Skip to content

Configuring SAML redirection services for web SSO

To gain SAML support for all HCL Connections™ components that are accessed through a browser, set up SAML redirection services to use the default authenticator. This process replaces the web login page for Connections with your SAML Identity Provider (IdP) by using a redirect.

Connections provides SAML v2 support in a way to integrate with third parties that might handle authentication through the LTPA mechanism outside of the Connections cell. If you need to integrate SSO traffic that originates from outside of the Connections cell, then the SAML TAI must be configured to allow LTPA also to be used as an authentication mechanism.

This SAML support was tested with the following two SAML Identity Providers (IdP):

  • Tivoli Federated Identity Manager - IBM Tivoli Federated Identity Manager 6.2.2, SAML 2.0 IdP only
  • MS-ADFS - Microsoft™ ADFS 2.0, SAML 2.0 IdP only

Review the following table to understand the current level of SAML support in Connections and verify that your requirements can be met. If your requirements are not clearly met, then do not proceed with configuring SAML.

Other features and clients can still use WebSphere LTPA or built-in forms-based authentication. The following applications might not redirect to the SAML IdP and can use built-in login forms that are supplied by the Connections application, WebSphere, or the clients.

  • Mobile web-based
  • Mobile Native Apps
  • Connections Mail
  • WebSphere® Portal integration Desktop, Notes®, and other client application integration and other add-ons
  • HCL Connections Surveys (added in Connections 6)
  • Direct access to the FileNet Administration Console outside of the integration to the Connections user interface - common for administrators and developers, but not most users.
  • Direct access to Connections APIs

These additional applications still function, but do not redirect to, or use, your SAML IdP for authentication. When you use any of these noted applications, WebSphere's built-in authentication mechanisms must still be correctly configured and functioning when you use SAML for Connections.

Refer to the following topics in the WebSphere Application Server knowledge center to understand how to enable single sign-on with SAML:

Parent topic:Authentication with SAML