WebSphere Integration Kit. Version User Guide

Similar documents
CoreBlox Integration Kit. Version 2.2. User Guide

CoreBlox Token Translator. Version 1.0. User Guide

.NET Integration Kit. Version User Guide

Web Access Management Token Translator. Version 2.0. User Guide

OAM Integration Kit. Version 3.0. User Guide

Box Connector. Version 2.0. User Guide

Quick Connection Guide

Quick Connection Guide

Dropbox Connector. Version 2.0. User Guide

Zendesk Connector. Version 2.0. User Guide

WebEx Connector. Version 2.0. User Guide

Quick Connection Guide

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Slack Connector. Version 2.0. User Guide

SSO Integration Overview

Upgrade Utility. Version 7.3. User Guide

IWA Integration Kit. Version 3.1. User Guide

Quick Connection Guide

Version 7.x. Quick-Start Guide

Google Apps Connector. Version User Guide

PingFederate 6.6. Upgrade Utility. User Guide

PingFederate Upgrade Utility. User Guide

PingFederate 6.3. Upgrade Utility. User Guide

SDK Developer s Guide

Google Apps Connector

Server 8.3. PingFederate CORS Support

SDK Developer s Guide

Entrust GetAccess 7.0 Technical Integration Brief for IBM WebSphere Portal 5.0

X.509 Certificate Integration Kit 1.2

Release 3.0. Delegated Admin Application Guide

SafeNet Authentication Service

SafeNet Authentication Service

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support

SafeNet Authentication Service

SafeNet Authentication Service

April Understanding Federated Single Sign-On (SSO) Process

Partner Center: Secure application model

SafeNet Authentication Service

Server Clustering Guide

Quest Collaboration Services 3.6. Installation Guide

SafeNet Authentication Service

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

SAML SSO Okta Identity Provider 2

Polycom RealPresence Media Manager

CSP PARTNER APPLICATION OVERVIEW Multi-tenant application model

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Office 365 Connector 2.1

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

Tanium Network Quarantine User Guide

Polycom RealPresence Resource Manager System, Virtual Edition

SAML-Based SSO Configuration

Cisco TEO Adapter Guide for SAP Java

SafeNet Authentication Manager

SafeNet Authentication Manager

x10data Application Platform v7.1 Installation Guide

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess manuals. Version 4.1.3

Release Date September 30, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60654, USA

How to Change Firmware in WT1000 Terminals. A Technote by Systems Engineering

Release Date March 10, Adeptia Inc. 443 North Clark Ave, Suite 350 Chicago, IL 60610, USA Phone: (312)

SAML-Based SSO Configuration

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Akana API Platform: Upgrade Guide

Informatica Cloud Spring REST API Connector Guide

PingFederate 5.0. Release Notes

Tanium Map User Guide. Version 1.0.0

Relativity Data Server

Mobile On the Go (OTG) Server

Webthority can provide single sign-on to web applications using one of the following authentication methods:

SafeNet Authentication Client

CA SiteMinder Federation

SafeNet Authentication Client

Upgrading MYOB BankLink Notes (desktop)

Federated Identity Manager Business Gateway Version Configuration Guide GC

Stonesoft Firewall/VPN Express. Release Notes for Version 5.5.4

Micro Focus The Lawn Old Bath Road Newbury, Berkshire RG14 1QN UK

About Configuring Oracle Access Manager

Cisco TelePresence Management Suite Provisioning Extension 1.6

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

Technical Support 1600 N. Lorraine

StoneGate Management Center. Release Notes for Version 4.0.1

DISCLAIMER COPYRIGHT List of Trademarks

Tanium Comply User Guide. Version 1.7.3

Relativity Data Server 2.2

CA CloudMinder. SSO Partnership Federation Guide 1.51

Symantec ediscovery Platform

Setting Up an Environment for Testing Applications in a Federated Portal Network

Cisco Unified IP Conference Phone 8831 and 8831NR Release Notes for Firmware Release 10.3(1)SR3

Policy Manager for IBM WebSphere DataPower 8.0: Installation Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide

One Identity Active Roles 7.2

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for SonicWALL Secure Remote Access

EAM Portal User's Guide

StoneGate Management Center. Release Notes for Version 5.1.4

Tisio CE Release Notes

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Guide for Administrators

Transcription:

WebSphere Integration Kit Version 2.1.1 User Guide

2012 Ping Identity Corporation. All rights reserved. PingFederate WebSphere User Guide Version 2.1.1 December, 2012 Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com Trademarks Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners. Disclaimer The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Document Lifetime Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: December 17, 2012 PingFederate WebSphere Integration Kit 2 User Guide

