WebSphere Application Server & Liberty

  • 1.  SAML propagation using WAS Traditional

    Posted Fri March 04, 2022 12:11 PM
    • Background
      • 3 Web applications on different systems: App A, App B, App C
      • All apps are on different domains
      • App B runs on WAS Traditional
      • Web application servers for App A and App C are unknown
      • Want to integrate all 3 web applications with SSO
      • App A and B will be SSO integrated using SAML, App A as IdP and App B as SP.
      • User is to log on to App A with userid and password, but NOT to enter id/pass when using App B and App C.
      • User logs on to App A -> Click on a link to App B which will open a new browser tab or window.
      • Within App B there are menus which open App C in a new browser tab or window, OR App B internally calls App C APIs and shows the response within App B.
      • Questions
        • Q1. Is this possible to do SSO integration with App C using SAML propagation as above?
        • Q2. If Q1 is YES, what are the requirements of App A, B and C to realize this?
        • Q3. If Q1 is YES, what are the limitations or restrictions for this configuration?
        • Q4. Are there any other ways to integrate 3 apps with SSO that satisfy above requirements?


      ------------------------------
      HIRONOBU TAKAMATSU
      ------------------------------


    • 2.  RE: SAML propagation using WAS Traditional

      Posted Mon March 07, 2022 07:16 PM
      Hi Community members,

      If anyone can help me on this topic, it is really appreciated. Thanks.

      ------------------------------
      HIRONOBU TAKAMATSU
      ------------------------------



    • 3.  RE: SAML propagation using WAS Traditional

      IBM Champion
      Posted Tue March 08, 2022 03:15 AM
      Hello Hironobu,

      I haven't worked with SAML on WebSphere but based on my experience in other environments the answer will be yes to Q1.

      About Q4, I have achieved this using Kerberos and SPNEGO.

      I put some resources about SAML below.

      - Thread talking about other resources by @Hermann Huebler 
      https://community.ibm.com/community/user/wasdevops/communities/community-home/digestviewer/viewthread?GroupId=19&MessageKey=523dbf1b-86fd-4f5a-b80f-0fd36d31bb5f&CommunityKey=5c4ba155-561a-4794-9883-bb0c6164e14e&tab=digestviewer#bm523dbf1b-86fd-4f5a-b80f-0fd36d31bb5f

      - Ask The Experts on Web SSO: SAML & OpenID Connect for WebSphere Application Server & Liberty (https://community.ibm.com/community/user/wasdevops/blogs/andrea-pichler1/2020/10/01/ask-the-experts-on-web-sso)

      Hope this helps

      Regards,

      ------------------------------
      Gabriel Aberasturi
      Versia tecnologias emergentes
      ------------------------------



    • 4.  RE: SAML propagation using WAS Traditional

      Posted Fri March 11, 2022 10:57 AM
      Hi Hironobu,

      Since the app servers for your apps are not necessarily the same, the only way to achieve this is if your IdP for each app is the same and it saves information in the browser to maintain user information.  I know of at least two implementations that do this.  Some servers that support both SAML and OIDC will even maintain sessions that are valid for both OIDC and SAML logins.  In other words: App A uses an OIDC RP and the user logs in.  App B uses a SAML SP to the same IdP (the RP's OP); the user is not prompted to log in again.

      Do you know the implementation of your IdP?  You may be able to find information about your IdP to see what they do.  Alternatively, you could just try it with sample apps and see what happens.

      ------------------------------
      Barbara Jensen
      ------------------------------