Active Directory Single Sign-OnWorldwide Business Partner Technical Enablement 2016Van Staub – North America Embedded Solution Agreement Technical Sales

1

Agenda• review in a practical format configuring Active Directory

and Active Directory Federation Services

• configure SAML with WebSphere

• discuss SAML with Connections Cloud

• list notable resources at the end

Installing and Configuring Active Directory• the “directory” used to perform authentication with IBM

software (e.g. WebSphere Portal)• provides a variety of authentication mechanisms almost out of

the box – namely SAML, SPNEGO, and LDAP

• very easy to get started

Active Directory Federation Services 2.0• supports SAML authentication with ”relying parties”

• SAML is a protocol that specifies the identity of a user in an encrypted format

• identity of the user is provided using a “claim” (i.e. sAMAccountName or email address)

SAM

L Fl

ow

XML

Installing and Configuring ADFS 2.0• install the ADFS 2.0 software• configure the first federation server

• manually add the SSL certificate to IIS if one is not listed as available to use (I re-used a certificate; you can create a self-signed if needed)

• verify the SSL certificate you imported is also set as the Token-Signing certificate

• also make sure it’s the primary certificate

manually importing the SSL certificate into IIS

Manually set the Token-Signing

Certificate

Configuring WebSphere for SAML• ensure that security is enabled and working with Active

Directory

• install the SAML ACS enterprise application• configure the SAML TAI to work with the ADFS IdP

• steps create a global configuration• steps are shown manually for clarity

• simply deploys the SAML ACS enterprise application

• can also be done manually

• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association

• Uncheck Enable trust association

• Click Interceptors• com.ibm.ws.se

curity.web.saml.ACSTrustAssociationInterceptor

• add settings seen in screenshot

• Using WAS Console go to Security -> Global Security -> Custom Properties

• add settings seen in screenshot

• Using WAS Console go to Security -> SSL Certificate and Key Management -> Key stores and Certificates• either

NodeDefaultTrustStore or CellDefaultTrustSTore

• Add SSL certificate (public key) manually or retrieve from port (i.e. the IIS server)

the Token-Signer certificate

specified earlier

certificate alias you just added to

the TrustStore

• Using WAS Console go to Security -> Federated Repositories -> Configure • Click Trusted

authentication realms - inbound

• add external ream settings seen in screenshot

Federation Server identifier seen

earlier

• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association• Check Enable trust

association

Creating the Partnership• SAML 2.0 metadata XML can be exported from WebSphere

and imported into ADFS• use AdminTask.exportSAMLSpMetadata(‘-

spMetadataFileName <SpMetaDataFile> -ssoId 1′)

sso_1.sp.acsURL

sso_1.sp.acsURL

use defaults on next screens

Finished Partnership (Relying Party Trust)

ResourcesUnderstanding the WebSphere Application Server SAML Trust Association Interceptor

http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html

Step by step guide to implement SAML 2.0 for Portal 8.5

https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/

Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)

https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en

Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication

https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication

AD + SAML + Kerberos + IBM Notes and Domino = SSO!

http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm

BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014)

http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm

Thank You

31