Monday, 19 April 2010

SAML assertions across WebSphere Application Server security domains

"...
Security Assertion Markup Language (SAML) is fast becoming the technology of choice to create Single Sign-On (SSO) solutions across enterprise boundaries. This article describes how to use the SAML support in IBM® WebSphere® Application Server V7.0 Fix Pack 7 to assert SAML tokens across enterprise boundaries in different security domains, and also to make access control decisions directly using the foreign security domain user identity and custom SAML group attribute, all based on the trust relationship. Trust relationship validation is enforced via policy set binding configuration at three points to ensure authenticity and to guard against security threats. This article shows how this technology can be easier to manage and more scalable compared to the alternative identity mapping approach.
..."
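The abstract above talks about validating the trust relationship before the foreign identity and its group attribute are used for access control. The following Python example (added here, not code from the IBM article or from WebSphere, which does this inside its policy set bindings and SAML TAI) shows what that validation looks like on the relying-party side: a constructed sample assertion is parsed, the issuer is checked against a trusted set, the audience and validity window are checked, and only then are the subject and the custom `groups` attribute mapped to a local role. The issuer URL, audience, group names and role map are made-up values; signature verification is assumed to have been done by the caller (an XML-DSig library or the container) and is passed in as a flag.

```python
"""Trust checks on a SAML 2.0 assertion before using its subject and group
attribute for an access decision.  Added example with constructed data;
uses only the Python standard library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from any real IdP); assumed names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2010-04-19T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-04-19T10:00:00Z" NotOnOrAfter="2010-04-19T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.local.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>partner-readers</saml:AttributeValue>
      <saml:AttributeValue>partner-editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Local trust configuration (assumed values for the example).
TRUSTED_ISSUERS = {"https://idp.partner.example/saml"}
OUR_AUDIENCE = "https://app.local.example"
# Foreign group attribute values -> local roles, i.e. no per-user identity mapping.
ROLE_MAP = {"partner-readers": "reader", "partner-editors": "editor"}


def _ts(value):
    """Parse the UTC timestamp format SAML uses in this sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_utc, signature_ok):
    """Return (subject, groups) if every trust check passes, else raise ValueError.

    signature_ok: result of XML-DSig verification against the issuer's trusted
    certificate, assumed to be done by the caller (WebSphere does this in its
    policy set binding); an unverified assertion is rejected before parsing.
    """
    if not signature_ok:
        raise ValueError("signature not verified")
    root = ET.fromstring(xml_text)  # production code should use defusedxml
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("issuer not trusted")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    now = _ts(now_utc)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = {a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if OUR_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this audience")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise ValueError("missing subject")
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    return subject, groups


def decide_access(xml_text, now_utc, signature_ok, required_role):
    """Access decision driven by the foreign identity and group attribute.

    Returns ("allow", subject) or ("deny", reason).
    """
    try:
        subject, groups = validate_assertion(xml_text, now_utc, signature_ok)
    except ValueError as exc:
        return ("deny", str(exc))
    roles = {ROLE_MAP[g] for g in groups if g in ROLE_MAP}
    if required_role in roles:
        return ("allow", subject)
    return ("deny", "subject lacks role " + required_role)


if __name__ == "__main__":
    print(decide_access(SAMPLE_ASSERTION, "2010-04-19T10:02:00Z", True, "editor"))
    print(decide_access(SAMPLE_ASSERTION, "2010-04-19T10:10:00Z", True, "editor"))
```

The order matters: an unverified signature or an untrusted issuer rejects the assertion before any of its contents are believed, and the audience check stops an assertion minted for one relying party from being replayed at another. The group-to-role table is the scalability point the abstract makes: trust is configured once per issuer, not once per foreign user.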

4 comments:

belgort said...

Dave, is there any docs on how to setup SAML for Domino?

Dave Hay said...

Bruce, it's my understanding that Domino does not support SAML directly e.g. that there is no equivalent of the WebSphere Trust Association Interceptor (TAI) available. This means that Domino cannot handle the SAML token in the way in which it can handle an LTPA token.

Therefore, it's my assumption that a SAML "gateway" would need to sit "in front" of Domino to handle the trust mechanism, using Domino as the LDAP source.

It might be possible to place a WebSphere Application Server v7 box "in front" of Domino as, in later releases, WAS has a built-in TAI for SAML.

Alternatively, using a solution such as a Shibboleth Identity Provider (IdP), which could also use Domino as an LDAP source, might work.

Not sure if this helps much ...

Rickard said...

Hi, I got the impression this would be supported in 8.5.2 but now when I'm sitting trying to enable it.... I don't think it is... I find zero info on this subject...

Dave Hay said...

@Rickard - I've not seen anything to indicate that SAML support is in any current/future release of Domino. However, I could be wrong :-)