Title: Configuring IBM Case Manager/Content Navigator for SAML Single Sign-on
Subtitle: Deploying P8 Application using FileNet Deployment Manager
Keywords: SAML, Case Manager, Content Navigator, Single Sign-on, SSO, WebSphere, ACS, TAI
Author: Manoj K. Khilnani
Company: IBM
Abstract: SAML (Security Assertion Markup Language) is an open standard for exchanging
authentication and authorization data between an identity provider and a service provider. In
the enterprise, customers require single sign-on across all of their applications regardless of
how each application is implemented, and SAML, as an open XML-based standard, fits this
requirement. IBM Case Manager and IBM Content Navigator are applications that run on
WebSphere Application Server, which allows Case Manager to use any single sign-on
capability that WebSphere provides. WebSphere Application Server acts as the Service
Provider in the SAML sign-on environment: it relies on the Identity Provider to authenticate
the user and to send a SAML assertion, which WebSphere then consumes. This article
describes the steps needed to configure Case Manager for SAML-based single sign-on.
Page 1 of 14
1. Introduction (page 3)
2. Planning (page 4)
2.1 Prerequisites (page 4)
2.2 Send ICN Service Provider Information to the Identity Provider (page 4)
2.3 Collect Identity Provider Metadata file (page 4)
3. Installing SAML ACS Application (page 5)
3.1 Verify the Security (page 5)
3.2 Install SAML ACS application into ICN Server (page 5)
3.3 Map WebSphereSamlSP Application (page 5)
4. Configure SAML TAI (page 6)
4.1 Enable SAML TAI SSO (page 6)
4.2 Validate SAML TAI SSO Initial Setup (page 6)
4.3 Configure WAS as SP partner (page 7)
4.3.1 Add identity provider using metadata of the IdP (page 7)
4.4 Add IdP realms to the list of inbound trusted realms (page 8)
4.5 Configure SAML TAI SSO Additional Parameters (page 8)
4.6 Export WAS SP Metadata file (page 10)
5. Redeploy ICN (page 11)
6. Unrestricted JCE Policy Files (page 12)
7. Tracing (page 13)
8. References (page 14)
1. Introduction
This document describes the procedure for configuring the SAML TAI for IBM Case Manager, which runs on
WebSphere Application Server 8.5.
The SAML Web SSO feature requires the SAML Assertion Consumer Service (ACS) application to be installed and
the SAML TAI to be enabled. WebSphere can act only as a SAML Service Provider (SP), not as an Identity
Provider (IdP). WebSphere supports only IdP-initiated SSO and bookmark-style SP-initiated SSO: in the
bookmark style, an unauthenticated request for a protected URL is redirected to the IdP login page configured
on the TAI, and the IdP posts the assertion back to the ACS. The diagram below (not reproduced in this text)
shows WebSphere in the bookmark-style SP-initiated SSO flow.
2. Planning
2.1 Prerequisites
3. Installing SAML ACS Application
Cluster installation (install the ACS application on the cluster that hosts the ICN application, so that the
/samlsps assertion consumer URL is served by the same WebSphere that runs the TAI):
wsadmin -f C:\IBM\WebSphere\AppServer\bin\installSamlACS.py install <ClusterName> -username <wasadmin> -password <wasadmin password>
4. Configure SAML TAI
wsadmin> AdminConfig.save()
wsadmin> quit
b. sso_1.sp.idMap: localRealm
idAssertion - the user named in the SAML assertion is not checked against the local registry; any user the IdP
asserts is accepted, so the IdP is trusted for the user's existence as well as for authentication.
localRealm - the user named in the SAML assertion must exist in the local registry.
localRealmThenAssertion - the user named in the SAML assertion is first looked up in the local registry; if it
does not exist there, WAS proceeds as for idAssertion.
Verify: the IdP signer certificate (alias SAMLSignerCert) has been added to NodeDefaultTrustStore; the TAI
validates the assertion signature against this truststore (see sso_1.sp.trustStore below).
For each identity provider that is used with your WebSphere Application Server service provider, you must
grant inbound trust to all the realms that are used by the identity provider.
Note: This allows the end user to open any desktop URL; after SAML authentication the user is redirected back
to that initial desktop URL.
c. sso_1.sp.trustStore
This property specifies the truststore used to validate the SAML signature. It names a managed keystore.
Example: NodeDefaultTrustStore
d. sso_1.sp.keyStore
This property specifies the keystore that contains the private key used to decrypt an encrypted SAML
assertion.
Example: NodeDefaultKeyStore
e. sso_1.sp.keyName
This property specifies the name of the key used to decrypt the SAML assertion. This is the certificate that
is presented to the IdP; the IdP encrypts the assertion to its public key.
Example: default
f. sso_1.sp.keyPassword
This property specifies the password of the key used to decrypt the SAML assertion. The default password of
NodeDefaultKeyStore is WebAS; use the password that is actually set on your keystore.
Example: changeit
g. sso_1.sp.keyAlias
This property specifies the alias of the key used to decrypt the SAML assertion. This is the same certificate
that is presented to the IdP.
Example: default
h. sso_1.sp.login.error.page
This property specifies the error page, IdP login page, or custom mapping class to which an
unauthenticated client request is redirected. For bookmark-style SSO it is the IdP login URL, with the
service provider ID and the RelayState (the ICN desktop URL to return to) passed as query parameters; the
parameter names are those of the IdP in use.
Example:
https://<IDP_Host>/<URL>?PartnerSpId=https://<loadbalancer_icnserver>/samlsps/WASSSO&RelayState=https://<loadbalancer_icnserver>/navigator/?desktop=icm
i. sso_1.sp.filter: request-url%=navigator
This property limits the TAI to requests whose URL contains "navigator"; only those are redirected to the
login error page. Requests that do not match are handled by WebSphere's normal authentication.
The following properties are optional.
j. sso_1.sp.uniqueId
Example: uid
By default the NameID of the SAML response is used as the user ID in the JAAS Subject. To use a different
attribute of the assertion instead, set uniqueId and principalName to that attribute name.
k. sso_1.sp.principalName
Example: uid
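As an added example, not code from the article or from IBM, the following Python script assembles the sso_1.sp.* values from 4.5 and models the three parts whose behaviour matters most: how the login error page URL should be built (the article's example leaves PartnerSpId and RelayState unencoded, which only works while the RelayState itself contains no "&"), what the request-url filter operators match, and what each idMap mode does with a user that the IdP asserts but the local registry does not know. The host names, the IdP login path, the registry contents and the filter-operator subset are assumptions.

```python
"""Added example (not from the article or IBM): build the SAML TAI properties
for the ICN service provider and model the parts that are easy to get wrong."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment values (not taken from the article).
IDP_LOGIN_URL = "https://idp.example.com/idp/login"    # base of sso_1.sp.login.error.page
ICN_BASE = "https://icn.example.com"                     # load balancer in front of the ICN servers
SP_ID = ICN_BASE + "/samlsps/WASSSO"                     # PartnerSpId the IdP knows this SP by
ICN_DESKTOP = ICN_BASE + "/navigator/?desktop=icm"       # RelayState: where the user lands after SSO


def login_error_page(idp_login_url, partner_sp_id, relay_state):
    """Value for sso_1.sp.login.error.page with both query values percent-encoded.

    Raw values work only while the RelayState contains no '&'; urlencode()
    makes any target URL safe, and the IdP decodes it before echoing it back
    to the assertion consumer service.
    """
    query = urlencode({"PartnerSpId": partner_sp_id, "RelayState": relay_state})
    return idp_login_url + "?" + query


def relay_state_from(error_page):
    """RelayState as the IdP will see it after decoding (round-trip check)."""
    return parse_qs(urlsplit(error_page).query)["RelayState"][0]


def filter_matches(filter_expr, request_url):
    """Evaluate a sso_1.sp.filter expression against a request URL.

    Models the request-url attribute with the TAI operators %= (contains),
    == (equals), != (not equals) and ^= (one of, '|'-separated); rules
    separated by ';' must all hold. A request that does not match is left to
    WebSphere's normal authentication instead of being sent to the IdP.
    """
    for rule in [r.strip() for r in filter_expr.split(";") if r.strip()]:
        for op in ("%=", "==", "!=", "^="):
            if op in rule:
                attr, value = [s.strip() for s in rule.split(op, 1)]
                break
        else:
            raise ValueError("unsupported filter rule: %r" % rule)
        if attr != "request-url":
            raise ValueError("only request-url is modelled here, got %r" % attr)
        matched = {
            "%=": value in request_url,
            "==": request_url == value,
            "!=": request_url != value,
            "^=": request_url in value.split("|"),
        }[op]
        if not matched:
            return False
    return True


def resolve_user(name_id, local_registry, id_map):
    """Model the three sso_1.sp.idMap modes for an asserted NameID.

    Returns (user, source) with source 'registry' or 'assertion', or None
    when the login is rejected. idAssertion never consults the registry, so
    any name the IdP asserts becomes a WebSphere subject.
    """
    in_registry = name_id in local_registry
    if id_map == "localRealm":
        return (name_id, "registry") if in_registry else None
    if id_map == "idAssertion":
        return (name_id, "assertion")
    if id_map == "localRealmThenAssertion":
        return (name_id, "registry" if in_registry else "assertion")
    raise ValueError("unknown idMap: %r" % id_map)


def tai_properties():
    """The sso_1.sp.* properties as they would be entered on the SAML TAI."""
    return {
        "sso_1.sp.idMap": "localRealm",
        "sso_1.sp.trustStore": "NodeDefaultTrustStore",
        "sso_1.sp.keyStore": "NodeDefaultKeyStore",
        "sso_1.sp.keyName": "default",
        "sso_1.sp.keyAlias": "default",
        "sso_1.sp.login.error.page": login_error_page(IDP_LOGIN_URL, SP_ID, ICN_DESKTOP),
        "sso_1.sp.filter": "request-url%=navigator",
    }


if __name__ == "__main__":
    for key, value in tai_properties().items():
        print(key, "=", value)
    print(resolve_user("mallory", {"alice"}, "localRealm"))
    print(resolve_user("mallory", {"alice"}, "idAssertion"))
```

The last two lines of the usage section show the point of idMap: with localRealm an asserted "mallory" that the registry does not contain is rejected, with idAssertion the same assertion yields a subject. Choose idAssertion only where the IdP is trusted to vouch for account existence, not just for passwords.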
4.6 Export WAS SP Metadata file:
Each identity provider that is used with your WebSphere Application Server service provider needs to be
configured to add the service provider as an SSO partner. The procedure for adding the service provider
partner to an identity provider depends on the specific identity provider. You can either export the WebSphere
Application Server service provider metadata, and import it to the identity provider, or manually configure the
identity provider to add the service provider.
If the SAML token is encrypted, you must provide the public key certificate that you want the identity
provider to use for encrypting the SAML token, and the certificate must exist in the WebSphere
Application Server default KeyStore before performing an export.
5. Redeploy ICN
The ICN application must be reconfigured so that the Content Navigator authentication option is either
Application server authentication or Application server form-based authentication.
• Open the IBM Content Navigator Configuration and Deployment Tool
• Run the Configure the IBM Content Navigator Web Application task
o Select Application server authentication for the IBM Content Navigator authentication
option. This option configures IBM Content Navigator for federated SSO by using SAML.
6. Unrestricted JCE Policy Files
By default, the Java Cryptography Extension (JCE) ships with restricted (limited-strength) cipher policies.
To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption, you must apply the unlimited
jurisdiction policy files.
If the Identity Provider encrypts assertions with AES-192 or AES-256, download the unrestricted JCE policy
files for the WebSphere JRE ("Unrestricted SDK JCE Policy files for older versions of the SDK") from
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
Note: Check the Java version used by WebSphere and download the policy files that match it.
Refer to:
http://www-01.ibm.com/support/docview.wss?uid=swg21245273
http://www.ibm.com/developerworks/java/jdk/security/index.html
• Replace the following files in /opt/IBM/WebSphere/AppServer/java/jre/lib/security (permissions 755):
o local_policy.jar
o US_export_policy.jar
If this is not done, decrypting an assertion encrypted with a 256-bit key fails with the following error:
[4/8/14 10:32:24:661 GMT-07:00] 00000094 EncryptedData E CWWSS5601E: The following exception
occured while decrypting the message: java.lang.RuntimeException: java.security.InvalidKeyException:
Illegal key size
at com.ibm.ws.wssecurity.xml.xss4j.enc.EncryptionEngineImpl$AESCBC.removeIv(EncryptionEngineImpl.java:1463)
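To confirm, before the first encrypted assertion arrives, whether the policy jars in place actually allow 256-bit AES, here is an added Python check (not from the article or IBM). It unpacks the *.policy entries from local_policy.jar and US_export_policy.jar and computes the effective key-size limit the way the JDK does: the stricter of the two jars wins, so both must be the unrestricted versions. The sample jars it builds are constructed from the standard restricted and unrestricted policy texts so the script runs offline; the lib/security path is an assumption.

```python
"""Added example (not from the article or IBM): report whether the JCE policy
jars in a JRE's lib/security directory permit AES-256."""
import os
import re
import tempfile
import zipfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")

# Policy texts in the form the JDK ships them: the restricted one caps every
# algorithm at 128 bits through the wildcard entry, the unrestricted one grants
# CryptoAllPermission. Reproduced here only to build constructed sample jars.
RESTRICTED_POLICY = """grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};
"""
UNRESTRICTED_POLICY = """grant {
    permission javax.crypto.CryptoAllPermission;
};
"""


def max_key_bits(policy_text, algorithm="AES"):
    """Largest key size the policy text allows for `algorithm`.

    Returns None for unlimited, 0 when no grant applies to the algorithm.
    Like the JDK, the largest of the applicable grants wins.
    """
    if re.search(r"javax\.crypto\.CryptoAllPermission\b", policy_text):
        return None
    limit = 0
    for name, size in re.findall(
            r'CryptoPermission\s+(\*|"[^"]+")\s*,\s*(\*|\d+)', policy_text):
        if name in ("*", '"%s"' % algorithm):
            if size == "*":
                return None
            limit = max(limit, int(size))
    return limit


def check_security_dir(security_dir):
    """Read every *.policy entry in both jars and report the effective AES limit.

    Java applies the intersection of local_policy.jar and US_export_policy.jar,
    so the stricter jar decides; an unrestricted local_policy.jar next to a
    restricted US_export_policy.jar still leaves AES at 128 bits.
    """
    report = {}
    for jar_name in POLICY_JARS:
        with zipfile.ZipFile(os.path.join(security_dir, jar_name)) as jar:
            text = "\n".join(jar.read(n).decode("utf-8", "replace")
                             for n in jar.namelist() if n.endswith(".policy"))
        report[jar_name] = max_key_bits(text)
    limits = [v for v in report.values() if v is not None]
    effective = min(limits) if limits else None
    report["effective_aes_bits"] = effective
    report["aes_256_ok"] = effective is None or effective >= 256
    return report


def build_sample_security_dir(kind):
    """Construct a temporary lib/security directory holding sample policy jars.

    kind is 'restricted' or 'unrestricted'. These are constructed jars for the
    example, not the IBM-signed files from the download page.
    """
    text = {"restricted": RESTRICTED_POLICY, "unrestricted": UNRESTRICTED_POLICY}[kind]
    entries = {"local_policy.jar": "default_local.policy",
               "US_export_policy.jar": "default_US_export.policy"}
    directory = tempfile.mkdtemp(prefix="jce-%s-" % kind)
    for jar_name, entry in entries.items():
        with zipfile.ZipFile(os.path.join(directory, jar_name), "w") as jar:
            jar.writestr(entry, text)
    return directory


if __name__ == "__main__":
    for kind in ("restricted", "unrestricted"):
        print(kind, check_security_dir(build_sample_security_dir(kind)))
```

Point check_security_dir() at <WAS_HOME>/java/jre/lib/security to check an installation. On the Java side the same answer comes from Cipher.getMaxAllowedKeyLength("AES"), which returns Integer.MAX_VALUE once the unrestricted files are in place; the CWWSS5601E "Illegal key size" error above is what you see when it still returns 128.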
7. Tracing
Trace specification for the security, registry and WS-Security components (enable it only while reproducing
the problem; at this level the trace is large):
*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.wssecurity.*=all
• Use an HTTPS web debugging proxy (for example, Fiddler) to verify the SAML request/response flow. The
captured SAML response carries the signed assertion for a real user, so treat the capture as sensitive.
8. References
• Configuring Single sign-on for ICN
• Enabling your system to use the SAML web single sign-on (SSO) feature
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Fae%2Ftwbs_enablesamlsso.html
• Configuring single sign-on (SSO) partners
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html
• Adding SAML web single sign-on (SSO) trust association interceptor (TAI) using the wsadmin command-line utility
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_addsamltaisso.html
• Understanding the WebSphere Application Server SAML Trust Association Interceptor
http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html
• SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.multiplatform.doc/ae/rwbs_samltaiproperties.html
• http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.doc%2Fae%2Fcwbs_samlssosummary.html
• https://www.oasis-open.org/committees/download.php/27819/