
Integrate with IBM WAS TAI authentication


WebSphere Application Server provides Trust Association Interceptor (TAI) plug-ins that generate an authenticated session and security context for applications. The portal login process recognizes an authentication already established by WAS and uses the implicit login path in that case.

Portal does not reuse group information by default. Configure portal to reuse Subject group information from the WAS security context.

Configure the SAML TAI to allow users available in the connected repositories to log in. The SAML TAI configuration accepts both users available in the connected repositories (localRealm configuration) and users asserted by the IdP (idAssertion). An asserted user fits the portal concept of a transient user: its user attributes are not stored locally, but once the configuration is in place the user is trusted and verified.

See:

  1. Step by step guide to implement SAML 2.0 for Portal 8.5 (Local)
  2. Configure transient users
  3. Enable the system to use the SAML web single sign-on (SSO) feature


WEB_INBOUND login flow

To recognize portal transient users, place a login module in the WEB_INBOUND login flow before the LTPA token is created, and have it update the distinguished name produced by the TAI. Users then do not have to be known in the connected repositories, as long as their distinguished name structure fits the portal pattern.

See: Portal transient user support with WAS SAML TAI business case clarification
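The login module described above, as an added illustration that is not part of this page or of the portal product: a JAAS module placed first in WEB_INBOUND that reads the TAI-asserted name from the NameCallback, maps it onto a transient-user DN pattern, and hands WAS a credential Hashtable so no registry lookup is needed. The class name, the `transientDnTemplate` option and its placeholder default are assumptions; the real DN pattern comes from your portal configuration, and the Hashtable keys are the documented WAS AttributeNameConstants.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.wsspi.security.token.AttributeNameConstants;

/** Assumed example module: rewrites a TAI-asserted name into the portal transient-user DN. */
public class TransientUserDnLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    // Assumed module option; replace the placeholder with the portal's transient DN pattern.
    private String dnTemplate = "uid=%s,o=TRANSIENT-DN-PLACEHOLDER";

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        Object t = options.get("transientDnTemplate");
        if (t != null) dnTemplate = t.toString();
    }

    /** Escape RFC 4514 special characters so an asserted name cannot add DN components. */
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if (",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("Username: ");
        try { handler.handle(new Callback[] { nc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        String asserted = nc.getName();
        if (asserted == null || asserted.isEmpty()) return false; // nothing asserted: defer to later modules
        // Already a DN (repository user): keep it; otherwise build the transient DN from the template.
        String dn = asserted.contains("=") ? asserted : String.format(dnTemplate, escapeRdnValue(asserted));
        Hashtable<String, Object> cred = new Hashtable<>();
        cred.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, dn);
        cred.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, asserted);
        cred.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList<String>()); // groups come from the TAI mapping
        cred.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "transient:" + dn);
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, cred); // tells WAS to skip the registry lookup
        return true;
    }
    public boolean commit() { return true; }
    public boolean abort() { sharedState.remove(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY); return true; }
    public boolean logout() { return true; }
}
```

Because the module asserts identity without a registry lookup, it must only ever run behind a TAI that has already validated the SAML assertion; verify the module order in the WEB_INBOUND configuration after deployment.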


Parent topic: Roadmaps for integration


See also

Understanding the SAML trust association interceptor for the WebSphere Application Server