WebSphere SAML SP for ISIM SSO
Use Case
Provide federated single sign-on (SSO) capabilities for IBM Security Identity Manager without the use of IBM Security Access Manager. IBM's documentation for ISIM explicitly defines how to configure SSO with the use of ISAM's WebSEAL authentication. After further investigation and prototyping, SSO capabilities using a third-party IdP (Okta) have been successfully implemented in a live environment.
How to Configure
To configure single sign-on with the WebSphere SAML SP, Trust Association Interceptor and a third-party IdP, complete the following steps:
1. Deploy WebSphere SAML SP
WebSphere supports SAML web SSO and serves as the service provider for ISIM. WebSphere will consume the SAML assertion from our IdP and establish a security context for the user in ISIM.
2. Configure WebSphere Trust Association Interceptor
Enable Trust Association for the Assertion Consumer Service deployed with WebSphere. The TAI will validate the request from a third-party IdP and will then perform an identity lookup to verify the user exists in ISIM.
3. Configure ISIM for SSO
To reiterate, the Knowledge Center documentation for ISIM states you are required to use IBM Security Access Manager to accomplish SSO, but this is not the case. There are a few properties that must be configured to prepare ISIM for SSO. Once these properties are enabled, the ISIM console and ISIM self-service login pages will expect SSO as the method of authentication.
4. Configure ISIM Security Domain
The deployment of the ISIM application creates its own security domain, named ISIMSecurityDomain. For ISIM to invoke the TAI there are three TAI properties which must be set within the ISIM security domain. These properties tell the security domain to leverage the TAI which contains the triggers, login URLs, and other ID mapping properties to complete SSO.
**NOTE** Application security is enabled by default for ISIM. For any application using TAI, application security must be enabled.
5. Enable Trust Association Interceptor
Once the Assertion Consumer Service, Trust Association Interceptor, and the various properties are configured, the next step is to enable the TAI for Global Security.
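The two jobs steps 1 and 2 give to the SAML SP and the TAI, validating the response the IdP posts to the Assertion Consumer Service and then looking the asserted subject up in ISIM before a security context is created, are easy to describe but easy to get wrong. The following is an added example written for this page, not code from WebSphere, ISIM or the original article: a stand-alone Python model of those checks run over a constructed, unsigned SAML Response. The entity IDs, ACS URL, clock-skew window and the user registry are placeholder assumptions, and signature verification is deliberately left out (in WebSphere it happens against the IdP certificate in the SP truststore and must succeed before any of these checks matter).

```python
"""TAI-style checks before a SAML subject becomes an ISIM security context.

Added example (not WebSphere/ISIM code). Entity IDs, URLs, skew window and the
registry are constructed placeholders. Signature verification is not modelled.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP/IdP configuration (placeholders, not values from the page).
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
SP_ENTITY_ID = "https://isim.example.com/sp"
ACS_URL = "https://isim.example.com/samlsps/acs"
CLOCK_SKEW = timedelta(minutes=3)
DEMO_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # "current time" for the demo

# Constructed stand-in for the ISIM user registry the TAI would consult.
ISIM_REGISTRY = {"jdoe": {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "status": "active"}}


class AssertionRejected(Exception):
    """A check failed; the SP should send the user to its login error page."""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, expected_in_response_to=None):
    """Check issuer, validity window, audience, recipient and InResponseTo; return NameID."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise AssertionRejected("expected exactly one Assertion")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    conds = a.find("saml:Conditions", NS)
    if conds is None:
        raise AssertionRejected("missing Conditions")
    if "NotBefore" in conds.attrib and now < _ts(conds.attrib["NotBefore"]) - CLOCK_SKEW:
        raise AssertionRejected("assertion not yet valid")
    if "NotOnOrAfter" in conds.attrib and now >= _ts(conds.attrib["NotOnOrAfter"]) + CLOCK_SKEW:
        raise AssertionRejected("assertion expired")
    audiences = [e.text for e in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.attrib.get("Recipient") != ACS_URL:
        raise AssertionRejected("Recipient does not match the ACS URL")
    if "NotOnOrAfter" in scd.attrib and now >= _ts(scd.attrib["NotOnOrAfter"]) + CLOCK_SKEW:
        raise AssertionRejected("subject confirmation expired")
    if expected_in_response_to and scd.attrib.get("InResponseTo") != expected_in_response_to:
        raise AssertionRejected("InResponseTo does not match the AuthnRequest we issued")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise AssertionRejected("missing NameID")
    return name_id


def map_to_isim_user(name_id, registry=ISIM_REGISTRY):
    """Identity lookup: the asserted NameID must exist and be active in ISIM."""
    user = registry.get(name_id)
    if user is None or user.get("status") != "active":
        raise AssertionRejected(f"no active ISIM user for {name_id!r}")
    return {"principal": name_id, "dn": user["dn"]}


def decide(xml_text, now=DEMO_NOW, expected_in_response_to=None, registry=ISIM_REGISTRY):
    """Full flow: validate, then look up. Returns ("ok", context) or ("rejected", reason)."""
    try:
        return "ok", map_to_isim_user(validate_response(xml_text, now, expected_in_response_to), registry)
    except AssertionRejected as exc:
        return "rejected", str(exc)


def sample_response(name_id="jdoe", audience=SP_ENTITY_ID, not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed, unsigned SAML Response used for the demonstration."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(decide(sample_response(), expected_in_response_to="_req42"))
    print(decide(sample_response(name_id="mallory")))
```

The order of the checks is the point: the subject is only looked up in the registry after the assertion has been tied to this SP (audience), this endpoint (recipient), this request (InResponseTo) and the current time window, so an assertion minted for another service provider or replayed later never reaches the identity lookup, and an asserted user that ISIM does not know yields no security context.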
Assumptions
There are a few key assumptions for completing the configuration of the WebSphere SAML SP and SSO.
- Knowledge of deploying WebSphere middleware applications
- Certificate management
- Preconfigured and functioning IdP
- Understanding of Security Context for WebSphere applications
- General understanding of SAML