SAML Web SSO known issues and limitations

Known issues and limitations exist when you use Security Assertion Markup Language (SAML) Web single sign-on (SSO) in a WebSphere® Application Server Network Deployment cell that includes IBM® Modernized Runtime Extension for Java™ (MoRE).

SAML Web SSO

The following known issues and limitations relate to security.
  • If the samlWeb-2.0 feature is configured as a class name for a trust association interceptor, when WebSphere Application Server starts, you see the following error message in the SystemOut.log and SystemErr.log files. Disregard this message.
    • SECJ0125E: Trust Association Init Unable to load Trust Association class samlWeb-2.0.
  • Although SAML SSO on WebSphere Application Server does not require session affinity, SAML SSO on a managed Liberty server does require session affinity.
  • You can migrate an existing WebSphere Application Server SAML ACSTrustAssociationInterceptor TAI configuration to the managed Liberty servers in a cell.
    • Some SAML TAI properties do not migrate.
    • Some properties and property values can cause the migration to fail. In these instances, the managed Liberty server might do one or more of the following actions:
      • Intercept requests unexpectedly
      • Allow improper authentication of a user
      • Impact the user experience significantly
    • You cannot use SP-Initiated SAML SSO on managed Liberty servers when you use a migrated configuration.
    • Because WebSphere Application Server and managed Liberty servers share a configuration, including the host and port, you must have a web server that routes requests to the correct server.
  • For WebSphere Application Server SAML ACSTrustAssociation TAI configurations that are migrated to the managed Liberty servers, ensure that the filter that intercepts the URLs on WebSphere Application Server does not also intercept URLs on the managed Liberty servers. Migrated configurations use bookmark-style SAML IdP-initiated SSO. After the user logs in to the IdP, the IdP redirects the user back to the server with the SAMLResponse to a pre-configured URL. If the filter for a configuration entry can intercept URLs for both server types, the SAMLResponse might be redirected to the wrong server type.
  • The following properties are not migrated from WebSphere Application Server to managed Liberty servers.
    • enforceTaiCookie
    • preventReplayAttackScope
    • redirectToIdPonServerSide
    • replayAttackTimeWindow
    • retryOnceAfterTrustFailure
    • useJavaScript
    • sso_(id).sp.acsUrl
    • sso_(id).sp.charEncoding
    • sso_(id).sp.cookiegroup
    • sso_(id).sp.CRLPATH
    • sso_(id).sp.defaultRealm
    • sso_(id).sp.disableDecodeURL
    • sso_(id).sp.enforceTaiCookie
    • sso_(id).sp.groupMap
    • sso_(id).sp.interceptAdminApp
    • sso_(id).sp.keyName
    • sso_(id).sp.preserveRequestState
    • sso_(id).sp.preventReplayAttack
    • sso_(id).sp.preventReplayAttackScope
    • sso_(id).sp.redirectToIdPonServerSide
    • sso_(id).sp.retryOnceAfterTrustFailure
    • sso_(id).sp.trustedAnySigner
    • sso_(id).sp.trustedAlias
    • sso_(id).sp.useJavaScript
    • sso_(id).sp.userMapImpl
    • sso_(id).sp.X509PATH
  • The following table lists the properties that cause migration from a WebSphere Application Server SAML ACSTrustAssociationInterceptor TAI configuration to managed Liberty servers in the cell to fail. If you encounter any of these failure conditions, a different configuration method is required. If your migration fails, a message is written to the SystemOut.log file on the node agent and the node agent trace.log file.
    • To see the migration information in the trace.log file, set the following trace specification for your node agents:
      • com.ibm.ws.report.*=all

    In the following table, if a global property matches a qualified property, only the qualified property is shown in the table.

    Table 1. Properties that cause migration to fail
    Each entry gives the property, the failure condition, comments, and the action to take.

    • sso_(id).sp.charEncoding
      Failure condition: Set to any value except UTF-8.
      Comments: Liberty cannot override the character set on the request to the IdP.
      Action: Remove the sso_(id).sp.charEncoding property.
    • sso_(id).sp.cookiegroup
      Failure condition: Set to any value.
      Comments: This property specifies a tag to be added to an LTPA cookie for the configured SAML SSO partner. When a web request is received with an LTPA cookie, the LTPA cookie is valid only if the tag matches this value. Liberty does not support this function.
      Action: Remove the sso_(id).sp.cookiegroup property.
    • sso_(id).sp.CRLPATH
      Failure condition: Set to any value.
      Comments: This property specifies the certificate store that is used for the certificate revocation lists (CRLs) used in validating the SAML signature. Liberty does not support this function.
      Action: Remove the sso_(id).sp.CRLPATH property.
    • sso_(id).sp.enforceTaiCookie
      Failure condition: Set to true (the default).
      Comments: When this property is set to true, the server ensures that the LTPA cookie was created with the configuration entry that matches the filter for the request. Therefore, users who logged in with IdP1 for appA are not automatically granted access to appB, which uses IdP2. Liberty does not support this function.
      Action: Set the sso_(id).sp.enforceTaiCookie property to false.
    • sso_(id).sp.filter
      Failure condition: The filter property is not specified, or its value contains the logical OR (||) or regular expression (~=) operator.
      Comments: A filter property must be specified. The Liberty server does not support logical OR or regular expressions in the authFilter.
      Action: 1) Make sure that you specify a filter property. 2) Set the sso_(id).sp.filter property to a value that intercepts your requests but does not include the logical OR or regular expression operators.
    • sso_(id).sp.groupMap
      Failure condition: Set to localRealm or addGroupsFromLocalRealm.
      Comments: When this property is set to addGroupsFromLocalRealm, the TAI maps the groups from the SAML assertion to matching groups and parent groups in the WebSphere registry. In addition to the groups that are found in the WebSphere registry, the user's Subject contains the groups from the SAML assertion. Liberty does not support this function.
      Action: Remove the sso_(id).sp.groupMap property.
    • sso_(id).sp.idMap
      Failure condition: Set to localRealmThenAssertion.
      Comments: When this property is set to localRealmThenAssertion, ID assertion is used if the user who is logging in is not found in the local registry.
      Action: Set the sso_(id).sp.idMap property to idAssertion or localRealm.
    • sso_(id).sp.login.error.page
      Failure condition: Set to a class name.
      Comments: When this property is set to a class name, it relies on custom classes to do IdP mapping or to implement SP-Initiated SSO. The Liberty server does not support IdP mapping, and SP-Initiated SSO by means of a custom class name is not supported.
      Action: If you want to migrate this configuration, set this property to the URL for initial request redirection. If you do not require SP-Initiated login, remove the sso_(id).sp.login.error.page property.
    • sso_(id).sp.preserveRequestState
      Failure condition: Set to false.
      Comments: When this property is set to false, the inbound URL cookie is not written to the browser, and the target application is identified by either the targetUrl or the RelayState property in the SAMLResponse. The Liberty server cannot turn off the creation of the URL cookie.
      Action: Remove the sso_(id).sp.preserveRequestState property or set it to true.
    • sso_(id).sp.preventReplayAttack
      Failure condition: Set to false.
      Comments: When this property is set to false, the SAML TAI does not prevent two identical SAML assertions from being sent in client requests. The option to disable replay attack checking is not available in Liberty.
      Action: Remove the sso_(id).sp.preventReplayAttack property or set it to true.
    • sso_(id).sp.redirectToIdPonServerSide
      Failure condition: Set to true. This property is overridden by sso_(id).sp.useJavaScript; its value is ignored if sso_(id).sp.useJavaScript is configured.
      Comments: When this property is set to true, the TAI does not use JavaScript upon redirection to the IdP. The Liberty server cannot turn off JavaScript.
      Action: Set the sso_(id).sp.redirectToIdPonServerSide property to false.
    • sso_(id).sp.trustAnySigner
      Failure condition: Set to true.
      Comments: This property indicates that SAML SSO does not check the truststore for the SAML assertion signing certificate. Liberty does not support this function.
      Action: Make sure that this property is set to false and that the IdP's signer certificate is in your truststore.
    • sso_(id).sp.trustedAlias
      Failure condition: Set to any value.
      Comments: This property specifies the certificate that is used to validate the signature in the SAML assertion. This certificate overrides any certificate that might be present in the SAML assertion. Liberty does not support this function.
      Action: If you want to migrate this configuration, do the following actions:
        1. Do not specify this property.
        2. Make sure that the IdP includes a KeyInfo element in the SAML assertion that contains the certificate to use to validate the signature.
    • sso_(id).sp.useJavaScript
      Failure condition: Set to false (the default).
      Comments: When this property is set to false, the TAI does not use JavaScript upon redirection to the IdP. The Liberty server cannot turn off JavaScript.
      Action: Set the sso_(id).sp.useJavaScript property to true.
    • sso_(id).sp.userMapImpl
      Failure condition: Set to any value.
      Comments: This property specifies the name of a custom class for mapping users. It is used to map a user ID in the SAML assertion to another user ID that exists in the local user registry. Liberty does not support this function.
      Action: Do not include the sso_(id).sp.userMapImpl property.
    • sso_(id).sp.X509PATH
      Failure condition: Set to any value.
      Comments: This property specifies the certificate store that is used for the intermediary certificates that are used in validating the SAML signature. Liberty does not support this function.
      Action: Do not include the sso_(id).sp.X509PATH property, and make sure that all of your X.509 paths can be fully resolved in the truststore.
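As an added example (not IBM's code or tooling), the following Python script applies the list of properties that are not migrated and the Table 1 failure conditions above to a SAML TAI property set supplied as key=value text, so that a configuration can be checked before the node agent attempts the migration. It assumes that an unqualified property such as useJavaScript acts as a fallback for every sso_(id) partner that does not set it, and that a login.error.page value that is not an http(s) URL is a class name; the sample property set is constructed.

```python
"""Pre-migration lint for a WebSphere SAML ACSTrustAssociationInterceptor TAI
property set.  Added example, not IBM tooling: it applies this page's
not-migrated list and Table 1 to key=value text.  Assumption: an unqualified
property (e.g. useJavaScript) is the fallback for partners that do not set it."""
import re

# Names the page lists as not migrated (qualified ones without the sso_(id). prefix).
NOT_MIGRATED = {
    "enforceTaiCookie", "preventReplayAttackScope", "redirectToIdPonServerSide",
    "replayAttackTimeWindow", "retryOnceAfterTrustFailure", "useJavaScript", "sp.acsUrl",
    "sp.charEncoding", "sp.cookiegroup", "sp.CRLPATH", "sp.defaultRealm", "sp.disableDecodeURL",
    "sp.enforceTaiCookie", "sp.groupMap", "sp.interceptAdminApp", "sp.keyName",
    "sp.preserveRequestState", "sp.preventReplayAttack", "sp.preventReplayAttackScope",
    "sp.redirectToIdPonServerSide", "sp.retryOnceAfterTrustFailure", "sp.trustedAnySigner",
    "sp.trustedAlias", "sp.useJavaScript", "sp.userMapImpl", "sp.X509PATH",
}

def _true(v): return (v or "").strip().lower() == "true"
def _set(v): return v is not None

# One entry per Table 1 row: (suffix, value assumed when the property is absent,
#  predicate meaning "migration fails", failure condition, action).
RULES = [
    ("sp.charEncoding", None, lambda v: _set(v) and v.upper() != "UTF-8", "not UTF-8", "remove the property"),
    ("sp.cookiegroup", None, _set, "set", "remove the property"),
    ("sp.CRLPATH", None, _set, "set", "remove the property"),
    ("sp.enforceTaiCookie", "true", _true, "true (default)", "set to false"),
    ("sp.filter", None, lambda v: not _set(v) or "||" in v or "~=" in v,
     "missing, or uses || or ~=", "specify a filter that uses neither || nor ~="),
    ("sp.groupMap", None, lambda v: v in ("localRealm", "addGroupsFromLocalRealm"),
     "localRealm or addGroupsFromLocalRealm", "remove the property"),
    ("sp.idMap", None, lambda v: v == "localRealmThenAssertion", "localRealmThenAssertion",
     "set to idAssertion or localRealm"),
    # Assumption: a value that is not an http(s) URL is a custom class name.
    ("sp.login.error.page", None, lambda v: _set(v) and not re.match(r"https?://", v, re.I),
     "class name", "set to the initial-request redirection URL, or remove"),
    ("sp.preserveRequestState", None, lambda v: _set(v) and not _true(v), "false", "remove or set to true"),
    ("sp.preventReplayAttack", None, lambda v: _set(v) and not _true(v), "false", "remove or set to true"),
    ("sp.trustAnySigner", None, _true, "true", "set to false; put the IdP signer certificate in the truststore"),
    ("sp.trustedAlias", None, _set, "set", "remove; the IdP must send KeyInfo in the assertion"),
    ("sp.useJavaScript", "false", lambda v: not _true(v), "false (default)", "set to true"),
    ("sp.userMapImpl", None, _set, "set", "remove the property"),
    ("sp.X509PATH", None, _set, "set", "remove; make every X.509 path resolvable from the truststore"),
]

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _effective(props, pid, suffix, default):
    """Qualified value, else the unqualified (global) one, else the default."""
    if f"sso_{pid}.{suffix}" in props:
        return props[f"sso_{pid}.{suffix}"]
    return props.get(suffix[3:] if suffix.startswith("sp.") else suffix, default)

def check_migration(props):
    """Return (property, failure condition, action) for every Table 1 hit."""
    findings = []
    for pid in sorted({k[4:k.index(".")] for k in props if k.startswith("sso_") and "." in k}):
        for suffix, default, fails, condition, action in RULES:
            if fails(_effective(props, pid, suffix, default)):
                findings.append((f"sso_{pid}.{suffix}", condition, action))
        # Table 1: redirectToIdPonServerSide is ignored once useJavaScript is configured.
        if (not _set(_effective(props, pid, "sp.useJavaScript", None))
                and _true(_effective(props, pid, "sp.redirectToIdPonServerSide", None))):
            findings.append((f"sso_{pid}.sp.redirectToIdPonServerSide", "true", "set to false"))
    return findings

def not_migrated(props):
    """Configured properties that the page says the migration drops."""
    out = []
    for key in props:
        m = re.match(r"sso_[^.]+\.(.+)$", key)
        if (m.group(1) if m else key) in NOT_MIGRATED:
            out.append(key)
    return sorted(out)

# Constructed sample: partner 1 uses logical OR in its filter, partner 2 leaves
# enforceTaiCookie at its default (true) and sets trustedAlias.
SAMPLE = """
sso_1.sp.acsUrl=https://sp.example.test/samlsps/acs
sso_1.sp.filter=request-url%=appA||request-url%=appB
sso_1.sp.idMap=localRealmThenAssertion
sso_1.sp.enforceTaiCookie=false
sso_1.sp.useJavaScript=true
sso_2.sp.filter=request-url%=appC
sso_2.sp.login.error.page=https://idp.example.test/sso/login
sso_2.sp.trustedAlias=idpsigner
sso_2.sp.useJavaScript=true
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for prop, condition, action in check_migration(props):
        print(f"FAIL {prop} is {condition}: {action}")
    for prop in not_migrated(props):
        print(f"WARN {prop} is not migrated")
```

Run against the sample, the script reports four FAIL lines (the filter and idMap entries for partner 1, and the defaulted enforceTaiCookie plus trustedAlias for partner 2) and a WARN line for each configured property that the migration silently drops. Because a defaulted property can fail the migration (enforceTaiCookie defaults to true, useJavaScript to false), the check is driven by the effective value rather than by which keys happen to be present.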