IBM Websphere Plugin

Apache CXF Fediz ships a plugin to secure an IBM Websphere 7/8 Application Server using WS-Federation.

This page describes how to enable Federation for an IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs, but for the instance hosting applications that use SAML assertions for authentication. Once configured, the Websphere RP instance validates the incoming SignInResponse created by the IDP server.

Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Servlet Container instance as discussed here, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.

...

  1. Open the Administrative Console with Administrator privileges and navigate to Security / Global security
  2. Ensure Application security is enabled
  3. Navigate to Security / Global security / Web and SIP security and select Trust association
  4. Check the Enable trust association check box
  5. Select Interceptors
  6. Click on New and specify the Interceptor class name as org.apache.cxf.fediz.was.tai.FedizInterceptor

Property                       | Value
config.file.location           | Specify the path to the fediz-config.xml file
role.group.mapper              | Specify the class of the Role to Group Mapper: org.apache.cxf.fediz.was.mapper.FileBasedRoleToGroupMapper
groups.mapping.file            | Specify the path to the Role - Group mapping file
groups.mapping.refresh.timeout | Specify the refresh time (in seconds) after which the Group mapping file is reloaded

The file defined in groups.mapping.file must have the following structure:

roleGroupMapping.xml:

<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <samlToJ2EE>
    <claim>User</claim>
    <groups>
      <j2eeGroup>Authenticated</j2eeGroup>
      <j2eeGroup>Users</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Manager</claim>
    <groups>
      <j2eeGroup>Manager</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Admin</claim>
    <groups>
      <j2eeGroup>Admin</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
</mapping>
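The following Python script is an added example, not code from the Fediz project or the FileBasedRoleToGroupMapper class. It shows what the mapping file above and the groups.mapping.refresh.timeout property together imply: the file is parsed into a claim-to-groups table, a user's SAML claims are resolved to the union of their J2EE groups (duplicates such as Authenticated collapse to one entry, and claims with no mapping yield no groups), and the table is re-read only once the configured refresh interval has elapsed. The sample XML is constructed inline with the same structure as the page's example; the function and class names (parse_mapping, resolve_groups, RefreshingMapper) are this example's own, and the loader/clock injection is an assumption made so the refresh logic can run offline.

```python
"""Parse a roleGroupMapping.xml file and resolve SAML claims to J2EE groups."""
import time
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample with the same structure as the page's roleGroupMapping.xml.
SAMPLE_MAPPING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <samlToJ2EE>
    <claim>User</claim>
    <groups>
      <j2eeGroup>Authenticated</j2eeGroup>
      <j2eeGroup>Users</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Manager</claim>
    <groups>
      <j2eeGroup>Manager</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Admin</claim>
    <groups>
      <j2eeGroup>Admin</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
</mapping>
"""


def parse_mapping(xml_text: str) -> Dict[str, List[str]]:
    """Build {claim: [j2eeGroup, ...]} from the mapping document.

    Rejects a wrong root element, entries without a <claim>, and duplicate
    claims, so a mis-edited file fails loudly instead of silently granting
    nothing (or the wrong groups) to a claim.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "mapping":
        raise ValueError(f"expected <mapping> root, got <{root.tag}>")
    mapping: Dict[str, List[str]] = {}
    for entry in root.findall("samlToJ2EE"):
        claim_el = entry.find("claim")
        claim = (claim_el.text or "").strip() if claim_el is not None else ""
        if not claim:
            raise ValueError("samlToJ2EE entry without a <claim> value")
        if claim in mapping:
            raise ValueError(f"duplicate mapping for claim {claim!r}")
        groups = [g.text.strip() for g in entry.findall("groups/j2eeGroup")
                  if g.text and g.text.strip()]
        mapping[claim] = groups
    return mapping


def resolve_groups(mapping: Dict[str, List[str]],
                   claims: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (sorted union of J2EE groups, claims that had no mapping)."""
    granted = set()
    unmapped: List[str] = []
    for claim in claims:
        if claim in mapping:
            granted.update(mapping[claim])
        else:
            unmapped.append(claim)  # unknown claim grants nothing
    return sorted(granted), unmapped


class RefreshingMapper:
    """Re-reads the mapping at most once per refresh interval (hypothetical
    stand-in for the groups.mapping.refresh.timeout behaviour)."""

    def __init__(self, load_xml: Callable[[], str], refresh_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._load_xml = load_xml      # e.g. lambda: open(path).read()
        self._refresh = refresh_seconds
        self._clock = clock
        self._mapping = parse_mapping(load_xml())
        self._loaded_at = clock()

    def _maybe_reload(self) -> None:
        if self._clock() - self._loaded_at >= self._refresh:
            self._mapping = parse_mapping(self._load_xml())
            self._loaded_at = self._clock()

    def groups_for(self, claims: Iterable[str]) -> Tuple[List[str], List[str]]:
        self._maybe_reload()
        return resolve_groups(self._mapping, claims)


if __name__ == "__main__":
    table = parse_mapping(SAMPLE_MAPPING_XML)
    print(resolve_groups(table, ["Manager", "User", "Guest"]))
```

Unmapped claims are returned separately so a deployment can log them: a user presenting a claim the file does not know about should be a detectable configuration gap, not a silent denial.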

...