IBM Support

PI47842: WHEN DOING IDP-INITIATED SSO, IF A RELAYSTATE ISN'T IN THE SAMLRESPONSE, THE AUTHENTICATION WILL FAIL.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When a SAMLResponse is received from an IdP in a traditional
    IdP-initiated SSO scenario, the SAMLResponse will fail to
    validate due to the absence of a RelayState parameter
    

Local fix

  • Configure IdP to set a RelayState parameter
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of SAML Web Single Sign-On   *
    ****************************************************************
    * PROBLEM DESCRIPTION: IdP-initiated SAML SSO fails when no    *
    *                      RelayState in SAMLResponse              *
    ****************************************************************
    * RECOMMENDATION:  Install a interim fix or fix pack that      *
    *                  contains this APAR.                         *
    ****************************************************************
    In the SAML Web Single Sign-On (SSO) Trust Association
    Interceptor (TAI), if a SAMLResponse that does not contain a
    RelayState parameter is received from an identity provider
    (IdP), the authentication will fail.
    This error only occurs in WebSphere Application Server v8.0,
    fixpack 8.0.0.11 and v8.5, fixpack 8.5.5.7.  This error does
    not occur in WebSphere Application Server v7.
    

Problem conclusion

  • The SAML Web SSO TAI is updated so that an error does not
    occur when a SAMLResponse that does not contain a RelayState
    is received from an IdP.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.12 and 8.5.5.8.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO, FIXESPI34088
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI47842

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-08-28

  • Closed date

    2015-09-04

  • Last modified date

    2015-09-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI47842

Modified date: 16 September 2015