Contents Introduction... 4 Intended Audience... 4 System Requirements... 4 Zip Manifest... 4 Processing Overview... 5 Installation and Setup... 6 Installing the OpenToken Adapter and Configure PingFederate... 6 Configuring the WebSphere Application Server... 7 PingFederate WebSphere Integration Kit 3 User Guide

Introduction The PingFederate WebSphere Integration Kit allows a Service Provider (SP) enterprise to accept SAML assertions and provide single sign-on (SSO) to WebSphere-protected applications by using the PingFederate OpenToken Adapter and IBM s Trust Association Interceptor (TAI) interface. The Adapter uses the TAI interface to create an interceptor used for Web authentication by the WebSphere domain. HTTP clients can pass identity information to the WebSphere Application Server by using the PingFederate interceptor. This interceptor provides a way for WebSphere to use an external component to authenticate the user and then assert the identity to the WebSphere container. This kit also supports SP-initiated SSO functionality from inside WebSphere, enabling users to obtain SSO access to applications by clicking a Web portal link that redirects to PingFederate and the OpenToken Adapter. This feature is enabled in WebSphere (see step 9 under Step One Install the PingFederate TAI on page 7). For more information, refer to the WebSphere server documentation (http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp). Intended Audience This document is intended for system administrators with experience in the configuration and maintenance of a WebSphere Application Server. Knowledge of networking and user-management configuration is assumed. Please consult WebSphere documentation if you encounter any difficulties in areas not directly associated with PingFederate or integration kit setup. System Requirements The following prerequisites must exist in order to implement the WebSphere Integration Kit: PingFederate 6.x (or higher) server installed with the OpenToken Adapter version 2.5.1 (or higher) WebSphere Application Server 8.0.x (or higher) Zip Manifest The distribution ZIP file for the WebSphere Integration Kit contains the following: ReadMeFirst.pdf contains links to this online documentation /dist contains libraries needed to run this adapter: opentoken-adapter-2.5.1.jar the OpenToken Adapter JAR file opentoken-agent-2.5.1.jar the OpenToken Agent JAR file for the WebSphere Application Server pf-websphere-interceptor-2.1.1.jar PingFederate TAI for the WebSphere Application Server PingFederate WebSphere Integration Kit 4 User Guide

Processing Overview The following figure illustrates a basic SSO scenario in which the PingFederate SP server leverages the OpenToken Adapter and the PingFederate TAI to allow SSO to a WebSphere domain. Processing Steps PingFederate server receives a SAML assertion. 1. The PingFederate SP server parses the SAML assertion and passes the user attributes to the OpenToken Adapter. The Adapter encrypts the data internally and generates an OpenToken. 2. A request containing the OpenToken is redirected to the SP application. OpenToken and additional attributes can be configured to transfer as part of the Request Header or as Cookies. 3. PingFederate Trust Association Interceptor for WebSphere retrieves the User ID from OpenToken and returns the User ID to the WebSphere Application Server. 4. WebSphere Application Server queries the registry. If the user is found, permissions to the resource are verified for the user, and a local security context is created. The user is given access to the protected resource. PingFederate WebSphere Integration Kit 5 User Guide

Installation and Setup Setting up the WebSphere Integration Kit involves: Installation and configuration of the OpenToken Adapter in PingFederate Configuration of the WebSphere Application Server Installing the OpenToken Adapter and Configure PingFederate Note: If you have already deployed version 2.5.1 (or higher) of the OpenToken Adapter, skip steps 1 through 4 in the following procedure. 1. Stop the PingFederate server if it is running. 2. Remove any existing OpenToken Adapter files (opentoken*.jar) from the directory: <PF_install>/pingfederate/server/default/deploy The adapter JAR file is opentoken-adapter-<version>.jar. Note: If the adapter JAR filename indicates version 2.1 or less, also delete the supporting library opentoken-java-1.x.jar from same directory. 3. Unzip the integration-kit distribution file and copy opentoken-adapter-2.5.1.jar from the /dist directory to the PingFederate directory. <PF_install>/pingfederate/server/default/deploy Note: From the integration kit /dist directory, copy the opentoken-agent-2.5.1.jar into app_server_root/lib/ext. 4. Start or restart the PingFederate server. 5. Configure an instance of the OpenToken Adapter for your SP configuration using settings on the Instance Configuration screen as indicated in the table below. For detailed instructions, see Configuring the SP OpenToken Adapter in the PingFederate Administrator s Manual. Option Password Confirm Password Description Enter any password you choose. Password confirmation. Note: In the Advanced Fields section, be sure to leave Authentication Service blank as the SP Adapter redirects a user to the protected resource directly. On the Actions screen, click the Download link and then click Export to save the properties file to any directory on the machine running WebSphere. PingFederate WebSphere Integration Kit 6 User Guide

