
Comments (4)

1 Eric Wood commented

Shane,

For updating the DefaultNameIDFormat in a cluster situation, what's the recommended method? If we edit the file on the dmgr, WAS doesn't necessarily synchronize it, and the "reload configurations" button doesn't either. Would the TFIM command line do this? If so, can you update the article (or post to comments) on how that would work?

Thanks!

2 Shane Weeden commented

Eric, with respect to your question, the recommended approach with TFIM 6.2.2 is to use the command line. That said, you should be able to update the configuration on the dmgr node, then use standard WebSphere admin console operations for the cluster to force re-synch of the config repository for all nodes.

With the command line:

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -user wasadmin -password <pwd>

Find the list of domains:
wsadmin> $AdminTask manageItfimDomain {-operation list}
{server1=tfim01}

Find the list of federations:
wsadmin> $AdminTask manageItfimFederation {-operation list -fimDomainName tfim01}
{Role=ip, Protocol=SAML1_1, Name=saml11idp}
{Role=ip, Protocol=SAML2_0, Name=saml20idp}

List all partners:
wsadmin> $AdminTask manageItfimPartner {-operation list -fimDomainName tfim01}
{Status=Enabled, Partner Name=salesforce.com, Federation=saml11idp, Partner Role=sp}
{Status=Enabled, Partner Name=Google Apps, Federation=saml20idp, Partner Role=sp}

Create a response file for the federation:
wsadmin> $AdminTask manageItfimFederation {-operation createResponseFile -fimDomainName tfim01 -federationName saml20idp -fileId /tmp/myfed.rsp}

Create a response file for the partner:
wsadmin> $AdminTask manageItfimPartner {-operation createResponseFile -fimDomainName tfim01 -federationName saml20idp -partnerName "Google Apps" -fileId /tmp/mypartner.rsp}

Edit the response file to add/update required properties. For example, in both response files I have:
<void method="put">
  <string>DefaultNameIdFormat</string>
  <object class="java.util.ArrayList">
    <void method="add">
      <string>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</string>
    </void>
  </object>
</void>

To update the federation:
wsadmin> $AdminTask manageItfimFederation {-operation modify -fimDomainName tfim01 -fileId /tmp/myfed.rsp}

To update the partner:
wsadmin> $AdminTask manageItfimPartner {-operation modify -fimDomainName tfim01 -federationName saml20idp -partnerName "Google Apps" -fileId /tmp/mypartner.rsp}

To reload runtime config (which should also do a node sync):
wsadmin> $AdminTask reloadItfimRuntime {-fimDomainName tfim01}
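
The one manual step in the procedure above is editing the response file between createResponseFile and modify. The following script, added here as an example and not part of the comment or of TFIM, does that edit programmatically so the same change can be applied to many federation and partner response files. It assumes the whole response file follows the shape of the fragment shown (a java.beans.XMLDecoder document whose top-level object is a java.util.HashMap with each property stored as an ArrayList of strings); the sample file, the ExampleProperty key and the script name are constructed for the example. It replaces any existing DefaultNameIdFormat values rather than appending to them, and checks the URN against the NameID formats defined by SAML 1.1 and SAML 2.0, since a mistyped URN would otherwise go into the configuration unnoticed.

```python
"""Set DefaultNameIdFormat in a TFIM wsadmin response file (added example).

Assumes the response file is a java.beans.XMLDecoder document whose top-level
object is a java.util.HashMap of property name -> ArrayList of strings, as in
the fragment quoted in the comment above. Usage (script name is hypothetical):
    python set_nameid_format.py /tmp/myfed.rsp \
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
"""
import sys
import xml.etree.ElementTree as ET

PROPERTY = "DefaultNameIdFormat"

# NameID format URNs defined by SAML 1.1 and SAML 2.0. The response file is
# free text, so the URN is checked here before it is written.
KNOWN_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})

# Constructed sample response file for demonstration. ExampleProperty is a
# placeholder key, not a real TFIM property name.
SAMPLE_RESPONSE_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0" class="java.beans.XMLDecoder">
 <object class="java.util.HashMap">
  <void method="put">
   <string>ExampleProperty</string>
   <object class="java.util.ArrayList">
    <void method="add">
     <string>example-value</string>
    </void>
   </object>
  </void>
  <void method="put">
   <string>DefaultNameIdFormat</string>
   <object class="java.util.ArrayList">
    <void method="add">
     <string>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</string>
    </void>
   </object>
  </void>
 </object>
</java>
"""


def _hashmap(root):
    """The top-level HashMap holding the federation/partner properties."""
    hashmap = root.find("./object[@class='java.util.HashMap']")
    if hashmap is None:
        raise ValueError("no top-level java.util.HashMap in response file")
    return hashmap


def _find_put(hashmap, key):
    """Return the <void method="put"> whose key string equals `key`, or None."""
    for put in hashmap.findall("./void[@method='put']"):
        name = put.find("string")
        if name is not None and name.text == key:
            return put
    return None


def get_values(xml_text, key=PROPERTY):
    """Read the string values stored under `key` (empty list if absent)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    put = _find_put(_hashmap(root), key)
    if put is None:
        return []
    return [s.text for s in put.findall("./object/void[@method='add']/string")]


def set_default_nameid_format(xml_text, nameid_format, allow_unknown=False):
    """Return the response file with DefaultNameIdFormat set to exactly one
    value, replacing existing values instead of appending to them."""
    if not allow_unknown and nameid_format not in KNOWN_NAMEID_FORMATS:
        raise ValueError("unrecognised NameID format URN: %s" % nameid_format)
    root = ET.fromstring(xml_text.encode("utf-8"))
    hashmap = _hashmap(root)
    put = _find_put(hashmap, PROPERTY)
    if put is None:  # property absent: add a new put entry with an empty list
        put = ET.SubElement(hashmap, "void", method="put")
        ET.SubElement(put, "string").text = PROPERTY
        ET.SubElement(put, "object", {"class": "java.util.ArrayList"})
    values = put.find("./object[@class='java.util.ArrayList']")
    if values is None:
        raise ValueError("%s is not an ArrayList in this file" % PROPERTY)
    for old in list(values):  # drop previous values so only one remains
        values.remove(old)
    add = ET.SubElement(values, "void", method="add")
    ET.SubElement(add, "string").text = nameid_format
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: set_nameid_format.py <response-file> <nameid-format-urn>")
    path, urn = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = set_default_nameid_format(original, urn)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    print("%s: %s -> %s" % (path, get_values(original), get_values(updated)))
```

Run it against each response file after createResponseFile and before modify, then reloadItfimRuntime as above. The file is re-serialised by ElementTree, so indentation of a newly added entry and any XML comments in the generated file are not preserved; the structure the XMLDecoder reads is unchanged.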

3 Guy Johnson commented

Hi Shane, thanks for this example.

In your conclusion you mention "Larger deployments would require some auto-provisioning integration, however all the required building blocks are already in place." This may be my case.

I would like to be able to configure federations and partners in TFIM via a programmatic interface. The Java and WSAdmin approaches seem clunky and limited to processes which need to run on machines with WS installed. I'd like to be able to invoke such configurations from other processes on the LAN. It seems like it should be possible since WSAdmin is actually just converting its calls to SOAP. I'd like to just use SOAP directly to invoke things like manageItfimPartner. It seems all it would require is a simple SOAP layout for WSAdmin calls. Can you direct me to something like that? Thanks!

4 Shane Weeden commented

Guy - Presently the wsadmin commands represent the only supported programmatic interface for management of TFIM 6.2.x, or of course the console. Whilst I can make no commitments in this forum, I expect the strategy for programmatic federation management in the future will largely be driven by REST interfaces to our appliance platform such as can be seen in the IBM Security Access Manager for Mobile release from December 2013.
