Integration Server 10.11 | Integration Server Administrator's Guide | Authenticating Clients | SAML Authentication | Accepting SAML2 Tokens at the Transport Level
 
Accepting SAML2 Tokens at the Transport Level
Integration Server supports including SAML2.0 tokens in the HTTP header, making it possible to use SAML tokens with all types of services. This enables integration with other security providers.
To use this functionality, you must add the issuer of the SAML assertion to the list of trusted SAML issuers. For more information, see Identifying Trusted STSs to Integration Server.
The client sending the request must include the custom HTTP header named "wmIS-SAML2-Assertion" and send the Base64 encoded SAML2.0 assertions as the header value.
When Integration Server receives an HTTP request that carries the custom header "wmIS-SAML2-Assertion" with a Base64 encoded SAML2.0 assertion as its value, Integration Server decodes the value from Base64 and validates the assertion. If validation of the assertion succeeds, Integration Server searches for an Integration Server user whose name matches the NameID in the SAML2.0 assertion: it first checks for a local user defined on Integration Server and then searches Central Users or LDAP. If Integration Server finds a username that matches the NameID, it uses that username for the session. Otherwise, Integration Server uses the user defined in the "defaultUserName" option of the SamlAssertLoginModule module in the IS_Transport login context of the Integration Server is_jaas.cnf file. If the "defaultUserName" option is set to "Default", Integration Server uses the Default user account, which allows access to resources that have the Anonymous ACL.
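The following is an added example, not Integration Server's own code, that models the two halves of the flow described above: the client placing a Base64 encoded SAML2.0 assertion in the "wmIS-SAML2-Assertion" header, and the server decoding it, checking the issuer against its trusted list, and resolving the NameID to a session user in the order local user, then Central Users/LDAP, then the "defaultUserName" option. The sample assertion, the user stores, the trusted-issuer list and all function names (build_header, authenticate, resolve_session_user) are constructed for the illustration. The validation step is deliberately reduced to the issuer-trust check that this page talks about; the real server also verifies the assertion signature and conditions, which this model does not attempt.

```python
"""Added example (not Integration Server's code): models the wmIS-SAML2-Assertion
header flow. The assertion below is a constructed, unsigned sample used only to
show the data flow; the issuer check stands in for the server's full validation."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

HEADER_NAME = "wmIS-SAML2-Assertion"  # custom header named on the page
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no signature; illustrative only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed stand-ins for the local user store, Central Users/LDAP,
# the trusted-issuer list, and the JAAS defaultUserName option.
LOCAL_USERS: Set[str] = {"Administrator", "alice"}
CENTRAL_OR_LDAP_USERS: Set[str] = {"bob"}
TRUSTED_ISSUERS: Set[str] = {"https://sts.example.com/idp"}
DEFAULT_USER_NAME = "Default"  # "Default" means the Default account / Anonymous ACL


def build_header(assertion_xml: str) -> Dict[str, str]:
    """Client side: Base64-encode the assertion and place it in the custom header."""
    value = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return {HEADER_NAME: value}


def decode_assertion(headers: Dict[str, str]) -> Optional[ET.Element]:
    """Server side: parse the header value; None if absent, not Base64, or not XML."""
    raw = headers.get(HEADER_NAME)
    if raw is None:
        return None
    try:
        xml_bytes = base64.b64decode(raw, validate=True)
        return ET.fromstring(xml_bytes)
    except (ValueError, ET.ParseError):
        return None


def validate_assertion(assertion: ET.Element, trusted_issuers: Set[str]) -> bool:
    """Simplified validation: the Issuer must be on the trusted-issuer list.
    A real deployment must also verify the signature and conditions; issuer
    trust alone does not prove the assertion is genuine."""
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    return issuer is not None and issuer.strip() in trusted_issuers


def resolve_session_user(assertion: ET.Element, local_users: Set[str],
                         directory_users: Set[str], default_user_name: str) -> str:
    """Lookup order from the page: local user, then Central Users/LDAP,
    then the defaultUserName option."""
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:
        name_id = name_id.strip()
        if name_id in local_users:
            return name_id
        if name_id in directory_users:
            return name_id
    return default_user_name


def authenticate(headers: Dict[str, str],
                 trusted_issuers: Set[str] = TRUSTED_ISSUERS,
                 local_users: Set[str] = LOCAL_USERS,
                 directory_users: Set[str] = CENTRAL_OR_LDAP_USERS,
                 default_user_name: str = DEFAULT_USER_NAME) -> Optional[str]:
    """End-to-end server handling. Returns the session username, or None when
    the request must be rejected (missing/malformed header or untrusted issuer)."""
    assertion = decode_assertion(headers)
    if assertion is None or not validate_assertion(assertion, trusted_issuers):
        return None
    return resolve_session_user(assertion, local_users, directory_users, default_user_name)


if __name__ == "__main__":
    request_headers = build_header(SAMPLE_ASSERTION)
    print(HEADER_NAME + ": " + request_headers[HEADER_NAME][:40] + "...")
    print("session user:", authenticate(request_headers))
```

Running the block shows the header a client would send and the session user the server resolves ("alice", a local user). Changing the NameID to a name found in neither store falls through to the defaultUserName value, which is exactly the case to review when hardening: with "Default" there, any assertion from a trusted issuer, whatever its NameID, still yields a session with the Anonymous ACL.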