WebSphere SAML SP for ISIM SSO

Use Case

Provide Federated single sign-on (SSO) capabilities for IBM Security Identity Manager without the use of IBM Security Access Manager. IBM’s documentation for ISIM explicitly defines how to configure SSO with the use of ISAM’s WebSEAL Authentication. After further investigation and prototyping, SSO capabilities using a third party IdP (Okta) have been successfully implemented into a live environment.


How to Configure

To configure single sign-on with the WebSphere SAML SP, Trust Association Interceptor, and a third-party IdP, complete the following steps:

1. Deploy WebSphere SAML SP

WebSphere supports SAML web SSO and serves as the service provider for ISIM. WebSphere consumes the SAML assertion from the IdP and establishes a security context for the user in ISIM.

2. Configure WebSphere Trust Association Interceptor

Enable Trust Association for the Assertion Consumer Service deployed with WebSphere. The TAI will validate the request from a third-party IdP and will then perform an identity lookup to verify the user exists in ISIM.

3. Configure ISIM for SSO

To reiterate, the Knowledge Center documentation for ISIM states you are required to use IBM Security Access Manager to accomplish SSO, but this is not the case. There are a few properties that must be configured to prepare ISIM for SSO. Once these properties are enabled, the ISIM console and ISIM self-service login pages will be expecting SSO as the method of authentication.

4. Configure ISIM Security Domain

The deployment of the ISIM application creates its own security domain, named ISIMSecurityDomain. For ISIM to invoke the TAI there are three TAI properties which must be set within the ISIM security domain. These properties tell the security domain to leverage the TAI which contains the triggers, login URLs, and other ID mapping properties to complete SSO.

**NOTE** Application security is enabled by default for ISIM. For any application using TAI, application security must be enabled.

5. Enable Trust Association Interceptor

Once the Assertion Consumer Service, Trust Association Interceptor, and the various properties are configured, the final step is to enable the TAI under Global Security.
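The checks the TAI performs in steps 2 and 4 (validate the assertion delivered to the Assertion Consumer Service, then look the subject up in ISIM) are modelled below as an added, stand-alone Python example; this is illustrative code, not WebSphere's TAI implementation. The sample assertion, the IdP and SP URLs, and the `ISIM_USERS` set are constructed placeholders, and the assertion's XML signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; its XML signature is assumed verified upstream.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://isim.example.com/samlsps/acs"
                                    NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://isim.example.com/samlsps</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Placeholder SP settings and a stand-in for the ISIM user lookup (assumed data).
SP_CONFIG = {"idp_entity_id": "https://idp.example.com",
             "acs_url": "https://isim.example.com/samlsps/acs",
             "audience": "https://isim.example.com/samlsps"}
ISIM_USERS = {"jdoe", "asmith"}

def ts(s):
    # SAML timestamps are UTC; make them timezone-aware for safe comparison.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def tai_authenticate(xml_text, now, cfg=SP_CONFIG, users=ISIM_USERS):
    """Return (True, principal) or (False, reason) for one assertion."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        return False, "unexpected issuer"            # only the trusted IdP may assert
    cond = root.find("saml:Conditions", NS)
    if now < ts(cond.get("NotBefore")) or now >= ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["audience"]:
        return False, "audience mismatch"            # assertion was minted for another SP
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != cfg["acs_url"] or now >= ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation rejected"  # not addressed to this ACS
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in users:
        return False, "no matching ISIM user"        # identity lookup failed
    return True, name_id
```

A real deployment reads the clock instead of taking `now` as a parameter; it is passed in here so the validity-window checks can be exercised deterministically.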

Assumptions

Completing the configuration of the WebSphere SAML SP and SSO assumes the following:

  • Knowledge of deploying WebSphere middleware applications
  • Certificate management
  • Preconfigured and functioning IdP
  • Understanding of Security Context for WebSphere applications
  • General understanding of SAML

Joshua Moore
PathMaker Group Consultant

Using WebSphere Process Server in your SOA Infrastructure

WebSphere Process Server (WPS) is the runtime engine for artifacts produced in a business-driven development process. It allows orchestration of business assets into highly optimized and effective processes to meet business goals. It is a single, integrated runtime foundation for deploying service-oriented architecture (SOA) based business processes. Built on open standards, it deploys and executes processes that orchestrate services (people, information, systems, and trading partners) within your SOA or non-SOA infrastructure. It helps increase efficiency and productivity by automating complicated processes that span people, partners, and systems. It helps cut costs by enabling flexible business processes with reusable assets, thus reducing the need to hard-code changes across multiple applications. It can track the state of process instances, handle human intervention, and deal with exceptions.

WPS runs on top of WebSphere Application Server (WAS) with its robust J2EE runtime and offers a new level of abstraction, so the task of integrating applications and services becomes much easier.