PI61915: MORE DIAGNOSTICS REQUIRED WHEN THE SAML WEB SSO REDIRECT URL IS NULL

Fixes are available

APAR status

Closed as program error.

Error description

In SAML Web SSO, when the redirect target is null,
"INTERNAL ERROR: Please contact your support." is displayed
in the browser.  There is no information in the FFDC or
SystemOut.log for problem diagnosis.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  SAML Web SSO                                *
****************************************************************
* PROBLEM DESCRIPTION: Additional diagnostics are required     *
*                      when the SAML Web SSO redirect URL is   *
*                      null                                    *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
In SAML Web SSO, when the redirect target is null, the runtime
sets the redirect target to NO_TARGET.  This results in
"INTERNAL ERROR: Please contact your support." being displayed
in the browser.
.
There should be some indication in the SystemOut.log that this
condition has happened so that the administrator can attempt
to address the issue.

Problem conclusion

The SAML Web SSO TAI is updated to redirect to the configured
error page when the redirect target is null.
.
When the redirect target is null, the following error message
will appear in the SystemOut.log file:
.
CWSML7035E: The SAML Web Single Sign-on (SSO) Trust
Association Interceptor (TAI) is unable to determine a
redirect target URL. The redirect URL can come from the
sso_<id>.sp.targetUrl SAML TAI custom property, the RelayState
parameter in the SAMLResponse or the WasSamlSpReqUrl cookie.
If you do not intend to have a value for the
sso_<id>.sp.targetUrl SAML TAI custom property or have your
IdP send a RelayState parameter in the SAMLResponse, then
check earlier in the log to see if you have a CWSML7036W
warning that indicates that the request URL host name is not
the same as the ACS URL host name. If you see that warning,
then that condition must be corrected to fix this error. The
value for the relayState parameter on the SAMLResponse is [{0}].
.
EXPLANATION: The SAML Web SSO TAI cannot find a redirect URL
for the current request.  The redirect URL can come from three
places: 1) the sso_<id>.sp.targetUrl SAML TAI custom property,
2) the RelayState parameter in the SAMLResponse and 3) the
WasSamlSpReqUrl cookie. At least one of these three things
must be present in order for the SAML TAI to be able to
determine the redirect URL. In this case, none of these three
things are present, therefore, the SAML TAI can not determine
the redirect URL. Note that the SAML TAI may have set a
WasSamlSpReqUrl cookie earlier in the process, but the browser
did not make the cookie available to the SAML TAI. Also, the
RelayState parameter must be a URL that uses the http or https
protocol.
.
USER ACTION: Ensure at least one of the following is true: 1)
the sso_<id>.sp.targetUrl SAML TAI custom property is
configured for the current SP, 2) the IdP sets the RelayState
parameter on the SAMLResponse with a valid URL that uses the
http or https protocol or 3) the WasSamlSpReqUrl cookie is
made available to the SAML TAI. In order for the
WasSamlSpReqUrl to be available to the SAML TAI, the original
request URL must have the same host name as the ACS URL that
is configured on the sso_<id>.sp.acsUrl TAI custom property.
.
.
The SAML TAI is also updated to check for duplicate acsUrl
entries at load time.  If any are found, the following warning
will be emitted:
.
CWSML7038W: The SAML Web Single Single Sign-on (SSO) Trust
Association Interceptor (TAI) has two assertion consumer
service URL custom properties configured that have the same
URL path: [{0}] and [{1}].  This condition can cause
unexpected behavior at run time.  To prevent further issues,
all text after <hostname>:<port> must be unique for each
[sso_<id>.sp.acsUrl] custom property value.
.
EXPLANATION: The value for each SAML [sso_<id>.sp.acsUrl]
custom property must have a unique URL path.  A URL path does
not include the protocol and <hostname>:<port> parts of a URL
string.  For example, although the URL strings for
https://somewhere.ibm.com/samlsps/hello/app and
https://elsewhere.ibm.com/samlsps/hello/app are different, the
URL paths are the same.  If two acsUrl entries have the same
URL path, when a SAMLResponse is sent to one of the URLs that
has a duplicate path, the service provider that is chosen to
handle the request will be indeterminate.
.
USER ACTION: Ensure that the URL configured for each of the
[so_<id>.sp.acsUrl] custom properties have unique URL paths,
meaning that they have unique text after the <hostname>:<port>
part of the URL string.


The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.45, 8.0.0.14, 8.5.5.13 and 9.0.0.5.  Please
refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI61915
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-05-05
Closed date
2017-08-16
Last modified date
2017-08-16

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 May 2022

Tips

PI61915: MORE DIAGNOSTICS REQUIRED WHEN THE SAML WEB SSO REDIRECT URL IS NULL

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

R850 PSY

R900 PSY

Document Information

Share your feedback

Need support?