IBM Support

PI48578: CWWSS8014E error in SAML Web SSO can be misleading

APAR status

  • Closed as program error.

Error description

  • You can get the CWWSS8014E error message in SAML Web SSO when
    the DN of the signer certificate that signed the SAML
    assertion does not match sso_<id>.idp_<id>.allowedIssuerDN.
    
    CWWSS8014E: The Issuer name in the SAML Assertion is not
    trusted.
    
    This message implies that the Issuer element in the SAML
    Assertion is incorrect, not that the signer certificate is
    incorrect.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  administrators of SAML Web Single Sign-On   *
    ****************************************************************
    * PROBLEM DESCRIPTION: CWWSS8014E error message in SAML Web    *
    *                      SSO can be misleading                   *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The SAML Web Single Sign-On CWWSS8014E error shown below can be
    misleading:
    CWWSS8014E: The Issuer name in the SAML Assertion is not
    trusted.
    You can get this error for the following reasons:
    1) The Issuer element in the SAML Assertion does not match the
    value configured for the sso_<id>.idp_<id>.allowedIssuerName
    TAI custom property.
    2) The DN of the signer certificate does not match the value
    configured for the sso_<id>.idp_<id>.allowedIssuerDN TAI custom
    property.
    3) A value is configured for the
    sso_<id>.idp_<id>.allowedIssuerDN TAI custom property but, at
    the time the Issuer validation is being performed, the signer
    certificate for the SAML Assertion is not available.
    

Problem conclusion

  • The SAML Web Single Sign-On TAI is updated to emit more
    detailed messages.
    
    An insert is added to CWWSS8014E to show the Issuer name from
    the SAML Assertion that failed validation:
    
    CWWSS8014E: The Issuer name in the SAML Assertion is not
    trusted. [{0}]
    
    
    When the signer certificate of the SAML Assertion does not
    match allowedIssuerDN, the following message will be emitted:
    
    CWWSS8042E: The Subject DN of the signer certificate in the
    SAML Assertion is not trusted: [{0}]
    
    
    When there is a value configured for allowedIssuerDN and the
    signer certificate of the SAML Assertion is not available at
    the time the Issuer validation is performed, one of the
    following messages will be emitted:
    
    1) If the sso_<id>.sp.wantAssertionSigned TAI custom property
    is set to true, the following message will be emitted:
    
    CWWSS8042E: The Subject DN of the signer certificate in the
    SAML Assertion is not trusted: []
    
    Also, if com.ibm.ws.security.web.* trace is enabled, the
    following entry will be in the trace:
    
    Unable to evaluate trusted Issuer Subject DN because the
    signer certificate is not available.
    
    
    2) If the sso_<id>.sp.wantAssertionSigned TAI custom property
    is not set to true, the following message will be emitted:
    
    CWWSS8043E: The allowed issuer validation failed for the
    certificate Subject DN.  The signer certificate is not
    available.  Ensure that the [wantAssertionsSigned] custom
    property is set to true.
    
    Also, if com.ibm.ws.security.web.* trace is enabled, the
    following entry will be in the trace:
    
    Unable to evaluate trusted Issuer Subject DN because the
    [wantAssertionsSigned] property is set to false.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.41, 8.0.0.12, and 8.5.5.8.  Please refer to
    the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, SAMLWSSO
    
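    The following is an added example, not IBM's code: a small Python model of the Issuer-validation decisions the problem conclusion describes, so that each of the three failure causes maps to the distinct message the fix emits. The check order (Issuer name, then signer DN), the TaiConfig holder and the simplified DN normalisation are assumptions; the sample values in the test are constructed.

```python
"""Added example (not IBM's code): models the SAML Web SSO TAI issuer
validation described in APAR PI48578 so each failure is distinguishable."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TaiConfig:
    # Hypothetical holder for the TAI custom properties named on the page.
    allowed_issuer_name: Optional[str] = None  # sso_<id>.idp_<id>.allowedIssuerName
    allowed_issuer_dn: Optional[str] = None    # sso_<id>.idp_<id>.allowedIssuerDN
    want_assertion_signed: bool = False        # sso_<id>.sp.wantAssertionSigned


def normalize_dn(dn: str) -> str:
    # Simplified DN comparison (assumption): trim whitespace around RDN
    # separators and lower-case attribute types; values stay case-sensitive.
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def validate_issuer(cfg: TaiConfig, assertion_issuer: str,
                    signer_dn: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, message); messages mirror the APAR's fixed wording."""
    # Cause 1: Issuer element does not match allowedIssuerName.
    if cfg.allowed_issuer_name is not None and assertion_issuer != cfg.allowed_issuer_name:
        return False, ("CWWSS8014E: The Issuer name in the SAML Assertion is not "
                       f"trusted. [{assertion_issuer}]")
    if cfg.allowed_issuer_dn is not None:
        # Cause 3: allowedIssuerDN configured but no signer certificate available.
        if signer_dn is None:
            if cfg.want_assertion_signed:
                return False, ("CWWSS8042E: The Subject DN of the signer certificate "
                               "in the SAML Assertion is not trusted: []")
            return False, ("CWWSS8043E: The allowed issuer validation failed for the "
                           "certificate Subject DN. The signer certificate is not "
                           "available. Ensure that the [wantAssertionsSigned] custom "
                           "property is set to true.")
        # Cause 2: signer certificate Subject DN does not match allowedIssuerDN.
        if normalize_dn(signer_dn) != normalize_dn(cfg.allowed_issuer_dn):
            return False, ("CWWSS8042E: The Subject DN of the signer certificate in "
                           f"the SAML Assertion is not trusted: [{signer_dn}]")
    return True, "Issuer name and signer certificate Subject DN accepted"
```

When triaging a CWWSS8014E on a level without this fix, the model shows why the DN or missing-certificate causes need to be ruled out rather than assuming the Issuer element is wrong.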

Temporary fix

Comments

APAR Information

  • APAR number

    PI48578

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-09-12

  • Closed date

    2015-09-14

  • Last modified date

    2015-09-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI48578

Modified date: 14 September 2015