PingOne® For Enterprise

What is PingOne® for Enterprise?

PingOne® for Enterprise is a fast, simple and easy identity-as-a-service (IDaaS) single sign-on (SSO) offering that enables
enterprises to give their users federated access to applications with a single click from a secure, cloud-based dock,
accessible from any browser or mobile device. PingOne for Enterprise reduces user password sprawl and improves user
experience, all while improving business agility and driving administrative efficiency.

Access PingOne Data Sheet

WebSphere SAML SP for ISIM SSO

Use Case

Provide federated single sign-on (SSO) for IBM Security Identity Manager (ISIM) without IBM Security Access Manager (ISAM). IBM's documentation for ISIM describes SSO only in terms of ISAM's WebSEAL authentication. After further investigation and prototyping, SSO against a third-party IdP (Okta) was implemented and is running in a live environment.

How to Configure

To configure single sign-on with the WebSphere SAML SP, the Trust Association Interceptor (TAI) and a third-party IdP, complete the following steps:

1.      Deploy WebSphere SAML SP

WebSphere Application Server supports SAML web SSO and serves as the service provider (SP) for ISIM. WebSphere consumes the SAML assertion issued by our IdP and establishes a security context for the user in ISIM.

2.      Configure WebSphere Trust Association Interceptor

Enable trust association for the Assertion Consumer Service (ACS) application deployed in WebSphere. The SAML TAI validates the SAML response posted by the third-party IdP (the signature against the IdP certificate in the SP truststore, the issuer, the audience and the validity window) and then looks the asserted subject up in the local registry to verify that the user exists in ISIM.

3.      Configure ISIM for SSO

To reiterate, the Knowledge Center documentation for ISIM states that IBM Security Access Manager is required to accomplish SSO, but this is not the case. A few properties must be configured to prepare ISIM for SSO. Once these properties are set, the ISIM console and ISIM self-service login pages expect SSO as the authentication method.

4.      Configure ISIM Security Domain

The deployment of the ISIM application creates its own security domain, named ISIMSecurityDomain. For ISIM to invoke the TAI, three TAI properties must be set within the ISIM security domain. These properties tell the security domain to use the TAI, which carries the triggers, login URLs and other ID-mapping properties needed to complete SSO.

**NOTE** Application security is enabled by default for ISIM. Any application that uses a TAI requires application security to be enabled.

5.      Enable Trust Association Interceptor

Once the Assertion Consumer Service, the Trust Association Interceptor and the properties above are configured, the final step is to enable trust association in global security.
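The five steps above, carried out as a wsadmin (Jython) script. This is an added example written for this page, not PathMaker Group's or IBM's script. The TAI class name, the SAML TAI property names and the /samlsps and /itim context roots are WebSphere and ISIM defaults; every host, port, entity ID, login URL, truststore name, certificate alias and the request filter are assumptions. The page does not name the three domain-level properties referred to in step 4, so the script simply registers the same interceptor and properties in ISIMSecurityDomain, which is an assumption as well.

```python
# Added example (not the page's or PathMaker Group's script): a wsadmin Jython
# script for steps 1-5 of a WebSphere SAML SP fronting ISIM. Hosts, ports,
# entity IDs, the truststore name, the certificate alias and the filter are
# assumptions. Outside wsadmin (plain Python) it runs as a dry run and only
# prints the commands it would issue. Syntax is kept to what old Jython accepts.

ISIM_DOMAIN = "ISIMSecurityDomain"   # security domain created by the ISIM deployment
SAML_TAI_CLASS = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"

# Assumed values for illustration.
SP_BASE = "https://isim.example.com:9443"                  # hypothetical ISIM/WebSphere host
IDP_ENTITY_ID = "http://www.okta.com/exk0000000000000000"  # hypothetical Okta issuer
IDP_LOGIN_URL = "https://example.okta.com/app/example_isim_1/exk0000000000000000/sso/saml"
IDP_CERT_ALIAS = "okta-signing"                            # IdP signing cert alias in the truststore
SP_TRUSTSTORE = "NodeDefaultTrustStore"


def saml_tai_properties(sp_base, idp_entity_id, idp_login_url, idp_cert_alias, truststore):
    """Return the SAML TAI custom properties as 'name=value' strings.

    The names are WebSphere SAML Web SSO TAI properties; every value is an
    assumption. The security-relevant choices are idMap=localRealm (the
    asserted user must exist in the local registry, i.e. ISIM), a single
    trusted issuer, signed assertions and replay prevention.
    """
    acs_url = sp_base + "/samlsps/acs"   # context root of the WebSphere SAML ACS application
    return [
        "sso_1.sp.acsUrl=" + acs_url,
        "sso_1.sp.EntityID=" + acs_url,                     # SP entity ID; IdP AudienceRestriction must match
        "sso_1.sp.targetUrl=" + sp_base + "/itim/console",  # where an IdP-initiated login lands
        "sso_1.sp.filter=request-url%=/itim/",              # trigger: ISIM console and self-service (assumed)
        "sso_1.sp.login.error.page=" + idp_login_url,       # unauthenticated requests go to the IdP login URL
        "sso_1.sp.idMap=localRealm",                        # identity lookup in the local registry
        "sso_1.idp_1.EntityID=" + idp_entity_id,            # only this issuer is accepted
        "sso_1.idp_1.certAlias=" + idp_cert_alias,          # signature must verify against this certificate
        "sso_1.sp.trustStore=" + truststore,
        "sso_1.sp.wantAssertionsSigned=true",
        "sso_1.sp.preventReplayAttack=true",
    ]


def sso_commands(props, domain):
    """Return the AdminTask calls (command name, argument string) that
    register the TAI in global security and in the ISIM security domain,
    then enable trust association in global security."""
    quoted = ",".join(['"%s"' % p for p in props])
    cls = SAML_TAI_CLASS
    return [
        ("configureInterceptor",
         "-interceptor %s -customProperties %s" % (cls, quoted)),
        ("configureInterceptor",
         "-interceptor %s -securityDomainName %s -customProperties %s" % (cls, domain, quoted)),
        ("configureTrustAssociation", "-enable true"),
    ]


def apply_sso_commands(commands):
    """Run the commands under wsadmin, or print them as a dry run elsewhere.
    Returns the number of commands issued or printed."""
    try:
        task = AdminTask        # injected by wsadmin; NameError outside it
        config = AdminConfig
    except NameError:
        task = None
        config = None
    for name, arg in commands:
        if task is None:
            print("dry-run: AdminTask.%s('%s')" % (name, arg))
        else:
            getattr(task, name)(arg)
    if config is not None:
        config.save()           # persist the configuration change
    return len(commands)


tai_props = saml_tai_properties(SP_BASE, IDP_ENTITY_ID, IDP_LOGIN_URL, IDP_CERT_ALIAS, SP_TRUSTSTORE)
apply_sso_commands(sso_commands(tai_props, ISIM_DOMAIN))
```

Run it with `wsadmin.sh -lang jython -f <script>`; outside wsadmin it only prints the commands. The argument quoting follows the comma-separated "key=value" form of the configureInterceptor command. idMap=localRealm is what produces the identity lookup described in step 2; idAssertion would accept the IdP's subject without checking the local registry. If ISIMSecurityDomain customizes trust association rather than inheriting it from global security, enable it in the domain too (configureTrustAssociation with -securityDomainName), since step 5 only enables it globally.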

Assumptions

Completing the configuration of the WebSphere SAML SP and SSO assumes the following:

  • Knowledge of deploying WebSphere middleware applications
  • Certificate management
  • Preconfigured and functioning IdP
  • Understanding of Security Context for WebSphere applications
  • General understanding of SAML


Joshua Moore
PathMaker Group Consultant