Troubleshooting SAML 2.0
Review the topics in this section to see if your issue is addressed.
Perform the following steps so that your SAML 2.0 Web SSO support for HCL Connections™ deployment can collect pertinent trace data.
- Test SAML with Snoop. Be sure not to configure Connections until you have done so.
- Enable the Security trace as follows:
  com.ibm.ws.security.*=all:com.ibm.ws.security.policy.*=off
- Enable the directory services trace as follows:
  com.ibm.connections.directory.services.*=all
- Enable the HTTP client trace as follows:
  com.ibm.connections.httpClient.*=all
- Enable the redirection services trace as follows:
  com.ibm.connections.concerto.services.*=all
Disabling SAML to validate fully functioning integration for third-party servers
Connections can integrate many services into the Social Business Platform. Before enabling SAML protection, isolate system-wide security features so that you can confirm that third-party servers, such as Cognos® or FileNet® servers, deploy correctly as fully functional integrated servers with Connections.
Procedure
- Select and delete the SAML TAI com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
- Disable the SAML TAI, but leave the OAuth TAI enabled, as follows:
  - Set the InvokeTAIbeforeSSO property to com.ibm.ws.security.oauth20.tai.OAuthTAI only.
  - Remove the DeferTAItoSSO property.
- Configure the custom authenticator service to use the DefaultAuthenticator as follows:
  - Check out LotusConnections-config.xml.
  - Verify that the XML element <customAuthenticator name="DefaultAuthenticator" /> is specified. If the value is not "DefaultAuthenticator", edit it to be so and then save the file.
  - Check the file back in.
- Run Full Resynchronize for all nodes, and then restart all application server instances.
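The customAuthenticator verification step above is easy to get wrong by hand in a large configuration file. The following Python script is an added example (not part of the HCL documentation or the product) that checks the checked-out LotusConnections-config.xml for the customAuthenticator element and rewrites its name attribute to DefaultAuthenticator only when it differs. The sample document embedded in the script is constructed for illustration; the real file is much larger and its XML namespace is not assumed, which is why the lookup matches on the element's local name rather than a fixed namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragment of LotusConnections-config.xml.
# The root element, the namespace URI and the starting authenticator value are
# placeholders; only the customAuthenticator element comes from the documented step.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="urn:example:placeholder-namespace">
  <customAuthenticator name="SomeOtherAuthenticator" />
</config>
"""

EXPECTED = "DefaultAuthenticator"


def _local_name(tag):
    """Strip a namespace prefix of the form '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_custom_authenticator(root):
    """Return the first customAuthenticator element, whatever namespace it is in."""
    for elem in root.iter():
        if _local_name(elem.tag) == "customAuthenticator":
            return elem
    return None


def check_authenticator(xml_text):
    """Return (is_ok, current_value).

    is_ok is True only when the element exists and its name attribute is
    exactly DefaultAuthenticator; a missing element reports (False, None).
    """
    root = ET.fromstring(xml_text)
    elem = find_custom_authenticator(root)
    if elem is None:
        return False, None
    current = elem.get("name")
    return current == EXPECTED, current


def set_default_authenticator(xml_text):
    """Return the configuration text with customAuthenticator set to DefaultAuthenticator.

    The element is never created if absent: the documented step only edits an
    existing value, so guessing where to add one would change the config's shape.
    """
    root = ET.fromstring(xml_text)
    elem = find_custom_authenticator(root)
    if elem is None:
        raise ValueError("no customAuthenticator element found; refusing to add one")
    elem.set("name", EXPECTED)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ok, value = check_authenticator(SAMPLE_CONFIG)
    print("before:", value, "ok" if ok else "needs edit")
    fixed = set_default_authenticator(SAMPLE_CONFIG)
    ok, value = check_authenticator(fixed)
    print("after: ", value, "ok" if ok else "needs edit")
```

To use it on a real deployment, read the checked-out file into `xml_text`, write the returned text back only when `check_authenticator` reported a mismatch, then check the file in and run Full Resynchronize as the procedure describes.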