IBM Support

PI34088: ERROR IN SAML WEB SSO TAI WITH CUSTOM SP-INITIATED SSO

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • With the SAML Web SSO TAI, when custom code is used to
    simulate SP-initiated SSO, the TAI will fail to validate the
    SAMLResponse with the following error:
    
    CWWSS8006E: InResponseTo must not be present for IdP-Initiated
    unsolicited responses.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  SAML web single sign-on (SSO)               *
    ****************************************************************
    * PROBLEM DESCRIPTION: An error occurs in the SAML Web SSO     *
    *                      TAI with custom SP-initiated SSO        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    The SAML web single sign-on (SSO) Trust Association
    Interceptor (TAI) supports identity provider (IdP)-initiated
    SSO only.  If a service provider (SP) attempts to
    do SP-initiated SSO by including a SAMLRequest in the request
    to the IdP, the SP cannot process the SAMLResponse and will
    emit the following error:
    CWWSS8006E: InResponseTo must not be present for IdP-Initiated
    unsolicited responses.
    

Problem conclusion

  • The SAML TAI is updated to provide an option to include a
    SAMLRequest in the request to the IdP by using a plug point,
    and process solicited SAMLResponses corresponding to the
    SAMLRequest. To use this feature, set the following custom
    property to your custom class that implements the
    com.ibm.wsspi.security.web.saml.AuthnRequestProvider SPI:
    
    sso_<id>.sp.login.error.page
    
    
    Following is the interface for
    com.ibm.wsspi.security.web.saml.AuthnRequestProvider:
    
    public interface AuthnRequestProvider extends
    IdentityProviderMapping {
      public static final String AUTHN_REQUEST="authnRequest";
      public static final String REQUEST_ID = "requestId";
      public static final String RELAY_STATE="relayState";
      public static final String SSO_URL="ssoUrl";
    
      /**
       * Maps a HttpServletRequest to a valid URL.
       * This is used to map the HttpServletRequest to a valid URL,
       * so that WebSphere can redirect user to the URL for
       * re-login or receiving error message
       *
       * @para    req the HttpServletRequest
       * @param   errorMsg the String
       * @param   acsUrl the String of AssertionConsumerService URL
       * @param   ssoUrl the ArrayList of Single-SignOn service URLs
       * @return  the URL String of the user which should be
       *          redirected to
       * @exception NotImplementedException if this implementation
       *            is not supported.
       **/
       public HashMap <String, String> getAuthnRequest(
                      HttpServletRequest req,
                      String errorMsg,
                      String acsUrl,
                      ArrayList<String> ssoUrls)
                      throws NotImplementedException;
    }
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.39, 8.0.0.11 and 8.5.5.7.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO, FIXEDBYPI47842
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI34088

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-02-03

  • Closed date

    2015-04-28

  • Last modified date

    2015-11-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI34088

Modified date: 18 November 2015