

Clarification about “WAS supports IdP initiated SAML web SSO only”

Can someone explain this to me? In the IBM Info Center, they mentioned that “WebSphere Application Server supports IdP initiated SAML web SSO only”. I have two J2EE applications, deployed on two different instances of WAS v8.5; these applications use a form-based authentication mechanism to authenticate users. And I want to configure SAML SSO between them, where I will use an external identity provider and I will configure each WAS instance to act as a service provider. Does the above statement mean that I cannot implement SAML SSO, since the authentication will be held at the service providers? If not, would anyone please explain the above statement to me?

In SAML version 1, the user always started at the Idp, and then followed a link to the Sp. The login was initiated at the Idp.

With SAML version 2, the AuthnRequest message was added to the protocol, which enables the user to start at the Sp. Then the Sp issues an AuthnRequest message to the Idp and the Idp replies with a Response message containing the assertions.

It looks like WAS only supports the first scenario, which means that Sp-initiated auto-login is not possible. However you can always provide a link on the Sp start page to the Idp for manual login.
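The two flows described in this answer, as an added illustration that is not part of the original answer and not WebSphere or IBM code. The SAML XML messages are modelled as plain dictionaries, the XML signature check a real SP performs is replaced by an issuer allow-list, and every entity ID, URL and credential is a constructed sample. The security-relevant difference between the flows sits in `consume_response`: an IdP-initiated (unsolicited) Response carries no `InResponseTo`, so the SP can only accept it if it is configured to trust unsolicited responses, whereas an SP-initiated Response must name a pending AuthnRequest ID, which is then consumed so it cannot be reused.

```python
"""Toy model of IdP-initiated vs. SP-initiated SAML 2.0 web SSO (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    entity_id: str
    sso_url: str
    users: dict  # username -> password; constructed sample data only

    def authenticate(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("IdP rejected credentials")

    def build_response(self, acs_url, subject, in_response_to=None):
        # Stand-in for a SAML Response. InResponseTo is absent for an
        # unsolicited (IdP-initiated) response and set for an SP-initiated one.
        return {
            "ID": "_resp_" + secrets.token_hex(8),
            "Issuer": self.entity_id,
            "Destination": acs_url,
            "InResponseTo": in_response_to,
            "Assertion": {"Subject": subject},
        }


@dataclass
class ServiceProvider:
    entity_id: str
    acs_url: str                       # Assertion Consumer Service URL
    trusted_idps: dict                 # entity_id -> IdentityProvider
    allow_unsolicited: bool = True     # accept IdP-initiated responses?
    outstanding: set = field(default_factory=set)     # pending AuthnRequest IDs
    seen_responses: set = field(default_factory=set)  # replay protection

    def build_authn_request(self, idp):
        # SAML 2.0 addition: the SP asks the IdP to authenticate the user.
        req = {"ID": "_req_" + secrets.token_hex(8),
               "Issuer": self.entity_id,
               "Destination": idp.sso_url,
               "AssertionConsumerServiceURL": self.acs_url}
        self.outstanding.add(req["ID"])
        return req

    def consume_response(self, resp):
        if resp["Issuer"] not in self.trusted_idps:
            raise PermissionError("unknown issuer")
        if resp["Destination"] != self.acs_url:
            raise PermissionError("response not addressed to this SP")
        if resp["ID"] in self.seen_responses:
            raise PermissionError("replayed response")
        self.seen_responses.add(resp["ID"])
        irt = resp["InResponseTo"]
        if irt is None:
            # Unsolicited response: only valid in IdP-initiated mode.
            if not self.allow_unsolicited:
                raise PermissionError("unsolicited response refused")
        elif irt not in self.outstanding:
            raise PermissionError("InResponseTo does not match a pending request")
        else:
            self.outstanding.discard(irt)   # each AuthnRequest ID is one-time use
        return resp["Assertion"]["Subject"]


def idp_initiated_login(idp, sp, user, password):
    """User starts at the IdP (the SAML 1 style flow the answer says WAS supports)."""
    idp.authenticate(user, password)
    resp = idp.build_response(sp.acs_url, user)          # no InResponseTo
    return sp.consume_response(resp)


def sp_initiated_login(idp, sp, user, password):
    """User starts at the SP, which issues an AuthnRequest (SAML 2 only)."""
    req = sp.build_authn_request(idp)
    idp.authenticate(user, password)
    resp = idp.build_response(req["AssertionConsumerServiceURL"], user,
                              in_response_to=req["ID"])
    return sp.consume_response(resp)


def make_demo_parties(allow_unsolicited=True):
    """Constructed IdP/SP pair; all identifiers are assumptions."""
    idp = IdentityProvider("https://idp.example/saml", "https://idp.example/sso",
                           {"alice": "pw"})
    sp = ServiceProvider("https://app.example/saml", "https://app.example/acs",
                         {idp.entity_id: idp}, allow_unsolicited=allow_unsolicited)
    return idp, sp


if __name__ == "__main__":
    idp, sp = make_demo_parties()
    print("IdP-initiated:", idp_initiated_login(idp, sp, "alice", "pw"))
    print("SP-initiated: ", sp_initiated_login(idp, sp, "alice", "pw"))
```

An SP that only implements the first scenario is effectively running with `allow_unsolicited=True` and never issues an AuthnRequest; the cost is that it cannot bind a Response to a login it started, which is why the `InResponseTo` and replay checks matter more, not less, in that configuration.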

The WebSphere Application Server currently does not support true Sp-Initiated SSO. As mentioned in the previous answer, it supports Idp-initiated. However, it also supports a kind of hybrid that it calls "Bookmark style SSO and TAI filter", where you can send the client to WebSphere, it redirects to the Idp, who then sends the SAMLResponse back to the WebSphere. This keeps you from having to send clients directly to the IdP. This is a very common use case.

You can read about bookmark style SSO and TAI filter here:

http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_samlssosummary.html

"Bookmark style SSO and TAI filter:

Consider a bookmark style SSO which traditionally fits into an SP-initiated SSO. The user accesses the business application without authenticating to the IdP first. The WebSphere SAML TAI can be configured to initiate an SSO. Each SSO partner configuration contains an IdP login application and a routing filter. Each filter defines a list of selection rules that represent conditions that are matched against the HTTP request to determine whether or not the HTTP request is selected for an SSO partner. The filter rule is a combination of HTTP request header, referrer data, and target application name. The WebSphere SAML TAI runtime environment checks the user request against all filter rules to uniquely identify the SSO partner, and redirects the request to the selected IdP login application. The TAI filter allows an IdP-initiated SSO to provide similar functionality as the combination of an SP-initiated SSO and an IdP discovery service."
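The routing filter the quoted documentation describes, as an added illustration that is not part of the answer and not IBM or WebSphere code. Only the three rule attributes named in the quote (HTTP request header, referrer data, target application name) are taken from the page; the rule syntax, the partner names, the IdP login URLs and the sample requests are constructed assumptions. The point worth seeing in code is the word "uniquely": a request that matches rules of more than one SSO partner cannot be routed, and a request that matches none falls through to the application's own form login rather than to some default IdP.

```python
"""Toy model of the WebSphere SAML TAI routing filter (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FilterRule:
    headers: dict = field(default_factory=dict)   # header name -> required value
    referer_prefix: Optional[str] = None          # Referer must start with this
    target_app: Optional[str] = None              # first path segment of the URL

    def matches(self, request):
        # Every attribute set on the rule must hold for the request.
        for name, value in self.headers.items():
            if request["headers"].get(name) != value:
                return False
        if self.referer_prefix is not None:
            referer = request["headers"].get("Referer", "")
            if not referer.startswith(self.referer_prefix):
                return False
        if self.target_app is not None:
            app = request["path"].lstrip("/").split("/", 1)[0]
            if app != self.target_app:
                return False
        return True


@dataclass
class SsoPartner:
    name: str
    idp_login_url: str   # the partner's IdP login application (constructed)
    rules: list          # any matching rule selects this partner


def select_partner(request, partners):
    """Return the single partner whose filter selects the request, or None."""
    hits = [p for p in partners if any(r.matches(request) for r in p.rules)]
    if not hits:
        return None   # no partner selected: the app's own form login applies
    if len(hits) > 1:
        # The TAI must identify the partner uniquely; overlapping rules are a
        # configuration error, not something to resolve by picking the first.
        raise ValueError("ambiguous filter: " + ", ".join(p.name for p in hits))
    return hits[0]


def route(request, partners):
    """Redirect target chosen by the filter, or None to keep the request local."""
    partner = select_partner(request, partners)
    if partner is None:
        return None
    # The TAI redirects to the IdP login application; the IdP later posts the
    # SAMLResponse back to WebSphere, so the SAML exchange is still IdP-initiated.
    return partner.idp_login_url


def sample_partners():
    """Constructed configuration: two partners with deliberately overlapping rules."""
    return [
        SsoPartner("hr-idp", "https://idp-hr.example/login",
                   [FilterRule(target_app="hr")]),
        SsoPartner("mobile-idp", "https://idp-mobile.example/login",
                   [FilterRule(headers={"X-Client": "mobile"}),
                    FilterRule(referer_prefix="https://portal.example/")]),
    ]


def request(path, **headers):
    """Constructed HTTP request stand-in."""
    return {"path": path, "headers": headers}


if __name__ == "__main__":
    partners = sample_partners()
    print(route(request("/hr/index.jsp"), partners))
    print(route(request("/billing/", **{"X-Client": "mobile"}), partners))
    print(route(request("/billing/"), partners))
```

When two partners can both claim a request, as `/hr/` sent by the mobile client does here, the example raises instead of guessing; in a real configuration the rules for each partner should be written so that no request can satisfy more than one of them.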

