IBM Support

Configuring Federated Single Sign On (SSO) for IBM InfoSphere Information Server using SAML 2.0 with Microsoft Active Directory Federation Services (ADFS) or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider

Question & Answer


Question

How do you configure single sign-on (SSO) for the IBM InfoSphere Information Server web applications using SAML 2.0, with Microsoft Active Directory Federation Services (ADFS) or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider?

Answer

This document describes how to configure federated single sign-on (SSO) for the IBM InfoSphere Information Server web client applications by using SAML 2.0, with either Microsoft Active Directory Federation Services (ADFS) or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider (IdP).

Once SAML 2.0 is configured with either identity provider, a user signs on once and can then use the following InfoSphere Information Server web client applications without further login prompts:

  • Data Quality Exception Console
  • Standardization Rules Designer
  • Information Analyzer
  • Operations Console
  • Administration Console
  • Information Governance Catalog
  • Information Governance Dashboard
  • DataClick
  • Metadata Asset Manager
  • Subscription Manager

Single Sign-On (SSO) in InfoSphere Information Server version 11.7.x:

In InfoSphere Information Server version 11.7.x, the following web applications do not participate in the SAML 2.0 SSO login flow. An explicit login to these applications is required even after a successful SSO login:
  • Information Governance Catalog New
  • Governance Monitor (New)
  • Enterprise Search (New)

The following user scenarios are supported by the SSO features of IBM InfoSphere Information Server:

Single Sign-On (SSO):

  1. A user opens one of the secure InfoSphere Information Server web applications through the IIS Secure Launchpad (https://[myIISServer.com]:[port]/ibm/iis/launchpad/secure).
  2. If the request does not carry a valid authenticated session, it is redirected to the login page of the SAML Identity Provider (IdP), that is ADFS or TFIM, as configured.
  3. The user logs in at the IdP.
  4. Once the user is authenticated, the IdP redirects the browser back to the IIS Secure Launchpad.
  5. The user can now select and launch any of the IIS web applications without being prompted for authentication again.
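The exchange behind steps 2 to 4, as an added example that is not part of this technote and is neither IBM nor WebSphere code: a Python (standard library only) sketch of the SP-initiated SAML 2.0 flow, showing the AuthnRequest the service provider (SP) redirects to the IdP, the Response the IdP returns, and the checks the SP must pass before it issues a session (Destination, InResponseTo against an outstanding request, validity window with clock skew, audience, one-time assertion ID). Host names, entity IDs, the ACS path and the user name are constructed placeholders. The XML signature on the Response is deliberately not verified here, since there is no real IdP certificate to verify against; a production SP such as the WAS SAML TAI does that first, against the IdP certificate in its trust store, and only then applies checks like the ones below.

```python
"""SP-initiated SAML 2.0 web SSO: the messages behind steps 2 to 4 above and the
checks the service provider (SP) makes before it issues a session. Added example,
Python standard library only; not IBM code and not the WebSphere SAML TAI. Host
names, entity IDs and assertion content are constructed placeholders. The XML
signature on the Response is NOT verified here; a real SP (the WAS TAI included)
verifies it against the IdP certificate before running any of the checks below."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://myIISServer.com:9443/samlsps"          # placeholder
ACS_URL = "https://myIISServer.com:9443/samlsps/acs"           # placeholder
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"  # placeholder
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"              # placeholder
FIXED_NOW = datetime(2020, 4, 8, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo

def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def sp_build_redirect(relay_state, now):
    """Step 2: SP -> IdP. AuthnRequest in the HTTP-Redirect binding (raw DEFLATE, base64,
    URL-encoded). The SP keeps the request ID so it can refuse unsolicited Responses."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(FMT)}"'
           f' Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"

def idp_decode_request(url):
    """Step 3 (IdP side): recover the AuthnRequest ID, the ACS URL and the RelayState."""
    qs = parse_qs(urlparse(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return req.get("ID"), req.get("AssertionConsumerServiceURL"), qs["RelayState"][0]

def idp_build_response(in_response_to, acs_url, name_id, now,
                       audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """Step 4 (IdP side): a Response tied to this request, this SP and a short time window."""
    issued, expires = now.strftime(FMT), (now + lifetime).strftime(FMT)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issued}"'
            f' Destination="{acs_url}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issued}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def sp_validate_response(response_xml, outstanding_ids, seen_assertion_ids, now,
                         clock_skew=timedelta(minutes=3)):
    """Step 4 (SP side): what must hold before a session (in WAS, an LTPA token) is issued.
    Returns (name_id, None) on success or (None, reason) when the Response is rejected."""
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != ACS_URL:
        return None, "Destination is not our ACS URL"
    if resp.get("InResponseTo") not in outstanding_ids:
        return None, "InResponseTo does not match an outstanding AuthnRequest"
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None, "no plaintext Assertion from the configured IdP"
    cond = a.find("saml:Conditions", NS)
    if (cond is None or now + clock_skew < parse_ts(cond.get("NotBefore"))
            or now - clock_skew >= parse_ts(cond.get("NotOnOrAfter"))):
        return None, "Assertion is outside its validity window"
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None, "Assertion is not addressed to this SP"
    if a.get("ID") in seen_assertion_ids:  # one-time use: a captured Response cannot be replayed
        return None, "Assertion ID already consumed (replay)"
    seen_assertion_ids.add(a.get("ID"))
    outstanding_ids.discard(resp.get("InResponseTo"))  # each AuthnRequest is answered once
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), None

def demo():
    """The full exchange and four rejection cases; returns each outcome by name."""
    rid, url = sp_build_redirect("/ibm/iis/launchpad/secure", FIXED_NOW)
    req_id, acs, relay = idp_decode_request(url)
    resp = idp_build_response(req_id, acs, "alice@example.com", FIXED_NOW)
    foreign = idp_build_response(rid, acs, "alice@example.com", FIXED_NOW,
                                 audience="https://other-sp.example.com/samlsps")
    seen = set()
    return {"relay_state": relay,
            "name_id": sp_validate_response(resp, {rid}, seen, FIXED_NOW)[0],
            "replay": sp_validate_response(resp, {rid}, seen, FIXED_NOW)[1],
            "expired": sp_validate_response(resp, {rid}, set(), FIXED_NOW + timedelta(minutes=10))[1],
            "unsolicited": sp_validate_response(resp, set(), set(), FIXED_NOW)[1],
            "wrong_audience": sp_validate_response(foreign, {rid}, set(), FIXED_NOW)[1]}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the file prints the accepted NameID for the genuine exchange and the reason each of the four bad Responses (replayed, expired, unsolicited, addressed to another SP) is refused. These are the conditions under which the redirect in step 4 ends in a session rather than an error page, so an IdP-side misconfiguration such as a relying-party identifier that does not match the SP entity ID, or clock drift beyond the tolerated skew, shows up here as a rejection rather than as a login loop.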

Single Log Out (SLO):
  1. When the user logs out from one of the IIS web applications, the active WAS LTPA token is invalidated, so the user is logged out of every active IIS web application open in the same web browser (all windows and tabs of one browser, for example Internet Explorer or Firefox, share the same LTPA session; a different browser holds its own session).
  2. After logout, the user is redirected to the SAML IdP login page to authenticate again. If the user has several browser tabs with active IIS web applications, all of them are logged out, including tabs that are not visible; however, those background pages may need to be refreshed (F5) before they are redirected to the SAML IdP login page.
  3. Once a WAS LTPA token expires (time-out), no IIS web application accepts it for any further interaction, so expiry acts as a logout from every active web application. The user is redirected to the IdP login page, although some applications require a browser refresh (F5) before the redirect happens.
  4. Logging out of an IIS web application ends the WAS session only, not the IdP session. To log out in order to switch user IDs, also log out of the SAML IdP using the IdP logout screen, if one is provided; otherwise the still-active IdP session can sign the same user back in without a password prompt.



Installation Requirements:
  • A SAML 2.0 configuration for InfoSphere Information Server is supported only on WebSphere Application Server Network Deployment (WAS ND). WebSphere Liberty (LWAS) is not supported and cannot be used for an SSO configuration with SAML 2.0.
  • The SSO features of IBM InfoSphere Information Server using SAML 2.0 are included in IS 11.5.0.1 and later releases.
    • If you are using InfoSphere Information Server 11.5.0.1, you also need to download from Fix Central and install:
      - ISF Patch JR57496 and
      - Governance 11.5 RU7 Patch (if Information Governance Catalog - IGC application is used)
    • If you are using InfoSphere Information Server 11.5.0.2 or a later version, no further patches are necessary
  • If Microsoft Active Directory Federation Services (ADFS) is the Identity Provider, you must also upgrade the WAS ND installation used by IIS to WAS 8.5.5.8 or a later version.

Installation instructions:
  • Follow the instructions in the attached User's Guide documents for configuring IBM InfoSphere Information Server for SAML 2.0 with each Identity Provider (IdP).

Change History:
  • 08-Apr-2020: Fixes to an invalid SAML TAI example and its syntax
  • 07-May-2018: Support revision: Some applications in IS version 11.7.x do not work with SAML SSO
  • 19-Mar-2018: Support revision: Additional chapter on Changing the landing URL page, and changing the Global Security setting in a WAS ND clustered environment
  • 24-Apr-2017: Support revision: Repository key com.ibm.iis.isf.security.SAMLSecureURL is required after installing ISF Patch JR57496 and must contain the short path to the web application
  • 12-Apr-2017: Support revision: SAML support using IS 11.5.0.1 and additional ISF Patch JR57496 and Governance 11.5 RU7 Patch
  • 14-Dec-2016: Technote initial release: SAML support using IS 11.5.0.1 and additional ISF 11.5 RU4 Patch and Governance 11.5 RU5 Patch.


Document Information

Modified date:
08 April 2020

UID

swg21988719