Using centralized (and often cloud-based) user registries (identity providers, IdPs) is becoming more and more popular. The service provider (SP), i.e. the application requiring authentication and authorization, then uses protocols like SAML and/or OpenID Connect to access the user registries.
There are multiple articles around using SAML with traditional WebSphere Application Server (tWAS) - and of course WebSphere Liberty. The official WAS documentation as well as, for example, "SAML assertions across WebSphere Application Server security domains" cover the setup and configuration of these access protocols. Please start there to set up SAML / OpenID Connect when using WebSphere as a service provider.
These authentication protocols allow user group information to be provided as well. Using this group information in role assignment is, imho, not that intuitive, hence I've tried to document the steps in the following blog post and hope it helps others:
https://blog.2innovate.at/posts/asserting_saml_users_and_groups_in_websphere_application_server/
While this allows group information provided via authentication protocols to be used for role assignments on the WAS level, it still does not work that easily for some of the stacked products.
------------------------------
Hermann Huebler
#IBMChampion
------------------------------
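To make the "group information provided via authentication protocols" in the post above concrete, here is an added Python example that is not part of the original post or of any WebSphere code: it parses a constructed SAML 2.0 assertion, pulls the subject's NameID and the values of a group attribute, and maps those groups to application roles. The attribute name `groups`, the role map, and the sample assertion are assumptions for illustration; a real service provider (WebSphere included) validates the assertion's XML signature, issuer, audience and validity window before trusting any attribute in it, which this snippet deliberately does not do.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion for illustration only (not taken from the post).
# The ds:Signature element is omitted; in production the signature must be
# verified before any value below is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>app-admins</saml:AttributeValue>
      <saml:AttributeValue>app-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(assertion_xml, group_attribute="groups"):
    """Return (name_id, [group, ...]) from a SAML 2.0 assertion.

    `group_attribute` is the assumed attribute name the IdP uses for group
    membership; IdPs differ, so make it configurable rather than hard-coded.
    For untrusted input in production, prefer a hardened parser such as
    defusedxml over the standard library one used here.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")

    # Only accept a NameID from the namespaced Subject element, never from
    # arbitrary text elsewhere in the document.
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")

    groups = []
    path = f"{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute"
    for attr in root.iterfind(path):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.iterfind(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text:
                groups.append(text)
    return name_id.text.strip(), groups


# Assumed mapping from IdP group names to application roles; in WebSphere this
# is the role-to-group binding done during deployment, expressed here as data.
ROLE_MAP = {
    "app-admins": {"Administrator"},
    "app-users": {"User"},
}


def map_roles(groups, role_map=ROLE_MAP):
    """Union of application roles granted by the given groups.

    Unknown groups grant nothing, so an unexpected group value from the IdP
    cannot silently confer a role.
    """
    roles = set()
    for group in groups:
        roles |= role_map.get(group, set())
    return roles


if __name__ == "__main__":
    subject, groups = extract_identity(SAMPLE_ASSERTION)
    print(subject, groups, sorted(map_roles(groups)))
```

The two-step split (extract, then map) mirrors the separation the post points at: the protocol layer delivers user and group identities, and role assignment is a separate policy decision that should be driven by an explicit mapping rather than by trusting role names straight from the assertion.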