Staff efficiency is enhanced, and security is improved, when you deliver single sign-on (SSO) for IBM BPM using Azure Security.

This blueprint is a step-by-step guide to configuring a Security Assertion Markup Language (SAML) based single sign-on (SSO) arrangement for accessing a Unity Process Node running the IBM Business Process Manager (IBM BPM) server on IBM WebSphere Application Server v8.5 (IBM WAS).

This blueprint assumes that you have a basic understanding of internet security and of the concepts of single sign-on.

Problem Description and Scope

SAML is an XML-based open standard that enables identity providers (IdPs) to pass identity data to service providers (SPs), in this case IBM BPM in a Responsiv Unity Process module. It can be used as the basis for implementing single sign-on (SSO) across multiple enterprise applications.

One Responsiv customer is using this blueprint to open their systems to their staff and partners – allowing business automation to span multiple companies.

In this article we will look at setting up a SAML SSO implementation to access the IBM BPM Process Portal user interface, which is running on a Responsiv Unity Process node. In SAML terms this will be the Service Provider.

The product that is performing the SAML Identity provider (IdP) role here is IBM Security Access Manager (ISAM). In other Enterprise Integration scenarios this role could be performed by Microsoft Azure AD or another identity management platform.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 1]

I loaded the certificate from the WebSphere server as a signer certificate into the pdsrv certificate database (used by WebSEAL reverse proxies). I then followed the steps below from chapter 6:

  • Upload the mapping rules (JavaScript files).
  • Create the federation (under the Secure Federation application of ISAM, accessed in the LMI management interface). The details entered to establish the federation are shown in the snippets below.
  • Export the details of this SAML federation to an XML file for import into the Service Provider.

The resulting Federation details:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 2]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 3]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 4]

The Federation details were exported to generate the federation_metadata XML file. This is imported later into the Service Provider (SP) (i.e., imported into WAS).

Service Provider Configuration (WAS)

Working through the relevant section of the IBM WAS documentation on the IBM Knowledge Centre (KC):

https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_enablesamlsso.html

Firstly, create a new Enterprise Application to install the WebsphereSamlSP.ear file (found in the installable apps folder under the WAS home location, which is listed below for both Unity versions).

  • WAS Home on Unity 4 Process Node: /opt/ibm/BPM/v8.5
  • WAS Home on Unity 5 Process Node: /responsiv/modules/3RDv5.0/BAW/install/BPM

This SAML application installation can be done using the WebSphere administrative console as shown below.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 5]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 6]

Take the default options:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 7]

Click Finish.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 8]

Save to the master configuration when prompted.

Check that it appears in the applications list and start it (select it and submit the Start action):

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 9]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 10]

Enable the Trust Association Interceptor (TAI). Navigate through Global security > Web and SIP security > Trust Association to reach the menu shown below.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure, image 11]

Set the interceptor details:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 1]

For the acsUrl (ACS = Assertion Consumer Service), set the value to https://<server>.<domain>:9443/samlsps/ProcessPortal

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 2]

Update the custom property named com.ibm.websphere.security.DeferTAItoSSO.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 3]

Possible value before:

com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl

Value after:

com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

Also set the custom property named com.ibm.websphere.security.InvokeTAIbeforeSSO.

Value: com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 4]

Restart the WebSphere deployment manager.

Also check synchronisation across the nodes:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 5]

Defining the ISAM Identity Provider (IdP) to the BPM Service Provider (SP)

The following step, carried out on the WAS SP, was taken from the ISAM documentation link below:

https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.5/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html

Execute the following commands on the Linux server hosting the WAS deployment manager. This imports the federation_metadata.xml file previously generated from the Federations screen on ISAM.

[wasadmin@servername

Then add the certificate from the ISAM (IdP) reverse proxy into the WebSphere cell default trust store.

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 6]

Check the result in the list of signer certificates.

Add the IdP realm to inbound trust (ALL):

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 7]

Export Service Provider details

Run the command below on the WAS server to extract the SP definition for import into the IdP.

[wasadmin@servername

Identity Provider – Partner Setup (ISAM)

Ready to import the SP federation XML into the IdP (ISAM).

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 8]

Take the defaults for the following screens:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 9]

Result:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 10]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 11]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 12]

Note: it was also necessary to create a dummy self-signed personal certificate in the pdsrv certificate database on behalf of the WAS server name. This is used in the SP partner configuration on ISAM, as seen above in the two key identifier fields.

The next step is to add a federation to the Reverse Proxy as shown below:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 13]

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 14]

I chose the option below, but the cookbook has it unchecked for reuse:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 15]

Next, carry out the instructions from chapter 8.1.2 (environment-specific configuration). This included adding a new stanza at the end of the reverse proxy (RP) configuration file, as below:

[junction:/isam]
reset-cookies-list = *ac.uuid,*JSESSIONID

In addition, I added the line highlighted below in the [TAM_CRED_ATTRS_SVC] stanza:

eperson = azn_cred_registry_id

[TAM_CRED_ATTRS_SVC:eperson]
emailAddress = mail
firstName = cn
lastName = sn

After this, apply the changes and restart the reverse proxy.

Configuring Access Control Lists on the ISAM IdP

I worked through the ACL commands per page 305 of the cookbook. These are shown below:

[Screenshot: Connecting Responsiv Unity or IBM WebSphere to Azure 16]

How to check the WAS Service Provider configuration

Review https://www.ibm.com/support/pages/node/277989

and https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_displaysamlidp.html to show the IdP information:

[wasadmin@servername

Initiating a Web SSO Authentication from the IdP – URL Format

Here is the format of a URL for testing a federation (from page 103).

Format:

An IdP-initiated SAML flow using the HTTP POST binding can be triggered with a URL of this form:

https://<IdP reverse proxy:port>/<junction name>/sps/<identity provider federation name>/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://<SP reverse proxy:port>/<junction name>/sps/<service provider federation name>/saml20&NameIdFormat=Email&Target=https://<TargetURL>

https://IDP-isam.responsiv.co.uk:443/isam/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://servername.responsiv.co.uk:9443/samlsps/ProcessPortal/saml20&NameIdFormat=Email&Target=https://servername.responsiv.co.uk:9443/ProcessPortal
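The URL builder and checker below are an added example, not part of the Responsiv blueprint: they assemble the logininitial URL from the pieces named in the format above and sanity-check a candidate URL (scheme, path, binding, and that PartnerId and Target both point at the SP host) before it is handed to testers. Host names are taken from the sample URL above; the check function and its message strings are assumptions of this example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Added example (not part of the Responsiv blueprint): assemble the IdP-initiated
# logininitial URL from its parts, then check one before handing it to testers.
# Host names below are taken from the blueprint's sample URL or constructed.

def build_login_initial_url(idp_proxy, junction, idp_federation, sp_acs_url, target):
    """Assemble the IdP-initiated SAML 2.0 login URL (HTTP POST binding)."""
    params = {
        "RequestBinding": "HTTPPost",
        "PartnerId": sp_acs_url + "/saml20",  # the SP's federation entity id
        "NameIdFormat": "Email",
        "Target": target,
    }
    base = f"https://{idp_proxy}/{junction}/sps/{idp_federation}/saml20/logininitial"
    return base + "?" + urlencode(params, safe=":/")  # keep :// readable, as on the page

def check_login_initial_url(url, expected_sp_host):
    """Return the problems found in a logininitial URL; an empty list means it is usable.

    The Target check matters: the IdP redirects the browser there after login, so a
    Target on a foreign host would turn the SSO link into an open redirect.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append("IdP URL must use https")
    if not parts.path.endswith("/saml20/logininitial"):
        problems.append("path does not end in /saml20/logininitial")
    if query.get("RequestBinding") != ["HTTPPost"]:
        problems.append("RequestBinding must be HTTPPost for the POST binding")
    if query.get("NameIdFormat") != ["Email"]:
        problems.append("NameIdFormat should be Email to match the partner setup")
    for name in ("PartnerId", "Target"):
        host = urlsplit(query.get(name, [""])[0]).netloc
        if host != expected_sp_host:
            problems.append(f"{name} host {host!r} is not the SP host {expected_sp_host!r}")
    return problems
```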

Web SSO Authentication Flow Steps – IdP Initiated

The steps for the happy-path use case of a successful authentication flow go as follows:

  • The user starts the process by following a link to a URL at the IdP.
  • The user authenticates with the IdP.
  • A SAML response is created and sent by an HTTP POST redirect to an assertion consumer service in the Service Provider (SP). This response is signed by the IdP.
  • The SAML TAI consumes the SAML response and logs in the user. Various security tokens are created in WAS, including an SSOToken. From this SSOToken a cookie is created.
  • The request is dispatched to the assertion consumer service (part of the SAML TAI). This redirects the user to the landing page for the target BPM application (i.e. the Process Portal).
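The acceptance checks that the assertion consumer service step above implies are shown in this added example, which is not code from the blueprint or from the WebSphere SAML TAI: after the IdP signature has been verified with the signer certificate imported earlier, the Response must still carry a Success status, be addressed to the acsUrl, come from the trusted IdP, be inside its validity window, name this SP as its audience, and identify the user by an email-format NameID (matching NameIdFormat=Email). The entity ids follow the sample URLs on this page; the sample Response, user and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example (not part of the Responsiv blueprint): the checks an assertion consumer
# service applies to a signature-verified SAML Response before logging the user in.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://servername.responsiv.co.uk:9443/samlsps/ProcessPortal"
SP_ENTITY_ID = ACS_URL + "/saml20"
IDP_ENTITY_ID = "https://IDP-isam.responsiv.co.uk:443/isam/sps/saml20/saml20"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                        idp_entity_id=IDP_ENTITY_ID, now=None):
    """Return the reasons to reject a Response; an empty list means log the user in."""
    utc = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML times end in Z
    now, root, problems = now or datetime.now(timezone.utc), ET.fromstring(xml_text), []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:  # must be the acsUrl configured on the TAI
        problems.append("Destination does not match the acsUrl")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the trusted IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion present"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not utc(cond.get("NotBefore")) <= now < utc(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not include this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith("emailAddress"):
        problems.append("NameID is not in email format (NameIdFormat=Email expected)")
    return problems
```

When the input comes from a real browser POST rather than a constructed string, parse it with a hardened XML parser such as defusedxml instead of xml.etree directly.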
Georgie Whyte