| Explanation | This method is not implemented. |
| Action | None |
| Explanation | The key information for the Security Assertion Markup Language (SAML) provider in not available to sign a SAML assertion. |
| Action | Check the configuration information for the provider and ensure that the signing key information for the provider exists in its respective keystore. |
| Explanation | A key information object is not associated with a key alias. |
| Action | Ensure that the key information object is associated with an alias during the creation process. |
| Explanation | An attempt to create a CredentialConfig object, which is based on a null Subject, has been detected. A valid CredentialConfig object cannot be created. |
| Action | Specify a valid Subject. |
| Explanation | An attempt to create a CredentialConfig object, which is based on a Subject without a Principal, has been detected. A valid CredentialConfig object cannot be created. |
| Action | Specify a valid Subject with a valid Principal. |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | The SAML Assertion Issuer address provided is not valid. |
| Action | Ensure that the Security Assertion Markup Language (SAML) Assertion Issuer address is valid. |
| Explanation | A signed SAML cannot be modified. |
| Action | A signed SAML cannot be modified. |
| Explanation | Only a string or OMElement data type is allowed for marshalling. |
| Action | Provide either the required String or OMElement data type. |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | An unsupported confirmation method has been specified. |
| Action | Specify a "bearer," "holder-of-key," or "sender-vouches" confirmation method. |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | This method is not implemented. |
| Action | None |
| Explanation | The create request for the TokenType value is not valid. |
| Action | Provide a valid TokenType value. |
| Explanation | The Security Assertion Markup Language (SAML) assertion namespace is not known. |
| Action | Provide a valid namespace. |
| Explanation | The Security Assertion Markup Language (SAML) assertion during the call to the newSAMLToken method is not valid. |
| Action | Ensure that you provide a valid SAML assertion. |
| Explanation | The Security Assertion Markup Language (SAML) token cannot be created from the XMLStructure value during a call to the newSAMLToken method. |
| Action | Ensure that you provide a valid XML structure for the assertion. |
| Explanation | The Security Assertion Markup Language (SAML) issuer is not associated with a name identifier. |
| Action | Ensure that the SAML provider is associated with a name identifier. |
| Explanation | This Security Assertion Markup Language (SAML) statement is not supported. |
| Action | Do not use unsupported SAML statements. |
| Explanation | A Null or empty ID has been provided for a Security Assertion Markup Language (SAML) assertion. |
| Action | Provide a name identifier. |
| Explanation | A null issue date has been provided. |
| Action | Do not provide a null date value. |
| Explanation | You cannot modify a signed Security Assertion Markup Language (SAML) assertion. |
| Action | Do not attempt to modify a signed SAML assertion. |
| Explanation | You cannot marshal an object that is not a String or an OMElement data type. |
| Action | Check the type of object that you are attempting to marshal and ensure that it is a String or a OMElement data type. |
| Explanation | The authentication method is not valid. |
| Action | Use a valid authentication method. |
| Explanation | A null argument value has been passed on a setAuthnContext method call. |
| Action | Do not pass a null argument value. |
| Explanation | A null argument value has been passed on a setAuthnInstant method call. |
| Action | Do not pass a null argument value. |
| Explanation | The Security Assertion Markup Language (SAML) assertion on a newSAMLToken method call is not valid. |
| Action | Pass a valid XML structure for the assertion. |
| Explanation | A Security Assertion Markup Language (SAML) token cannot be created from the XMLStructure that is provided on a call to the newSAMLToken method. |
| Action | Pass a valid XML structure for the assertion. |
| Explanation | The expected token type is SAML 2.0. However, a different version has been found. |
| Action | Pass a valid SAML 2.0 version string. |
| Explanation | The missing element and attribute must be specified. |
| Action | Check and modify token issuer configuration. |
| Explanation | The parameter type is incorrect. |
| Action | Check and modify to use the correct class type. |
