Fixes are available
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
In SAML Web SSO, when the redirect target is null, "INTERNAL ERROR: Please contact your support." is displayed in the browser. There is no information in the FFDC or SystemOut.log for problem diagnosis.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of SAML Web SSO

PROBLEM DESCRIPTION: Additional diagnostics are required when the SAML Web SSO redirect URL is null

RECOMMENDATION: Install a fix pack that contains this APAR.

In SAML Web SSO, when the redirect target is null, the runtime sets the redirect target to NO_TARGET. This results in "INTERNAL ERROR: Please contact your support." being displayed in the browser.

There should be some indication in the SystemOut.log that this condition has happened so that the administrator can attempt to address the issue.
Problem conclusion
The SAML Web SSO TAI is updated to redirect to the configured error page when the redirect target is null.

When the redirect target is null, the following error message will appear in the SystemOut.log file:

CWSML7035E: The SAML Web Single Sign-on (SSO) Trust Association Interceptor (TAI) is unable to determine a redirect target URL. The redirect URL can come from the sso_<id>.sp.targetUrl SAML TAI custom property, the RelayState parameter in the SAMLResponse or the WasSamlSpReqUrl cookie. If you do not intend to have a value for the sso_<id>.sp.targetUrl SAML TAI custom property or have your IdP send a RelayState parameter in the SAMLResponse, then check earlier in the log to see if you have a CWSML7036W warning that indicates that the request URL host name is not the same as the ACS URL host name. If you see that warning, then that condition must be corrected to fix this error. The value for the relayState parameter on the SAMLResponse is [{0}].

EXPLANATION: The SAML Web SSO TAI cannot find a redirect URL for the current request. The redirect URL can come from three places: 1) the sso_<id>.sp.targetUrl SAML TAI custom property, 2) the RelayState parameter in the SAMLResponse and 3) the WasSamlSpReqUrl cookie. At least one of these three things must be present in order for the SAML TAI to be able to determine the redirect URL. In this case, none of these three things are present, therefore, the SAML TAI cannot determine the redirect URL. Note that the SAML TAI may have set a WasSamlSpReqUrl cookie earlier in the process, but the browser did not make the cookie available to the SAML TAI. Also, the RelayState parameter must be a URL that uses the http or https protocol.

USER ACTION: Ensure at least one of the following is true: 1) the sso_<id>.sp.targetUrl SAML TAI custom property is configured for the current SP, 2) the IdP sets the RelayState parameter on the SAMLResponse with a valid URL that uses the http or https protocol or 3) the WasSamlSpReqUrl cookie is made available to the SAML TAI. In order for the WasSamlSpReqUrl to be available to the SAML TAI, the original request URL must have the same host name as the ACS URL that is configured on the sso_<id>.sp.acsUrl TAI custom property.

The SAML TAI is also updated to check for duplicate acsUrl entries at load time. If any are found, the following warning will be emitted:

CWSML7038W: The SAML Web Single Single Sign-on (SSO) Trust Association Interceptor (TAI) has two assertion consumer service URL custom properties configured that have the same URL path: [{0}] and [{1}]. This condition can cause unexpected behavior at run time. To prevent further issues, all text after <hostname>:<port> must be unique for each [sso_<id>.sp.acsUrl] custom property value.

EXPLANATION: The value for each SAML [sso_<id>.sp.acsUrl] custom property must have a unique URL path. A URL path does not include the protocol and <hostname>:<port> parts of a URL string. For example, although the URL strings for https://somewhere.ibm.com/samlsps/hello/app and https://elsewhere.ibm.com/samlsps/hello/app are different, the URL paths are the same. If two acsUrl entries have the same URL path, when a SAMLResponse is sent to one of the URLs that has a duplicate path, the service provider that is chosen to handle the request will be indeterminate.

USER ACTION: Ensure that the URLs configured for each of the [sso_<id>.sp.acsUrl] custom properties have unique URL paths, meaning that they have unique text after the <hostname>:<port> part of the URL string.

The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.45, 8.0.0.14, 8.5.5.13 and 9.0.0.5.
Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
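The two conditions described above can be checked against an exported set of SAML TAI custom properties before deployment. The following Python is an added example, not IBM code and not part of the APAR: it flags acsUrl values that share a URL path (the CWSML7038W condition) and lists which of the three redirect sources exist for a given request (an empty list is the CWSML7035E condition). The function names, the `\w+` pattern for `<id>` and the sample property values are assumptions; it models only the conditions stated in the text, not the TAI's actual resolution order or browser cookie handling.

```python
import re
from urllib.parse import urlsplit

PROP = re.compile(r"^sso_(\w+)\.sp\.(acsUrl|targetUrl)$")  # assumption: <id> is \w+

def group_sps(props):
    """Group sso_<id>.sp.* custom properties by <id>."""
    sps = {}
    for name, value in props.items():
        m = PROP.match(name)
        if m:
            sps.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    return sps

def url_path(url):
    netloc = urlsplit(url).netloc  # path = all text after <hostname>:<port>
    return url[url.index(netloc) + len(netloc):]

def duplicate_acs_paths(props):
    """(id_a, id_b, path) for acsUrl values that share a URL path (CWSML7038W)."""
    acs = {i: sp["acsUrl"] for i, sp in group_sps(props).items() if "acsUrl" in sp}
    seen, dups = {}, []
    for sp_id in sorted(acs):
        path = url_path(acs[sp_id])
        if path in seen:
            dups.append((seen[path], sp_id, path))
        seen.setdefault(path, sp_id)
    return dups

def redirect_sources(sp, request_url, relay_state=None):
    """Redirect sources present for one request; [] is the CWSML7035E case."""
    sources = []
    if sp.get("targetUrl"):
        sources.append("targetUrl")
    if relay_state and urlsplit(relay_state).scheme in ("http", "https"):
        sources.append("RelayState")
    # The cookie reaches the TAI only when request host == ACS URL host.
    if urlsplit(request_url).hostname == urlsplit(sp["acsUrl"]).hostname:
        sources.append("WasSamlSpReqUrl")
    return sources

SAMPLE = {  # constructed sample configuration reusing the text's example URLs
    "sso_1.sp.acsUrl": "https://somewhere.ibm.com/samlsps/hello/app",
    "sso_2.sp.acsUrl": "https://elsewhere.ibm.com/samlsps/hello/app",
    "sso_2.sp.targetUrl": "https://elsewhere.ibm.com/app/home",
}

if __name__ == "__main__":
    print(duplicate_acs_paths(SAMPLE))
```

An SP for which `redirect_sources` returns an empty list when the request host differs from the ACS host depends entirely on the IdP sending a valid RelayState.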
Temporary fix
Comments
APAR Information
APAR number
PI61915
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-05-05
Closed date
2017-08-16
Last modified date
2017-08-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
03 May 2022