Enabling single sign-on for SAML 2.0
Configure HCL Connections™ if you want to use the SAML (Security Assertion Markup Language) 2.0 Web SSO redirection services support to implement user authentication and single sign-on (SSO).
Complete the following prerequisite conditions:
- Verify that the Default application (Snoop) is protected by SAML 2.0.
- Ensure that you can access Connections applications from a web browser.
-
Each href attribute in the LotusConnections-config.xml file is case-sensitive and must specify a fully-qualified domain name.
Note: Lowercase is required for URLs. Many modern browsers will set the domain to lowercase before making a request. For URLs to match with those browsers, lowercase must be used when specifying domain names.
-
The connectionsAdmin J2C alias that you specified during installation must correspond to a valid account that can authenticate with SAML. It may map to a backend administrative user account. This account must be capable of authenticating for single sign-on against SAML. If you need to update the user ID or credentials for this alias, see the Changing references to administrative credentials topic.
-
Install Connections, if you have not already done so, with all necessary software components as described in Installing.
-
Using the WebSphere Application server administrative console, navigate to Global security > Web and SIP security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor and make the following changes:
-
Modify the SAML filter for Connections by copying and pasting the following values into the sso_1.sp.filter Values field:
request-url^=/login|/service/authredirect.jsp;request-url!=forceLogin -
Create a new property called sso_1.sp.enforceTaiCookie and set its value to false.
-
-
Run Full Resynchronize for all nodes.
-
Stop all Connections clusters and then stop the DM.
-
Restart the DM and then restart all Connections clusters.
Parent topic:Configuring SAML redirection services for web SSO