IBM Support

PI14280: In SAML Web SSO, user principal selection is different if you are using ID Assertion or not

Fixes are available

8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

APAR status

  • Closed as new function.

Error description

  • In SAML Web SSO in WebSphere Application Server V7.0 and
    V8.5.5, the selection of the user principal differs depending
    on whether you are using ID Assertion or localRealm.
    

Local fix

Problem summary

  • USERS AFFECTED: IBM WebSphere Application Server V7.0 and
    V8.5.5 users of SAML Web Single Sign On (SSO)

    PROBLEM DESCRIPTION: In SAML Web SSO, user principal selection
    is different if you are using ID Assertion or not

    RECOMMENDATION: Install a fix pack that contains this APAR.

    When configuring the SAML Web Single Sign On TAI (Trust
    Association Interceptor), if you are using ID Assertion, the
    SAML NameID or an attribute can be selected as the
    authenticated user principal.  If you are using localRealm
    (mapping the SAML assertion to the user registry), the user
    principal can be either the NameID or be resolved by a custom
    mapping.
    The user principal selection should not be restricted in this
    manner.
    This issue does not exist in WebSphere Application Server
    release V8.0.
    

Problem conclusion

  • The runtime is updated so that the user principal can be
    resolved with one of the following configuration options
    regardless of the use of ID Assertion:
    
    * NameID
    * Assertion Attribute
    * Custom mapping
    
    The SAML Web SSO TAI in WebSphere Application Server
    release V8.0 already behaves this way.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.35 and 8.5.5.3.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI14280

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-03-24

  • Closed date

    2014-06-23

  • Last modified date

    2015-09-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI14280

Modified date: 09 September 2015