Hi friends, I am configuring SAML in WebSphere to enable SSO. My environment is:
IDP: keycloak-v21
SP: WebSphereSamlSP.war in (/opt/IBM/WebSphere/Appserver/installableAPps), this is my Assertion Consumer Service
WAS: 9.0.0.7
maximo: 7.6.1
I already followed the steps in:
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=swss-enabling-your-system-use-saml-web-single-sign-sso-feature
I got the log below in the ACS server (WebSphereSamlSP):
[23-5-27 11:48:02:534 CST] 000000bc WebCollaborat > SetUnauthenticatedSubjectIfNeeded Entry
[23-5-27 11:48:02:534 CST] 000000bc WebCollaborat 3 Invoked and received Subject are null, setting it anonymous/unauthenticated.
[23-5-27 11:48:02:534 CST] 000000bc WebCollaborat < SetUnauthenticatedSubjectIfNeeded:true Exit
[23-5-27 11:48:02:534 CST] 000000bc WebCollaborat 3 com.ibm.ws.security.web.WebCollaborator.WebComponentMetaData attribute is set.
[23-5-27 11:48:02:534 CST] 000000bc EJSWebCollabo 3 WebComponentMetaData
com.ibm.ws.webcontainer.metadata.WebComponentMetaDataImpl@fdfc8966[WebSphereSamlSP#WebSphereSamlSPWeb.war#IBMWebSphereSamlACSListenerServlet]
[23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3 preInvoke pushing app name WebSphereSamlSP
[23-5-27 11:48:02:535 CST] 000000bc WebSecurityCo 3 Setting pushed security to "true" for: com.ibm.ws.security.web.WebSecurityContext@9a32fef3
[23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3 preInvoke
app_name=WebSphereSamlSP isAdminApp=false isAppSecurityOn=false
[23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3 preInvoke
Skip authorization for non-system apps when app security is disabled.
[23-5-27 11:48:02:535 CST] 000000bc IBMWebSphereS > handleRedirect Entry
[23-5-27 11:48:02:536 CST] 000000bc IBMWebSphereS 3 samlres[not null]
[23-5-27 11:48:02:536 CST] 000000bc IBMWebSphereS 3 target[null]
[23-5-27 11:48:02:537 CST] 000000bc IBMWebSphereS 3 RelayState[http://mas76/maximo]
So, in the second line, I notice the ACS server gets a null subject from my SAMLResponse. There is no authenticated token generated, so when the web is redirected to my application, it is not authenticated. Is my understanding right?
This is my SAMLResponse; I post it to the Assertion Consumer Service. I didn't know whether the format or subject is correct.
Can anyone give some advice? Thank you very much.
------------------------------
De Zhao Liu
------------------------------
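Added here as an illustration, not part of the original post or of IBM's WebSphereSamlSP code: a stdlib-only Python check of the structural fields a SAML 2.0 SP needs before it can build a subject from a Response posted to its ACS (Destination, Subject/NameID, SubjectConfirmationData Recipient, Audience, AuthnStatement). The ACS URL and SP entity ID are constructed placeholders, and the check does not validate the XML signature.

```python
# Added example, not from the original post: a stdlib-only structural check of
# the SAML 2.0 Response an SP such as WebSphereSamlSP receives at its ACS URL.
# It does not verify the XML signature; it only flags defects that commonly
# leave the SP without a usable subject. URLs and entity IDs are placeholders.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(xml_text, acs_url, sp_entity_id):
    """Return a list of findings; an empty list means nothing structural was found."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success")
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion needs decryption before this check
        return findings + ["no plain saml:Assertion (missing or encrypted)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject/NameID missing or empty")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match ACS URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("Audience does not include the SP entity ID")
    if assertion.find("saml:AuthnStatement", NS) is None:
        findings.append("no AuthnStatement")
    return findings

# Constructed sample: the Subject carries an empty NameID and the audience is wrong.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://sp.example/samlsps/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID></saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example/samlsps/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>wrong-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2023-05-27T03:48:00Z"/>
 </saml:Assertion></samlp:Response>"""
```

Run it against the decoded (base64 and, for HTTP-Redirect, inflated) SAMLResponse taken from the browser POST to the ACS; any finding is a place to look in the IdP client configuration before digging further into the SP trace.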