Note: Additional attributes can be passed to WebSphere. See Passing Additional Attributes to WebSphere for more information. 6. Configure or modify the connection(s) to your IdP partner(s) to use the instance of the OpenToken Adapter you configured in the last steps. Configuring the WebSphere Application Server This section describes how to: Install the PingFederate Trust Association Interceptor (TAI) Configure WebSphere Application Server Security Step One Install the PingFederate TAI Note: If this is a first-time installation of the WebSphere Integration Kit, proceed directly to step 2 in the following procedure. If you are upgrading this integration, we strongly recommend reinstalling the OpenToken Agent and WebSphere Interceptor in the WebSphere Application Server. 1. If you are upgrading this integration: a. Temporarily stop your WebSphere Application Server if it is running. b. Remove the existing OpenToken Agent (opentoken-agent-2.5.0.jar or lower) and WebSphere Interceptor (pf-websphere-interceptor-2.1.0.jar or lower). 2. From the /dist folder in the directory where you unzipped the distribution file, copy the following jar files to your app_server_root/lib/ext/ directory: opentoken-agent-2.5.1.jar pf-websphere-interceptor-2.1.1.jar 3. From the WebSphere Application Server administrative console, go to Security Global security and ensure that the Enable application security checkbox and the LTPA option button are selected. 4. From the right side of the page, select Web and SIP security and then Trust association. 5. Under General Properties, select the Enable trust association checkbox and click Apply. 6. Return to the Trust association page (Web and SIP security Trust association) and click Interceptors. 7. Click New and enter the following into the Interceptor class name box: com.pingidentity.adapters.websphere.sp.pingfederatetrustassociationinterceptor Click Apply when you finish. 8. Click the link of the interceptor class name you added in the last step. 9. Provide entries for the following Name (key) and Value properties, as needed, and click Apply when you finish: PingFederate WebSphere Integration Kit 7 User Guide

Name agentpropertiesfilename (required) enablespsso ssourl Value Path to the properties file exported when setting up the OpenToken Adapter. See Configuring the WebSphere Application Server for more information. For example: C:/Program Files/IBM/WebSphere/AppServer/lib/ext/agent-config.txt The enablespsso option enables SP-initiated functionality for WebSphere. If enablespsso is set to true, the Websphere Interceptor redirects to the indicated ssourl (below) if OpenToken is not found in the request. By default, the enablespsso option is set to false. (Default: false) URL for redirect if SP-initiated SSO, required only if is (enablespsso) is enabled (above). The Websphere Interceptor redirects to the indicated ssourl if OpenToken is not found in the request. The value required is PingFederate s application endpoint to start the SSO: http[s]://<pf_host>:<port>/sp/startsso.ping? PartnerIdpId=<connection_id> For more information, see Developer Notes. 10. Save your configuration and restart the WebSphere Application Server. Developer Notes To allow for deep linking for SP-initiated SSO, the Websphere Interceptor appends the target-resource URL to the ssourl property. The Target Resource Parameter is how users are redirected to an URL specified in the query parameter. Example: http[s]://<ws_host>:<port>/<application>/?targetresource=<url> Passing Additional Attributes to WebSphere Additional attributes may be supplied within the TAIResult object via a javax.security.auth.subject object. To get additional attributes, invoke getpubliccredentials() on the Subject object. The returned object is of type java.lang.string, a JSON String representation of the additional parameters. Example String Representation:{"not-on-or-after":"2012-06-21T15:41:44Z", "last_name":"test", "not-before":"2012-06-21t15:36:44z", "authncontext":"urn:oasis:names:tc:saml:2.0:ac:classes:password", "email":"joe@pingidentity.com", "subject":"joe", "renew-until":"2012-06- 22T03:36:44Z"} Step Two Configure WebSphere Application Server Security When configuring WebSphere Application Server Security, be sure to do the following: Define the user registry. Create UserIDs that are identical to UserIDs in PingFederate. PingFederate WebSphere Integration Kit 8 User Guide

Give users access to the protected resource. Note: PingFederate TAI works only with protected resources. Install Unlimited jurisdiction policy files, if necessary. Due to import control restrictions, the standard Java Runtime Environment (JRE) distribution supports strong but not unlimited encryption. To use the strongest AES encryption, when permissible, download and install the appropriate version of Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy from the IBM Security information page (www- 128.ibm.com/developerworks/java/jdk/security/60/). Place these files in the JRE's jre/lib/security/directory. PingFederate WebSphere Integration Kit 9 User Guide

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback