Certain metadata settings such as the ADFS cookies, the Identity Provider URL, and the
Partner URL are required to define a single sign-on (SSO) connection through Active
Directory Federation Services (ADFS).
About this task
The following metadata values are required to define an ADFS Identity Provider, where
IdpName is the unique name of the Identity Provider:
- IdpName.IDP_PROTOCOL
- The protocol part of the Identity Provider login URL. Replace the value
my_idp_prot with the value of the protocol part of
the Identity Provider login URL, either http or
https.
- IdpName.IDP_HOST
- The host name part of the Identity Provider login URL. Replace the value
my_idp_host with the Identity Provider login URL host
name.
- IdpName.IDP_PORT
- The port number of the Identity Provider login URL. Replace the value
my_idp_port with the value of the Identity provider
login URL port.
- IdpName.IDP_URI
- The URL path of the Identity Provider login URL. Replace the value
my_idp_uri with the path of the Identity Provider
login URL.
- IdpName.IDP_AUTH_COOKIE.1
- Authentication token that is created by the federation partner. The default
value is SamlSession.
- IdpName.IDP_AUTH_TOKEN_SOURCE
- Determines where the AJAX proxy obtains the IDP authentication tokens. The
IDP authentication tokens are the cookies that are required to authenticate
the connection with the Identity Provider. By default, the AJAX proxy
creates an LTPA token from the user subject and uses this LTPA token to
authenticate the connection with the Identity Provider. Because the ADFS
Identity Provider does not support an LTPA-based authentication, set the
value of this parameter to cookies. This
setting lets the AJAX proxy use the authentication tokens that are defined
in the metadata settings IdpName.IDP_AUTH_TOKEN_COOKIE.n.
- IdpName.IDP_AUTH_TOKEN_COOKIE.n
- The authentication tokens that are required for authenticating against the
Identity Provider. In the example that follows, the cookies MSISAuth, MSISAuth1, and MSISAuthenticated are
defined.
- IdpName.PARAM_NAME.1 and
IdpName.PARAM_VALUE.1
- This setting defines the partner URL. Replace the value
idp_name_partner_url with the URL of the partner that
runs the Service Provider service.
The following XML example creates the Identity Provider
settings for an Active Directory Federation Services connection at the Outbound
Connection Service Configuration and uses the following values:
- The Identity Provider name is adfs01.
- The Identity Provider login URL is https://idp.example.com/sps/myfederation/saml20/login.
- The Partner URL is https://sp.example.com/sps/myfederation/saml20/v2_0.
- The ADFS authentication cookies are MSISAuth, MSISAuth1, and MSISAuthenticated.
Change these values according to your configuration.
Procedure
- Create an XML document like the following example.
<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">
<variables>
<!-- replace values with the IdP login URL and the partner URL -->
<endpoint name="adfs01.idp_prot">https</endpoint>
<endpoint name="adfs01.idp_host">idp.example.com</endpoint>
<endpoint name="adfs01.idp_port">443</endpoint>
<endpoint name="adfs01.idp_uri">/adfs/ls/IdpInitiatedSignOn.asp</endpoint>
<endpoint name="adfs01.partner_url">https://sp.example.com/sps/myfederation/saml20/v2_0</endpoint>
</variables>
<meta-data>
<name>adfs01.IDP_PROTOCOL</name>
<value>my_idp_prot</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_HOST</name>
<value>my_idp_host</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_PORT</name>
<value>my_idp_port</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_URI</name>
<value>my_idp_uri</value>
</meta-data>
<meta-data>
<name>adfs01.PARAM_NAME.1</name>
<value>LoginToRp</value>
</meta-data>
<meta-data>
<name>adfs01.PARAM_VALUE.1</name>
<value>idp_name_partner_url</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_AUTH_TOKEN_SOURCE</name>
<value>cookies</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name>
<value>MSISAuth</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name>
<value>MSISAuth1</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_AUTH_TOKEN_COOKIE.3</name>
<value>MSISAuthenticated</value>
</meta-data>
<meta-data>
<name>adfs01.IDP_AUTH_COOKIE.1</name>
<value>SamlSession</value>
</meta-data>
</proxy-rules>
- After you save the XML file, run the ConfigEngine task
update-outbound-http-connection-config to
apply the Identity Provider settings at the global configuration profile.
- AIX®, HP-UX, Linux, Solaris: ./ConfigEngine.sh update-outbound-http-connection-config
-DConfigFileName=XML_file
-DOutboundProfileType=global
- IBM® i: ConfigEngine.sh update-outbound-http-connection-config
-DConfigFileName=XML_file
-DOutboundProfileType=global
- Windows: ConfigEngine.bat update-outbound-http-connection-config
-DConfigFileName=XML_file
-DOutboundProfileType=global
where XML_file is the file path to the
XML file.
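Before you run the ConfigEngine task, it is worth checking the XML file for the mistakes this page warns about: placeholder values that were never replaced, a missing required key, a token source other than cookies, a gap in the IDP_AUTH_TOKEN_COOKIE.n numbering, or a document that is not well-formed. The following Python script is an added example, not part of the product or of this page; it assumes only the proxy-rules/meta-data/name/value layout shown above and builds its own constructed fixtures for the adfs01 provider.

```python
"""Pre-flight check of an ADFS Identity Provider definition in a proxy-rules
XML file, run before update-outbound-http-connection-config applies it.
Added example, not product code. It assumes only the
<proxy-rules>/<meta-data>/<name>+<value> layout shown on this page."""
import re
import xml.etree.ElementTree as ET

# Metadata keys this page lists as required for an ADFS Identity Provider.
REQUIRED_KEYS = ("IDP_PROTOCOL", "IDP_HOST", "IDP_PORT", "IDP_URI",
                 "IDP_AUTH_COOKIE.1", "IDP_AUTH_TOKEN_SOURCE",
                 "PARAM_NAME.1", "PARAM_VALUE.1")

# Placeholder values used on this page; an unreplaced one leaves the IdP undefined.
PLACEHOLDERS = {"my_idp_prot", "my_idp_host", "my_idp_port", "my_idp_uri",
                "idp_name_partner_url"}

COOKIE_KEY = re.compile(r"^IDP_AUTH_TOKEN_COOKIE\.(\d+)$")


def load_metadata(xml_text, idp_name):
    """Return {key: value} for every <meta-data> whose <name> is idp_name.key."""
    root = ET.fromstring(xml_text)
    prefix = idp_name + "."
    metadata = {}
    for entry in root.findall("meta-data"):
        name = (entry.findtext("name") or "").strip()
        if name.startswith(prefix):
            metadata[name[len(prefix):]] = (entry.findtext("value") or "").strip()
    return metadata


def token_cookie_indices(metadata):
    """Return the sorted n values of all IDP_AUTH_TOKEN_COOKIE.n keys."""
    return sorted(int(m.group(1)) for m in map(COOKIE_KEY.match, metadata) if m)


def check_adfs_idp(xml_text, idp_name):
    """Return a list of findings; an empty list means the definition looks usable."""
    try:
        md = load_metadata(xml_text, idp_name)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    findings = [f"missing {idp_name}.{k}" for k in REQUIRED_KEYS if k not in md]
    findings += [f"{idp_name}.{k} still holds the placeholder {v!r}"
                 for k, v in md.items() if v in PLACEHOLDERS]
    proto = md.get("IDP_PROTOCOL")
    if proto is not None and proto not in ("http", "https"):
        findings.append(f"IDP_PROTOCOL must be http or https, not {proto!r}")
    elif proto == "http":
        # The ADFS session cookies are bearer credentials; over plain http they
        # would cross the wire unencrypted.
        findings.append("IDP_PROTOCOL is http: authentication cookies would travel unencrypted")
    port = md.get("IDP_PORT")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"IDP_PORT must be a TCP port number, not {port!r}")
    # ADFS does not accept the LTPA token the proxy would otherwise create.
    source = md.get("IDP_AUTH_TOKEN_SOURCE")
    if source is not None and source != "cookies":
        findings.append(f"IDP_AUTH_TOKEN_SOURCE must be 'cookies' for ADFS, not {source!r}")
    indices = token_cookie_indices(md)
    if source == "cookies" and not indices:
        findings.append("IDP_AUTH_TOKEN_SOURCE is cookies but no IDP_AUTH_TOKEN_COOKIE.n is defined")
    # Report numbering gaps (e.g. .1 and .3 without .2) so a dropped entry is noticed.
    if indices and indices != list(range(1, len(indices) + 1)):
        findings.append(f"IDP_AUTH_TOKEN_COOKIE numbering is not contiguous: {indices}")
    return findings


def sample_xml(values):
    """Build a constructed proxy-rules document for the adfs01 provider from a
    {key: value} map (test fixture, not a deployment file)."""
    entries = "".join(
        f"<meta-data><name>adfs01.{k}</name><value>{v}</value></meta-data>"
        for k, v in values.items())
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">'
            f"{entries}</proxy-rules>")


# Constructed fixtures: the page's template with its placeholders, and a filled-in copy.
TEMPLATE = {"IDP_PROTOCOL": "my_idp_prot", "IDP_HOST": "my_idp_host",
            "IDP_PORT": "my_idp_port", "IDP_URI": "my_idp_uri",
            "PARAM_NAME.1": "LoginToRp", "PARAM_VALUE.1": "idp_name_partner_url",
            "IDP_AUTH_TOKEN_SOURCE": "cookies",
            "IDP_AUTH_TOKEN_COOKIE.1": "MSISAuth", "IDP_AUTH_TOKEN_COOKIE.2": "MSISAuth1",
            "IDP_AUTH_TOKEN_COOKIE.3": "MSISAuthenticated", "IDP_AUTH_COOKIE.1": "SamlSession"}
FILLED = dict(TEMPLATE, IDP_PROTOCOL="https", IDP_HOST="idp.example.com",
              IDP_PORT="443", IDP_URI="/adfs/ls/IdpInitiatedSignOn.asp",
              **{"PARAM_VALUE.1": "https://sp.example.com/sps/myfederation/saml20/v2_0"})

if __name__ == "__main__":
    for label, values in (("template", TEMPLATE), ("filled", FILLED)):
        for finding in check_adfs_idp(sample_xml(values), "adfs01") or ["ok"]:
            print(f"{label}: {finding}")
```

To use it against a real file, read XML_file into a string and call check_adfs_idp with your Identity Provider name; an http protocol is reported as a finding rather than an error because the page allows it, but the ADFS cookies are bearer credentials and a reviewer should see that choice.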