Setting up SAML 2.0 in one cell

If required in your environment, set up SAML (Security Assertion Markup Language) 2.0 Web SSO redirection services support for HCL Docs.

Before you begin

Before you can configure HCL Docs with SAML 2.0, complete the following tasks.
  1. Install HCL Connections 5.5 or later.
  2. Set up SAML 2.0 for Connections.

About this task

HCL Docs is supported in a SAML 2.0 environment with redirection services for all available bookmarks: a bookmarked URL is redirected to the identity provider and back exactly as in a traditional web browser environment, with no extra front-end application page in between. The WebSphere Application Server SAML service provider (SP) supports SAML 2.0 Identity Provider (IdP) initiated single sign-on (SSO).

Procedure

  1. Set up SAML 2.0 for File Viewer.
    You must always install the File Viewer application in the same cell as Connections. After deploying File Viewer, complete these steps:
    1. Configure the File Viewer URL.
      1. Log in to the WebSphere Application Server console.
      2. Go to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
      3. Add /viewer/ to the request-url^= list in the value of the sso_1.sp.filter property, for example:

        sso_1.sp.filter =

        request-url^=/snoop|/viewer/|/activities/|/blogs/|/cognos/|/communities/|/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|/moderation/|/news/|/profiles/|/search/|/wikis/|;request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;request-url!=/static/

      4. Go to System administration > Nodes, select all nodes, and click Full Resynchronize.
    2. Configure Concerto service.
      Follow steps 4b and 4c in Setting up SAML 2.0 for Connections to copy the Concerto JAR file to all nodes on which the File Viewer application is installed.
    3. Restart all clusters.
  2. Set up SAML 2.0 for one cell.
    You must complete these steps when you install HCL Docs in the same cell as Connections.
    1. Configure the HCL Docs URL.
      1. Log in to the WebSphere Application Server console.
      2. Go to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
      3. Add /docs/ to the request-url^= list in the value of the sso_1.sp.filter property, for example:

        sso_1.sp.filter =

        request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|/moderation/|/news/|/profiles/|/search/|/wikis/|;request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;request-url!=/static/

      4. Go to System administration > Nodes, select all nodes, and click Full Resynchronize.
    2. Configure Concerto service.
      Follow steps 4b and 4c in Setting up SAML 2.0 for Connections to copy the Concerto JAR file to all nodes on which the HCL Docs application is installed.
    3. Set the docsAdmin J2C alias.
      Get the user mapped to the docsAdmin role:
      1. Log in to the WAS admin console and go to Applications > Enterprise Applications > IBMDocs > Security role to user/group mapping.
      2. Select the docsAdmin role and note the value under Mapped users.
        Note: You use the Mapped users value in the next step. The mapped user must exist in the LDAP directory that the IdP authenticates against.
      Create the J2C alias:
      1. Log in to the WAS admin console and go to Security > Global security > JAAS > J2C authentication data.
      2. Create an alias named docsAdmin (the name must match exactly) and enter the user name from the previous step together with that user's password.
      3. Click OK and Save.
      4. Go to System administration > Nodes and Synchronize all the Nodes.
    4. Restart all clusters.
  3. If you set the auth_type property to SAML in the cfg.properties file when you deployed the HCL Docs components, nothing more needs to be done. If you are setting up SAML after deploying the HCL Docs components, you must make the following manual changes:
    1. Edit DOCSCLUSTER_INSTALLPATH/config/concord-config.json and set auth_type to SAML.
    2. Edit the JSON files:

      WAS_INSTALL_PATH/profiles/Dmgr01/config/cells/cellName/LotusConnections-config/docs-daemon-config.json and viewer-daemon-config.json, and set auth_type to SAML in each.

    3. Synchronize the nodes.
    4. Ripple start the Common Cluster (or whichever cluster the News application is running under).
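The two sso_1.sp.filter edits in steps 1 and 2 are the same operation on the same string, and the only way to see what they change is to evaluate the filter. The following Python is an added example, not code from HCL Docs or WebSphere: it parses a filter value, adds prefixes to the request-url^= list the way the procedure does by hand, and reports which request paths the ACSTrustAssociationInterceptor would then handle. The filter value is the one from step 2. The operator semantics it implements (^= is starts-with on the request path with |-separated alternatives, != is does-not-contain, conditions joined by ; are ANDed, and the empty alternative left by the trailing | after /wikis/ is ignored, as Java's String.split drops trailing empty tokens) are the author's reading of the WebSphere TAI filter syntax, and the sample URLs are constructed; confirm the behaviour against your own deployment with a browser request before relying on it.

```python
"""Evaluate a WebSphere SAML TAI sso_<id>.sp.filter value against request URLs.

Added example, not HCL Docs or WebSphere code. The operator semantics are
assumptions about the TAI filter syntax (see comments); verify on a real server.
"""
from urllib.parse import urlsplit

# The sso_1.sp.filter value from step 2 of the procedure (with /docs/ added).
DOCS_FILTER = (
    "request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|"
    "/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|"
    "/moderation/|/news/|/profiles/|/search/|/wikis/|;"
    "request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;"
    "request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;"
    "request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;"
    "request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;"
    "request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;"
    "request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;"
    "request-url!=/static/"
)

OPERATORS = ("^=", "!=", "%=", "==")  # starts-with, does-not-contain, contains, equals

def parse_filter(expr):
    """Return [(header, op, values)]; conditions are ';'-separated and ANDed.
    For '^=' the value is a '|'-separated list of alternatives. Empty alternatives
    (the documented value ends in '/wikis/|') are dropped, as Java's String.split
    drops trailing empty tokens; an empty starts-with would match every path."""
    conds = []
    for raw in expr.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        for op in OPERATORS:
            if op in raw:
                header, value = raw.split(op, 1)
                values = [v for v in value.split("|") if v] if op == "^=" else [value]
                conds.append((header.strip(), op, values))
                break
        else:
            raise ValueError(f"unsupported condition: {raw!r}")
    return conds

def request_path(url):
    """Reduce a full URL or a bare path to the path plus query string.
    Assumption: request-url is compared without scheme and host, which is what
    makes '^=/snoop' in the documented value meaningful."""
    parts = urlsplit(url)
    return (parts.path or "/") + (f"?{parts.query}" if parts.query else "")

def condition_holds(cond, path):
    """Assumed operator semantics: ^= starts-with (any alternative), != does-not-contain."""
    header, op, values = cond
    if header != "request-url":
        raise ValueError(f"only request-url is modelled, got {header!r}")
    if op == "^=":
        return any(path.startswith(v) for v in values)
    if op == "!=":
        return all(v not in path for v in values)
    if op == "%=":
        return values[0] in path
    return path == values[0]

def intercepted(expr, url):
    """True when every condition holds, i.e. the SAML TAI takes the request and an
    unauthenticated user is redirected to the IdP. False means the request falls
    through to WebSphere's other configured authentication."""
    path = request_path(url)
    return all(condition_holds(c, path) for c in parse_filter(expr))

def add_prefixes(expr, prefixes):
    """Add each prefix to the request-url^= list unless it is already there. This
    is the manual edit from steps 1 and 2; the != exclusions are left untouched."""
    parts = [p.strip() for p in expr.split(";")]
    for i, cond in enumerate(parts):
        if cond.startswith("request-url^="):
            alts = cond[len("request-url^="):].split("|")
            for prefix in prefixes:
                if prefix not in alts:
                    alts.insert(1, prefix)  # right after /snoop, as on the page
            parts[i] = "request-url^=" + "|".join(alts)
            return ";".join(parts)
    raise ValueError("no request-url^= condition to extend")

# Constructed sample requests; the paths are illustrative, not real HCL Docs URLs.
SAMPLE_URLS = [
    "https://connections.example.com/docs/app/doc/abc/edit",
    "https://connections.example.com/viewer/app/view/xyz",
    "https://connections.example.com/files/app/file/123",
    "https://connections.example.com/files/api/document/123",
    "https://connections.example.com/docs/api/health",
    "https://connections.example.com/snoop",
]

def report(expr, urls):
    """Map each URL to whether the filter intercepts it."""
    return {u: intercepted(expr, u) for u in urls}

if __name__ == "__main__":
    one_cell = add_prefixes(DOCS_FILTER, ["/viewer/"])  # both apps in one cell
    for url, hit in report(one_cell, SAMPLE_URLS).items():
        print(f"{('SAML' if hit else 'pass'):4}  {url}")
```

The point to check is that the request-url!= exclusions apply to every prefix in the list, including the ones you add: under the assumed semantics a File Viewer or HCL Docs path that contains one of the excluded segments (the constructed /docs/api/health above, because of request-url!=/api/) is not intercepted by the SAML TAI and is authenticated by whatever else WebSphere applies to it, so compare the report against the URLs your deployment actually serves.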