IBM Support

PM84132: NAMEIDPROVIDER NOT PICKED UP WHEN GENERATING SAML TOKENS

Fixes are available

8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.5.5.1: WebSphere Application Server V8.5.5 Fix Pack 1
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When generating Security Assertion Markup Language (SAML)
    tokens, the NameIDProvider in SAMLIssuerConfig.properties is
    not picked up when adding the NameID / NameIdentifier
    attribute. The NameIdentifier created is always the default
    format, i.e. <Realm Name>/<User Name>
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS web services     *
    *                  and SAML                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: WS-Security SAML NameIDProvider and     *
    *                      AttributeProvider modifiers do not      *
    *                      work.                                   *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When the NameIDProvider or AttributeProvider properties are
    set in the SAMLIssuerConfig.properties file, the classes
    specified on the properties are never invoked.
    Also, if the setNameIDProvider(String) or
    setAttributeProvider(String) methods are used on the
    com.ibm.wsspi.wssecurity.saml.config.ProviderConfig class to
    set the NameID or Attribute modifiers, a
    java.lang.NoClassDefFoundError will occur when the WS-Security
    runtime attempts to load the classes.
    

Problem conclusion

  • The NameIDProvider and AttributeProvider properties are not
    being read from the SAMLIssuerConfig.properties file. Because
    of this, the classes are never loaded or invoked.
    
    When the classes are set with the setNameIDProvider or
    setAttributeProvider methods, the runtime will attempt to load
    the classes.  However, since the callbacks required by the
    handlers are in a package that is not externalized, a
    java.lang.NoClassDefFoundError will occur for the callback
    class when the modifier class is loaded.
    
    The WS-Security runtime is updated to read the NameIDProvider
    and AttributeProvider properties from the
    SAMLIssuerConfig.properties file.  The callbacks that are to
    be used by the modifier classes are moved to an externalized
    package.
    
    The modifier class files specified on these properties must
    implement javax.security.auth.callback.CallbackHandler.
    
    The callback used for NameIDProvider is
    com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback.
    The callback used for AttributeProvider is
    com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCall
    back or
    com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCall
    back
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.31, 8.0.0.7, and 8.5.5.1.
    Please refer to the Recommended Updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM84132

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-05

  • Closed date

    2013-04-30

  • Last modified date

    2013-04-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM84132

Modified date: 30 April 2013