PingOne® for Enterprise is a fast, simple and easy identity-as-a-service (IDaaS) single sign-on (SSO) offering that enables
enterprises to give their users federated access to applications with a single click from a secure, cloud-based dock,
accessible from any browser or mobile device. PingOne for Enterprise reduces user password sprawl and improves user
experience, all while improving business agility and driving administrative efficiency. Access PingOne Data Sheet
PingOne® For Enterprise, posted by Howard Mahoney, 2019-09-09.
The goal is to provide federated single sign-on (SSO) for IBM Security Identity Manager (ISIM) without IBM Security Access Manager (ISAM). IBM's documentation for ISIM only describes SSO in terms of ISAM's WebSEAL authentication. After further investigation and prototyping, SSO through a third-party IdP (Okta) has been successfully implemented in a live environment.
How to Configure
To configure single sign-on with the WebSphere SAML SP, the Trust Association Interceptor (TAI) and a third-party IdP, complete the following steps:
1. Deploy WebSphere SAML SP
WebSphere supports SAML web SSO and serves as the service provider (SP) for ISIM. WebSphere consumes the SAML assertion issued by the IdP and establishes a security context for the user, which ISIM then accepts in place of its own login form.
2. Configure WebSphere Trust Association Interceptor
Enable trust association for the Assertion Consumer Service (ACS) deployed with WebSphere. The TAI validates the signed SAML response from the third-party IdP and then performs an identity lookup against the WebSphere user registry to verify that the asserted user exists in ISIM; a user the IdP asserts but ISIM does not know must not be let in.
3. Configure ISIM for SSO
As noted above, the Knowledge Center documentation for ISIM states that IBM Security Access Manager is required for SSO, but this is not the case. A few ISIM properties must be configured to prepare ISIM for SSO. Once those properties are enabled, the ISIM console and ISIM self-service login pages expect SSO as the method of authentication rather than prompting for a local password.
4. Configure ISIM Security Domain
Deploying the ISIM application creates its own WebSphere security domain, named ISIMSecurityDomain. For ISIM to invoke the TAI, three TAI-related custom properties must be set within that security domain. These properties tell the domain to hand requests to the TAI, whose own configuration holds the triggers (URL filters), login URLs and ID-mapping properties that complete SSO.
**NOTE** Application security is enabled by default for ISIM. For any application using a TAI, application security must remain enabled; with it off, the TAI never runs and the SSO configuration is silently bypassed.
5. Enable Trust Association Interceptor
Once the Assertion Consumer Service, Trust Association Interceptor and the properties above are configured, the final step is to enable trust association under Global Security and restart the servers so the new security configuration is loaded.
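The steps above leave the security of the whole setup resting on a handful of TAI property values (which signers are trusted, whether assertions must be signed, how the asserted identity is mapped to an ISIM user, and whether the security domain actually invokes the TAI). The following is an added example, not PathMaker or IBM code: an offline pre-flight audit of a SAML TAI property set before it is applied to ISIMSecurityDomain. The property names (sso_<n>.sp.*, sso_<n>.idp_<n>.*, the ACS TAI class name and the three com.ibm.websphere.security.* domain properties) are taken from my recollection of WebSphere's SAML web SSO TAI documentation and are assumptions to confirm against the Knowledge Center for your release; the hostnames, alias and ISIM URL filter in the sample dictionaries are constructed placeholders.

```python
"""Offline pre-flight audit of a WebSphere SAML TAI property set before it is
applied to ISIMSecurityDomain.  Added example, not PathMaker or IBM code.
Property names follow WebSphere's SAML web SSO TAI documentation as recalled
by the editor (assumption): confirm them for your WebSphere release."""

from urllib.parse import urlparse

# Class name of the WebSphere SAML Assertion Consumer Service TAI (assumed).
ACS_TAI_CLASS = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"

# Security-domain custom properties that route requests to the TAI; assumed
# to be the three the write-up refers to.
INVOKE_TAI = "com.ibm.websphere.security.InvokeTAIbeforeSSO"
TAI_UNPROTECTED = "com.ibm.websphere.security.performTAIForUnprotectedURI"
DEFER_TAI = "com.ibm.websphere.security.DeferTAItoSSO"


def audit_tai(tai_props, domain_props, sso_id=1, idp_id=1):
    """Return a list of (code, detail) findings for one sso_<n> partner.
    An empty list means every check below passed."""
    sp = f"sso_{sso_id}.sp."
    idp = f"sso_{sso_id}.idp_{idp_id}."
    get = lambda key: str(tai_props.get(key, "")).strip()
    findings = []

    # The ACS receives a bearer assertion; it must only be reachable over TLS.
    acs = urlparse(get(sp + "acsUrl"))
    if acs.scheme != "https" or not acs.netloc:
        findings.append(("ACS_NOT_HTTPS", get(sp + "acsUrl") or "<unset>"))

    # Signature trust must be pinned to the IdP's certificate, never "any signer".
    if get(sp + "trustAnySigner").lower() == "true":
        findings.append(("TRUST_ANY_SIGNER", sp + "trustAnySigner=true"))
    for key in ("EntityID", "certAlias"):
        if not get(idp + key):
            findings.append(("IDP_MISSING", idp + key))

    # Unsigned assertions would let anyone who can reach the ACS mint an identity.
    if get(sp + "wantAssertionsSigned").lower() != "true":
        findings.append(("UNSIGNED_ASSERTIONS_ALLOWED", sp + "wantAssertionsSigned"))

    # localRealm makes the TAI look the asserted user up in WebSphere's registry
    # (the "verify the user exists in ISIM" step); idAssertion skips that lookup.
    if get(sp + "idMap") != "localRealm":
        findings.append(("IDMAP_NOT_LOCALREALM", get(sp + "idMap") or "<unset>"))

    # Scope the interceptor to the ISIM console and self-service paths only.
    if not get(sp + "filter"):
        findings.append(("NO_FILTER", sp + "filter unset: TAI fires on every URL"))

    # Domain wiring: all three properties present and the ACS TAI named explicitly.
    for key in (INVOKE_TAI, TAI_UNPROTECTED, DEFER_TAI):
        if key not in domain_props:
            findings.append(("DOMAIN_PROP_MISSING", key))
    if ACS_TAI_CLASS not in str(domain_props.get(INVOKE_TAI, "")):
        findings.append(("TAI_NOT_INVOKED", INVOKE_TAI))
    return findings


# Constructed sample inputs: a typical first attempt and the hardened version.
WEAK_TAI = {
    "sso_1.sp.acsUrl": "http://isim.example.com:9080/samlsps/acs",
    "sso_1.sp.trustAnySigner": "true",
    "sso_1.sp.idMap": "idAssertion",
    "sso_1.idp_1.EntityID": "https://idp.example.com/saml/metadata",
}
WEAK_DOMAIN = {INVOKE_TAI: ""}

HARDENED_TAI = {
    "sso_1.sp.acsUrl": "https://isim.example.com:9443/samlsps/acs",
    "sso_1.sp.trustAnySigner": "false",
    "sso_1.sp.wantAssertionsSigned": "true",
    "sso_1.sp.idMap": "localRealm",
    "sso_1.sp.filter": "request-url%=/itim/console;request-url%=/itim/self",
    "sso_1.idp_1.EntityID": "https://idp.example.com/saml/metadata",
    "sso_1.idp_1.certAlias": "idp-signing",
}
HARDENED_DOMAIN = {INVOKE_TAI: ACS_TAI_CLASS, TAI_UNPROTECTED: "true", DEFER_TAI: ""}


if __name__ == "__main__":
    for label, tai, dom in (("weak", WEAK_TAI, WEAK_DOMAIN),
                            ("hardened", HARDENED_TAI, HARDENED_DOMAIN)):
        print(f"{label}:")
        for code, detail in audit_tai(tai, dom) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

Run the audit against the property values you intend to pass to wsadmin (or read back from the interceptor's custom properties after applying them); anything it flags, in particular trustAnySigner or an idMap other than localRealm, should be resolved before trust association is enabled in Global Security.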
Assumptions
Completing the configuration of the WebSphere SAML SP and SSO assumes the following:
Knowledge of deploying WebSphere middleware applications
Certificate management
Preconfigured and functioning IdP
Understanding of Security Context for WebSphere applications
General understanding of SAML
Joshua Moore
PathMaker Group Consultant
WebSphere SAML SP for ISIM SSO, posted by Howard Mahoney, 2018-02-15 (updated 2018-04-05).