Configuring SAML redirection services for web SSO

To gain SAML support for all IBM® Connections components accessed via a browser, set up SAML redirection services to use the default authenticator. This process replaces the web login page for Connections with your SAML Identity Provider (IdP) through the use of a redirect.

Before you begin

Install IBM Connections 5.5, CR1.

About this task

IBM Connections provides SAML v2 support in a way that allows integration with third parties that may handle authentication via the LTPA mechanism outside of the Connections cell. If you need to integrate SSO traffic that originates from outside the Connections cell, the SAML TAI (Trust Association Interceptor) must be configured to also allow LTPA as an authentication mechanism.
This SAML support has been tested with the following two SAML Identity Providers (IdP):
  • TFIM - IBM TFIM 6.2.2, SAML 2.0 IdP only
  • MS-ADFS - Microsoft™ ADFS 2.0, SAML 2.0 IdP only
Review the following table to understand the current level of SAML support (and its limitations) in Connections and verify that your requirements can be met. If your requirements are not clearly met, then do not proceed with configuring SAML.
Table 1. SAML support in IBM Connections using the default authenticator

This table describes the level of SAML support for security implementations that use SAML (within the cell) and LTPA (outside the cell) for authentication.

| Connections components accessed via a browser | SAML (within cell) and LTPA (outside cell) for Authentication, with LTPA for SSO |
|---|---|
| Connections web-based interface as follows: • All applications such as Home page, Profiles, Communities, Wikis, Files, Forums, Activities, Bookmarks, and Blogs (except for Metrics). • Metrics is not supported except for the conditions detailed in the third row. • All widgets in Communities except for the CCM widget (Library). | Supported |
| Integration with CCM/FileNet | Supported |
| Integration with Metrics/Cognos | Supported |
| All other components, which includes: • Mobile web-based • Mobile Native Apps • Connections Mail • WebSphere® Portal integration • Desktop, IBM Notes®, and other client application integration and other add-ons • IBM Forms (added in IFR1) | Not supported |

FileNet® administration user interfaces will not be protected by SAML following this configuration. Existing built-in login screens continue to protect FileNet administration user interfaces.

Refer to the following topics in the WebSphere Application Server information center to understand how to enable single sign-on with SAML: