
saml-dev message


Subject: RE: [saml-dev] protecting WebSphere with a SAML SP

Hi Tom,
Sorry for the late response. I've successfully used SAML v2 to perform SSO to WebSphere Portal v5.1. However, we were able to make use of WebSEAL (a reverse proxy server that is part of Tivoli Access Manager), as that was already integrated into the Portal environment. WebSEAL supports delegating authentication to an external source (e.g. a Java servlet) so that made it really easy.
We only supported Web Browser SSO protocol over HTTP POST binding though, and only as a Service Provider. We didn't implement any other part of SAML.
If you don't have a reverse proxy server in the picture, I don't think TAI is the way to go. Instead you might want to look at implementing a custom JAAS login module that (for example) validates the SAML response. This might get you started:
Keep in mind WebSphere Portal is just an application running on WebSphere Application Server, and piggybacking on its authentication. So if you're just doing SSO then you don't really need to worry about Portal itself. However, I'm not sure if they want you to do anything portlet-specific with SAML, like having portlets use SAML to sign on to other resources for example.
Mike Lucas
IBM Global Services
-----Original Message-----
From: bbbrandt@mmm.com [mailto:bbbrandt@mmm.com]
Sent: Friday, August 22, 2008 4:25 PM
To: Tom Scavo
Cc: SAML Developers
Subject: Re: [saml-dev] protecting WebSphere with a SAML SP

One way is to do token translation (from SAML to a token format WebSphere already supports) prior to the web requests getting to WebSphere app server (and the WebSphere portal server app).

As of WebSphere 6.1 (the last time I checked) IBM did not have native support for SAML assertions in their app servers. There are newer versions of WebSphere that may, but I've not heard positive confirmation of that. IBM does support 3rd party authentication tokens however, with their TAI (Trust Association Interceptor). You can utilize this interceptor to take a 3rd party token (CA Siteminder cookie, IBM Tivoli cookie, Kerberos ticket, etc.) to get SSO credentialed to a format IBM understands (LTPA cookie --- lightweight third party authentication). Once that format is achieved all the normal user sessioning works just fine, and even works across other IBM products (such as Domino servers).

So... if you come into a token translating service with a SAML token (SOAP gateway, SAML federation server, etc.) and come out of that with a token type WebSphere already understands (LTPA or any third party cookie it supports through its TAI interface), you can get SSO into WebSphere. I won't go into specific SOAP firewalls or products but they do exist. Now... if IBM supports SAML tokens directly (which they might now do) that would be the easiest way for sure.

Bob Brandt, 3M

From: "Tom Scavo" <trscavo@gmail.com>
To: "SAML Developers" <saml-dev@lists.oasis-open.org>
Date: 08/22/2008 12:29 PM
Subject: [saml-dev] protecting WebSphere with a SAML SP

We've been asked to SAML-enable the WebSphere portal framework.  I
know nothing about the latter, so I'd be interested in hearing from
anyone who has successfully done that.  If so, what SAML
implementation did you use, and which version of WebSphere was

Many thanks in advance,

Tom Scavo
