Setting up SAML 2.0 in two different cells
You can set up SAML 2.0 for HCL Docs when HCL Docs and HCL Connections are in different cells.
Procedure
- Configure single sign-on (SSO) between the HCL Connections cell and the HCL Docs cell.
- To exchange the SOAP SSL signer certificates between the cells, follow these steps:
  - Import the SOAP SSL signer from the HCL Connections cell on the HCL Docs cell:
    - Log in to the WebSphere console of the HCL Docs cell.
    - Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    - Click Retrieve from port.
    - Enter the host and SOAP port of the HCL Connections cell deployment manager, and choose an alias name.
    - Click OK.
    - Click Save.
  - Import the SOAP SSL signer from the HCL Docs cell on the HCL Connections cell:
    - Log in to the WebSphere console of the HCL Connections cell.
    - Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    - Click Retrieve from port. Enter the host and SOAP port of the Connections Docs cell deployment manager, and choose an alias name.
    - Click OK.
    - Click Save.
- To build the SAML IdP and SAML SP partnership, follow these steps:
  - Enable SAML web single sign-on:
    - Enable your system to use the SAML web SSO feature. For instructions, see Enabling your system to use the SAML web single sign-on (SSO) feature.
    - Configure SSO partners. For instructions, see Configuring single sign-on partners.
  - Set up SAML 2.0 support for HCL Docs as follows:
    - From the WebSphere Application Server administrative console, navigate to Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor. Then set the custom property sso_1.sp.login.error.page to com.ibm.connections.concerto.services.ADFSIdPMapping if Microsoft Active Directory Federation Services (ADFS) is used. Otherwise, use com.ibm.connections.concerto.services.TFIMIdPMapping. Note:
      - TFIMIdPMapping is used for IBM TFIM 6.2.2, SAML 2.0 IdP only.
      - ADFSIdPMapping is used for MS ADFS 2.0, SAML 2.0 IdP only.
    - Obtain com.ibm.connections.concerto.services.jar from the connections_root/Concerto directory on a Connections node.
    - Copy com.ibm.connections.concerto.services.jar to the WebSphere Application Server's library extension folder. For example:
      - Windows: C:\IBM\WebSphere\AppServer\lib\ext
      - AIX, Linux: /opt/IBM/WebSphere/AppServer/lib/ext
      Note: For a multi-node ND deployment, every node must have this redirection service JAR available for the SAML TAI to pick it up.
    - Install the default application (also known as Snoop). For more information about the default application, see Default Application.
    - Protect Snoop with SAML as follows:
      - From the WebSphere Application Server administrative console, navigate to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
      - Under Custom properties, create the property sso_1.sp.filter and give it the value request-url^=/snoop/. For more information about configuring the SAML TAI, see Enabling your system to use the SAML web single sign-on (SSO) feature.
    - Run Full Resynchronize for all nodes, and restart all application server instances.
    - Run a test login against Snoop by pointing your browser to its URL, for example https://[host]:[port]/snoop, and verify that Snoop is protected by SAML 2.0.
    - Enable single sign-on to enable Connections Docs for SAML 2.0.
    - Run Full Resynchronize for all nodes, and then restart all application server instances.
    - Run a test login against Docs by pointing your browser to a protected Connections URL, for example https://[host]:[port]/homepage.
- To configure the HCL Docs URL, follow these steps:
  - Log in to the WebSphere console.
  - Go to Security > Global security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
  - Add /docs/ to the value of the property sso_1.sp.filter, for example:
    sso_1.sp.filter = request-url^=/snoop|/docs/|/activities/|/blogs/|/cognos/|/communities/|/connections/|/dogear/|/files/|/forums/|/homepage/|/manage/|/metrics/|/moderation/|/news/|/profiles/|/search/|/wikis/|;request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/;request-url!=/atom2/;request-url!=/bookmarklet/;request-url!=/calendar/;request-url!=/help/;request-url!=/home/;request-url!=/js/;request-url!=/mobile/;request-url!=/nav/;request-url!=/oauth/;request-url!=/oauth2/;request-url!=/opensocial/;request-url!=/p2pd/;request-url!=/resources/;request-url!=/tools/;request-url!=/serviceconfigs/;request-url!=/serverstats/;request-url!=/static/
  - Go to System administration > Nodes and Full Resynchronize all the nodes.
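The sso_1.sp.filter value above is long, and every `request-url!=` clause removes a URL family from SAML protection, so it is worth dry-running an edited value before you resynchronize the nodes. The following is an added example, not code from this page or from HCL Docs or WebSphere: it parses a shortened, constructed copy of the filter and reports which sample request paths the SAML TAI would handle. The semantics it implements (clauses joined by `;` are ANDed; `^=` matches when the URL contains any of the `|`-separated values; `!=` rejects any URL that contains the value) are this example's assumed reading of the TAI filter syntax, and the function names and sample paths are constructed; confirm the operator semantics against the WebSphere SAML TAI documentation before relying on the result.

```python
"""Dry-run a WebSphere SAML TAI sso_1.sp.filter value against request paths (added example)."""
from __future__ import annotations

# Constructed sample: a shortened copy of the sso_1.sp.filter value from the
# procedure. The real value lists every Connections and Docs context root.
SAMPLE_FILTER = (
    "request-url^=/snoop|/docs/|/homepage/|/files/;"
    "request-url!=/anonymous/;request-url!=/api/;request-url!=/atom/"
)

# Operators modelled here, checked in this order so '^=' is not mistaken for '=='.
OPERATORS = ("^=", "!=", "%=", "==")


def parse_filter(expr: str) -> list[tuple[str, str, list[str]]]:
    """Split 'header<op>value;header<op>value;...' into (header, op, values) tuples.

    Assumed syntax: clauses are separated by ';' and all must hold (AND);
    the value of a '^=' clause is a '|'-separated list of alternatives.
    """
    conditions = []
    for clause in expr.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        for op in OPERATORS:
            if op in clause:
                header, value = clause.split(op, 1)
                raw_values = value.split("|") if op == "^=" else [value]
                values = [v.strip() for v in raw_values if v.strip()]
                conditions.append((header.strip(), op, values))
                break
        else:
            raise ValueError(f"unsupported filter clause: {clause!r}")
    return conditions


def url_is_intercepted(conditions, request_url: str) -> bool:
    """True when every clause holds for the URL, i.e. the SAML TAI would handle it.

    Assumed per-operator semantics (request-url only):
      ^=  URL contains at least one of the listed values
      %=  URL contains the value
      ==  URL equals the value
      !=  URL does not contain the value (the exclusion list in the procedure)
    """
    for header, op, values in conditions:
        if header != "request-url":
            raise ValueError(f"only request-url is modelled here, got {header!r}")
        if op == "^=":
            ok = any(v in request_url for v in values)
        elif op == "%=":
            ok = values[0] in request_url
        elif op == "==":
            ok = request_url == values[0]
        else:  # "!="
            ok = values[0] not in request_url
        if not ok:
            return False
    return True


def classify(expr: str, urls: list[str]) -> dict[str, bool]:
    """Map each request path to whether the filter routes it through SAML."""
    conditions = parse_filter(expr)
    return {u: url_is_intercepted(conditions, u) for u in urls}


if __name__ == "__main__":
    # Constructed request paths covering the protected and the excluded cases.
    sample_paths = [
        "/docs/app/index.html",   # Docs UI: handled by SAML
        "/docs/api/documents/1",  # Docs REST call: skipped because of !=/api/
        "/homepage/web/updates",  # Connections UI: handled by SAML
        "/homepage/atom/feed",    # feed: skipped because of !=/atom/
        "/files/anonymous/view",  # anonymous access: skipped
        "/wikis/home",            # not in the shortened include list
    ]
    for path, handled in classify(SAMPLE_FILTER, sample_paths).items():
        print(f"{'SAML' if handled else 'skip':4}  {path}")
```

Paste the full production filter into `SAMPLE_FILTER` and add the paths you expect to be protected; any path reported as `skip` is one the TAI never sees, so it will fall through to whatever other authentication the application configures. Widening an exclusion such as `request-url!=/api/` is therefore a change that silently removes the SAML requirement for every URL containing that substring, which is exactly what this check makes visible before the change reaches the nodes.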
- To set the docsAdmin J2C alias on the Connections cell, follow these steps:
  - Get the docsAdmin role mapping on the Docs cell:
    - Log on to the HCL Docs WAS admin console and go to Applications > Enterprise Applications > IBMDocs > Security role to user/group mapping.
    - Select the docsAdmin role and note the Mapped users. Note: The Mapped users value is used in the next step. The mapped user must be a user in the IdP LDAP.
  - Create a J2C alias on the Connections cell:
    - Log on to the Connections WAS admin console and go to Security > Global security > JAAS - J2C authentication data.
    - Create a new alias named docsAdmin and enter the user name and password of the user obtained in the previous step.
    - Click OK and Save.
    - Go to System administration > Nodes and Synchronize all the nodes.
  - Restart the Docs cluster.