A brief bit of context …
A colleague was asking some questions about WAS and ADFS and SAML, so I wanted to create a basic test environment to get my head around some of the new ( to me ) concepts.
I already had a Windows Server 2012 VM and another Red Hat Enterprise Linux (RHEL) VM.
The latter was already configured / installed with: -
- IBM WebSphere Application Server (WAS) Network Deployment (ND) 8.5.5.14
- IBM Business Automation Workflow (BAW) 18.0.0.1
so I was mostly good to go in the WAS/application world.
On the Windows 2012 VM, I installed / configured: -
- Active Directory Domain Services (AD)
- Active Directory Federation Services (ADFS)
- Internet Information Server
So I had a wee bit of effort to set up AD and ADFS, and also to configure IIS.
For the record, IIS isn't required for the SAML setup etc. BUT it's a useful way to generate a self-signed certificate, which can be exported, with public AND private key, as a PFX file, ready to be imported into ADFS.
As ever, this is an ongoing work-in-progress.
Having got the AD and ADFS stuff mainly set up, I then ran through the following: -
Test ADFS Login
https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
This allowed me to verify that I could authenticate to ADFS using Windows credentials.
Start Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
Start Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh
Add AD Signer to WAS
To allow WAS and AD to communicate via LDAPS ( LDAP over an SSL/TLS connection ), the AD server's certificate signer has to be in the WAS trust store: -
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/addADSignerToWAS.jy
Federate AD into WAS
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/federateAD.jy
Stop Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd
Stop Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh -username wasadmin -password passw0rd
Start Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
Start Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh
Retrieve MetaData
This pulls the ADFS federation metadata ( entity ID, sign-on endpoints and signing certificate ) from the AD box; --no-check-certificate is there because the RHEL box doesn't yet trust the self-signed certificate that ADFS presents
wget --no-check-certificate https://windows2012.uk.ibm.com/FederationMetadata/2007-06/FederationMetadata.xml
Install ACS Sample App into SupCluster
This app is the Assertion Consumer Service (ACS): it receives the SAML response that ADFS posts back and performs the SAML token decryption / extraction for the TAI
Note that I'm installing this into the BAW (BPM) SupCluster, which does NOT run the main BAW workload - Process Server, SCA BPEL etc.
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/ibm/WebSphere/AppServer/bin/installSamlACS.py install SupCluster
Start WSAdmin Client
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd
Add SAML TAI
This creates the SAML TAI configuration - we'll populate this further shortly
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://workflow.uk.ibm.com:9445/samlsps/acs')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Export SP Metadata from WAS
We need this metadata to complete the ADFS configuration
AdminTask.exportSAMLSpMetadata('-spMetadataFileName /home/wasadmin/WASSAMLMetadata.xml -ssoId 1')
Import IdP Metadata into WAS
This is what we previously pulled from the ADFS box
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /home/wasadmin/FederationMetadata.xml -idpId 1 -ssoId 1 -signingCertAlias idp1')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Quit
exit
Set TAI Properties
I'm doing this manually, but will script it later
Name: sso_1.sp.acsUrl
Value: https://workflow.uk.ibm.com:9445/samlsps/acs
Name: sso_1.sp.idMap
Value: idAssertion
Name: sso_1.idp_1.EntityID
Value: http://windows2012.uk.ibm.com/adfs/services/trust
Name: sso_1.idp_1.SingleSignOnUrl
Value: https://windows2012.uk.ibm.com/adfs/ls/
Name: sso_1.sp.login.error.page
Value: https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
Name: sso_1.sp.targetUrl
Value: https://workflow.uk.ibm.com:9445/bpc
Name: sso_1.sp.useRealm
Value: defaultWIMFileBasedRealm
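The two idp_1 properties above are nothing more than values copied out of the FederationMetadata.xml imported a few steps earlier, so they can be cross-checked rather than typed by hand. The following Python script is an added example, not code from the post or from IBM: it parses a cut-down, constructed stand-in for the ADFS metadata ( the real file is far larger and signed; the certificate is a placeholder ), derives the EntityID and SingleSignOnUrl the TAI needs, and compares them with the property set listed above. The function names are mine.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, cut-down stand-in for the FederationMetadata.xml that ADFS
# serves; the real file is much larger and carries an XML signature. The
# certificate value is a placeholder, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://windows2012.uk.ibm.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://windows2012.uk.ibm.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://windows2012.uk.ibm.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# The TAI custom properties exactly as set by hand in the post.
PAGE_TAI_PROPERTIES = {
    "sso_1.sp.acsUrl": "https://workflow.uk.ibm.com:9445/samlsps/acs",
    "sso_1.sp.idMap": "idAssertion",
    "sso_1.idp_1.EntityID": "http://windows2012.uk.ibm.com/adfs/services/trust",
    "sso_1.idp_1.SingleSignOnUrl": "https://windows2012.uk.ibm.com/adfs/ls/",
    "sso_1.sp.login.error.page": "https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx",
    "sso_1.sp.targetUrl": "https://workflow.uk.ibm.com:9445/bpc",
    "sso_1.sp.useRealm": "defaultWIMFileBasedRealm",
}


def parse_idp_metadata(xml_text):
    """Pull out the IdP facts the SAML TAI relies on: the entityID (the Issuer
    it expects in every assertion), the SSO endpoint per binding, and the
    base64 signing certificate(s) it will verify assertion signatures with."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))
    return {"entityID": root.get("entityID"), "sso": sso, "signing_certs": certs}


def expected_idp_properties(meta, sso_id=1, idp_id=1):
    """Derive the sso_<n>.idp_<m>.* properties that must agree with the metadata."""
    prefix = "sso_%d.idp_%d." % (sso_id, idp_id)
    sso_url = meta["sso"].get(REDIRECT_BINDING) or meta["sso"].get(POST_BINDING)
    if sso_url is None:
        raise ValueError("IdP publishes no HTTP-Redirect or HTTP-POST SSO endpoint")
    return {prefix + "EntityID": meta["entityID"],
            prefix + "SingleSignOnUrl": sso_url}


def check_tai_properties(configured, meta, sso_id=1, idp_id=1):
    """Return a list of (property, configured, expected) mismatches between the
    TAI properties and the metadata; an empty list means they agree."""
    problems = [(name, configured.get(name), expected)
                for name, expected in expected_idp_properties(meta, sso_id, idp_id).items()
                if configured.get(name) != expected]
    if not meta["signing_certs"]:
        problems.append(("signing certificate", None, "a KeyDescriptor with use=signing"))
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("mismatches with the post's properties:", check_tai_properties(PAGE_TAI_PROPERTIES, meta))
    # The TAI matches the assertion's Issuer against EntityID, so a scheme slip
    # (https typed for http) is enough to break every login; the check reports it.
    slipped = dict(PAGE_TAI_PROPERTIES,
                   **{"sso_1.idp_1.EntityID": "https://windows2012.uk.ibm.com/adfs/services/trust"})
    print("mismatches after a scheme slip:", check_tai_properties(slipped, meta))
```

Run it against the real FederationMetadata.xml by reading the file into parse_idp_metadata instead of SAMPLE_METADATA; the sp.* properties ( ACS URL, target URL, realm ) are deliberately not checked, because they describe the WAS side and have no counterpart in the IdP's metadata.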
Start Clusters: -
- MECluster
- SupCluster
- AppCluster
Access BPC: -
https://workflow.uk.ibm.com:9445/bpc
Should redirect to: -
https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
and be prompted to log on with an AD account, e.g. UK\Administrator
Need to click on Sign-in button again; I don't yet know why this is the case :-(
Should then be redirected to BPC
Repeat for Process Portal: -
https://workflow.uk.ibm.com:9444/ProcessPortal
and Process Center: -
https://workflow.uk.ibm.com:9444/ProcessCenter
Sources
How to setup Microsoft Active Directory Federation Services [AD FS]
Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)
Enabling your system to use the SAML web single sign-on (SSO) feature
I received some very useful feedback from a colleague, Captain Bob, thusly: -
I don't know if you tested running some processes? From my understanding, your configuration may not have worked, as the SAML setup protects all URLs, including the web services ones; therefore you need to exclude some of them from protection using a TAI custom property filter like this:
Name: sso_1.sp.filter
Value: request-url!=/bpmjaxws;request-url!=/fncmis;request-url!=/RemoteALWeb;request-url!=/teamworks/webservices
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSV2LR/com.ibm.wbpm.imuc.sbpm.doc/topics/tsec_thirdpartyauthentication.html
Thanks and regards, Bob
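A filter string like the one Bob suggests decides which requests the SAML TAI intercepts and which fall through to WebSphere's other authentication, so it is worth checking what it does to a handful of URLs before it goes into the TAI. The Python evaluator below is an added example, not code from the post or from IBM. It assumes the usual WebSphere TAI filter conventions rather than taking them from the post: conditions separated by ';' are ANDed, and on request-url the operators are '!=' ( does not contain ), '%=' ( contains ), '==' ( exact match ) and '^=' ( contains one of the '|'-separated values ). The sample URLs are constructed on the post's hostnames.

```python
import re

# Bob's suggested exclusion filter, copied from the comment above.
BOB_FILTER = ("request-url!=/bpmjaxws;request-url!=/fncmis;"
              "request-url!=/RemoteALWeb;request-url!=/teamworks/webservices")

# Assumed semantics (conventional for WebSphere TAI filters, not stated in the
# post): conditions separated by ';' are ANDed; on request-url, '!=' means
# "does not contain", '%=' "contains", '==' exact match, '^=' "contains one of"
# the '|'-separated values.
CONDITION = re.compile(r"^(?P<attr>[A-Za-z0-9_.-]+)(?P<op>!=|==|%=|\^=)(?P<value>.+)$")


def parse_tai_filter(filter_value):
    """Split a sso_<n>.sp.filter value into (attribute, operator, value) triples.
    A malformed condition raises ValueError instead of being skipped, because a
    silently dropped condition changes which URLs end up protected."""
    conditions = []
    for part in filter_value.split(";"):
        part = part.strip()
        if not part:
            continue
        m = CONDITION.match(part)
        if m is None:
            raise ValueError("malformed filter condition: %r" % part)
        conditions.append((m.group("attr"), m.group("op"), m.group("value")))
    return conditions


def saml_tai_intercepts(filter_value, request_url):
    """True when every condition holds for request_url, i.e. the SAML TAI
    intercepts the request and sends the browser to ADFS; False when the
    request is excluded and falls through to other authentication."""
    for attr, op, value in parse_tai_filter(filter_value):
        if attr != "request-url":
            raise ValueError("only request-url conditions are modelled here: %r" % attr)
        if op == "!=":
            holds = value not in request_url
        elif op == "%=":
            holds = value in request_url
        elif op == "==":
            holds = value == request_url
        else:  # "^="
            holds = any(v in request_url for v in value.split("|"))
        if not holds:
            return False
    return True


def classify(filter_value, urls):
    """Map each URL to 'SAML' or 'excluded' so a filter can be reviewed at a glance."""
    return {u: ("SAML" if saml_tai_intercepts(filter_value, u) else "excluded")
            for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs on the post's hostnames; the web service paths are
    # illustrative, not taken from a real BAW installation.
    sample = [
        "https://workflow.uk.ibm.com:9445/bpc",
        "https://workflow.uk.ibm.com:9444/ProcessPortal",
        "https://workflow.uk.ibm.com:9444/teamworks/webservices/example",
        "https://workflow.uk.ibm.com:9445/bpmjaxws/example",
    ]
    for url, verdict in classify(BOB_FILTER, sample).items():
        print("%-8s %s" % (verdict, url))
```

Because '!=' is a substring test, an exclusion such as request-url!=/bpc would also exclude /bpc itself, which is the very URL the post wants behind ADFS; listing the excluded prefixes explicitly, as Bob's filter does, keeps the browser-facing applications on the SAML path.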