Setting up SAML 2.0 in two different cells

You can set up SAML 2.0 for IBM Docs when IBM Docs and IBM Connections are in different cells.

Procedure

  1. Configure single sign-on (SSO) between the IBM Connections cell and the IBM Docs cell.
  2. To exchange the SOAP SSL between the cells, follow these steps:
    1. Import SOAP SSL from the IBM Connections cell on the IBM Docs cell.
      1. Log in to the WebSphere console of the IBM Docs cell.
      2. Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
      3. Click Retrieve from port.
      4. Enter the host of the IBM Connections cell deployment manager and SOAP port, and choose an alias name.
      5. Click OK.
      6. Click Save.
    2. Import SOAP SSL from the IBM Docs cell on the IBM Connections cell.
      1. Log in to the WebSphere console of the IBM Connections cell.
      2. Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
      3. Click Retrieve from port. Enter the host of the Connections Docs cell deployment manager and SOAP port, and choose an alias name.
      4. Click OK.
      5. Click Save.
  3. To build SAML IDP and SAML SP partnership, follow these steps:
    1. Enable SAML web single sign-on:
      1. Enable your system to use the SAML web SSO feature. For instructions, see Enabling your system to use the SAML web single sign-on (SSO) feature.
      2. Configure SSO partners. For instructions, see Configuring single sign-on partners.
    2. Set up SAML 2.0 support for IBM Docs as follows:
      1. From the WebSphere Application Server administrative console, navigate to Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Then set the Custom property sso_1.sp.login.error.page to com.ibm.connections.concerto.services.ADFSIdPMapping if Microsoft Active Directory Federation Services (ADFS) is used. Otherwise, use com.ibm.connections.concerto.services.TFIMIdPMapping.
        Note:
        • TFIMIdPMapping is used for IBM TFIM 6.2.2, SAML 2.0 IdP only.
        • ADFSIdPMapping is used for MS ADFS 2.0, SAML 2.0 IdP only.
      2. Obtain the com.ibm.connections.concerto.services.jar from the connections_root/Concerto directory on Connections node.
      3. Copy com.ibm.connections.concerto.services.jar over the WebSphere Application Server's library extension folder. For example:
        • Windows: C:\IBM\WebSphere\AppServer\lib\ext
        • AIX, Linux: /opt/IBM/WebSphere/AppServer/lib/ext
          Note: For a multi-node ND deployment, all the nodes must have this redirection service JAR available for the SAML TAI to pick up.
    3. Install the default application (also known as Snoop). For more information about the default application, see Default Application.
    4. Protect Snoop with SAML as follows:
      • From the WebSphere Application Server administrative console, navigate to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
      • Under Custom properties, create the property sso_1.sp.filter and give it the value request-url^=/snoop/. For more information about configuring the SAML TAI, see Enabling your system to use the SAML web single sign-on (SSO) feature.
    5. Run Full Resynchronize for all nodes, and restart all application server instances.
    6. Run a test LOGIN against Snoop by pointing your browser to its own URL. For example: https://[host]:[port]/snoop and then verify that Snoop is protected adequately by SAML 2.0.
    7. Enable single sign-on to enable Connections Docs for SAML 2.0.
    8. Run Full Resynchronize for all nodes, and then restart all application server instances.
    9. Run a test LOGIN against Docs by pointing your browser to a protected Connections URL. For example: https://[host]:[port]/homepage.
  4. To configure the IBM Docs URL, follow these steps:
    1. Log in to the WebSphere console.
    2. Go to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
    3. Add "docs" to the value of the property sso_1.sp.filter, for example:
      sso_1.sp.filter = request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|/moderation/|/news/|/profiles/|/search/|/wikis/|;request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;request-url!=/static/
    4. Go to System administration > Nodes and Full Resynchronize all the Nodes.
  5. To set docsAdmin j2calias on the Connections cell, follow these steps:
    1. Get the user mapped to the docsAdmin role on the Docs cell.
      1. Log onto the IBM Docs WAS admin console and go to Applications > Enterprise Applications > IBMDocs > Security role to user/group mapping.
      2. Select the docsAdmin role and note the Mapped users.
        Note: The Mapped users value is used in the next step. The mapped user must be a user in the IdP LDAP.
    2. Create a J2C alias on the Connections cell.
      1. Log onto the Connections WAS admin console and go to Security > Global security > JAAS - J2C authentication data.
      2. Create a new alias named docsAdmin and enter the user name and password obtained in the previous step.
      3. Click OK and Save.
      4. Go to System administration > Nodes and Synchronize all the Nodes.
  6. Restart the Docs cluster.
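Before applying the sso_1.sp.filter value from step 4, it helps to check offline which request URLs the SAML TAI will intercept and which it will leave to other authentication (for example /api/ or /mobile/ paths). The following evaluator is an added example, not IBM code; it assumes the documented TAI filter semantics where conditions are separated by ";", "^=" means "contains one of" with "|"-separated alternatives, "%=" means "contains", "==" means "equals" and "!=" means "does not contain", and it skips empty alternatives such as the one left by the trailing "|" in the page's value.

```python
"""Offline evaluator for a WebSphere SAML TAI sso_<id>.sp.filter value."""
import re

# Constructed sample: the filter value from step 4 of this page, on one line.
PAGE_FILTER = (
    "request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|"
    "/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|"
    "/moderation/|/news/|/profiles/|/search/|/wikis/|;"
    "request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;"
    "request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;"
    "request-url!=/help/;request-url!=/home/;request-url!=/js/;"
    "request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;"
    "request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;"
    "request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;"
    "request-url!=/serverstats/;request-url!=/static/"
)

# One condition: <header or request-url> <operator> <value>
_COND = re.compile(r"^(?P<key>[\w-]+)\s*(?P<op>\^=|!=|%=|==)\s*(?P<val>.*)$")


def parse_filter(filter_value):
    """Split a ';'-separated filter into (key, operator, value) tuples."""
    conds = []
    for raw in filter_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = _COND.match(raw)
        if not m:
            raise ValueError(f"unparseable filter condition: {raw!r}")
        conds.append((m["key"], m["op"], m["val"]))
    return conds


def _cond_matches(op, value, subject):
    if op == "^=":
        # "contains one of": empty alternatives (e.g. from a trailing '|') are
        # skipped here; this is an assumption, verify it against your TAI version.
        return any(alt in subject for alt in value.split("|") if alt)
    if op == "%=":
        return value in subject
    if op == "==":
        return subject == value
    return value not in subject  # "!=" is "does not contain"


def tai_intercepts(filter_value, headers):
    """True when every condition holds, i.e. the SAML TAI would act on the request."""
    return all(_cond_matches(op, val, headers.get(key, ""))
               for key, op, val in parse_filter(filter_value))
```

Pass a dict with the "request-url" key (and any other headers the filter names) to see which URLs end up behind SAML; an excluded prefix such as /api/ inside an otherwise protected path wins because all conditions must hold.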