IBM Support

IZ85970: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT


APAR status

  • Closed as program error.

Error description

  • First issue: When issuing an assertion, if the SAML 2.0 assertion is
    generated with a bearer subject confirmation method and no Claims
    element is supplied in the RST, then the Recipient attribute of the
    SubjectConfirmationData is never set.

    Second issue: When validating an assertion, if the bearer subject
    confirmation method is present and the Recipient does not match the
    assertion consumer service URL in the claims, then validation fails.
    The spec says this need only match for SSO profiles, not for other
    generic SAML assertion validation use cases (such as Web Services).
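As an added illustration (not IBM's or TFIM's own code), the following Python applies the two rules above to a constructed bearer assertion: the issuing side always writes Recipient, and the validator compares Recipient with the assertion consumer service URL only when validating under an SSO profile. The IdP/SP URLs, timestamps and function names are assumptions.

```python
# Added example (not TFIM code): the APAR's two rules on a constructed assertion.
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion; the IdP and ACS URLs are hypothetical.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2010-09-29T12:00:00Z">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2010-09-29T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""

def _utc(ts):
    # SAML timestamps are UTC; accept the trailing "Z" form as well.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_bearer_confirmation(recipient, not_on_or_after):
    """Issuing side: Recipient is always written. When the RST carries no
    Claims element the caller passes the partner's configured ACS URL."""
    conf = ET.Element(f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  Recipient=recipient, NotOnOrAfter=not_on_or_after)
    return conf

def validate_bearer_confirmation(assertion_xml, acs_url, now, sso_profile):
    """Return (ok, reason). Recipient must equal acs_url only when
    sso_profile is True; generic (e.g. Web Services) validation accepts a
    mismatched or absent Recipient, which is the second issue's fix."""
    root = ET.fromstring(assertion_xml)
    confs = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    bearer = [c for c in confs if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation"
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer confirmation lacks SubjectConfirmationData"
        expiry = data.get("NotOnOrAfter")
        if expiry and _utc(now) >= _utc(expiry):
            return False, "SubjectConfirmationData is past NotOnOrAfter"
        if sso_profile and (expiry is None or data.get("Recipient") != acs_url):
            return False, "SSO profile requires NotOnOrAfter and Recipient == ACS URL"
    return True, "ok"
```

Run against the same assertion, a mismatched ACS URL is rejected with sso_profile=True and accepted with sso_profile=False, while an assertion past NotOnOrAfter is rejected in both modes.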

Local fix

Problem summary

  • First issue: When issuing an assertion, if the SAML 2.0 assertion is
    generated with a bearer subject confirmation method and no Claims
    element is supplied in the RST, then the Recipient attribute of the
    SubjectConfirmationData is never set.

    Second issue: When validating an assertion, if the bearer subject
    confirmation method is present and the Recipient does not match the
    assertion consumer service URL in the claims, then validation fails.
    The spec says this need only match for SSO profiles, not for other
    generic SAML assertion validation use cases (such as Web Services).

Problem conclusion

  • The fix for this APAR is contained in the following maintenance
    packages:

    fix pack: 6.2.0-TIV-TFIM-FP0008

Temporary fix

Comments

APAR Information

  • APAR number

    IZ85970

  • Reported component name

    TIV FED ID MGR

  • Reported component ID

    5724L7300

  • Reported release

    620

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-09-29

  • Closed date

    2011-01-30

  • Last modified date

    2011-01-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ91415

Fix information

  • Fixed component name

    TIV FED ID MGR

  • Fixed component ID

    5724L7300

Applicable component levels

  • R620 PSY UP


Document Information

Modified date:
06 October 2021