Monday, 19 April 2010

SAML assertions across WebSphere Application Server security domains

"...
Security Assertion Markup Language (SAML) is fast becoming the technology of choice to create Single Sign-On (SSO) solutions across enterprise boundaries. This article describes how to use the SAML support in IBM® WebSphere® Application Server V7.0 Fix Pack 7 to assert SAML tokens across enterprise boundaries in different security domains, and also to make access control decisions directly using the foreign security domain user identity and custom SAML group attribute, all based on the trust relationship. Trust relationship validation is enforced via policy set binding configuration at three points to ensure authenticity and to guard against security threats. This article shows how this technology can be easier to manage and more scalable compared to the alternative identity mapping approach.
..."

6 comments:

belgort said...

Dave is there any docs on how to setup SAML for Domino?

Dave Hay said...

Bruce, it's my understanding that Domino does not support SAML directly e.g. that there is no equivalent of the WebSphere Trust Association Interceptor (TAI) available. This means that Domino cannot handle the SAML token in the way in which it can handle an LTPA token.

Therefore, it's my assumption that a SAML "gateway" would need to sit "in front" of Domino to handle the trust mechanism, using Domino as the LDAP source.

It might be possible to place a WebSphere Application Server v7 box "in front" of Domino as, in later releases, WAS has a built TAI for SAML.

Alternatively, using a solution such as a Shibboleth Identity Provider (IdP), which could also use Domino as a LDAP source, might work.

Not sure if this helps much ...

Unknown said...

Hi, I got the impression this would be supported in 8.5.2 but now when Im sitting trying to enable it.... I dont think it is... I find zero info on this subject...

Dave Hay said...

@Rickard - I've not seen anything to indicate that SAML support is in any current/future release of Domino. However, I could be wrong :-)

AB said...

Hi Dave,

Trying to setup SAML assretion accross multiple Security Domains in Websphere. I was trying to access this url, which seem to be moved or removed.

http://www.ibm.com/developerworks/websphere/techjournal/1004_chao/1004_chao.html

Do you have any plain text or info that was referred in the IBM journal.

Thank you
AB

Dave Hay said...

Hi AB

Thanks for the comment. The article may well have been removed because it was written ~2010 about a now obsolete version of WAS, v7, and things have changed over the years with 8.0, 8.5 and 9.0.

I did set up SAML assertion last year, and blogged about it here -> https://portal2portal.blogspot.com/2018/10/single-sign-on-tinkering-with-microsoft.html

That was using the native SAML capabilities of WAS 8.5, which are far and above what was in WAS 7 back in the day.

Grokking grep

A colleague was tinkering with grep  and, thanks to him, I discovered a bit more about the trusty little utility. I had not really explored ...