Configuring CICS for SAML

CICS supports the use of Security Assertion Markup Language (SAML) for describing and exchanging security information.

Before you begin

CICS® supports the SAML Core 1.1 and SAML Core 2.0 standards. It does not support the protocols that are described in those standards.

You can configure provider and requester pipelines to use SAML tokens, but you must first deploy the CICS Security Token Service (STS). Identify the regions where you want to deploy the STS. Install the STS in regions without any application code. If you have application code in the region where you will validate your SAML tokens, define the STS remotely. You might also choose to define the STS remotely if you prefer to separate regions that run Java™ code from other regions. Another reason for having a separate region for the STS is that you can define that region with its own keyring, which contains only the certificates that are required for validating signatures and signing SAML tokens.

About this task

CICS provides a linkable interface called DFHSAML. The interface allows CICS web services pipelines and applications to validate and extract information from SAML assertions. CICS support for SAML requires a JVM server that is installed and configured on your system.

Running a SAML JVM server with Java 11 or Java 17 is not supported.

Procedure

  1. Create a JVM server profile for the JVM server.

    You can copy the appropriate supplied profile, DFHJVMST, from the installation directory to the directory that is specified by the JVMPROFILEDIR system initialization parameter.

  2. Install CSD group DFHSAML in the chosen configuration:
    1. Install DFHSAML in the region that is chosen to run the STS.
    2. If you want to use SAML remotely, define a remote program definition for DFHSAML pointing to the region that runs the STS.
    Note: If you are using your own JVM server definition, copy the DFHSAML group, customize the copy, and install the customized group instead of the DFHSAML group. The new group must point to your own JVM server definition. All programs that call the security token extensions support must create DFHSAML JVMSERVER containers with the name of their JVM server.
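The following DFHCSDUP batch job is an added example of steps 2a and 2b; it is not part of the IBM documentation or the supplied DFHSAML group. It assumes one STS region (reached over an MRO or IPIC connection named STS1) and one application region, and the data set names, the list names STSLIST and APPLIST, and the group name SAMLRMT are placeholders to replace with your own values. The remote program definition keeps DFHSAML, and therefore the signing and validation keyring, out of the region that runs application code.

```jcl
//SAMLCSD  JOB (ACCT),'SAML CSD UPDATES',CLASS=A,MSGCLASS=X
//* Added example (not from the CICS documentation): maintain the CSD
//* with DFHCSDUP. Data set names, list and group names, and the
//* connection name STS1 are placeholders for your own values.
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* --- STS region (step 2a): add the supplied DFHSAML group to the
*     startup list named by that region's GRPLIST SIT parameter.
*     This region runs no application code, so its keyring can hold
*     only the certificates needed to validate and sign SAML tokens.
 ADD GROUP(DFHSAML) LIST(STSLIST)
*
* --- Application region (step 2b): do not install DFHSAML here.
*     Define DFHSAML as a remote program so that calls are shipped
*     over connection STS1 to the region that runs the STS.
 DEFINE PROGRAM(DFHSAML) GROUP(SAMLRMT)
        DESCRIPTION(REMOTE DFHSAML ROUTED TO STS REGION)
        REMOTESYSTEM(STS1) REMOTENAME(DFHSAML)
 ADD GROUP(SAMLRMT) LIST(APPLIST)
/*
```

Run the job once against the shared CSD, then start or cold-start each region with the GRPLIST that names its list. Because the application region holds only a remote definition, a SAML assertion presented to a pipeline there is validated in the STS region, and only that region's keyring needs the signer certificates.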

Results

CICS is configured for SAML.

What to do next

You can validate your configuration, as described in Validating your configuration of CICS for SAML.