
I am following the below document to configure the SAML SSO for WAS 8.5.5 and we are stuck at the very first step. As per the guide, we are supposed to add an identity provider using metadata of the identity provider & then import the SAML token signer certificate. But in our case we have received a single file called Federation Metadata.xml from the external identity provider which has both metadata & SAML token signer certificate info within the same file. So the question is how do I export Metadata & token signer certificate out of it to accomplish step 1.

https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html

M I P

1 Answer


You can extract the token signing certificate from the FederationMetadata.xml file via the following steps.

  1. Find the element <ds:Signature> in the FederationMetadata.xml file, then the <KeyInfo> element within it and then the <X509Certificate> element below that.
  2. Take the base64 string within the X509Certificate element and paste this into a new text document.
  3. Save and close the text document and change the extension from .txt to .cer. This should be the public portion of the cert you can use to import.
Gilligan
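The three steps above done with a parser instead of copy and paste, as an added example that is not part of the answer or of IBM's documentation. It pulls the certificate from `ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate` exactly as the answer describes, and it also pulls the `KeyDescriptor use="signing"` certificate from the `IDPSSODescriptor`, which is where SAML metadata formally lists the token-signing key; in ADFS these are normally the same certificate, and the `same_key` flag reports whether that holds for the file in hand before anything is imported into WebSphere. The metadata itself needs no extraction: FederationMetadata.xml is the IdP metadata file. The sample metadata, the placeholder certificate bytes (which only mimic the leading DER byte) and the output file names are all constructed for this example.

```python
"""Extract the IdP certificates from a SAML FederationMetadata.xml file.

Added example (not from the original post): implements the answer's three
steps with an XML parser, validates the base64 blob, wraps it as PEM and
writes a .cer file that can be imported into the WebSphere truststore.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder DER bytes, not a real certificate: only the leading
# 0x30 (ASN.1 SEQUENCE tag) matters for the sanity check in to_pem().
_FAKE_CERT_B64 = base64.b64encode(
    b"\x30\x82\x00\x2a" + b"constructed placeholder, not a real X.509 cert").decode()
_FAKE_ENC_B64 = base64.b64encode(
    b"\x30\x82\x00\x20" + b"constructed encryption cert placeholder").decode()

# Constructed sample in the shape ADFS emits: a signed EntityDescriptor whose
# IDPSSODescriptor carries separate signing and encryption KeyDescriptors.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://idp.example.test/adfs/services/trust">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          {_FAKE_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_text: str) -> str:
    """Turn the raw X509Certificate element text into a PEM block.

    Whitespace and line breaks inside the element are dropped, the blob is
    decoded to confirm it is valid base64, and the first byte is checked to
    be an ASN.1 SEQUENCE tag (0x30), which every DER certificate starts with.
    """
    body = "".join(b64_text.split())
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("X509Certificate content does not look like DER")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def extract_certs(metadata_xml: str) -> dict:
    """Return the metadata-signature cert and the IdP's token-signing certs.

    'metadata_signing' is the answer's ds:Signature/KeyInfo/X509Certificate.
    'token_signing' holds every IDPSSODescriptor KeyDescriptor whose 'use'
    is "signing" or absent (absent means the key serves both uses);
    encryption-only keys are skipped because they cannot verify tokens.
    """
    root = ET.fromstring(metadata_xml)
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

    sig = root.find("ds:Signature", NS)
    meta_cert = sig.find(cert_path, NS) if sig is not None else None
    metadata_signing = (to_pem(meta_cert.text)
                        if meta_cert is not None and meta_cert.text else None)

    token_signing = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(cert_path, NS)
        if cert is not None and cert.text:
            token_signing.append(to_pem(cert.text))

    return {
        "metadata_signing": metadata_signing,
        "token_signing": token_signing,
        # True when the key that signed the metadata is also a token signer,
        # i.e. the answer's shortcut yields the certificate WebSphere needs.
        "same_key": metadata_signing is not None and metadata_signing in token_signing,
    }


def write_cer(pem: str, out_path: Path) -> Path:
    """Write the PEM text as a .cer file for the WebSphere truststore import."""
    out_path.write_text(pem)
    return out_path


if __name__ == "__main__":
    # Real use: replace SAMPLE_METADATA with Path("FederationMetadata.xml").read_text()
    result = extract_certs(SAMPLE_METADATA)
    print("metadata signed by a token-signing key:", result["same_key"])
    for i, pem in enumerate(result["token_signing"]):
        print("wrote", write_cer(pem, Path(f"idp-token-signer-{i}.cer")))
```

If `same_key` comes back `False`, the certificate under `ds:Signature` only signed the metadata document, and the `.cer` files written from `token_signing` are the ones to import for SAML token validation; if an IdP lists several signing keys (as happens during a certificate rollover), import all of them.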
  • Hi @Gilligan, appreciate your help in exporting the token signing certificate from FederationMetadata.xml. I am in the process of enabling the SAML TAI using the Admin console and my application is front-ended with IBM HTTP Server configured with wildcard certs. So what should our sso_1.sp.acsurl look like, and also what should I use in place of the context root? Is it samlsps or our deployed business application's context root? – Santosh Kondapuram Feb 26 '18 at 21:20
  • I am not all that familiar with WebSphere, so I may not be much help on that front. I suspect it would be asking for your business application's URL though. – Gilligan Mar 05 '18 at 21:53