| Explanation | The Security Assertion Markup Language (SAML) assertion was received at a time that is earlier than the NotBefore setting in the assertion. This condition is not allowed. A possible reason for the error is that the receiver's clock is out of sync with the clock of the creator of the assertion. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | The Security Assertion Markup Language (SAML) assertion was received at a time that is at or after the NotOnOrAfter setting in the assertion. This condition is not allowed. Possible reasons for the error are that the receiver's clock is out of sync with the clock of the creator of the assertion or the assertion has been obtained and resent by an unauthorized application. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | The IssueInstant in the Security Assertion Markup Language (SAML) assertion indicates that it was issued after the current time. This condition is not allowed. A possible reason for the error is that the receiver's clock is out of sync with the clock of the creator of the assertion. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | A Security Assertion Markup Language (SAML) assertion must contain the attribute shown in the message. The SAML assertion being validated does not have this attribute, or the attribute does not have a value. |
| Action | Ensure that the creator of the SAML assertion includes the attribute in the error message on the Assertion element. |
| Explanation | A Security Assertion Markup Language (SAML) assertion must contain the element shown in the message. The SAML assertion being validated either does not have this element, or the element does not have a value. |
| Action | Ensure that the creator of the SAML assertion includes the element indicated in the error message in the Assertion. |
| Explanation | The Security Assertion Markup Language (SAML) assertion contains the element shown in the message, but there is no value for the element. This condition is not allowed. |
| Action | Ensure that the creator of the SAML assertion includes a value for the element shown in the message. |
| Explanation | When a Security Assertion Markup Language (SAML) assertion contains the element shown in the message, it must also contain the attribute shown in the message. The SAML assertion being validated does not have the attribute shown in the message, or the attribute does not have a value. |
| Action | Ensure that the creator of the SAML assertion includes the attribute shown in the message. |
| Explanation | The Security Assertion Markup Language (SAML) assertion on a newSAMLToken method call or inbound message is not valid. The reason for the error will be shown after this message. |
| Action | See the user action for the message that appears after this error. |
| Explanation | An element in the Security Assertion Markup Language (SAML) assertion being processed contains an attribute that is not supported. The valid values are shown in the message. |
| Action | Ensure that the creator of the SAML assertion includes a valid value for the element's attribute shown in the message. |
| Explanation | An element in the Security Assertion Markup Language (SAML) assertion being processed contains an element value that is not supported. The valid values are shown in the message. |
| Action | Ensure that the creator of the SAML assertion includes a valid value for the element shown in the message. |
| Explanation | A Security Assertion Markup Language (SAML) assertion must contain the element pair shown in the message. The SAML assertion being validated either does not have the sub-element shown in the message, or the sub-element does not have a value. |
| Action | Ensure that the creator of the SAML assertion includes the element pair indicated in the error message in the Assertion. |
| Explanation | The Security Assertion Markup Language (SAML) assertion being processed contains an element that is valid for the schema, but the run time does not support the element. Processing of the SAML assertion has stopped. |
| Action | Ensure that the creator of the SAML assertion does not include the element shown in the error message. |
| Explanation | The Security Assertion Markup Language (SAML) assertion being processed contains an element that is valid for the schema, but the run time does not support the element. Processing of the SAML assertion has stopped. |
| Action | Ensure that the creator of the SAML assertion does not include the element shown in the error message. |
| Explanation | If a Security Assertion Markup Language (SAML) V1.1 assertion contains an AttributeStatement element, the AttributeStatement element must contain at least one Subject or Attribute sub-elements. The SAML 1.1 assertion being validated contains an AttributeStatement element that contains neither Subject or Attribute sub-elements. |
| Action | Ensure that the creator of the SAML assertion either does not include the AttributeStatement element, or includes at least one of the Subject or Attribute sub-elements in the AttributeStatement element. |
| Explanation | The AuthenticationInstant in the Security Assertion Markup Language (SAML) assertion indicates that it was issued after the current time. This condition is not allowed. A possible reason for the error is that the receiver's clock is out of sync with the clock of the creator of the assertion. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | If a Security Assertion Markup Language (SAML) V1.1 assertion contains a Subject element, the Subject element must contain at least one NameIdentifier or SubjectConfirmation sub-elements. The SAML 1.1 assertion being validated contains a Subject element that contains neither NameIdentifier or SubjectConfirmation sub-elements. |
| Action | Ensure that the creator of the SAML assertion either does not include the Subject element, or includes at least one of the NameIdentifier or SubjectConfirmation sub-elements in the Subject element. |
| Explanation | In the Security Assertion Markup Language (SAML) V1.1 schema, the ConfirmationMethod element is a child of the SubjectConfirmation element. Although the schema does not require that the ConfirmationMethod be present in the SubjectConfirmation element, in order for a SAML assertion to be processed successfully, at least one ConfirmationMethod must be present in the assertion. The valid values for the ConfirmationMethod element are [urn:oasis:names:tc:SAML:1.0:cm:bearer, urn:oasis:names:tc:SAML:1.0:cm:sender-vouches, and urn:oasis:names:tc:SAML:1.0:cm:holder-of-key]. |
| Action | Ensure that the creator of the SAML assertion includes at least one ConfirmationMethod in the assertion. The ConfirmationMethod element is a child of the SubjectConfirmation element. The SubjectConfirmation element is a child of the Subject element, which can be a child of either the AttributeStatement or AuthenticationStatement elements. |
| Explanation | The AuthnInstant in the Security Assertion Markup Language (SAML) assertion indicates that it was issued after the current time. This condition is not allowed. A possible reason for the error is that the receiver's clock is out of sync with the clock of the creator of the assertion. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | The Security Assertion Markup Language (SAML) assertion was received at a time that is at or after the SessionNotOnOrAfter setting in the assertion. This condition is not allowed. Possible reasons for the error are that the receiver's clock is out of sync with the clock of the creator of the assertion or the assertion has been obtained and resent by an unauthorized application. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | The value for the Version attribute in the Security Assertion Markup Language (SAML) V2.0 assertion being processed is not correct. There is only one correct value. The correct value is shown in the message. |
| Action | Ensure that the creator of the SAML assertion sets the Version attribute in the SAML 2.0 assertion correctly. |
| Explanation | The Security Assertion Markup Language (SAML) assertion was received at a time that is earlier than the NotBefore setting on the SubjectConfirmationData in the assertion. This condition is not allowed. A possible reason for the error is that the receiver's clock is out of sync with the clock of the creator of the assertion. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion or increase the clock skew using the clockSkew custom property on the configured SAML token consumer. |
| Explanation | The Security Assertion Markup Language (SAML) assertion was received at a time that is at or after the NotOnOrAfter setting on the SubjectConfirmationData in the assertion. This condition is not allowed. Possible reasons for the error are that the receiver's clock is out of sync with the clock of the creator of the assertion, the assertion was cached on the client and resent after it expired, or the assertion has been obtained and resent by an unauthorized application. |
| Action | Synchronize the clocks of the receiver and the creator of the assertion, increase the clock skew using the clockSkew custom property on the SAML token consumer in the WS-Security provider bindings or, if using a WebSphere Application Server client, increase the cache cushion using cacheCushion custom property on the SAML token generator in the WS-Security client bindings. |
| Explanation | The method shown in the message was performed on an object that is read-only. This method is not allowed on read-only objects. |
| Action | Ensure that the object is not read-only or do not invoke the method. |
| Explanation | The method shown in the message was performed on an object that contains an encrypted Assertion. This method is not allowed on an object that contains an encrypted Assertion. |
| Action | Ensure that the object does not contain an encrypted Assertion or do not invoke the method. |
| Explanation | A SAMLAttribute object has a value set in a field that is not supported by the SAML token type that it is being added to. The attribute will be added to the SAML token, but the value for the unsupported attribute will not be reflected in the XML associated with the SAML token. |
| Action | Do not set values in a SAMLAttribute object that are incompatible with the SAML token type to which they are being added. |
| Explanation | The element shown in the message is used to retrieve the certificate to validate the signature or the key to decrypt the SAML assertion. The run time only supports a subset of retrieval methods. The methods that are supported are shown in the message. |
| Action | Ensure that the creator of the SAML assertion uses one of the supported KeyInfo types. |
| Explanation | The element shown in the message is used to retrieve the certificate to validate the signature or the key to decrypt the assertion. The run time only supports a subset of retrieval methods. The methods that are supported are shown in the message. |
