---
title: Configuring single sign-on in WebSphere
description: Configure a SAML trust association interceptor (TAI) on your WebSphere Application Server (WAS).
component: websphere
page_id: websphere:setup:pf_websphere_integration_configuring_single_sign_on_in_websphere
canonical_url: https://docs.pingidentity.com/integrations/websphere/setup/pf_websphere_integration_configuring_single_sign_on_in_websphere.html
revdate: July 5, 2024
section_ids:
  steps: Steps
---

# Configuring single sign-on in WebSphere

Configure a SAML trust association interceptor (TAI) on your WebSphere Application Server (WAS).

## Steps

1. Complete the steps in [Enabling your system to use the SAML web single sign-on (SSO) feature](https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/twbs_enablesamlsso.html) in the WebSphere documentation. Add custom properties to your TAI based on the table below.

   **Trust association interceptor custom properties for PingFederate**

   | Property                            | Description                                                                                                                                                                                                 |
   | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `sso_<id>.sp.acsUrl`                | The assertion consumer service URL for the WebSphere SAML ACS servlet, such as `https://was_host:was_port/samlsps/applicationacs`.                                                                          |
   | `sso_<id>.sp.EntityID`              | Enter an entity ID of your choosing for your WAS. This is included in the SAML metadata file that you export in the next step.                                                                              |
   | `sso_<id>.idp_<id>.EntityID`        | The **SAML 2.0 Entity ID** that you entered in [Enabling single sign-on in PingFederate](pf_websphere_integration_enabling_single_sign_on_in_pf.html).                                                      |
   | `sso_<id>.idp_<id>.SingleSignOnUrl` | The PingFederate SSO URL, such as `https://pf_host:pf_port/idp/SSO.saml2`.                                                                                                                                  |
   | `sso_<id>.idp_<id>.certAlias`       | Enter a name of your choosing to identify the PingFederate signing certificate. You will use this when you import the certificate to WebSphere.                                                             |
   | `sso_<id>.sp.login.error.page`      | Your WAS authentication error page. This property is also used in the optional [Configuring service provider-initiated SSO](pf_websphere_integration_configuring_service_provider_initiated_sso.html) steps. |
   | `sso_<id>.sp.targetUrl`             | The URL of the target application. To test your configuration, you can enter `https://was_host:was_port/snoop`.                                                                                             |

   For detailed specifications for these properties, see [SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties](https://www.ibm.com/support/knowledgecenter/SS7K4U_9.0.5/com.ibm.websphere.zseries.doc/ae/rwbs_samltaiproperties.html) in the WebSphere documentation.

2. Complete the steps in [Exporting SAML web service provider metadata using the wsadmin command-line utility](https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/twbs_exportsamlspmetadata.html) in the WebSphere documentation. Save the metadata file to your PingFederate server. You will use it in [Creating a single sign-on connection](gnc1590516299053.html).

3. Complete the steps in [Importing SAML identity provider (IdP) partner metadata using the wsadmin command-line utility](https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/twbs_importsamlidpmetadata.html) in the WebSphere documentation. Select the metadata file that you saved in [Exporting SAML metadata from PingFederate](pf_websphere_integration_exporting_saml_metadata_from_pf.html). Use the alias that you chose for the `sso_<id>.idp_<id>.certAlias` property.

4. Complete the steps in [Configuring single sign-on (SSO) partners](https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/twbs_configuresamlssopartners.html) in the WebSphere documentation.
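
As an added example (not part of the Ping Identity or IBM documentation), the following Python script lints the TAI custom properties from the table in step 1 before you apply them: it reports missing properties, URLs that are not HTTPS, and an `sp.targetUrl` still set to the `/snoop` test target. The `name=value` input format, the hostnames and ports, and the HTTPS-only rule are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Property suffixes from the table in step 1.
SP_PROPS = ("sp.acsUrl", "sp.EntityID", "sp.login.error.page", "sp.targetUrl")
IDP_PROPS = ("EntityID", "SingleSignOnUrl", "certAlias")
HTTPS_ONLY = ("sp.acsUrl", "sp.targetUrl", "SingleSignOnUrl")  # assumed policy
KEY = re.compile(r"^sso_(\w+)\.(?:idp_(\w+)\.)?.+$")

def parse(text):
    """Parse name=value lines, skipping blanks and # comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def lint(props):
    """Return sorted findings for the TAI custom properties."""
    findings, sso_ids, idp_ids = [], set(), set()
    for m in filter(None, map(KEY.match, props)):
        sso_ids.add(m.group(1))
        if m.group(2):
            idp_ids.add((m.group(1), m.group(2)))
    for s in sso_ids - {sid for sid, _ in idp_ids}:
        findings.append(f"sso_{s}: no idp_<id> properties defined")
    expected = [f"sso_{s}.{p}" for s in sso_ids for p in SP_PROPS]
    expected += [f"sso_{s}.idp_{i}.{p}" for s, i in idp_ids for p in IDP_PROPS]
    for name in expected:
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: missing or empty")
        elif name.endswith(HTTPS_ONLY):
            url = urlsplit(value)
            if url.scheme != "https" or not url.hostname:
                findings.append(f"{name}: not an absolute https URL")
            elif name.endswith("sp.targetUrl") and url.path.rstrip("/") == "/snoop":
                findings.append(f"{name}: still points at the /snoop test target")
    return sorted(findings)

# Constructed sample properties (hostnames and ports are placeholders).
SAMPLE = """\
sso_1.sp.acsUrl=https://was.example.com:9443/samlsps/applicationacs
sso_1.sp.EntityID=https://was.example.com/sp
sso_1.sp.targetUrl=https://was.example.com:9443/snoop
sso_1.idp_1.EntityID=pf.example.com
sso_1.idp_1.SingleSignOnUrl=http://pf.example.com:9031/idp/SSO.saml2
"""

if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```

An empty result means every property from the table is present for each `sso_<id>` and `idp_<id>` pair and the URL checks passed.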
