IBM Support

PH04344: INVALIDATE SAML TOKEN WHEN USER LOGS OUT FROM WEBSPHERE APPLICATION.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • When SAML web SSO is configured, after user logs out from
    WebSphere application, SAML token is still valid. If user
    accessing protected resouces, no login required.
    

Local fix

  • No local fix.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  SAML Web Single Sign-On (SSO)               *
    ****************************************************************
    * PROBLEM DESCRIPTION: The SAML Web SSO TAI cannot log out     *
    *                      from a SAML IdP                         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    Although the SAML Single Logout Profile is not supported by
    the SAML Web Single Sign-On Trust Association Interceptor
    (TAI) in WebSphere Application Server, application developers
    may need the ability to log out from their SAML Identity
    Provider (IdP) from applications running on WebSphere.
    

Problem conclusion

  • The SAML Signle Sign-On TAI is updated to provide the ability
    to log out from SAML IdPs.
    
    The following SAML TAI custom properties are added:
    
    logoutUrl
    sso_<id>.sp.logoutUrl
    
    If a value is not specified for sso_<id>.sp.logoutUrl, the
    value for logoutUrl will be used.
    
    The logout request will be redirected to the URL that is
    specified on the logoutUrl property.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.16 and 9.0.0.11.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH04344

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-23

  • Closed date

    2018-12-18

  • Last modified date

    2018-12-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 November 2021