IBM Websphere Plugin
Apache CXF Fediz ships a plugin to secure an IBM Websphere 7/8 Application Server using WS-Federation.
This page describes how to enable Federation for a IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs but for applications that use SAML assertions for authentication. After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse created by the IDP server.
...
- Open the Administative Console with Administrator privileges and navigate to Security / Global security
- Ensure Application security is enabled
- Navigate to Security / Global security / Web and SIP security and select Trust association
- Check the Enable trust association check box
- Select Interceptors
- Click on New and specify the Interceptor class name as
org.apache.cxf.fediz.was.tai.FedizInterceptor
Property | Value |
|---|---|
config.file.location | Specify the path to the fediz-config.xml file |
role.group.mapper | Specify the class of the Role to Group Mapper |
groups.mapping.file | Specify the path to the Role - Group mapping file |
groups.mapping.refresh.timeout | Specify the refresh time (in sec) to reload the Group mapping file |
The file defined in groups.mapping.file must have the following structure:
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<?xml version="1.0" encoding="UTF-8"?>
<mapping>
<samlToJ2EE>
<claim>User</claim>
<groups>
<j2eeGroup>Authenticated</j2eeGroup>
<j2eeGroup>Users</j2eeGroup>
</groups>
</samlToJ2EE>
<samlToJ2EE>
<claim>Manager</claim>
<groups>
<j2eeGroup>Manager</j2eeGroup>
<j2eeGroup>Authenticated</j2eeGroup>
</groups>
</samlToJ2EE>
<samlToJ2EE>
<claim>Admin</claim>
<groups>
<j2eeGroup>Admin</j2eeGroup>
<j2eeGroup>Authenticated</j2eeGroup>
</groups>
</samlToJ2EE>
</mapping>
|
...