IBM Support

PI71380: ALLOW SAML WEB INBOUND TO RETRIEVE SAML ASSERTION FROM AN HTTP REQUEST PARAMETER.

Fixes are available

9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18


APAR status

  • Closed as program error.

Error description

  • Customer has a requirement to send a SAML token on a JAX-RS
    call.  The use of SAML Web inbound requires that the SAML
    Assertion be placed in the HTTP header of the inbound request.
     The customer's application does not support updating the
    HTTP header so an alternative is required.
    

Local fix

  • Add function to retrieve SAML from HTTP request parameter.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  SAML web inbound                            *
    ****************************************************************
    * PROBLEM DESCRIPTION: Allow SAML Web inbound TAI to           *
    *                      retrieve a SAML Assertion from an       *
    *                      HTTP request parameter                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    There is no way for the SAML Web inbound Trust Association
    Interceptor (TAI) to obtain a SAML Assertion from anywhere but
    the HTTP request header.  If a partner application cannot
    update the HTTP request header, SAML Web inbound cannot be
    used.
    

Problem conclusion

  • The SAML Web inbound TAI is updated to allow the SAML
    Assertion to be passed as an HTTP request parameter.
    
    The following SAML Web inbound TAI custom property is added:
    
    parameterName
    
    The parameterName property specifies a list of parameter names
    in the inbound request that the TAI will look for to extract
    the SAML Assertion. You can specify a single parameter name or
    multiple parameter names separated by a comma or "|".
    
    Examples:
    parameterName=saml_token
    parameterName=param_one, param_two
    parameterName=saml1_token|saml2_token|saml3_token
    
    Previously, the headerName property was required.  Now, at
    least one of the headerName or parameterName properties is
    required.
    
    If both headerName and parameterName are specified, the
    headers will be inspected first.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.43, 8.0.0.14, 8.5.5.12, and 9.0.0.4.  Please
    refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
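
    The sketch below is an added example, not IBM's TAI code: it models the property parsing and lookup order described above (names split on "," or "|", headers inspected before parameters), then checks access-log lines for a configured parameter name appearing in a URL query string, where the assertion would be recorded in logs. Assumptions: whitespace around names is trimmed, names are tried in the listed order, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

def parse_names(value):
    """Split a headerName/parameterName value on ',' or '|' (whitespace trimmed: assumption)."""
    return [n.strip() for n in re.split(r"[,|]", value or "") if n.strip()]

def locate_assertion(headers, params, header_name="", parameter_name=""):
    """Model of the documented order: configured headers first, then parameters.
    Returns (source, name, value) or None when no assertion is present."""
    h_names, p_names = parse_names(header_name), parse_names(parameter_name)
    if not h_names and not p_names:
        raise ValueError("at least one of headerName or parameterName is required")
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    for name in h_names:
        if lowered.get(name.lower()):
            return ("header", name, lowered[name.lower()])
    for name in p_names:  # tried in listed order (assumption)
        if params.get(name):
            return ("parameter", name, params[name])
    return None

def assertions_in_urls(access_log_lines, parameter_name):
    """Return (path, [parameter names]) for request lines whose query string carries
    a configured parameter, i.e. requests whose token ends up in the access log."""
    names = set(parse_names(parameter_name))
    hits = []
    for line in access_log_lines:
        m = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        found = names & set(query)
        if found:
            hits.append((m.group(1).split("?")[0], sorted(found)))
    return hits

# Constructed sample log lines (not from the APAR); the token value is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2016:10:00:00 +0000] "GET /api/orders?saml_token=PHNhbWw HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Dec/2016:10:00:02 +0000] "POST /api/orders HTTP/1.1" 200 512',
    '10.0.0.6 - - [13/Dec/2016:10:00:05 +0000] "GET /api/items?page=2 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(locate_assertion({"X-SAML": "H"}, {"saml_token": "P"}, "x-saml", "saml_token"))
    print(assertions_in_urls(SAMPLE_LOG, "param_one, saml_token"))
```

    Requests flagged by the log check are candidates for moving the assertion into the POST body or a header, where it is not written to the request line.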
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI71380

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-10-27

  • Closed date

    2016-12-13

  • Last modified date

    2016-12-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

Document Information

Modified date:
23 November 2021