Fix (APAR): PI34088 Status: Fix Release: 8.0.0.10 Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS Supersedes Fixes: CMVC Defect: xxxxxx Byte size of APAR: 415214 Date: 2015-09-22 Abstract: error in saml web SSO tai with custom sp-initiated SSO Description/symptom of problem: PI34088 resolves the following problem: ERROR DESCRIPTION: With the SAML Web SSO TAI, when custom code is used to simulate SP-initiated SSO, the TAI will fail to validate the SAMLResponse with the following error: CWWSS8006E: InResponseTo must not be present for IdP-Initiated unsolicited responses. LOCAL FIX: N/A PROBLEM SUMMARY USERS AFFECTED: IBM WebSphere Application Server users of SAML web single sign-on (SSO) PROBLEM DESCRIPTION: An error occurs in the SAML Web SSO TAI with custom SP-initiated SSO RECOMMENDATION: Install a fix pack that includes this APAR. The SAML web single sign-on (SSO) Trust Association Interceptor (TAI) supports identity provider (IdP)-initiated SSO only. If a service provider (SP) attempts to do SP-initiated SSO by including a SAMLRequest in the request to the IdP, the SP cannot process the SAMLResponse and will emit the following error: CWWSS8006E: InResponseTo must not be present for IdP-Initiated unsolicited responses. PROBLEM CONCLUSION: The SAML TAI is updated to provide an option to include a SAMLRequest in the request to the IdP by using a plug point, and process solicited SAMLResponses corresponding to the SAMLRequest. To use this feature, the user must set the login.error.page custom property to a class that implements the com.ibm.wsspi.security.web.saml.AuthnRequestProvider SPI. Following is the interface for com.ibm.wsspi.security.web.saml.AuthnRequestProvider: public interface AuthnRequestProvider extends IdentityProviderMapping { public static final String AUTHN_REQUEST="authnRequest"; public static final String REQUEST_ID = "requestId"; public static final String RELAY_STATE="relayState"; public static final String SSO_URL="ssoUrl"; /** * Maps a HttpServletRequest to a valid URL. * This is used to map the HttpServletRequest to a valid URL, * so that WebSphere can redirect user to the URL for * re-login or receiving error message * * @para req the HttpServletRequest * @param errorMsg the String * @param acsUrl the String of AssertionConsumerService URL * @param ssoUrl the ArrayList of Single-SignOn service URLs * @return the URL String of the user which should be * redirected to * @exception NotImplementedException if this implementation * is not supported. **/ public HashMap getAuthnRequest( HttpServletRequest req, String errorMsg, String acsUrl, ArrayList ssoUrls) throws NotImplementedException; } The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.39, 8.0.0.11 and 8.5.5.7. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980 Keywords: IBMWL3WSS, SAMLWSSO, FIXEDBYPI47842 Directions to apply fix: Fix applies to Editions: Release 8.0 _x_ Application Server (Express or BASE) _x_ Network Deployment (ND) __ Edge Components __ Developer Install Fix to all WebSphere installations unless special instructions are included below. Special Instructions: None NOTE: The user must: * Logged in with the same authority level when unpacking a fix, fix pack or refresh pack. * Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required. The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before applying the iFixes. Restart WebSphere Application Server after applying the iFixes. Directions to remove fix: The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before removing the iFixes. Restart WebSphere Application Server after removing the iFixes. Directions to re-apply fix: 1) Shutdown WebSphere Application Server. 2) Follow the Fix instructions to apply the fix. 3) Restart WebSphere Application Server. Additional Information: