Software AG Products 10.5 | Administering Integration Server | Configuring Integration Server for Secure Communication | Accepting SAML2 Tokens at the Transport Level
 
Accepting SAML2 Tokens at the Transport Level
Integration Server supports including SAML2 tokens in the HTTP header, making it possible to use SAML2 tokens with all types of services. This enables integration with other security providers.
To use this functionality, you must do the following on Integration Server:
1. Configure the Integration Server is_jaas.cnf as shown below by adding the SamlAssertLoginModule as the first login module to the IS_Transport login context:
com.wm.app.b2b.server.auth.jaas.SamlAssertLoginModule requisite mode="transport" defaultUserName="Default";
2. Add the issuer of the SAML assertion to the list of trusted SAML issuers. For more information, see Identifying Trusted STSs to Integration Server .
The client sending the request must include the custom HTTP header named "wmIS-SAML2-Assertion" and send the Base64 encoded SAML2 assertions as the header value.
When Integration Server receives an HTTP request with the custom header "wmIS-SAML2-Assertion" and finds a Base64 encoded SAML2 assertion in the header, Integration Server decodes from Base64 and validates the assertion. If validation of the assertion succeeds, Integration Server searches for an Integration Server user that matches the NameID from the SAML2 Assertion. Integration Server first checks for a local user defined on Integration Server and then searches Central Users or LDAP. If Integration Server finds a username that matches the NameID, Integration Server uses that username for the session. Otherwise, Integration Server uses the user defined in the "defaultUserName" option of the SamlAssertLoginModule module shown above. If the "defaultUserName" option is set to "Default", Integration Server uses the Default user account, which allows access to resources that have the Anonymous ACL.