Adding SAML web single sign-on (SSO) trust association interceptor (TAI) using the wsadmin command-line utility

About this task

The addSAMLTAISSO command adds the Security Assertion Markup Language (SAML) trust association interceptor (TAI) in the security configuration of the WebSphere Application Server.

Procedure

  1. Start the WebSphere Application Server.
  2. Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
  3. At the wsadmin prompt, enter the following command: 
    AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern String>')
    where hostname is the host name of the system on which WebSphere Application Server is installed, and sslport is the Web server SSL port number (WC_defaulthost_secure).
    You can use the following parameters with this command:
    Table 1. addSAMLTAISSO parameters
    Parameter Description
    -acsUrl This parameter is required. It specifies the assertion consumer service (ACS) URL.
    -enable This parameter specifies whether to enable or disable trust association. You can specify either true or false.
    -ssoId This parameter is optional and is specified as an integer. It is the identifier for the group of custom properties that are defined for the SSO service provider partner. If this parameter is not specified, the next available identifier is used.
    -securityDomainName This parameter specifies the name of the security domain of interest and is specified as a String. If a value for this parameter is not specified, the command uses the global security configuration.
    -trustStoreName This parameter specifies the truststore name if not using the system default truststore.
    -keyStoreName This parameter specifies the keystore name if not using the system default keystore.
    -keyName This parameter specifies the key name used to decrypt the encrypted SAML assertion.
    -keyAlias This parameter specifies the key alias used to decrypt the encrypted SAML assertion.
    -keyPassword This parameter specifies the key password used to decrypt the encrypted SAML assertion.
    -idMap This parameter specifies how the SAML token is mapped to the subject. You can specify one of the following values:
    • idAssertion - the user specified in the SAML assertion is not checked in the local registry
    • localRealm - the SAML token user is verified in the local user registry
    • localRealmThenAssertion - if the user is not found in the local registry, IDAssertion is used
    -errorPage This parameter specifies the URL of the error page, IdP login page or custom mapping class to which an unauthenticated client request is redirected. This parameter is optional. The value for this parameter is used as the value for the sso_<id>.sp.loginErrorPage SAML Web SSO TAI custom property.
    There are additional SAML web SSO TAI custom properties that are not supported by the addSAMLTAISSO command, but you can add these custom properties using the wsadmin command configureInterceptor. For a complete list of the supported SAML TAI properties, see the SAML web SSO TAI custom properties topic.

Results

The SAML web SSO TAI is now added for this WebSphere Application Server.

Example

The following example adds the SAML TAI to the global security configuration:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://test1.abc.com:9443/samlsps/acs')
The following example adds the SAML TAI SSO service provider partner to the security domain myDomain1:
AdminTask.addSAMLTAISSO('-securityDomainName myDomain1 -enable true -acsUrl https://test2.xyz.com:9444/samlsps/acs2')