RE: [saml-dev] protecting WebSphere with a SAML SP

["Lucas, Mike" <Mike.Lucas@gwl.ca>]

Title: Message

Hi Tom,

 

Sorry for the late response. I've successfully used SAML v2 to perform SSO to WebSphere Portal v5.1. However we were able to make use of WebSEAL (a reverse proxy server that is part of Tivoli Access Manager), as that was already integrated into the Portal environment. WebSEAL supports delgating authentication to an external source (e.g. a java servlet) so that made it really easy.

We only supported Web Browser SSO protocol over HTTP POST binding though, and only as a Service Provider. We didn't implement any other part of SAML.

 

If you don't have a reverse proxy server in the picture, I don't think TAI is the way to go. Instead you might want to look at implementing a custom JAAS login module that (for example) validates the SAML response. This might get you started:

http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.exp.doc/info/exp/ae/rsec_custsvrsidejaas.html

 

Keep in mind WebSphere Portal is just an application running on WebSphere Application Server, and piggybacking on its authentication. So if you're just doing SSO then you don't really need to worry about Portal itself. However I'm not sure if they want you to do anything portlet-specific with SAML, like having portlets use SAML to sign on to other resource for example.

 

Cheers

Mike Lucas

IBM Global Services

 

-----Original Message-----
From: bbbrandt@mmm.com [mailto:bbbrandt@mmm.com]
Sent: Friday, August 22, 2008 4:25 PM
To: Tom Scavo
Cc: SAML Developers
Subject: Re: [saml-dev] protecting WebSphere with a SAML SP

One way is to do token translation (from SAML to a token format websphere already supports) prior to the web requests getting to websphere app server (and the websphere portal server app).

As of websphere 6.1 (the last time I checked) IBM did not have native support for SAML assertions in their app servers.    There are newer versions of websphere that may, but I've not heard positive confirmation of that.   IBM does support  3rd party authentication tokens however, with their TAI (Trust Association Interceptor).   You can utilize this interceptor to take a 3rd party token (CA Siteminder cookier, IBM Tivoli cookie, Kerberos ticket, etc.) to get SSO credentialed to a format IBM understands (LTPA cookie --- lightweight third party authentication).   Once that format is achieved all the normal user sessioning works just fine, and even works across other IBM products (such as Domino  servers).

So... if you come into a token translating service with a SAML token  (SOAP gateway, SAML federation server, etc.) and come out of that with a token type websphere already understands (LTPA or any third party cookie it supports through its TAI interface), you can get SSO into websphere.   I won't go into specific soap firewalls or products but they do exist.    Now... if IBM supports SAML tokens directly (which they might now do) that would be the easiest way for sure.

Bob Brandt, 3M

From:	"Tom Scavo" <trscavo@gmail.com>
To:	"SAML Developers" <saml-dev@lists.oasis-open.org>
Date:	08/22/2008 12:29 PM
Subject:	[saml-dev] protecting WebSphere with a SAML SP

---

We've been asked to SAML-enable the WebSphere portal framework.  I
know nothing about the latter, so I'd be interested in hearing from
anyone who has successfully done that.  If so, what SAML
implementation did you use, and which version of WebSphere was
involved?

Many thanks in advance,

Tom Scavo
NCSA

---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org