Fixes are available
Tivoli Federated Identity Manager 6.2.0 Fixpack 8 (6.2.0-TIV-TFIM-FP0008)
Tivoli Fed Id Mgr Business Gateway v6.2.0, Fix Pack 8, 6.2.0-TIV-TFIMBG-FP0008
Tivoli Federated Identity Manager 6.2.0 Fixpack 9 (6.2.0-TIV-TFIM-FP0009)
Tivoli Fed Id Mgr Business Gateway v6.2.0, Fix Pack 9, 6.2.0-TIV-TFIMBG-FP0009
Tivoli Federated Identity Manager 6.2.0 Fixpack 13 (6.2.0-TIV-TFIM-FP0013)
Tivoli Fed Id Mgr Business Gateway v6.2.0, Fix Pack 13, 6.2.0-TIV-TFIMBG-FP0013
APAR status
Closed as program error.
Error description
First issue: When issuing an assertion, if the SAML 2.0 assertion is generated with a bearer subject confirmation method and no Claims element is supplied in the RST, then the Recipient attribute of the SubjectConfirmationData is never set. Second issue: When validating an assertion, if the bearer subject confirmation method is present and the recipient does not match the assertion consumer service URL in claims, then validation fails. The spec says this need only match for SSO profiles, not for other generic SAML assertion validation use cases (like Web Services).
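As an added illustration of the second issue (this is not TFIM code), a profile-aware validator that requires the bearer Recipient to match the assertion consumer service URL only for SSO use cases, run over a constructed minimal SAML 2.0 assertion; the ACS URL and issuer are made-up values:

```python
# Added example (not TFIM code): profile-aware check of the SAML 2.0 bearer
# SubjectConfirmationData Recipient attribute. The assertion is constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def bearer_recipients(assertion_xml):
    """Return the Recipient of every bearer SubjectConfirmation (None when the
    attribute is absent, which is the first issue the APAR describes)."""
    root = ET.fromstring(assertion_xml)
    out = []
    for sc in root.findall(".//saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        out.append(scd.get("Recipient") if scd is not None else None)
    return out

def validate_bearer_recipient(assertion_xml, acs_url, sso_profile):
    """Return (ok, reason). Recipient must be present and equal to the ACS URL
    only for SSO profiles; generic (e.g. Web Services) validation ignores it."""
    recipients = bearer_recipients(assertion_xml)
    if not recipients:
        return True, "no bearer confirmation; Recipient rule does not apply"
    if not sso_profile:
        return True, "non-SSO use case; Recipient need not match the ACS URL"
    for r in recipients:
        if r is None:
            return False, "SSO profile requires Recipient on bearer confirmation"
        if r != acs_url:
            return False, "Recipient %r does not match ACS URL %r" % (r, acs_url)
    return True, "Recipient matches the assertion consumer service URL"

def make_assertion(recipient=None):
    """Build a constructed minimal SAML 2.0 assertion with bearer confirmation."""
    scd = '<saml:SubjectConfirmationData NotOnOrAfter="2010-09-29T12:00:00Z"'
    if recipient is not None:
        scd += ' Recipient="%s"' % recipient
    scd += "/>"
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="_a1" Version="2.0" IssueInstant="2010-09-29T11:55:00Z">'
            "<saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject>"
            "<saml:NameID>alice</saml:NameID>"
            '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
            "</saml:Subject></saml:Assertion>" % (BEARER, scd))
```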
Local fix
Problem summary
First issue: When issuing an assertion, if the SAML 2.0 assertion is generated with a bearer subject confirmation method and no Claims element is supplied in the RST, then the Recipient attribute of the SubjectConfirmationData is never set. Second issue: When validating an assertion, if the bearer subject confirmation method is present and the recipient does not match the assertion consumer service URL in claims, then validation fails. The spec says this need only match for SSO profiles, not for other generic SAML assertion validation use cases (like Web Services).
Problem conclusion
The fix for this APAR is contained in the following maintenance packages:
fix pack: 6.2.0-TIV-TFIM-FP0008
Temporary fix
Comments
APAR Information
APAR number
IZ85970
Reported component name
TIV FED ID MGR
Reported component ID
5724L7300
Reported release
620
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-09-29
Closed date
2011-01-30
Last modified date
2011-01-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV FED ID MGR
Fixed component ID
5724L7300
Applicable component levels
R620 PSY
UP
Document Information
Modified date:
06 October 2021