IBM Support

PM99786: POOR DIAGNOSTICS WHEN SAML TOKEN VALIDATION FAILS

Fixes are available

8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When a SAML token is expired, the validation of the token will
    fail.  The information required to determine the cause of the
    failure is not provided in the returned error:
    
    com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E:
    Invalid SAML assertion.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  WS-Security enabled JAX-WS applications     *
    *                  and SAML or SAML Web Single Sign On         *
    ****************************************************************
    * PROBLEM DESCRIPTION: When a SAML token fails validation      *
    *                      for schema or time-based issues, the    *
    *                      information needed to fix the error     *
    *                      is not returned.                        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When validation of a SAML token fails because of schema or
    time-based issues, there is not enough information in the
    returned exception to determine the cause of the error.  Trace
    also shows to be inadequate in many cases.  Most of the errors
    return:
    com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E:
    Invalid SAML assertion.
    

Problem conclusion

  • The SAML code is updated to return more user-friendly errors
    for schema and time-based errors.  27 new messages were added
    to accomodate the new error handling. The CWSML6010E will
    remain the same, but messages like the following examples will
    be appended to it:
    
    CWSML7001E: The NotOnOrAfter condition is out of range. The
    NotOnOrAfter setting in the assertion is [{0}]. The current
    time is [{1}]. The current clock skew setting is {2} minutes.
    
    CWSML7013E: The [AttributeStatement] element does not contain
    either [Subject] or [Attribute] sub-elements.  This condition
    is not allowed.
    
    CWSML7016E: The SAML 1.1 assertion being processed contains no
    [ConfirmationMethod] elements.  At least one
    [ConfirmationMethod] element must be present in the SAML
    assertion to be processed successfully.
    
    If using the
    com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.newSA
    MLToken API, the new errors will appear on
    e.getCause().getMessage() .
    
    ==============
    Additionally, new validations are put in place to ensure that
    the SAML assertion is validated properly.  Most of the
    updates are included because the original assertion
    validation is incorrect.  One update in the SAML 1.1
    processing is included because of WebSphere WS-Security
    requirements for proper operation.
    
    SAML 2.0 Updates:
    =================
    
    If a SAML 2.0 assertion is missing the Version attribute, the
    following error will occur:
     //CWSML7003E: The Version attribute on the Assertion element
    is missing or empty.
    
    If a SAML 2.0 assertion has incorrect value for the Version
    attribute, an error will occur.  An example
    of an error when an incorrect Version value is encountered is:
     //CWSML7019E: The value for the Version attribute is not
    supported. The Version attribute value in the assertion is
    [1.1].  The value for the Version attribute in a SAML 2.0
    assertion must be [2.0].
    
    For a SAML 2.0 assertion, the NotBefore and NotOnOrAfter
    attributes on the SubjectConfirmationData element are now
    being validated.  Examples of the errors when the
    SubjectConfirmationData is out of range are:
     //CWSML7020E: The [NotBefore] condition on the
    [SubjectConfirmationData] element is out of range. The
    NotBefore setting in the SubjectConfirmationData is
    [2014-04-09T23:40:23.617Z]. The current time is
    [2014-04-09T23:30:23.617Z]. The current clock skew setting is 3
    minutes
     //CWSML7021E: The [NotOnOrAfter] condition on the
    [SubjectConfirmationData] element is out of range. The
    NotOnOrAfter setting in the SubjectConfirmationData is
    [2014-04-09T23:44:23.617Z]. The current time is
    [2014-04-09T23:47:25.458Z]. The current clock skew setting is
    3 minutes
    
    For a SAML 2.0 assertion, the Method attribute on the
    SubjectConfirmation element is now being validated instead of
    just making sure it exists.  An example of an error when an
    incorrect value is encountered is:
     //CWSML7008E: The value [invalid:value] for the [Method]
    attribute on the [SubjectConfirmation] element in the SAML
    assertion is not valid.  The valid values are
    [urn:oasis:names:tc:SAML:2.0:cm:bearer,
    urn:oasis:names:tc:SAML:2.0:cm:sender-vouches,
    urn:oasis:names:tc:SAML:2.0:cm:holder-of-key].
    
    SAML 1.1 Updates:
    =================
    
    In order for the WebSphere SAML token validator to operate
    properly with a SAML 1.1 assertion, a confirmation method is
    required.  The confirmation method comes from the
    ConfirmationMethod sub-selement of the SubjectConfirmation
    element.  According to the SAML 1.1 schema, the
    SubjectConfirmation element is not required.  So, although the
    schema does not require a SubjectConfirmation element be
    present in a SAML 1.1 assertion, the runtime will require a
    ConfirmationMethod element, which in turn requires the
    SubjectConfirmation element.
    
    If a SAML 1.1 assertion does not contain at least one
    ComfirmationMethod, the following error will occur:
     //CWSML7016E: The SAML 1.1 assertion being processed contains
    no [ConfirmationMethod] elements.  At least one
    [ConfirmationMethod] element must be present in the SAML
    assertion to be processed successfully.
    
    If a SAML 1.1 assertion does not contain an
    AuthenticationInstant attribute on the
    AuthenticationStatement, the following error will occur:
     //CWSML7006E: The [AuthenticationInstant] attribute on the
    [AuthenticationStatement] element is missing or empty.  This
    condition is not allowed.
    
    For a SAML 1.1 assertion, the ConfirmationMethod element is
    now being validated.  An example of an error when an incorrect
    value is encountered is:
     //CWSML7009E: The value [invalid:value] for the
    [ConfirmationMethod] sub-element of [SubjectConfirmation] in
    the SAML assertion is not valid.  The valid values are
    [urn:oasis:names:tc:SAML:1.0:cm:bearer,
    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches,
    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key].
    
    For a SAML 1.1 assertion, the NameID and Subject elements in
    the AuthenticationStatement are now being validated if they
    exist.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.33, 8.0.0.9, and 8.5.5.2.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM99786

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-10-23

  • Closed date

    2014-01-15

  • Last modified date

    2014-04-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM99786

Modified date: 25 April 2014