IBM Support

Dashboard Application Services Hub (DASH): Enable SAML authentication

Troubleshooting


Problem

1. Install the SAML ACS application
    cd /opt/IBM/WebSphere/AppServer/bin
    ./wsadmin.sh -f installSamlACS.py install JazzSMNode01 server1
2. Check both Enable administrative security and Enable application security.
5. Set security properties
  • Navigate to Security > Global security. Then select Custom properties.
  • Set the property com.ibm.websphere.security.performTAIForUnprotectedURI = true
  • Set the property com.ibm.websphere.security.DeferTAItoSSO to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

Note: If the property already exists, replace its value. If it does not exist, create it.

  • Navigate to Security > Global security. Then select Custom properties.
  • Check the list for com.ibm.websphere.security.InvokeTAIbeforeSSO
  • If com.ibm.websphere.security.InvokeTAIbeforeSSO does not exist, select New and define the following custom property information:
    Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
    Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
  • If com.ibm.websphere.security.InvokeTAIbeforeSSO exists:
    • Select com.ibm.websphere.security.InvokeTAIbeforeSSO
    • Add a comma to the end of the existing value.
    • Add com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor to the end of the existing value.
  • Select OK.
  • Apply and Save the changes.
6. Configure trusted realms
  • Navigate to Security > Global Security > RMI/IIOP security > CSIv2 inbound communications > Trusted authentication realms – inbound.
  • Select Trust realms as indicated below.
  • Add the SSO realm to the list of trusted realms. This value must be the SSO issuer/entityID for the right environment.
  • Ensure you do not add blanks at the beginning or end of the realm.
  • Apply and Save the changes.
  • Navigate to Security > Global security > RMI/IIOP security > CSIv2 outbound communications > Trusted authentication realms – outbound.
  • Select Trust realms as indicated below.
  • Add the SSO realm to the list of trusted realms. This value must be the SSO issuer/entityID for the right environment.
  • Ensure you do not add blanks at the beginning or end of the realm.
  • Apply and Save the changes.
7. Map special subjects
  • Navigate to Applications > Application types > WebSphere enterprise applications. Then select the enterprise application you are protecting with SSO.
  • Select Security role to user/group mapping.
  • Check all roles.
  • From the Map Special Subjects drop down list, select All authenticated in Trusted Realms. Then select OK and Save the changes.

Note: If the Security role to user/group mapping option is not shown for the application in WAS, check its web.xml and add the security constraint and the role there. Then redeploy the application; the option should now appear in WAS.

8. Enable trust association.
  • Navigate to Security > Global Security > Web and SIP Security > Trust Association.
  • Select Enable trust association. Then Apply and Save the changes.
  • Select Interceptors.
  • Select New.
  • Interceptor class name must be com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
  • Create custom properties as follows:

Note: The property names are case sensitive.

Name: sso_1.sp.acsUrl
Value: https://<hostname>:16311/samlsps/netcool
Comment: This value depends on the SAML ACS application context root; the default is samlsps. If you modify the SAML ACS application context root, you must set this value with care.

Name: sso_1.sp.idMap
Value: localRealm
Comment: This property specifies how the SAML token is mapped to the subject.

Name: sso_1.idp_1.EntityID
Value: SSO issuer/entity url

Name: sso_1.idp_1.SingleSignOnUrl
Value: SSO issuer/entity url

Name: sso_1.sp.login.error.page
Value: SSO issuer/entity url

Name: sso_1.sp.filter
Value: request-url^=ibm/console|snoop

  • Apply and Save the changes.
    • Note 1: NOI Hybrid: sso_1.sp.filter = request-url^=oauth2/login.jsp|snoop
    • Note 2: WebGUI static HTML files: sso_1.sp.filter = request-url=/ibm/console;request-url!=/ibm/console/webtop. If the deployment is cross-domain, also set /ibm/console/webtop/mobile/<name of html file> in the CSRF property on the DASH Settings > Console Properties page and restart the WebSphere profile server.
9. Register (onboard) your SAML application with the SSO issuer.
10. Restart the DASH profile server.
11. Access the URL https://hostname:16311/ibm/console; it should redirect to the identity provider page.
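As an added illustration (not part of the IBM article), the following Python models how an sso_1.sp.filter expression such as the one in step 8 decides which request URLs the SAML TAI intercepts, so a filter can be reviewed before it is saved: too narrow leaves console paths outside SSO, too broad pulls in paths that must stay local (the ACS endpoint, for example). Assumptions: the operator semantics follow the WebSphere TAI filter documentation as I read it (== equal, != not equal, %= contains, ^= contains one of the |-separated values, ; joins conditions with AND); only the request-url input is modelled and it is compared against the request path; the sample paths and the second filter are constructed.

```python
# Added example: model of the WebSphere SAML TAI "sso_<id>.sp.filter" syntax.
# ASSUMED semantics (verify against your WAS version): conditions are joined by ';'
# (AND); each is <input><operator><value>; '==' equal, '!=' not equal, '%=' contains,
# '^=' contains one of the '|'-separated alternatives. Only the request-url input is
# modelled, and it is compared against the request path.
import re
from typing import List, Tuple

_CONDITION = re.compile(r"^([A-Za-z-]+)(==|!=|%=|\^=)(.+)$")
CONSOLE_FILTER = "request-url^=ibm/console|snoop"  # value from the article, step 8
# Constructed variant: cover the console but exclude one exact path.
NARROW_FILTER = "request-url%=/ibm/console;request-url!=/ibm/console/webtop"

def parse_filter(expr: str) -> List[Tuple[str, str, str]]:
    """Split a filter into (input, operator, value) triples; reject unknown syntax."""
    conditions = []
    for raw in filter(None, (c.strip() for c in expr.split(";"))):
        m = _CONDITION.match(raw)
        if not m:
            raise ValueError(f"unsupported filter condition: {raw!r}")
        conditions.append((m.group(1), m.group(2), m.group(3)))
    if not conditions:
        raise ValueError("empty filter")
    return conditions

def is_valid_filter(expr: str) -> bool:
    """True if every condition uses a modelled input and operator."""
    try:
        return all(inp == "request-url" for inp, _, _ in parse_filter(expr))
    except ValueError:
        return False

def _holds(op: str, actual: str, value: str) -> bool:
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "%=":
        return value in actual
    return any(alt in actual for alt in value.split("|"))  # '^=' contains one of

def tai_intercepts(expr: str, request_path: str) -> bool:
    """True if the TAI would claim the request (unauthenticated users go to the IdP)."""
    for inp, op, value in parse_filter(expr):
        if inp != "request-url":
            raise ValueError(f"input {inp!r} is not modelled")
        if not _holds(op, request_path, value):
            return False
    return True
```

Running tai_intercepts(NARROW_FILTER, "/ibm/console/webtop/mobile/x.html") returns True: an exact-match exclusion with != does not exclude sub-paths, so a filter meant to carve out static files must be checked against the real paths it is supposed to release.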


Document Information

Modified date:
14 May 2024

UID

ibm17150687