IBM Support

PH32421: SAML ASSERTIONS ARE NOT CREATED WITH AUDIENCERESTRICTION

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as new function.

Error description

  • WebSphere is unable to self-issue a SAML token that contains
    an Audience element, either with the SAMLTokenGenerator
    callback handler in the JAX-WS Policy and Bindings or with the
    SAMLTokenFactory API.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and SAML                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere is unable to self-issue a     *
    *                      SAML token that contains an Audience    *
    *                      element.                                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that includes this       *
    *                  APAR.                                       *
    ****************************************************************
    WebSphere is unable to self-issue a SAML token that contains an
    Audience element.
    Neither the SAMLGenerateCallbackHandler callback handler in the
    JAX-WS Policy and Bindings nor with the SAMLTokenFactory API
    can
    produce an Audience element.
    

Problem conclusion

  • WebSphere is updated so that it can self-issue SAML tokens
    that contain an Audience element.
    
    In SAML 2.0 tokens, the Audience element is contained within
    an AudienceRestriction element.
    In SAML 1.1 tokens, the Audience element is contained within
    an AudienceRestrictionConditions element.
    
    Although the two SAML schemas allow for multiple Audience
    elements, WebSphere will only allow you to self-issue a SAML
    token that contains one Audience element.
    
    You can add the value for your Audience element in the
    following places:
    
    * The Audience property in the SAMLIssuerConfig.properties
    file.
    * The com.ibm.wsspi.wssecurity.saml.config.issuer.Audience
    property in the SAML token generator's callback handler,
    SAMLGenerateCallbackHandler.
    * The
    com.ibm.wsspi.wssecurity.saml.config.ProviderConfig.setAudie
    nce( audience) method, to be used in this
    SAMLTokenFactory.newSAMLToken method:
    
    com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.n
    ewSAMLToken(CredentialConfig cred, RequesterConfig request,
    ProviderConfig providerConfig)
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.7. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH32421

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-12-07

  • Closed date

    2020-12-22

  • Last modified date

    2021-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
03 June 2021