IBM Websphere Plugin
Apache CXF Fediz ships a plugin to secure an IBM Websphere 7/8 Application Server using WS-Federation.
This page describes how to enable Federation for an IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs, but for applications that use SAML assertions for authentication. After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse created by the IDP server.
...
- Open the Administrative Console with Administrator privileges and navigate to Security / Global security
- Ensure Application security is enabled
- Navigate to Security / Global security / Web and SIP security and select Trust association
- Check the Enable trust association check box
- Select Interceptors
- Click on New and specify the Interceptor class name as org.apache.cxf.fediz.was.tai.FedizInterceptor
- Add the following custom properties for the interceptor:

Property | Value
---|---
config.file.location | Path to the fediz-config.xml file
role.group.mapper | Class name of the Role to Group Mapper
groups.mapping.file | Path to the Role - Group mapping file
groups.mapping.refresh.timeout | Refresh time (in seconds) after which the Group mapping file is reloaded
The file defined in groups.mapping.file must have the following structure:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <samlToJ2EE>
    <claim>User</claim>
    <groups>
      <j2eeGroup>Authenticated</j2eeGroup>
      <j2eeGroup>Users</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Manager</claim>
    <groups>
      <j2eeGroup>Manager</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Admin</claim>
    <groups>
      <j2eeGroup>Admin</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
</mapping>
```
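The mapping file is the allow-list that decides which J2EE groups a role claim from the IDP's assertion turns into, so it is worth being precise about how it is read: an entry with no claim, a duplicate claim, or a claim that maps to no group should be rejected loudly, and a claim value that is not in the file must grant nothing. The following is an added example, written in Python for illustration and not code from Fediz or its FedizInterceptor; the function and class names (`parse_mapping`, `groups_for_claims`, `RefreshingMapping`) and the timer-based reload policy used to mirror `groups.mapping.refresh.timeout` are assumptions of this example, as is the constructed sample document, which only copies the structure shown above.

```python
import time
import xml.etree.ElementTree as ET

# Constructed sample with the structure of the mapping file shown above
# (assumption: a hand-written stand-in, not a file shipped with Fediz).
SAMPLE_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <samlToJ2EE>
    <claim>User</claim>
    <groups>
      <j2eeGroup>Authenticated</j2eeGroup>
      <j2eeGroup>Users</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Manager</claim>
    <groups>
      <j2eeGroup>Manager</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Admin</claim>
    <groups>
      <j2eeGroup>Admin</j2eeGroup>
      <j2eeGroup>Authenticated</j2eeGroup>
    </groups>
  </samlToJ2EE>
</mapping>
"""


def parse_mapping(xml_text):
    """Parse a groups.mapping.file document into {claim value: (j2ee groups, ...)}.

    Malformed entries are rejected outright rather than skipped, so a typo in
    the file cannot leave a role silently unmapped or mapped to nothing.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "mapping":
        raise ValueError("root element must be <mapping>, got <%s>" % root.tag)
    mapping = {}
    for entry in root.findall("samlToJ2EE"):
        claim = (entry.findtext("claim") or "").strip()
        if not claim:
            raise ValueError("<samlToJ2EE> entry without a <claim> value")
        if claim in mapping:
            raise ValueError("claim %r is mapped twice" % claim)
        groups = tuple(
            g.text.strip()
            for g in entry.findall("groups/j2eeGroup")
            if g.text and g.text.strip()
        )
        if not groups:
            raise ValueError("claim %r maps to no <j2eeGroup>" % claim)
        mapping[claim] = groups
    return mapping


def groups_for_claims(mapping, claim_values):
    """Resolve the role claim values of one assertion to the J2EE groups granted.

    Unknown claim values grant nothing: a role the IDP issues but the operator
    never mapped cannot reach any group-protected resource.
    """
    granted = set()
    for value in claim_values:
        granted.update(mapping.get(value, ()))
    return sorted(granted)


class RefreshingMapping:
    """Re-read the mapping after refresh_timeout seconds.

    Assumption: this mirrors groups.mapping.refresh.timeout as a simple timer;
    the page does not describe the plugin's exact reload policy. The loader
    and clock are injected so the behaviour can be exercised without a file.
    A reload that fails keeps the last good mapping instead of dropping to an
    empty one, which would lock every user out of every mapped group.
    """

    def __init__(self, loader, refresh_timeout, clock=time.monotonic):
        self._loader = loader
        self._timeout = refresh_timeout
        self._clock = clock
        self._mapping = parse_mapping(loader())
        self._loaded_at = clock()

    def current(self):
        now = self._clock()
        if now - self._loaded_at >= self._timeout:
            self._loaded_at = now
            try:
                self._mapping = parse_mapping(self._loader())
            except (ValueError, OSError, ET.ParseError):
                pass  # keep serving the previous mapping; the operator must fix the file
        return self._mapping


if __name__ == "__main__":
    table = parse_mapping(SAMPLE_MAPPING)
    print(groups_for_claims(table, ["User", "Admin"]))  # groups for a user holding both roles
    print(groups_for_claims(table, ["Auditor"]))        # unmapped role: no groups
```

Group names are compared exactly as they appear in the file; if the IDP sends a claim value that differs only in case or whitespace from the mapped one, the user gets no group, which is the safe direction to fail in.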
...