Understanding the WebSphere Application Server SAML Trust Association Interceptor

This has come up in conversations a few times, so Martin Lansche's developerWorks article: -

Understanding the WebSphere Application Server SAML Trust Association Interceptor

is perfectly timed.

Summary:  Recent fixpacks to IBM® WebSphere® Application Server versions 7.0, 8.0 and 8.5 include a new SAML Trust Association Interceptor (TAI) that introduces new advanced single sign on capabilities. The TAI includes many properties, and understanding  what these options do and when to use them can be a challenge. The purpose of this article is to help you make sense of the SAML TAI. This content is part of the IBM WebSphere Developer Technical Journal.

Introduction

IBM WebSphere Application Server — and stack products running on top of a WebSphere Application Server platform — has had a customizable authentication framework since V5.1 based on the Trust Association Interceptor (TAI) interface. There are multiple product implementations of this interface. In 2012, the WebSphere Application Server full profile edition shipped a new Security Assertion Markup Language (SAML) TAI that is available on WebSphere Application Server versions 7.0, 8.0 and 8.5. (At the time of this writing, the IBM WebSphere Application Server Liberty profile does not have SAML support.) This TAI is by far the most comprehensive TAI available so far. This article will explain:

• How the SAML TAI can be used.

• When it is appropriate to use the SAML TAI.

• How the various SAML TAI properties work together.

• The intricate path that the SAML TAI weaves through the WebSphere Application Server authorization process.

This article assumes a firm understanding of the WebSphere Application Server authentication process (as described in the article Advanced authentication in WebSphere Application Server), as well as an understanding of:

• Digital signing

• Encryption

• Identity assertion

• TAIs in general.