WebSphere Integration Guide

Configuring service provider-initiated SSO

You can imitate a service provider (SP)-initiated single sign-on (SSO) experience by configuring your WebSphere Application Server (WAS) to redirect unauthenticated users to the PingFederate SSO page.

About this task

This part of the configuration is optional. If you only want identity provider-initiated SSO, skip these steps.

By default, when an unauthenticated user tries to access a protected resource, the WebSphere Application Server (WAS) captures the requested resource URL in a browser cookie, then directs the user to a default error page.

You can override this behavior to redirect the user to the PingFederate SSO page instead. After the user authenticates, the WebSphere Application Server redirects them to the original resource URL stored in the cookie.

This creates a sign on experience that is similar to SP-initated SSO. For a true SAML-based solution, see Enabling SAML SP-Initiated web single sign-on (SSO) in the WebSphere documentation.

Steps

  1. In your WebSphere trusted association interceptor (TAI) configuration, add filter properties to allow the WAS to identify requests that should be authenticated by PingFederate. Follow the guide in the SAML TAI filter property section of SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties in the WebSphere documentation.

  2. In your TAI configuration, change the sso_<id>.sp.login.error.page property to the SSO Application Endpoint URL that you noted in Creating a single sign-on connection.