This has come up in conversations a few times, so Martin Lansche's developerWorks article is perfectly timed.
Summary: Recent fixpacks to IBM® WebSphere® Application Server versions 7.0, 8.0 and 8.5 include a new SAML Trust Association Interceptor (TAI) that introduces new advanced single sign-on capabilities. The TAI includes many properties, and understanding what these options do and when to use them can be a challenge. The purpose of this article is to help you make sense of the SAML TAI. This content is part of the IBM WebSphere Developer Technical Journal.
Introduction
IBM WebSphere Application Server — and stack products running on top of a WebSphere Application Server platform — has had a customizable authentication framework since V5.1 based on the Trust Association Interceptor (TAI) interface. There are multiple product implementations of this interface. In 2012, the WebSphere Application Server full profile edition shipped a new Security Assertion Markup Language (SAML) TAI that is available on WebSphere Application Server versions 7.0, 8.0 and 8.5. (At the time of this writing, the IBM WebSphere Application Server Liberty profile does not have SAML support.) This TAI is by far the most comprehensive TAI available so far. This article will explain:
• How the SAML TAI can be used.
• When it is appropriate to use the SAML TAI.
• How the various SAML TAI properties work together.
• The intricate path that the SAML TAI weaves through the WebSphere Application Server authorization process.
This article assumes a firm understanding of the WebSphere Application Server authentication process (as described in the article Advanced authentication in WebSphere Application Server), as well as an understanding of:
• Digital signing
• Encryption
• Identity assertion
• TAIs in general.