A brief bit of context ….
A colleague was asking some questions about WAS, ADFS and SAML, so I wanted to create a basic test environment to get my head around some of the concepts that were new to me.
I already had a Windows Server 2012 VM and another Red Hat Enterprise Linux (RHEL) VM.
The latter was already configured / installed with: -
- IBM WebSphere Application Server (WAS) Network Deployment (ND) 8.5.5.14
- IBM Business Automation Workflow (BAW) 18.0.0.1
so I was mostly good to go in the WAS/application world.
On the Windows 2012 VM, I installed / configured: -
- Active Directory Domain Services (AD)
- Active Directory Federation Services (ADFS)
- Internet Information Server (IIS)
So I had a wee bit of effort to set up AD and ADFS, and also to configure IIS.
For the record, IIS isn't required for the SAML setup etc. BUT it's a useful way to generate a self-signed certificate, which can be exported, with public AND private key, as a PFX file, ready to be imported into ADFS.
As ever, this is an ongoing work-in-progress.
Having got the AD and ADFS stuff mainly setup, I then ran through the following: -
Test ADFS Login
https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
This allowed me to verify that I could authenticate to ADFS using Windows credentials.
Start Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
Start Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh
Add AD Signer to WAS
This imports the AD server's signer certificate into the WAS trust store, so that WAS and AD can communicate via LDAPS (LDAP over an SSL/TLS connection). The -username / -password values on these wsadmin commands are lab credentials; wsadmin prompts for them if they are omitted.
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/addADSignerToWAS.jy
Federate AD into WAS
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/federateAD.jy
Stop Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd
Stop Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh -username wasadmin -password passw0rd
Start Deployment Manager
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh
Start Node Agent
/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh
Retrieve MetaData
This pulls the ADFS federation metadata (entityID, SSO endpoint URLs and the token-signing certificate) from the AD box. Because --no-check-certificate skips TLS validation, compare the signing certificate in the downloaded file with the token-signing certificate shown in the ADFS console before importing it into WAS in the steps below: that certificate becomes the trust anchor for every assertion the TAI accepts.
wget --no-check-certificate https://windows2012.uk.ibm.com/FederationMetadata/2007-06/FederationMetadata.xml
Install ACS Sample App into SupCluster
This app is used to perform the SAML token decryption / extraction
Note that I'm installing this into the BAW (BPM) SupCluster, which does NOT run the main BAW workload - Process Server, SCA BPEL etc.
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/ibm/WebSphere/AppServer/bin/installSamlACS.py install SupCluster
Start WSAdmin Client
/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd
Add SAML TAI
This creates the SAML TAI configuration - we'll populate this further shortly
AdminTask.addSAMLTAISSO('-enable true -acsUrl https://workflow.uk.ibm.com:9445/samlsps/acs')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Export SP Metadata from WAS
We need this metadata to complete the ADFS configuration
AdminTask.exportSAMLSpMetadata('-spMetadataFileName /home/wasadmin/WASSAMLMetadata.xml -ssoId 1')
Import IdP Metadata into WAS
This is what we previously pulled from the ADFS box
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /home/wasadmin/FederationMetadata.xml -idpId 1 -ssoId 1 -signingCertAlias idp1')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Quit
exit
Set TAI Properties
I'm doing this manually, but will script it later
Name: sso_1.sp.acsUrl
Value: https://workflow.uk.ibm.com:9445/samlsps/acs
Name: sso_1.sp.idMap
Value: idAssertion
Name: sso_1.idp_1.EntityID
Value: http://windows2012.uk.ibm.com/adfs/services/trust
Name: sso_1.idp_1.SingleSignOnUrl
Value: https://windows2012.uk.ibm.com/adfs/ls/
Name: sso_1.sp.login.error.page
Value: https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
Name: sso_1.sp.targetUrl
Value: https://workflow.uk.ibm.com:9445/bpc
Name: sso_1.sp.useRealm
Value: defaultWIMFileBasedRealm
Note that the EntityID is an identifier, not a URL that gets fetched: it must match the entityID attribute in FederationMetadata.xml exactly, http:// scheme included, or the TAI will not match the issuer of the assertion.
Start Clusters
- MECluster
- SupCluster
- AppCluster
Access BPC: -
https://workflow.uk.ibm.com:9445/bpc
Should redirect to: -
https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx
and be prompted to log on with an AD account e.g. UK\Administrator
Need to click on Sign-in button again; I don't yet know why this is the case :-(
Should then be redirected to BPC
Repeat for Process Portal: -
https://workflow.uk.ibm.com:9444/ProcessPortal
and Process Center: -
https://workflow.uk.ibm.com:9444/ProcessCenter
Sources
- How to setup Microsoft Active Directory Federation Services [AD FS]
- Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)
- Enabling your system to use the SAML web single sign-on (SSO) feature