IBM Support

PI48360: MORE DIAGNOSTICS REQUIRED WHEN RELAYSTATE IS INVALID IN SAMLRESPONSE


APAR status

  • Closed as program error.

Error description

  • It is not valid for the RelayState in a SAMLResponse to equal the
    acsUrl.  When that happens, the browser shows
    "INTERNAL ERROR Please contact your support."
    There are no diagnostics in SystemOut.log or SystemErr.log to
    indicate what is causing the error.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and SAML Web SSO                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: If the SAML Web SSO resolved target     *
    *                      URL is the acsUrl, an INTERNAL          *
    *                      ERROR will occur without additional     *
    *                      diagnostic information                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When a request is sent directly to the URL for the SAML Web
    Single Sign-on (SSO) Assertion Consumer Service (ACS),
    WebSphereSamlSP.ear, the following message is displayed in the
    browser:
    INTERNAL ERROR Please contact your support.
    The URL of the ACS is set on the sso_<id>.sp.acsUrl custom
    property on the SAML TAI and is defined to be
    https://<hostname>:<sslport>/samlsps/<any URI pattern string>.
    For instance: https://myhost:9443/samlsps/go
    When a web request is made to a resource protected by the SAML
    Web SSO TAI, the target URL of the business application can
    come from various places:
    * The original request URL
    * The relayState parameter in the SAMLResponse from the
    Identity Provider (IdP)
    * The default target URL configured for the TAI
    (targetUrl or sso_<id>.sp.targetUrl custom property)
    When, using these values, the target URL for a specific
    request is resolved to be the ACS URL, the user will be
    directed to the ACS and they will get the INTERNAL ERROR
    message in the browser.  There will be no indication in any
    log file that this is an error condition.
    

Problem conclusion

  • The SAML Web SSO TAI is updated to detect when the target URL
    is resolved to be the ACS URL.  When the target URL is
    resolved to the ACS URL, instead of seeing INTERNAL
    ERROR in the browser, the user will be redirected to the
    configured error page and the following error will be emitted
    in the SystemOut.log and FFDC:
    
    CWSML7033E: The Security Assertion Markup Language (SAML) Web
    single sign-on TAI is unable to perform a redirect.
    
    Additionally, the cause for the error will be set to this error:
    
    CWSML7030E: The redirect target URL, [{0}], matches the value
    for the assertion consumer service (ACS) URL configured for
    this service provider.  You cannot redirect to the ACS URL.
    The ACS URL is configured on the [{1}] TAI custom property.
    
    One of these messages will be appended to CWSML7030E:
    
    CWSML7032I: The redirect target URL was retrieved from the
    [{0}] or [{1}] TAI custom property.  The [{3}] custom property
    is set to [{4}].
    
    CWSML7031I: The redirect target URL was retrieved from the
    [{0}] parameter in the response.
    
    CWSML7034I: The redirect target URL was retrieved from the
    WasSamlSpReqUrl cookie on the request.
    
    For instance:
    
    CWSML7033E: The Security Assertion Markup Language (SAML) Web
    single sign-on TAI is unable to perform a redirect.
    ...
    Caused by:
    CWSML7030E: The redirect target URL,
    [https://myhost:9443/samlsps/go], matches the value
    for the assertion consumer service (ACS) URL configured for
    this service provider.  You cannot redirect to the ACS URL.
    The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI
    custom property. CWSML7032I: The redirect target URL was
    retrieved from the [targetUrl] or [sso_<id>.sp.targetUrl] TAI
    custom property.  The [sso_<id>.sp.useRelayStateForTarget]
    custom property is set to [false].
    
    -or-
    
    CWSML7030E: The redirect target URL,
    [https://myhost:9443/samlsps/go], matches the value
    for the assertion consumer service (ACS) URL configured for
    this service provider.  You cannot redirect to the ACS URL.
    The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI
    custom property. CWSML7031I: The redirect target URL was
    retrieved from the [relayState] parameter in the response.
    
    -or-
    
    CWSML7030E: The redirect target URL,
    [https://myhost:9443/samlsps/go], matches the value
    for the assertion consumer service (ACS) URL configured for
    this service provider.  You cannot redirect to the ACS URL.
    The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI
    custom property. CWSML7034I: The redirect target URL was
    retrieved from the WasSamlSpReqUrl cookie on the request.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.13, and 8.5.5.10.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS SAMLWSSO
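    The check described above, written out as an added example in
    Python (not IBM's code and not the TAI implementation): the
    message IDs and texts are those listed in this APAR, while the
    precedence among the three target sources, the helper names
    (SpConfig, resolve_target, check_redirect) and the URL
    normalisation are assumptions made for the example.

```python
# Added example (not IBM's code): a model of the ACS-URL check that APAR PI48360
# adds. Message IDs/texts are from the APAR; source precedence, helper names and
# the URL normalisation are assumptions.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CWSML7033E = ("CWSML7033E: The Security Assertion Markup Language (SAML) Web "
              "single sign-on TAI is unable to perform a redirect.")
CWSML7030E = ("CWSML7030E: The redirect target URL, [{0}], matches the value for "
              "the assertion consumer service (ACS) URL configured for this service "
              "provider.  You cannot redirect to the ACS URL.  The ACS URL is "
              "configured on the [sso_<id>.sp.acsUrl] TAI custom property.")
CWSML7031I = ("CWSML7031I: The redirect target URL was retrieved from the "
              "[relayState] parameter in the response.")
CWSML7032I = ("CWSML7032I: The redirect target URL was retrieved from the [targetUrl] "
              "or [sso_<id>.sp.targetUrl] TAI custom property.  The "
              "[sso_<id>.sp.useRelayStateForTarget] custom property is set to [{0}].")
CWSML7034I = ("CWSML7034I: The redirect target URL was retrieved from the "
              "WasSamlSpReqUrl cookie on the request.")

@dataclass
class SpConfig:
    acs_url: str                      # sso_<id>.sp.acsUrl
    target_url: Optional[str] = None  # targetUrl / sso_<id>.sp.targetUrl
    use_relay_state: bool = True      # sso_<id>.sp.useRelayStateForTarget

def same_url(a: str, b: str) -> bool:
    # Normalise scheme/host case and a trailing slash so that a variant such as
    # https://MYHOST:9443/samlsps/go/ still counts as the ACS (assumed policy;
    # a plain string compare would let it through).
    key = lambda u: (u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/"))
    return key(urlsplit(a)) == key(urlsplit(b))

def resolve_target(cfg, relay_state=None, req_url_cookie=None):
    # Pick the target and the CWSML703xI message naming its source. The order
    # (relayState if enabled, cookie, then default target) is an assumption.
    if cfg.use_relay_state and relay_state:
        return relay_state, CWSML7031I
    if req_url_cookie:
        return req_url_cookie, CWSML7034I
    return cfg.target_url, CWSML7032I.format(str(cfg.use_relay_state).lower())

def check_redirect(cfg, relay_state=None, req_url_cookie=None):
    # Returns (target, None) when the redirect may proceed, or (None, log_text)
    # with CWSML7033E and its CWSML7030E cause when the target is the ACS URL.
    target, source_msg = resolve_target(cfg, relay_state, req_url_cookie)
    if target is not None and same_url(target, cfg.acs_url):
        return None, CWSML7033E + "\nCaused by:\n" + CWSML7030E.format(target) + " " + source_msg
    return target, None
```

    A defender reviewing SystemOut.log can key on CWSML7033E and the
    trailing CWSML703xI line to see which source (IdP relayState,
    cookie, or TAI property) supplied the bad target.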
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI48360

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-09-09

  • Closed date

    2016-04-26

  • Last modified date

    2016-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI48360

Modified date: 26 April 2016