WebSphere Application Server & Liberty

How do I make the ACS (Assertion Consumer Service) authenticate my SAMLResponse when enabling SAML?

  • 1.  How do I make the ACS (Assertion Consumer Service) authenticate my SAMLResponse when enabling SAML?

    Posted Tue May 30, 2023 12:35 PM

    Hi friends, I am configuring SAML in WebSphere to enable SSO. My environment is:

    IDP: keycloak-v21
    SP: WebSphereSamlSP.war in /opt/IBM/WebSphere/Appserver/installableApps (this is my Assertion Consumer Service)
    WAS: 9.0.0.7
    maximo: 7.6.1

    I already followed the steps in:
    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=swss-enabling-your-system-use-saml-web-single-sign-sso-feature

    I got the log below on the ACS server (WebSphereSamlSP):

    [23-5-27 11:48:02:534 CST] 000000bc WebCollaborat >  SetUnauthenticatedSubjectIfNeeded Entry
    [23-5-27 11:48:02:534 CST] 000000bc WebCollaborat 3   Invoked and received Subject are null, setting it anonymous/unauthenticated.
    [23-5-27 11:48:02:534 CST] 000000bc WebCollaborat <  SetUnauthenticatedSubjectIfNeeded:true Exit
    [23-5-27 11:48:02:534 CST] 000000bc WebCollaborat 3   com.ibm.ws.security.web.WebCollaborator.WebComponentMetaData attribute is set.
    [23-5-27 11:48:02:534 CST] 000000bc EJSWebCollabo 3   WebComponentMetaData
                                     com.ibm.ws.webcontainer.metadata.WebComponentMetaDataImpl@fdfc8966[WebSphereSamlSP#WebSphereSamlSPWeb.war#IBMWebSphereSamlACSListenerServlet]
    [23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3   preInvoke pushing app name WebSphereSamlSP
    [23-5-27 11:48:02:535 CST] 000000bc WebSecurityCo 3   Setting pushed security to "true" for: com.ibm.ws.security.web.WebSecurityContext@9a32fef3
    [23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3   preInvoke
                                     app_name=WebSphereSamlSP isAdminApp=false isAppSecurityOn=false
    [23-5-27 11:48:02:535 CST] 000000bc EJSWebCollabo 3   preInvoke
                                     Skip authorization for non-system apps when app security is disabled.
    [23-5-27 11:48:02:535 CST] 000000bc IBMWebSphereS >  handleRedirect Entry
    [23-5-27 11:48:02:536 CST] 000000bc IBMWebSphereS 3   samlres[not null]
    [23-5-27 11:48:02:536 CST] 000000bc IBMWebSphereS 3   target[null]
    [23-5-27 11:48:02:537 CST] 000000bc IBMWebSphereS 3   RelayState[http://mas76/maximo]

    So, in the second line, I notice the ACS server gets a null subject from my SAMLResponse. There is no authenticated token generated, so when the web is redirected to my application, it's not authenticated. Is my understanding right?

    This is my SAMLResponse; I posted it to the Assertion Consumer Service. I don't know whether the format or subject is correct.
    Can anyone give some advice? Thank you very much.

    ------------------------------
    De Zhao Liu
    ------------------------------
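When an SP logs an unauthenticated subject after receiving a SAMLResponse, the first thing worth checking is whether the response actually carries what the ACS needs: a Success status, a plaintext assertion with a Subject/NameID the SP can map to a user, an Audience and Recipient that match the SP, a validity window that includes the current time, and a signature. The script below is an added example, not code from the original post, from IBM, or from Keycloak: it decodes a base64 SAMLResponse and reports those fields plus a list of problems. The embedded response, the entity IDs and the ACS URL are constructed placeholders; `inspect_saml_response` and its parameters are hypothetical names chosen for this example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

# SAML 2.0 namespaces used by the Response, the Assertion and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not a real capture): one unsigned assertion with an
# email-format NameID. All URLs and identifiers are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2023-05-27T03:48:00Z"
    Destination="https://sp.example/samlsps/acs">
  <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-05-27T03:48:00Z">
    <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-05-27T03:53:00Z" Recipient="https://sp.example/samlsps/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-05-27T03:47:00Z" NotOnOrAfter="2023-05-27T03:53:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/samlsps</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2023-05-27T03:48:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(b64_response, expected_audience, expected_acs_url, now_iso):
    """Decode a base64 SAMLResponse and summarize the fields an ACS relies on.
    Returns a dict; 'problems' lists reasons the SP could not build a subject."""
    now = _ts(now_iso)
    root = ET.fromstring(base64.b64decode(b64_response))
    summary = {"status": None, "issuer": None, "name_id": None, "name_id_format": None,
               "audience": None, "recipient": None, "response_signed": False,
               "assertion_signed": False, "problems": []}
    problems = summary["problems"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    summary["status"] = status.get("Value") if status is not None else None
    if summary["status"] != SUCCESS:
        problems.append(f"status is not Success: {summary['status']}")
    summary["response_signed"] = root.find("ds:Signature", NS) is not None

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would need the SP's decryption key first.
        problems.append("no plaintext saml:Assertion (missing or encrypted)")
        return summary
    summary["issuer"] = assertion.findtext("saml:Issuer", default=None, namespaces=NS)
    summary["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    if not (summary["response_signed"] or summary["assertion_signed"]):
        problems.append("neither the Response nor the Assertion carries a ds:Signature")

    # Subject: without a NameID the SP has nothing to map to a user.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no saml:NameID in Subject; the SP has nothing to map to a user")
    else:
        summary["name_id"] = name_id.text.strip()
        summary["name_id_format"] = name_id.get("Format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        summary["recipient"] = scd.get("Recipient")
        if summary["recipient"] and summary["recipient"] != expected_acs_url:
            problems.append(f"Recipient {summary['recipient']!r} is not the ACS URL {expected_acs_url!r}")

    # Conditions: audience restriction and validity window.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        summary["audience"] = cond.findtext("saml:AudienceRestriction/saml:Audience",
                                            default=None, namespaces=NS)
        if summary["audience"] != expected_audience:
            problems.append(f"Audience {summary['audience']!r} does not match {expected_audience!r}")
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore is in the future)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter has passed)")
    return summary


if __name__ == "__main__":
    report = inspect_saml_response(SAMPLE_RESPONSE_B64, "https://sp.example/samlsps",
                                   "https://sp.example/samlsps/acs", "2023-05-27T03:50:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real response by replacing `SAMPLE_RESPONSE_B64` with the base64 value from the browser's POST to the ACS, and the two expected values with the SP's entity ID and ACS URL as configured on the SP side. The script only reports whether a signature element is present; it does not verify it, so a response that passes here still has to pass the SP's own signature check against the IdP certificate before a subject is created.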


  • 2.  RE: How do I make the ACS (Assertion Consumer Service) authenticate my SAMLResponse when enabling SAML?

    Posted Fri July 28, 2023 03:21 AM

    I used the email entity and logged in to EAM7.6 successfully.



    ------------------------------
    De Zhao Liu
    ------------------------------