APAR status
Closed as program error.
Error description
The SAML Assertion SubjectConfirmationData element is not unmarshalled if it is not the first child of a SubjectConfirmation element. When another element appears before the SubjectConfirmationData element in the SubjectConfirmation element of a SAML Assertion, you might see the following in a SAML trace:
[8/18/23 11:04:26:394 EDT] 000000dc SubjectConfir < getSubjectConfirmationData() Exit
[8/18/23 11:04:26:394 EDT] 000000dc HTTPPOSTReque 3 SubjectConfirmationData is required
[8/18/23 11:04:26:394 EDT] 000000dc ACSTrustAssoc > sendAuditEvent UNSUCCESSFUL Entry
[8/18/23 11:04:26:394 EDT] 000000dc ACSTrustAssoc > getURI Entry
[8/18/23 11:04:26:394 EDT] 000000dc ACSTrustAssoc 3 URI requested: /acs
[8/18/23 11:04:26:394 EDT] 000000dc ACSTrustAssoc < getURI returns [/acs] Exit
[8/18/23 11:04:26:394 EDT] 000000dc ACSTrustAssoc < sendAuditEvent UNSUCCESSFUL Exit
[8/18/23 11:04:26:396 EDT] 000000dc ACSTrustAssoc 3 SAMLResponse could not be verified. [com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS8024E: The SAML Assertion MUST contain a Recipient in the <SubjectConfirmationData> element.]
Local fix
Make sure that the SubjectConfirmationData element is the first child of the SubjectConfirmation element in the SAML Assertion.
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
*                  and SAML SSO                                *
****************************************************************
* PROBLEM DESCRIPTION: SAML is not unmarshalling               *
*                      SubjectConfirmationData when it is not  *
*                      the first child of                      *
*                      SubjectConfirmation.                    *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
The SAML SSO runtime is required to obtain a Recipient from the inbound SAML Assertion. The Recipient is an attribute of the SubjectConfirmationData element, and the SubjectConfirmationData element is a child of the SubjectConfirmation element. The SAML SSO runtime does not unmarshal the SubjectConfirmationData element if it is not the first child of the SubjectConfirmation element, so the Recipient is not retrieved and the SAMLResponse is rejected with CWWSS8024E. The Recipient check is what binds a bearer assertion to the ACS endpoint it was issued for, so the correct remedy is to locate the element wherever it appears in SubjectConfirmation, not to relax the check.
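The lookup defect described above, as an added example that is not WebSphere code: a small Python checker that locates SubjectConfirmationData by qualified name rather than by position and then enforces Recipient and NotOnOrAfter. The constructed assertion (NameID placed before SubjectConfirmationData inside SubjectConfirmation, which the SAML 2.0 schema permits), the IdP/SP hostnames, and the helper names scd_first_child_only and scd_by_name are assumptions made for the illustration.

```python
"""Added example, not WebSphere's implementation: position-based versus
name-based lookup of SubjectConfirmationData, followed by the Recipient
and NotOnOrAfter checks that depend on finding it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SC_PATH = f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation"
SCD_TAG = f"{{{SAML}}}SubjectConfirmationData"

# Assumed values for the illustration (the ACS URI /acs matches the trace).
ACS_URL = "https://sp.example.com/acs"
NOW = datetime(2023, 8, 18, 15, 4, 26, tzinfo=timezone.utc)
LATER = datetime(2023, 8, 18, 15, 10, 0, tzinfo=timezone.utc)


def sample_assertion(nameid_first: bool) -> str:
    """Constructed sample assertion (not from the page). With nameid_first=True a
    NameID precedes SubjectConfirmationData inside SubjectConfirmation, which the
    SAML 2.0 schema allows (BaseID/NameID/EncryptedID may come first)."""
    nameid = "<saml:NameID>alice@example.com</saml:NameID>"
    scd = (f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" '
           'NotOnOrAfter="2023-08-18T15:09:26Z" InResponseTo="_req1"/>')
    children = (nameid + scd) if nameid_first else scd
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
            'IssueInstant="2023-08-18T15:04:00Z">'
            "<saml:Issuer>https://idp.example.com</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice@example.com</saml:NameID>"
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f"{children}</saml:SubjectConfirmation></saml:Subject></saml:Assertion>")


def scd_first_child_only(sc: ET.Element):
    """Models the defect in the APAR: only the first child element is examined."""
    first = next(iter(sc), None)
    return first if first is not None and first.tag == SCD_TAG else None


def scd_by_name(sc: ET.Element):
    """Corrected lookup: match the qualified name at any position."""
    return sc.find(SCD_TAG)


def verify_bearer(assertion_xml: str, acs_url: str, now: datetime, lookup=scd_by_name) -> str:
    """Locate SubjectConfirmationData via `lookup`, then require a Recipient that
    names this ACS and a NotOnOrAfter still in the future. Returns the Recipient
    on success and raises ValueError otherwise."""
    root = ET.fromstring(assertion_xml)
    sc = root.find(SC_PATH)
    if sc is None:
        raise ValueError("SubjectConfirmation is required")
    scd = lookup(sc)
    if scd is None:
        raise ValueError("SubjectConfirmationData is required")
    recipient = scd.get("Recipient")
    if not recipient:
        raise ValueError("The SAML Assertion MUST contain a Recipient in the "
                         "<SubjectConfirmationData> element")
    if recipient != acs_url:
        # A bearer assertion issued for another ACS must not be accepted here.
        raise ValueError(f"Recipient {recipient} is not this ACS ({acs_url})")
    not_on_or_after = scd.get("NotOnOrAfter")
    if not_on_or_after:
        expiry = datetime.fromisoformat(not_on_or_after.replace("Z", "+00:00"))
        if now >= expiry:
            raise ValueError("SubjectConfirmationData has expired")
    return recipient


def verify_outcome(assertion_xml: str, acs_url: str, now: datetime, lookup=scd_by_name) -> str:
    """Wrapper that reports 'ok:<recipient>' or 'error:<message>' for comparison."""
    try:
        return "ok:" + verify_bearer(assertion_xml, acs_url, now, lookup)
    except ValueError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    for label, xml in (("SCD first   ", sample_assertion(False)),
                       ("NameID first", sample_assertion(True))):
        print(label, "| first-child lookup:", verify_outcome(xml, ACS_URL, NOW, scd_first_child_only))
        print(label, "| by-name lookup:    ", verify_outcome(xml, ACS_URL, NOW, scd_by_name))
```

With the position-based lookup the NameID-first assertion fails exactly as the trace shows ("SubjectConfirmationData is required"), while the name-based lookup accepts it; the Recipient and NotOnOrAfter checks still reject an assertion issued for a different ACS or one that has expired.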
Problem conclusion
The SAML SSO runtime is updated so that the SubjectConfirmationData element is always unmarshalled when it is a child of the SubjectConfirmation element, regardless of its position. The fix for this APAR is targeted for inclusion in fix packs 9.0.5.18 and 8.5.5.25. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH56494
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-08-22
Closed date
2023-10-03
Last modified date
2023-10-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059)
Product: WebSphere Application Server (SSEQTP)
Platform: Platform Independent (PF025)
Version: 8.5
Line of Business: Automation (LOB45)
Document Information
Modified date:
04 October 2023