IBM Support

PI32293: SAML WEB SSO TAI IS NOT WORKING WHEN IDP CERTIFICATE RENEWED

Fixes are available

PI34548;8.5.5: URL fragments may be removed when requests are processed by the SAML web SSO TAI
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
PI34088;8.5.5: Error in SAML Web SSO TAI with custom SP-initiated SSO
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14


APAR status

  • Closed as program error.

Error description

  • The SAML web SSO TAI is not working when an IdP certificate is
    renewed. After updating a certificate on WebSphere Application
    Server, a server restart is required to make the SAML TAI
    recognize the update.
    

Local fix

  • Restart the WebSphere Application Server.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of SAML web single sign-on   *
    *                  (SSO)                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: SAML web SSO does not recognize         *
    *                      updates to the trust store that         *
    *                      are made after the application server   *
    *                      has started.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    If, after the application server is started, an Identity
    Provider (IdP) certificate is updated in the trust store
    configured for the SAML web single sign-on service provider
    (SP), evaluation of trust will fail for the IdP using the new
    certificate.
    

Problem conclusion

  • The SAML web single sign-on (SSO) runtime loads a trust store
    only once, and that trust store instance is used across
    requests until the server is restarted.  If the trust store is
    updated after it is loaded, the updates to the trust store
    are not recognized by the SAML web SSO runtime until the
    application server restarts.
    
    The SAML web SSO runtime is updated to allow a trust store to
    be updated while the application server is running. A custom
    property is added that enables the runtime to reload the trust
    store after trust validation has failed.  This action can only
    be performed once per request.
    
    Set the following SAML web SSO TAI custom property to true to
    enable reloading of the trust store across all SPs:
    
    retryOnceAfterTrustFailure=true
    
    The property can be scoped to specific SPs using this custom
    property:
    
    sso_<id>.sp.retryOnceAfterTrustFailure=true
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.11, and 8.5.5.6.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO
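    As an added illustration (not IBM's code) of the behaviour this conclusion describes, the following Python model caches a trust store once at startup and, with the equivalent of retryOnceAfterTrustFailure, reloads it at most once per request after a trust failure; the certificates, fingerprints and on-disk store are constructed stand-ins.

```python
import hashlib
from typing import Callable, Set

# Constructed sample "certificates": stand-ins for the DER bytes an IdP
# publishes; only their SHA-256 fingerprint matters in this model.
OLD_IDP_CERT = b"constructed-idp-cert-2014"
NEW_IDP_CERT = b"constructed-idp-cert-2015"
UNKNOWN_CERT = b"constructed-cert-never-added-to-the-store"


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


class SamlTrustValidator:
    """Models the SP's trust evaluation. The store is read once and cached;
    with retry_once_after_trust_failure (the APAR's property) it is reloaded
    at most once per request after a failure, then evaluated exactly once more."""

    def __init__(self, loader: Callable[[], Set[str]], retry_once_after_trust_failure: bool):
        self._loader = loader
        self._cached = set(loader())   # loaded once at startup, as before the fix
        self.retry = retry_once_after_trust_failure
        self.reloads = 0               # counts how often the store was re-read

    def is_trusted(self, signing_cert: bytes) -> bool:
        fp = fingerprint(signing_cert)
        if fp in self._cached:
            return True
        if not self.retry:
            return False               # pre-fix behaviour: fails until a restart
        # One reload for this request; an unknown certificate still fails
        # here rather than triggering repeated reloads within the request.
        self._cached = set(self._loader())
        self.reloads += 1
        return fp in self._cached


def demo() -> dict:
    # Constructed on-disk trust store, local to this run so demo() is repeatable.
    disk_store = {fingerprint(OLD_IDP_CERT)}
    loader = lambda: set(disk_store)
    legacy = SamlTrustValidator(loader, retry_once_after_trust_failure=False)
    fixed = SamlTrustValidator(loader, retry_once_after_trust_failure=True)
    # The administrator renews the IdP certificate after both servers started.
    disk_store.clear()
    disk_store.add(fingerprint(NEW_IDP_CERT))
    return {
        "legacy_accepts_new_cert": legacy.is_trusted(NEW_IDP_CERT),    # False
        "fixed_accepts_new_cert": fixed.is_trusted(NEW_IDP_CERT),      # True
        "fixed_rejects_unknown_cert": fixed.is_trusted(UNKNOWN_CERT),  # False
        "fixed_reloads": fixed.reloads,                                # 2 (one per request)
    }
```

    The two reloads show the limit the conclusion states: each failing request re-reads the store once, so an untrusted certificate cannot force repeated reloads within a single request.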
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI32293

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-01-07

  • Closed date

    2015-02-12

  • Last modified date

    2015-09-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI32293

Modified date: 09 September 2015