
IBM Websphere Plugin

This page describes how to enable Federation for an IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs, but for applications that use SAML assertions for authentication. After this configuration is done, the Websphere RP instance will validate the incoming SignInResponse created by the IDP server.

Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Servlet Container instance as discussed here, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.

Websphere Security

A Trust Authentication Interceptor (TAI) is a pluggable security component that is installed and configured at the IBM WebSphere Application Cell level.
As such, every managed server in the Cell has this component installed and activated once it is defined in the WAS Security configuration.
A TAI implements the WAS-specific interface com.ibm.wsspi.security.tai.TrustAssociationInterceptor.
The WAS-specific API for customizing the security layer is explained in detail at the following:

http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html

The Fediz Plugin for Websphere provides a TAI implementation which leverages the Fediz Core.

The WAS security runtime supports the notion of a security session using a specific security token, the LTPA Token, which is implemented as an HTTP cookie. The cookie lifetime is specified at the WAS administrative Cell level, which means it is not possible to configure this value per request based on the requirements of an application.
The TAI is no longer involved after login once the LTPA Token is set, which means a Web Application level component must intercept each request to check the security token (e.g. SAML) lifetime and redirect the browser back to the IDP for re-authentication.
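The per-request lifetime check described above, as an added example that is not part of the Fediz project's code: a servlet filter that compares the stored SAML token expiry with the current time and, when the token has expired, invalidates the session, clears the LTPA cookie and redirects to the IDP. It assumes (hypothetically, this is not a Fediz API) that the component handling the SignInResponse stored the assertion's expiry as epoch milliseconds in a session attribute, and that the IDP login URL is supplied as a filter init-param.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Checks the SAML token lifetime on every request, because the LTPA cookie lifetime is
 * fixed at Cell level and the TAI is not consulted again once the LTPA token is set.
 * Assumption (not a Fediz API): the component that processed the SignInResponse stored
 * the assertion's NotOnOrAfter instant (epoch millis) in the session attribute below.
 */
public class TokenExpiryFilter implements Filter {
    static final String TOKEN_EXPIRY_ATTR = "fediz.token.expiry"; // hypothetical attribute name
    static final String LTPA_COOKIE = "LtpaToken2"; // default WAS SSO cookie name; verify in the Cell config
    private String idpLoginUrl; // filter init-param: where the browser is sent to re-authenticate

    public void init(FilterConfig config) throws ServletException {
        idpLoginUrl = config.getInitParameter("idpLoginUrl");
        if (idpLoginUrl == null) throw new ServletException("init-param idpLoginUrl is required");
    }

    /** Expired when no expiry was recorded (never trust an unknown lifetime) or it has passed. */
    static boolean isExpired(Long expiryMillis, long nowMillis) {
        return expiryMillis == null || nowMillis >= expiryMillis;
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);
        Long expiry = session == null ? null : (Long) session.getAttribute(TOKEN_EXPIRY_ATTR);
        if (!isExpired(expiry, System.currentTimeMillis())) {
            chain.doFilter(req, resp);
            return;
        }
        // Token lifetime exceeded: drop the local session and the LTPA cookie so the stale
        // login is not reused, then send the browser back to the IDP for re-authentication.
        if (session != null) session.invalidate();
        Cookie ltpa = new Cookie(LTPA_COOKIE, "");
        ltpa.setMaxAge(0); // expire the cookie; set the same path/domain as the SSO configuration
        ltpa.setPath("/");
        response.addCookie(ltpa);
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(idpLoginUrl);
    }

    public void destroy() { }
}
```

Map the filter to the protected URL patterns of the RP application in its web.xml so it runs before any request reaches the application's resources.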

Installation

You have to build the Fediz plugin on your own, as it depends on IBM Websphere libraries. Once you have built the plugin, you'll find the required libraries in plugins/websphere/target/...zip-with-dependencies.zip

  1. Create the sub-directory fediz in ${catalina.home}/lib
  2. Update catalina.properties in ${catalina.home}/conf
    and add the previously created directory to the common loader:
    common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
  3. Deploy the libraries to the directory created in step 1

Federation Metadata document

The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which is described here.
