Reputation: 13
I am struggling to enable samlWeb-2.0 on a WebSphere Liberty server. I need to implement the Service Provider part for authentication, using an existing Identity Provider provided by my employer.
The samlWeb-2.0 feature is installed and enabled, and I've followed IBM's instructions for configuring it, with key store and IdP metadata. I'm able to extract the SP metadata by accessing /ibm/saml20/defaultSP/samlmetadata, and it all looks like I think it should.
But, I can't get the server to actually filter any requests. IBM's documentation explicitly states that "When SAML is configured and enabled, all unauthenticated requests will use SAML authentication", but I can't see that it does. I've added an authentication filter to match all URLs, but that doesn't make any difference either.
I expected the authentication filter to block unauthenticated requests and/or redirect them to the IdP's login form, but nothing happens.
What am I missing in my configuration to activate the authentication filter?
This is my server.xml:
<server>
    <featureManager>
        <feature>localConnector-1.0</feature>
        <feature>jsp-2.2</feature>
        <feature>jpa-2.0</feature>
        <feature>samlWeb-2.0</feature>
    </featureManager>
    <keyStore
        fileBased="true"
        location="/home/misc/keystore.jks"
        password="password"
    />
    <samlWebSso20
        id="defaultSP"
        idpMetadata="/home/misc/idpMetadata.xml"
        spHostAndPort="https://myapp"
        authFilterRef="defaultAuthenticationFilter"
    />
    <authFilter id="defaultAuthenticationFilter">
        <requestUrl urlPattern="/**" id="default"></requestUrl>
    </authFilter>
    <webApplication contextRoot="/" id="myApp" location="myApp.war" name="myApp" />
</server>
Upvotes: 1
Views: 1094
Reputation: 636
Liberty security only intercepts request URLs that have authorization constraints defined in web.xml. Does your web application have a security/authorization constraint, and is the URL you accessed role-constrained?
Upvotes: 2
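The kind of constraint the answer refers to, as an added example that is not part of either post or of IBM's documentation: a web.xml that protects every URL of myApp.war with a role, and the matching role binding in server.xml. The role name "authenticated" and the resource name "protected" are hypothetical, and the servlet 3.0 descriptor version is an assumption based on the jsp-2.2 feature in the question.

```xml
<!-- Fragment 1: WEB-INF/web.xml inside myApp.war (constructed example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Declare the role the constraint below refers to (hypothetical name) -->
    <security-role>
        <role-name>authenticated</role-name>
    </security-role>

    <!-- Without a security-constraint, requests are treated as unprotected
         and are never handed to the authentication mechanism -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <!-- Servlet url-pattern syntax: /* covers the whole context root -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>authenticated</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

<!-- Fragment 2: server.xml, replacing the self-closing webApplication element.
     Maps the role to every authenticated user, so any subject that
     completes authentication is authorized for the protected URLs -->
<webApplication contextRoot="/" id="myApp" location="myApp.war" name="myApp">
    <application-bnd>
        <security-role name="authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>
```

If only part of the application should require login, narrow the url-pattern; URLs outside every security-constraint stay reachable without authentication.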