About this task
The addSAMLTAISSO command adds the Security Assertion Markup Language (SAML) trust association interceptor (TAI) to the security configuration of WebSphere Application Server.
Procedure
- Start the WebSphere Application Server.
- Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython
- At the wsadmin prompt, enter the following command: AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern String>')
where hostname is the host name of the system on which WebSphere Application Server is installed, and sslport is the Web server SSL port number (WC_defaulthost_secure).
You can use the following parameters with this command:
Table 1. addSAMLTAISSO parameters
Parameter | Description
--- | ---
-acsUrl | This parameter is required. It specifies the assertion consumer service (ACS) URL.
-enable | This parameter specifies whether to enable or disable trust association. You can specify either true or false.
-ssoId | This parameter is optional and is specified as an integer. It is the identifier for the group of custom properties that are defined for the SSO service provider partner. If this parameter is not specified, the next available identifier is used.
-securityDomainName | This parameter specifies the name of the security domain of interest and is specified as a String. If a value for this parameter is not specified, the command uses the global security configuration.
-trustStoreName | This parameter specifies the truststore name if not using the system default truststore.
-keyStoreName | This parameter specifies the keystore name if not using the system default keystore.
-keyName | This parameter specifies the key name used to decrypt the encrypted SAML assertion.
-keyAlias | This parameter specifies the key alias used to decrypt the encrypted SAML assertion.
-keyPassword | This parameter specifies the key password used to decrypt the encrypted SAML assertion.
-idMap | This parameter specifies how the SAML token is mapped to the subject. You can specify one of the following values: idAssertion (the user specified in the SAML assertion is not checked in the local registry); localRealm (the SAML token user is verified in the local user registry); localRealmThenAssertion (if the user is not found in the local registry, IDAssertion is used).
-errorPage | This parameter specifies the URL of the error page, IdP login page or custom mapping class to which an unauthenticated client request is redirected. This parameter is optional. The value for this parameter is used as the value for the sso_<id>.sp.loginErrorPage SAML Web SSO TAI custom property.
There are additional SAML web SSO TAI custom properties that are not supported by the addSAMLTAISSO command, but you can add these custom properties using the wsadmin command configureInterceptor.
For a complete list of the supported SAML TAI properties, see the SAML web SSO TAI custom properties topic.
Results
The SAML web SSO TAI is now added for this WebSphere Application Server.
Example
The following example adds the SAML TAI to the global security configuration:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://test1.abc.com:9443/samlsps/acs')
The following example adds the SAML TAI SSO service provider partner to the security domain myDomain1:
AdminTask.addSAMLTAISSO('-securityDomainName myDomain1 -enable true -acsUrl https://test2.xyz.com:9444/samlsps/acs2')
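As an added illustration (not part of the IBM documentation and not WebSphere code), the following plain-Python helper assembles the addSAMLTAISSO call string from the parameters in Table 1, checks the -acsUrl shape and -idMap values the topic documents, and flags settings worth a second look before the command is pasted into wsadmin. The function and constant names are the helper's own; it does not talk to a server, and it does not implement wsadmin value quoting, so it rejects values containing spaces or quotes.

```python
from urllib.parse import urlparse

# Documented -idMap values; idAssertion skips the local-registry check.
ID_MAP_VALUES = ("idAssertion", "localRealm", "localRealmThenAssertion")
# Optional parameters listed in Table 1 besides -enable and -acsUrl.
OPTIONAL_PARAMS = ("ssoId", "securityDomainName", "trustStoreName", "keyStoreName",
                   "keyName", "keyAlias", "keyPassword", "idMap", "errorPage")


def validate_acs_url(acs_url):
    """Check that the ACS URL has the form https://<host>:<sslport>/samlsps/<pattern>."""
    u = urlparse(acs_url)
    if u.scheme != "https":
        raise ValueError("-acsUrl must use https on the SSL port: %r" % acs_url)
    if not u.hostname or u.port is None:
        raise ValueError("-acsUrl needs an explicit host name and SSL port: %r" % acs_url)
    if not u.path.startswith("/samlsps/") or u.path == "/samlsps/":
        raise ValueError("-acsUrl path must be /samlsps/<URI pattern>: %r" % acs_url)
    return acs_url


def build_add_saml_taisso(acs_url, enable=True, **opts):
    """Return the Jython call string for AdminTask.addSAMLTAISSO (helper's own builder)."""
    for name, value in opts.items():
        if name not in OPTIONAL_PARAMS:
            raise ValueError("unsupported parameter: -%s" % name)
        if name == "ssoId" and not isinstance(value, int):
            raise ValueError("-ssoId must be an integer")
        if name == "idMap" and value not in ID_MAP_VALUES:
            raise ValueError("-idMap must be one of %s" % ", ".join(ID_MAP_VALUES))
        if " " in str(value) or "'" in str(value):
            raise ValueError("this helper does not quote values; -%s has a space or quote" % name)
    parts = []
    # Security domain first, as in the documented example; omitted means global security.
    if "securityDomainName" in opts:
        parts.append("-securityDomainName %s" % opts["securityDomainName"])
    parts.append("-enable %s" % ("true" if enable else "false"))
    parts.append("-acsUrl %s" % validate_acs_url(acs_url))
    for name in OPTIONAL_PARAMS:
        if name in opts and name != "securityDomainName":
            parts.append("-%s %s" % (name, opts[name]))
    return "AdminTask.addSAMLTAISSO('%s')" % " ".join(parts)


def review_warnings(enable=True, **opts):
    """List settings a reviewer should confirm before applying the command."""
    warnings = []
    if opts.get("idMap") == "idAssertion":
        warnings.append("idMap idAssertion: asserted user is not checked in the local registry")
    if not enable:
        warnings.append("-enable false: the TAI is added but trust association stays disabled")
    return warnings
```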