How do you pass a SAML link in a work task notification email?


We are using IdP-initiated SAML, and we access TRIRIGA via a link that looks something like this: http://idpprovider/applications/Tririga. Can we pass this link in FRONT_END_SERVER in TRIRIGAWEB.properties so that users can click on the link that they get in a work task email, and they can be redirected to TRIRIGA?

SAML does not support basic authentication for non-browser clients. This is a SAML limitation. See the following APAR IV88274 link.

[Admin: For convenience, here are the meanings of the acronyms: Identity Provider (IdP), Security Assertion Markup Language (SAML).]

[Admin: This post is related to the 08.18.16 post about lack of support for non-browser clients. To see other related posts, use the SAML tag.]

Continue reading

What is the support for SAML SSO with external assertions, SHA-2, and multiple principal names?


What is the IBM TRIRIGA support scope for SAML SSO with external assertions, SHA-2 encryption, and multiple principal names simultaneously? We need to implement SSO with SAML and want to know if there are any restrictions when running that with the IBM TRIRIGA product.

[Admin: This post is related to the 08.18.16 post about TRIRIGA support for SAML for non-browser clients, and the 06.03.16 post about implementing SAML SSO with WebSphere Liberty.]

Continue reading

Can anyone help with a WebSphere SAML error?


Can anyone help me? What exactly is the fix for this issue? We are using WebSphere 8.5.5.9 version with IdP-initiated SAML.

[7/14/16 9:58:14:120 EDT] 000000cc ReplayManager 3 SAML Assertion with ID: _c79da00a-bcd7-405f-b1af-e1c5c4310f8a has been received in previous request.
[7/14/16 9:58:14:120 EDT] 000000cc ReplayManager E CWWSS8036E: A SAML assertion with ID [_c79da00a-bcd7-405f-b1af-e1c5c4310f8a] has already been received and processed.

This looks like it is happening outside of TRIRIGA: WebSphere Application Server 8.5.5: Messages: CWWSS.

CWWSS8036E: A SAML assertion with ID [{0}] has already been received and processed.

  • Explanation: A SAML assertion should not be replayed. The current request has a SAML assertion that has already been found in a previous request.
  • Action: Ensure the Identity Provider does not generate a SAML assertion with a duplicated ID or resend the same SAML assertion more than once.

Continue reading
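As an added example (not code from the original post, IBM TRIRIGA or WebSphere), here is a Python sketch of what the ReplayManager check above enforces: a service-provider-side cache that remembers each assertion ID until its validity window plus clock skew has passed and rejects a second arrival, together with a parser that tallies CWWSS8036E lines per assertion ID so you can tell one response being re-posted from many IDs colliding. The second assertion ID in the sample log, the 5-minute skew and the class/function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the SystemOut format quoted in the post (the first ID
# is the one from the post, the second is made up for illustration).
SAMPLE_LOG = """\
[7/14/16 9:58:14:120 EDT] 000000cc ReplayManager E CWWSS8036E: A SAML assertion with ID [_c79da00a-bcd7-405f-b1af-e1c5c4310f8a] has already been received and processed.
[7/14/16 9:58:21:004 EDT] 000000d1 ReplayManager E CWWSS8036E: A SAML assertion with ID [_c79da00a-bcd7-405f-b1af-e1c5c4310f8a] has already been received and processed.
[7/14/16 10:02:03:511 EDT] 000000e3 ReplayManager E CWWSS8036E: A SAML assertion with ID [_11111111-2222-3333-4444-555555555555] has already been received and processed.
"""

REPLAY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+ReplayManager\s+E\s+CWWSS8036E: "
    r"A SAML assertion with ID \[(?P<id>[^\]]+)\]"
)


def replayed_ids(log_text):
    """Count CWWSS8036E events per assertion ID. Many hits on one ID point to the
    same SAML response being re-posted (refresh/back button, a retrying client);
    many distinct IDs with hits point to the IdP reusing IDs."""
    counts = {}
    for line in log_text.splitlines():
        m = REPLAY_RE.match(line)
        if m:
            counts[m.group("id")] = counts.get(m.group("id"), 0) + 1
    return counts


class AssertionReplayCache:
    """Reject an assertion ID seen before within its validity window (assumed
    5-minute skew). IDs are forgotten only once they could no longer validate."""

    def __init__(self, clock_skew=timedelta(minutes=5)):
        self._seen = {}  # assertion ID -> time after which the entry may be dropped
        self._skew = clock_skew

    def accept(self, assertion_id, not_on_or_after, now):
        for aid, expiry in list(self._seen.items()):  # purge entries that can no longer replay
            if expiry <= now:
                del self._seen[aid]
        if now >= not_on_or_after + self._skew:
            return False  # assertion itself is expired, regardless of the cache
        if assertion_id in self._seen:
            return False  # replay: same ID already processed
        self._seen[assertion_id] = not_on_or_after + self._skew
        return True
```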

Is there a way to implement SAML SSO with WebSphere Liberty?


I’m posting this for awareness. The WebSphere SAML SSO feature only works with an IdP-initiated SSO. (Refer to this article: Understanding the WebSphere Application Server SAML Trust Association Interceptor.) The IdP must be aware of the SP Entity Id as well as the RelayState, which is the URL to which the browser is forwarded upon successful assertion by the WebSphere SAML SSO. (Refer to this guide for further SAML SSO configuration: Configuring SAML Web Browser SSO in Liberty.)

I confirmed that the following configuration works for SimpleSAML IdP when the user goes to the IdP’s URL…

[Admin: For convenience, here are the meanings of the acronyms: Security Assertion Markup Language (SAML), Single Sign-On (SSO), Identity Provider (IdP), Trust Association Interceptor (TAI), Service Provider (SP).]

[Admin: This post is related to the 03.07.16 post about two channels of authentication with one IHS, and the 02.10.16 post about SAML SSO in TRIRIGA.]

Continue reading

How do you submit a SAML request for enhancement (RFE)?


Configuring secured SAML with WebSphere requires web pages to be protected. The design of the TRIRIGA application does not currently allow you to set up the EAR or WAR (depending on TRIRIGA platform release) to include web page protection. The ability to protect the web pages in this manner would require a major change in the TRIRIGA platform, so this would not be viewed as a defect, but as an enhancement.

So, what can I do to get this level of security? Your best option is to check the Request For Enhancement (RFE) site to see if someone has already requested that this be required in a future release. If an RFE exists, vote for it. The more votes an RFE has, the more likely it is to be included in a future release. If an RFE does not exist, create one and be sure to go to the Service Management Connect (SMC) forum and solicit votes for your enhancement request. Below is information about the RFE process that I provide to customers when a PMR leads to this sort of issue…

Continue reading