IBM Support

PM25324: SELF ISSUED SAMLV2.0 BEARER TOKEN SPECIFIES INCORRECT ISSUER ELEMENT

APAR status

  • Closed as program error.

Error description

  • When self-issuing a SAML token, the IssuerURI set in the
    SAMLIssuerConfig.properties file is ignored in favor of the
    issuer specified in the general bindings. For self-issue, the
    SAMLIssuerConfig.properties file should be the sole source of
    the issuer information.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
    *                  of WS-Security enabled JAX-WS applications  *
    *                  and SAML                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: The IssuerURI specified in the          *
    *                      SAMLIssuerConfig.properties file is     *
    *                      not being honored.                      *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this APAR  *
    ****************************************************************
    When a user attempts to self-issue SAML tokens using an
    IssuerURI specified in the SAMLIssuerConfig.properties file,
    that value is ignored in favor of the IssuerURI specified in the
    general bindings.  For self-issue, the
    SAMLIssuerConfig.properties file should be the sole
    source of the issuer information.
    
    An example of this behavior can be seen here:
    
    The client configuration is defined in the
    SAMLIssuerConfig.properties file:
    
    IssuerURI=Intra1
    
    The gen_saml20token -> Callback handler is set to:
    
    confirmationMethod = Bearer
    keyType =
    http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
    stsURI = www.websphere.ibm.com/SAML/Issuer/Self
    
    The token built contains:
    
    <saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_2A8DB26382685C21B51287433994810"
    IssueInstant="2010-10-18T20:33:12.671Z">
    <saml2:Issuer>www.websphere.ibm.com/SAML/Issuer/Self</saml2:Issuer>
    
    When it should have contained:
    
    <saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_2A8DB26382685C21B51287433994810"
    IssueInstant="2010-10-18T20:33:12.671Z">
    <saml2:Issuer>Intra1</saml2:Issuer>
    
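    The relying party that consumes a self-issued token normally
    matches <saml2:Issuer> against its configured trusted issuer, so
    a token carrying the bindings' stsURI instead of the configured
    IssuerURI fails at the consumer for a reason that is not obvious
    from the issuing side. The following added example (not IBM code)
    is a small check for exactly this condition: it reads the
    IssuerURI from a SAMLIssuerConfig.properties file and compares it
    with the <saml2:Issuer> of a generated assertion. The properties
    text and both assertions are constructed from the values shown
    above; the TimeToLiveMilliseconds key is an illustrative
    assumption about the file's format, not a copy of IBM's template.

```python
"""Check that a self-issued SAML 2.0 assertion carries the IssuerURI
from SAMLIssuerConfig.properties (added example, not IBM code)."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of the client-side SAMLIssuerConfig.properties.
# Only the IssuerURI line comes from the APAR text; the second key is
# an assumed placeholder to exercise the parser.
ISSUER_CONFIG = """\
# SAMLIssuerConfig.properties (constructed sample)
IssuerURI=Intra1
TimeToLiveMilliseconds=3600000
"""

# Assertion as produced before the fix: <saml2:Issuer> carries the
# stsURI from the general bindings instead of the configured IssuerURI.
ASSERTION_BROKEN = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_2A8DB26382685C21B51287433994810"
    IssueInstant="2010-10-18T20:33:12.671Z">
  <saml2:Issuer>www.websphere.ibm.com/SAML/Issuer/Self</saml2:Issuer>
</saml2:Assertion>
"""

# Assertion as produced after the fix.
ASSERTION_FIXED = ASSERTION_BROKEN.replace(
    "www.websphere.ibm.com/SAML/Issuer/Self", "Intra1")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value,
    '#' and '!' comment lines, surrounding whitespace stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of '=' or ':' appears first.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def assertion_issuer(xml_text):
    """Return the text of <saml2:Issuer>, or None if the element is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise ValueError(f"not a SAML 2.0 Assertion: {root.tag}")
    issuer = root.find(f"{{{SAML2_NS}}}Issuer")
    return None if issuer is None else (issuer.text or "").strip()


def check_self_issued(properties_text, assertion_xml):
    """Return (ok, expected_issuer, actual_issuer).

    ok is True only when the properties file defines IssuerURI and the
    assertion's <saml2:Issuer> equals it exactly."""
    expected = parse_properties(properties_text).get("IssuerURI")
    actual = assertion_issuer(assertion_xml)
    return (expected is not None and expected == actual, expected, actual)


if __name__ == "__main__":
    for label, xml in (("before fix", ASSERTION_BROKEN),
                       ("after fix", ASSERTION_FIXED)):
        ok, expected, actual = check_self_issued(ISSUER_CONFIG, xml)
        status = "OK" if ok else "MISMATCH"
        print(f"{label}: Issuer={actual!r} expected={expected!r} -> {status}")
```

    Run against a token captured from the gen_saml20token generator,
    the check flags the pre-fix behaviour as MISMATCH and the post-fix
    token as OK; the comparison is an exact string match, since the
    consumer side performs no normalisation of the Issuer value.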

Problem conclusion

  • The code responsible for self-issuing the SAML Token was
    overriding the IssuerURI property with the one set on general
    bindings. The fix removes the override and leaves the
    IssuerURI value obtained from the SAMLIssuerConfig.properties
    file unchanged.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.17.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM25324

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-10-27

  • Closed date

    2010-12-17

  • Last modified date

    2011-06-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM25324

Modified date: 09 June 2011