About this task
The addSAMLTAISSO
command adds the Security Assertion Markup Language
(SAML) trust association interceptor (TAI) in the security configuration of the WebSphere
Application Server.
Procedure
-
Start the WebSphere Application Server.
-
Start the
wsadmin
command utility from the
app_server_root/bin directory by entering the command: wsadmin -lang
jython
.
-
At the
wsadmin
prompt, enter the following command:
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://<hostname>:<sslport>/samlsps/<any URI pattern String>')
where
hostname
is the host name of the system on which WebSphere Application Server is
installed, and
sslport
is the Web server SSL port number
(
WC_defaulthost_secure
).
You can use the following parameters with this command:
Table 1. addSAMLTAISSO parameters
Parameter |
Description |
-acsUrl |
This parameter is required. It specifies the assertion consumer service (ACS)
URL. |
-enable |
This parameter specifies whether to enable or disable trust association. You
can specify either true or false. |
-ssoId |
This parameter is optional and is specified as an integer. It is the
identifier for the group of custom properties that are defined for the SSO service provider partner.
If this parameter is not specified, the next available identifier is used. |
-securityDomainName |
This parameter specifies the name of the security domain of interest and is
specified as a String. If a value for this parameter is not specified, the command uses the global
security configuration. |
-trustStoreName |
This parameter specifies the truststore name if not using the system default
truststore. |
-keyStoreName |
This parameter specifies the keystore name if not using the system default
keystore. |
-keyName |
This parameter specifies the key name used to decrypt the encrypted SAML
assertion. |
-keyAlias |
This parameter specifies the key alias used to decrypt the encrypted SAML
assertion. |
-keyPassword |
This parameter specifies the key password used to decrypt the encrypted SAML
assertion. |
-idMap |
This parameter specifies how the SAML token is mapped to the subject. You can
specify one of the following values:
- idAssertion - the user specified in the SAML assertion is not checked in the local registry
- localRealm - the SAML token user is verified in the local user registry
- localRealmThenAssertion - if the user is not found in the local registry, IDAssertion is
used
|
-errorPage custom |
This parameter specifies the URL of the error page, IdP login page or custom mapping class to
which an unauthenticated client request is redirected. This parameter is optional. The value for
this parameter is used as the value for the sso_<id>.sp.loginErrorPage SAML Web SSO TAI custom
property. |
There are additional SAML web SSO TAI custom properties that are not supported by the
addSAMLTAISSO
command, but you can add these custom properties using the
wsadmin
command
configureInterceptor
. For a complete list of the
supported SAML TAI properties, see the
SAML web SSO TAI custom properties
topic.
Results
The SAML web SSO TAI is now added for this WebSphere Application Server.
Example
The following example adds the SAML TAI to the global security
configuration:AdminTask.addSAMLTAISSO('-enable true -acsUrl https://test1.abc.com:9443/samlsps/acs')
The
following example adds the SAML TAI SSO service provider partner to the security domain
myDomain1
:
AdminTask.addSAMLTAISSO('-securityDomainName myDomain1 -enable true -acsUrl https://test2.xyz.com:9444/samlsps/acs2')