized group instead of the DFHSAML group. The new group must point to your own JVM server definition. Every program that calls the security token extension support must then pass the name of that JVM server to DFHSAML in the DFHSAML JVMSERVER container.
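The following DFHCSDUP job is an added example and is not taken from the CICS documentation or from the supplied DFHSAML group. It carries out step 2 for both halves of a remote configuration: a customized copy of the DFHSAML group for the STS region, and a remote program definition for the application regions. It assumes an STS region with SYSID STS1 and startup list STSLIST, application regions with startup list APPLIST, a customized group SAMLSTS whose JVM server uses a profile named MYSAMLST (a renamed copy of DFHJVMST placed in JVMPROFILEDIR in step 1), a group SAMLRMT for the remote definition, and that the JVMSERVER resource inside the supplied DFHSAML group is itself named DFHSAML. All of these names, and the data set names, are assumptions; check the contents of the DFHSAML group for your release before running the ALTER.

```jcl
//SAMLCSD  JOB (ACCT),'SAML CSD SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example: CSD updates for a remote SAML configuration.
//* Every name used here (STS1, STSLIST, APPLIST, SAMLSTS, SAMLRMT,
//* MYSAMLST, CICSTS.*) is an assumption; replace with your own.
//*
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
*--------------------------------------------------------------
* STS region (SYSID STS1): own copy of DFHSAML that points at a
* customized JVM profile. Keep this region free of application
* code so its keyring can hold only the SAML certificates.
*--------------------------------------------------------------
COPY  GROUP(DFHSAML) TO(SAMLSTS)
ALTER JVMSERVER(DFHSAML) GROUP(SAMLSTS) JVMPROFILE(MYSAMLST)
ADD   GROUP(SAMLSTS) LIST(STSLIST)
*--------------------------------------------------------------
* Application regions: no JVM server and no STS. Calls to
* DFHSAML are function-shipped to STS1 by a remote program
* definition. REMOTENAME defaults to the local name, DFHSAML.
*--------------------------------------------------------------
DEFINE PROGRAM(DFHSAML) GROUP(SAMLRMT) REMOTESYSTEM(STS1)
ADD   GROUP(SAMLRMT) LIST(APPLIST)
/*
```

Check SYSPRINT for a zero return code before installing. The new groups are installed at the next cold start of a region that uses STSLIST or APPLIST, or immediately with CEDA INSTALL GROUP(SAMLSTS) in the STS region and CEDA INSTALL GROUP(SAMLRMT) in each application region. Because the application regions carry only the remote definition, the private key used to sign SAML tokens and the certificates used to validate them need to exist only in the keyring of the STS region, as recommended under Before you begin.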

Results

CICS is configured for SAML.

What to do next

You can validate your configuration, as described in Validating your configuration of CICS for SAML.