Setting up SAML 2.0 in two different cells

You can set up SAML 2.0 for HCL Docs when HCL Docs and HCL Connections are deployed in different WebSphere cells. The two cells must trust each other's SOAP endpoints, and the SAML trust association interceptor (TAI) in the HCL Docs cell must be configured to intercept the HCL Docs URLs.

Procedure

  1. Configure single sign-on (SSO) between the HCL Connections cell and the HCL Docs cell.
  2. To exchange the SOAP SSL between the cells, follow these steps:
    1. Import SOAP SSL from the HCL Connections cell on the HCL Docs cell.
      1. Log in to the WebSphere console of the HCL Docs cell.
      2. Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
      3. Click Retrieve from port.
      4. Enter the host of the HCL Connections cell deployment manager and its SOAP port, and choose an alias name.
        Note: Retrieve from port trusts whatever certificate the remote port presents. Click Retrieve signer information and compare the displayed SHA digest with the certificate on the HCL Connections deployment manager before you accept it.
      5. Click OK.
      6. Click Save.
    2. Import SOAP SSL from the HCL Docs cell on the HCL Connections cell.
      1. Log in to the WebSphere console of the HCL Connections cell.
      2. Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
      3. Click Retrieve from port.
      4. Enter the host of the HCL Docs cell deployment manager and its SOAP port, and choose an alias name. As in the previous step, verify the retrieved signer's SHA digest before you accept it.
      5. Click OK.
      6. Click Save.
  3. To build the SAML IdP and SAML SP partnership, follow these steps:
    1. Enable SAML web single sign-on:
      1. Enable your system to use the SAML web SSO feature. For instructions, see Enabling your system to use the SAML web single sign-on (SSO) feature.
      2. Configure SSO partners. For instructions, see Configuring single sign-on partners.
    2. Set up SAML 2.0 support for HCL Docs as follows:
      1. From the WebSphere Application Server administrative console, navigate to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Set the custom property sso_1.sp.login.error.page to com.ibm.connections.concerto.services.ADFSIdPMapping if Microsoft Active Directory Federation Services (ADFS) is the IdP. Otherwise, set it to com.ibm.connections.concerto.services.TFIMIdPMapping.
        Note:
        • TFIMIdPMapping is used for IBM TFIM 6.2.2, SAML 2.0 IdP only.
        • ADFSIdPMapping is used for MS ADFS 2.0, SAML 2.0 IdP only.
      2. Obtain com.ibm.connections.concerto.services.jar from the connections_root/Concerto directory on a Connections node.
      3. Copy com.ibm.connections.concerto.services.jar into the WebSphere Application Server library extension folder. For example:
        • Windows: C:\IBM\WebSphere\AppServer\lib\ext
        • AIX, Linux: /opt/IBM/WebSphere/AppServer/lib/ext
          Note: For a multi-node ND deployment, all the nodes must have this redirection service JAR available for the SAML TAI to pick up.
    3. Install the default application (also known as Snoop). For more information about the default application, see Default Application.
    4. Protect Snoop with SAML as follows:
      • From the WebSphere Application Server administrative console, navigate to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
      • Under Custom properties, create the property sso_1.sp.filter and give it the value request-url^=/snoop/. Only requests whose URL matches this filter are intercepted by the SAML TAI; everything else falls through to the cell's other authentication mechanisms. For more information about configuring the SAML TAI, see Enabling your system to use the SAML web single sign-on (SSO) feature.
    5. Run Full Resynchronize for all nodes, and restart all application server instances.
    6. Run a test login against Snoop by pointing your browser to its URL, for example https://[host]:[port]/snoop. Confirm that you are redirected to the IdP before Snoop is displayed, and that the Remote user shown by Snoop is the identity asserted by the IdP; only then is Snoop adequately protected by SAML 2.0.
    7. Enable single sign-on so that HCL Docs uses SAML 2.0.
    8. Run Full Resynchronize for all nodes, and then restart all application server instances.
    9. Run a test login against HCL Docs by pointing your browser to a protected Connections URL, for example https://[host]:[port]/homepage.
  4. To configure the HCL Docs URL, follow these steps:
    1. Log in to the WebSphere console.
    2. Go to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
    3. Add /docs/ to the value of the property sso_1.sp.filter, so that the HCL Docs URLs are intercepted alongside the Connections applications, for example:
      sso_1.sp.filter =

      request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|/moderation/|/news/|/profiles/|/search/|/wikis/|;request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;request-url!=/static/
      The conditions are separated by semicolons and must all hold. The request-url^= condition lists the application paths to intercept, and each request-url!= condition excludes a path (API, feed and static-resource URLs) that must keep working for non-browser clients and must therefore not be redirected to the IdP.
    4. Go to System administration > Nodes and Full Resynchronize all the Nodes.
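Because a wrong sso_1.sp.filter either leaves HCL Docs URLs unprotected by SAML or redirects API clients to the IdP, it is worth checking the filter against real URLs before the resynchronization. The following is an added example and not HCL or IBM code: a small dry-run evaluator for the filter value above. It assumes the WebSphere TAI filter semantics as they are evidently intended here, namely that `;` joins conditions with logical AND, `^=` matches when the request URL contains any of the `|`-separated alternatives, `%=` matches when it contains the value, `!=` matches when it does not contain the value, and `==` requires equality; it also drops the empty alternative left by the trailing `|` in the page's value, and only the request-url condition is implemented. The filter constant and the sample URLs are constructed for the example.

```python
"""Dry-run evaluator for a WebSphere SAML TAI sso_1.sp.filter value.

Added example, not HCL or IBM code. Assumed semantics:
  - conditions are separated by ';' and all must hold (logical AND)
  - 'request-url^=a|b|c' holds when the URL contains any of a, b, c
  - 'request-url%=x' holds when the URL contains x
  - 'request-url!=x' holds when the URL does not contain x
  - 'request-url==x' holds when the URL equals x
Only request-url conditions are supported; anything else raises rather
than being silently ignored, so a typo in the filter is noticed.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# The filter value from the procedure above, with /docs/ added (constructed copy).
DOCS_FILTER = (
    "request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|"
    "/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|"
    "/moderation/|/news/|/profiles/|/search/|/wikis/|;"
    "request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;"
    "request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;"
    "request-url!=/help/;request-url!=/home/;request-url!=/js/;"
    "request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;"
    "request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;"
    "request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;"
    "request-url!=/serverstats/;request-url!=/static/"
)

Condition = Callable[[str], bool]


def _parse_condition(cond: str) -> Condition:
    """Turn one 'request-url<op><value>' condition into a predicate on the URL."""
    # Two-character operators are checked in an order where none is a prefix of another.
    for op in ("^=", "!=", "%=", "=="):
        if op in cond:
            key, value = cond.split(op, 1)
            break
    else:
        raise ValueError(f"unsupported condition: {cond!r}")
    if key.strip() != "request-url":
        raise ValueError(f"only request-url conditions are handled here: {cond!r}")
    if op == "^=":
        # Drop empty alternatives (a trailing '|' produces one): a naive substring
        # test against "" would otherwise match every URL.
        alternatives = [a for a in value.split("|") if a]
        return lambda url: any(a in url for a in alternatives)
    if op == "%=":
        return lambda url: value in url
    if op == "!=":
        return lambda url: value not in url
    return lambda url: url == value


def parse_filter(filter_value: str) -> List[Tuple[str, Condition]]:
    """Split the filter on ';' and keep the raw text beside each predicate."""
    return [(c.strip(), _parse_condition(c.strip()))
            for c in filter_value.split(";") if c.strip()]


def _request_path(url: str) -> str:
    """Reduce a full URL (or a bare path) to path plus query for matching."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def failing_condition(filter_value: str, url: str) -> Optional[str]:
    """The first condition the URL fails, or None when the TAI would intercept it."""
    path = _request_path(url)
    for raw, predicate in parse_filter(filter_value):
        if not predicate(path):
            return raw
    return None


def intercepted(filter_value: str, url: str) -> bool:
    """True when every condition holds, i.e. the SAML TAI intercepts the request."""
    return failing_condition(filter_value, url) is None


if __name__ == "__main__":
    # Constructed sample URLs: what a browser, an API client and a bare
    # context root look like to the filter.
    for sample in ("https://docs.example.com/docs/app/doc.html",
                   "/files/api/myuserlibrary/feed",
                   "/snoop", "/homepage", "/homepage/web/updates"):
        print(f"{sample:45} intercepted={intercepted(DOCS_FILTER, sample)} "
              f"failed={failing_condition(DOCS_FILTER, sample)}")
```

Two results are worth noting when running this. A feed URL such as /files/api/myuserlibrary/feed is excluded by request-url!=/api/ even though it contains /files/, which is the intended behaviour for non-browser clients. The bare context root /homepage does not contain /homepage/ and so is not intercepted by this filter as written; when you run the test login in the procedure above, make sure the URL you end up on is one the filter actually covers.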
  5. To create the docsAdmin J2C alias on the Connections cell, follow these steps:
    1. Get the user mapped to the docsAdmin role on the Docs cell.
      1. Log onto the HCL Docs WAS admin console and go to Applications > Enterprise Applications > IBMDocs > Security role to user/group mapping.
      2. Select docsAdmin role and get the Mapped users.
        Note: The Mapped users value is used in the next step. The mapped user must exist in the LDAP directory that the IdP authenticates against.
    2. Create a J2C alias on the Connections cell.
      1. Log onto the Connections WAS admin console and go to Security > Global security > JAAS - J2C authentication data.
      2. Create a new alias named docsAdmin and enter the user name and password of the user obtained in the previous step. This alias stores a privileged credential, so treat the Connections cell configuration with the same care as any other secret store.
      3. Click OK and Save.
      4. Go to System administration > Nodes and Synchronize all the Nodes.
  6. Restart the Docs cluster.