IBM Support

PI34548: URL FRAGMENTS MAY BE REMOVED WHEN REQUESTS ARE PROCESSED BY THE SAML WEB SSO TAI


APAR status

  • Closed as program error.

Error description

  • When a request containing GET parameters in the URL is
    processed by the SAML web single sign-on (SSO) trust
    association interceptor (TAI) and requires a redirect to an
    identity provider (IdP) login page, the parameters from the
    request will be lost by the time the browser successfully
    authenticates with WebSphere.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  SAML web single sign-on                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: GET parameters in a SAML Web            *
    *                      SSO request may be deleted by the       *
    *                      ACSTrustAssociationInterceptor.         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When a user requests a web page that has URL fragments, if the
    user is not authenticated and needs to be authenticated via
    the SAML web single sign-on TAI, the fragment may be lost
    after the user is authenticated.
    For example:
    A user requests https://example.com/home?lang=en-us#!/somePage
    The user is not authenticated, so the authentication process
    occurs.
    After authentication, instead of
    https://example.com/home?lang=en-us#!/somePage,
    https://example.com/home is displayed.
    

Problem conclusion

  • The SAML TAI preserves the requested URL before redirecting
    the user to the identity provider (IdP). However, the browser
    never sends the fragment to the server, so the fragment is not
    part of the request URL that the TAI saves. Because of this,
    the fragment is lost after the user is authenticated.

    The SAML TAI is updated to use JavaScript to restore the
    originally requested web page after the user is authenticated.

    The following SAML TAI custom properties are added:

    redirectToIdPonServerSide
    sso_<id>.sp.redirectToIdPonServerSide

    Valid values are true and false. The default value is true.
    redirectToIdPonServerSide applies to all service providers
    (SPs), and sso_<id>.sp.redirectToIdPonServerSide applies to a
    specific SP.

    When either of these properties is set to false for the active
    SP, the TAI performs a client-side redirect.

    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.7. Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    Keywords: IBMWL3WSS, SAMLWSSO
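An added example, not IBM's code, that models the behaviour described in the problem conclusion: the server only ever sees the request without its fragment, so a server-side redirect cannot preserve it, while a client-side redirect page can capture the fragment and re-apply it after authentication. The stash object, the function names and the IdP URL are assumptions for illustration, not the TAI's actual mechanism.

```javascript
// What the TAI can save: the HTTP request line never carries the fragment,
// so the saved URL is the browser URL with the "#..." part stripped.
function serverVisibleUrl(browserUrl) {
  const u = new URL(browserUrl);
  u.hash = "";
  return u.href;
}

// Server-side redirect (the default path): the TAI saves the fragment-less
// URL and sends a 302 to the IdP. Nothing ever captured the fragment.
function serverSideRedirect(browserUrl, idpLoginUrl) {
  return { redirectTo: idpLoginUrl, savedUrl: serverVisibleUrl(browserUrl) };
}

// Client-side redirect: a small page runs in the browser, where the fragment
// is visible. It stashes the fragment keyed by the fragment-less URL (the
// stash is an assumed stand-in for e.g. browser session storage), then
// navigates to the IdP.
function clientSideRedirect(browserUrl, idpLoginUrl, stash) {
  const u = new URL(browserUrl);
  if (u.hash) stash[serverVisibleUrl(browserUrl)] = u.hash;
  return { redirectTo: idpLoginUrl, savedUrl: serverVisibleUrl(browserUrl) };
}

// After the IdP response is validated, the TAI sends the user to the URL it
// saved; a script on that page re-applies the stashed fragment (one-shot),
// or leaves the URL untouched when nothing was stashed.
function restoreOriginalTarget(savedUrl, stash) {
  const hash = stash[savedUrl];
  if (!hash) return savedUrl;
  delete stash[savedUrl];
  const u = new URL(savedUrl);
  u.hash = hash;
  return u.href;
}
```

Walk the page's own example through both paths: with `serverSideRedirect` the user ends on `https://example.com/home?lang=en-us` at best, while `clientSideRedirect` followed by `restoreOriginalTarget` returns `https://example.com/home?lang=en-us#!/somePage`.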
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI34548

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-02-09

  • Closed date

    2015-04-14

  • Last modified date

    2015-10-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server General

Software version: 8.0

Reference #: PI34548

Modified date: 27 October 2015