Troubleshooting SAML 2.0
Review the topics in this section to see if your issue is addressed.
Perform the following steps so that your SAML 2.0 Web SSO support for IBM® Connections deployment can collect pertinent trace data.
- Test SAML with Snoop. Be sure not to configure Connections until you have done so.
- Enable the Security trace as follows:
com.ibm.ws.security.*=all:com.ibm.ws.security.policy.*=off
- Enable the directory services trace as follows:
com.ibm.connections.directory.services.*=all
- Enable the HTTP client trace as follows:
com.ibm.connections.httpClient.*=all
- Enable the redirection services trace as follows:
com.ibm.connections.concerto.services.*=all
Disabling SAML to validate fully functioning integration for third party servers
IBM® Connections can incorporate many services into the IBM® Social Business Platform. It is necessary to isolate system-wide security features in order to validate whether third party servers, such as Cognos® or FileNet® servers, can be deployed as fully functional integrated servers with Connections before SAML protection is enabled.
Procedure
- Select and delete the SAML TAI com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
- Disable the SAML TAI, but leave the OAuth TAI enabled, as follows:
  - Set the InvokeTAIbeforeSSO property to com.ibm.ws.security.oauth20.tai.OAuthTAI only.
  - Remove the DeferTAItoSSO property.
- Configure the custom authenticator service to use the DefaultAuthenticator as follows:
  - Check out the LotusConnections-config.xml file.
  - Verify that the XML element <customAuthenticator name="DefaultAuthenticator" /> is specified. If the value is not "DefaultAuthenticator", edit it to be so and then save the file.
  - Check the file back in.
- Run Full Resynchronize for all nodes, and then restart all application server instances.
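The following is an added check, not part of the IBM documentation, that verifies a deployment is in the "SAML off, OAuth TAI only" state the procedure above produces. It assumes a constructed fragment approximating LotusConnections-config.xml (hypothetical namespace) and a snapshot of the security custom properties and interceptor classes supplied as a dict and a list, keyed by the names used in this procedure.

```python
import xml.etree.ElementTree as ET

SAML_TAI = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"
OAUTH_TAI = "com.ibm.ws.security.oauth20.tai.OAuthTAI"

# Constructed fragment approximating LotusConnections-config.xml; the namespace
# is hypothetical, and the check matches on local element names so it does not matter.
SAMPLE_CONFIG = """<config xmlns="urn:example:connections-config">
  <customAuthenticator name="DefaultAuthenticator" />
</config>"""

# Constructed snapshot of the WebSphere security custom properties and of the
# configured TAI classes, keyed by the property names used in the procedure.
SAMPLE_PROPS = {"InvokeTAIbeforeSSO": OAUTH_TAI}
SAMPLE_INTERCEPTORS = [OAUTH_TAI]


def custom_authenticator_name(xml_text):
    """Return the name attribute of the first customAuthenticator element, or None."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "customAuthenticator":
            return el.get("name")
    return None


def check_saml_disabled(xml_text, props, interceptors):
    """Return a list of findings; an empty list means the deployment matches
    the 'SAML TAI removed, OAuth TAI only, DefaultAuthenticator' state."""
    findings = []
    if SAML_TAI in interceptors:
        findings.append("SAML TAI is still configured as an interceptor")
    before = [p.strip() for p in props.get("InvokeTAIbeforeSSO", "").split(",") if p.strip()]
    if before != [OAUTH_TAI]:
        findings.append(f"InvokeTAIbeforeSSO is {before}, expected [{OAUTH_TAI!r}]")
    if "DeferTAItoSSO" in props:
        findings.append("DeferTAItoSSO is still set; remove it")
    name = custom_authenticator_name(xml_text)
    if name != "DefaultAuthenticator":
        findings.append(f"customAuthenticator is {name!r}, expected 'DefaultAuthenticator'")
    return findings


if __name__ == "__main__":
    for line in check_saml_disabled(SAMPLE_CONFIG, SAMPLE_PROPS, SAMPLE_INTERCEPTORS) or ["OK"]:
        print(line)
```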