Tuesday 19 May 2020

Enabling and Configuring your Maximo system to use the SAML web single sign-on (SSO) | IBM Maximo

Install the SAML ACS application.
Choose one of the following approaches:

Using the administrative console, install the app_server_root/installableApps/WebSphereSamlSP.ear file to your application server or cluster.

Install the SAML ACS application by using the Python (wsadmin Jython) script:

Navigate to the app_server_root/bin directory.

Run the installSamlACS.py script:

wsadmin -f installSamlACS.py install <nodeName> <serverName>
or
wsadmin -f installSamlACS.py install <clusterName>

where <nodeName> is the node name of the target application server, <serverName> is the server name of the target application server, and <clusterName> is the name of the application server cluster.

Enable SAML

You can enable SAML by using either the wsadmin command utility or the administrative console.

Enable SAML using the wsadmin command utility.

Start the WebSphere Application Server.

Start the wsadmin command utility from the app_server_root/bin directory by entering the command:
wsadmin -lang jython

At the wsadmin prompt, enter the following command:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern string>')

where <hostname> is the host name of the system where WebSphere Application Server is installed and <sslport> is the web server SSL port number (WC_defaulthost_secure).

Save the configuration by entering the following command: AdminConfig.save()

Exit the wsadmin command utility by entering the following command: quit
    
Restart the WebSphere Application Server.

Enable SAML using the administrative console.
    
Log on to the WebSphere Application Server administrative console.
    
Click Security > Global security.
    
Expand Web and SIP security and click Trust association.
    
Under the General Properties heading, select the Enable trust association check box and click Interceptors.
   
Click New and enter com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor in the Interceptor class name field.

Under Custom properties, fill in the following custom property information:

Name: sso_1.sp.acsUrl
Value: https://<hostname>:<sslport>/samlsps/<any URI pattern string>
where <hostname> is the host name of the system where WebSphere Application Server is installed and <sslport> is the web server SSL port number (WC_defaulthost_secure).

Note:
If you need multiple, similar entry points for your SAML workflows, you can specify a wildcard instead of a specific URI pattern string at the end of the URL given as the value of this property. Specifying a wildcard as part of the value eliminates the need to configure each of the similar entry points separately. Some examples of valid ways to include a wildcard in the value of this property:
https://<server>/<context_root>/ep1/path1/p*
https://<server>/<context_root>/ep1/path1/*
https://<server>/<context_root>/ep1/*

Warning:
If you are using metadata to configure your SSO, wildcards cannot be used in the acsUrl definition.

Click New and enter the following custom property information:
Name: sso_1.sp.idMap
Value: idAssertion
Click OK.

Go back to Security > Global security and click Custom properties.

Click New and define the following custom property information under General properties:
Name: com.ibm.websphere.security.DeferTAItoSSO
Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

Warning:
The property com.ibm.websphere.security.DeferTAItoSSO was previously used in the default configuration of all installed servers. Now it is only used as part of the SAML configuration. Therefore, even if this property already exists in your system configuration, you must change its value to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.

Multiple values, separated with commas, cannot be specified for this property. It must be set to a single SAML

Click New and define the following custom property information under General properties:
Name: com.ibm.websphere.security.InvokeTAIbeforeSSO
Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
Click OK.


Restart WebSphere Application Server.

SAML is now enabled for WebSphere Application Server.
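The procedure above enters the same handful of values by hand in several places, and getting one of them wrong (an http ACS URL, a wildcard while metadata is in use, a comma-separated DeferTAItoSSO) silently breaks the SAML login. The following is an added example, not IBM's code or part of the original post: it builds the property set from a host name, SSL port and URI pattern, emits the wsadmin line from the page, and audits an existing property set against the rules the page states. The host name and port in the test are constructed sample values.

```python
# Added example (not IBM's code): build and audit the SAML TAI settings the
# page configures by hand. Rules checked are the ones the page states.
from urllib.parse import urlparse

ACS_TAI = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"


def build_saml_tai_config(hostname, sslport, uri_pattern="acs"):
    """Return the TAI and Global security custom properties for one ACS URL."""
    acs_url = "https://%s:%d/samlsps/%s" % (hostname, sslport, uri_pattern)
    return {
        "tai_class": ACS_TAI,
        "tai_properties": {"sso_1.sp.acsUrl": acs_url, "sso_1.sp.idMap": "idAssertion"},
        "global_properties": {
            "com.ibm.websphere.security.DeferTAItoSSO": ACS_TAI,
            "com.ibm.websphere.security.InvokeTAIbeforeSSO": ACS_TAI,
        },
    }


def wsadmin_enable_command(acs_url):
    """The AdminTask line from the page, with the ACS URL filled in."""
    return "AdminTask.addSAMLTAISSO('-enable true -acsUrl %s')" % acs_url


def audit_saml_tai_config(cfg, using_metadata=False):
    """Return findings; an empty list means the settings follow the page's rules."""
    findings = []
    acs = cfg["tai_properties"].get("sso_1.sp.acsUrl", "")
    u = urlparse(acs)
    if u.scheme != "https":
        findings.append("acsUrl must use https on the WC_defaulthost_secure port")
    if not u.path.startswith("/samlsps/") or u.path == "/samlsps/":
        findings.append("acsUrl path must be /samlsps/<URI pattern string>")
    if "*" in acs and using_metadata:
        # Page warning: metadata-based SSO configuration cannot use wildcards.
        findings.append("wildcards cannot be used in acsUrl when SSO is configured from metadata")
    if cfg["tai_properties"].get("sso_1.sp.idMap") != "idAssertion":
        findings.append("sso_1.sp.idMap must be idAssertion")
    defer = cfg["global_properties"].get("com.ibm.websphere.security.DeferTAItoSSO", "")
    if "," in defer:
        findings.append("DeferTAItoSSO cannot hold multiple comma-separated values")
    elif defer != ACS_TAI:
        findings.append("DeferTAItoSSO must be set to %s" % ACS_TAI)
    if cfg["global_properties"].get("com.ibm.websphere.security.InvokeTAIbeforeSSO") != ACS_TAI:
        findings.append("InvokeTAIbeforeSSO must be set to %s" % ACS_TAI)
    return findings
```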


For reference, see the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SS7K4U_9.0.5/com.ibm.websphere.zseries.doc/ae/twbs_enablesamlsso.html