| Action | Ensure that the creator of the SAML assertion uses one of the supported X509Data types. |
| Explanation | The element shown in the message is used to retrieve the certificate to validate the signature or the key to decrypt the assertion. The run time only supports a subset of retrieval methods. The methods that are supported are shown in the message. |
| Action | Ensure that the creator of the SAML assertion uses one of the supported SecurityTokenReference sub-elements. |
| Explanation | A key was obtained from the SAML assertion. A key was defined in the SAML configuration. These two keys do not match. This condition is not allowed. |
| Action | Do one of the following: 1) Re-configure the SAML configuration to use the key that is in the SAML assertion. 2) Ensure that the creator of the SAML assertion uses the key defined in the SAML configuration. |
| Explanation | The KeyInfo element in the SAML assertion is used to retrieve the certificate to validate the signature or the key to decrypt the assertion. Although the method in the assertion used to retrieve the certificate is sufficent to evaluate the signature, it is not sufficient to evaluate trust because it does not yield an X.509 certificate. |
| Action | Ensure that the creator of the SAML assertion uses one of the supported KeyInfo types that will yield an X.509 certificate or turn off trust validation. |
| Explanation | The redirect target URL matches the value configured for the ACS URL. This condition is not allowed. |
| Action | See the message that displays after CWSML7030E to determine where the redirect target URL was obtained then modify the SAML TAI configuration or IdP configuration to ensure that the redirect target URL does not match the ACS URL. |
| Explanation | The redirect target URL was obtained from the SAMLResponse. |
| Action | No user action is required. |
| Explanation | The redirect target URL was obtained from the SAML TAI configuration. |
| Action | No user action is required. |
| Explanation | The SAML TAI can not redirect the client request to the requested URL. |
| Action | See the message that displays after CWSML7033E for the cause of the error. |
| Explanation | The redirect target URL was obtained from the SAMLResponse. |
| Action | No user action is required. |
| Explanation | The SAML Web SSO TAI cannot find a redirect URL for the current request. The redirect URL can come from three places: 1) the sso_<id>.sp.targetUrl SAML TAI custom property, 2) the RelayState parameter in the SAMLResponse and 3) the WasSamlSpReqUrl cookie. At least one of these three things must be present in order for the SAML TAI to be able to determine the redirect URL. In this case, none of these three things are present, therefore, the SAML TAI can not determine the redirect URL. Note that the SAML TAI may have set a WasSamlSpReqUrl cookie earlier in the process, but the browser did not make the cookie available to the SAML TAI. Also, the RelayState parameter must be a URL that uses the http or https protocol. |
| Action | Ensure at least one of the following is true: 1) the sso_<id>.sp.targetUrl SAML TAI custom property is configured for the current SP, 2) the IdP sets the RelayState parameter on the SAMLResponse with a valid URL that uses the http or https protocol or 3) the WasSamlSpReqUrl cookie is made available to the SAML TAI. In order for the WasSamlSpReqUrl to be available to the SAML TAI, the original request URL must have the same host name as the ACS URL that is configured on the sso_<id>.sp.acsUrl TAI custom property. |
| Explanation | The request URL has a host name that is not the same as the host name associated with the ACS URL. Two possible causes of this issue are: 1) the request is directed to a short host name, but the ACS URL is configured as a fully-qualified host name or vice-versa and 2) an IBM HTTP server (IHS) front end that services the request redirects to the protected resource on WebSphere and the IHS and WebSphere servers have different host names. If you get a CWSML7035E error later in your SAML TAI processing, then this problem must be corrected. |
| Action | If you get a CWSML7035E error later in your SAML TAI procesing, ensure that the host name for your request URL and ACS URL match. You might have to change the value for your [sso_<id>.sp.acsUrl] TAI custom property, your IdP configuration or the URL to which requests are made. You can also create a new SP in your SAML TAI configuration to handle the alternate host name. If you want to disable this warning message, set the [com.ibm.ws.security.web.saml.acs.hostWarnings] system property to [false] and restart the application server. |
| Explanation | The value for each SAML [sso_<id>.sp.acsUrl] custom property must have a unique URL path. A URL path does not include the protocol and <hostname>:<port> parts of a URL string. For example, although the URL strings for https://somewhere.ibm.com/samlsps/hello/app and https://elsewhere.ibm.com/samlsps/hello/app are different, the URL paths are the same. If two acsUrl entries have the same URL path, when a SAMLResponse is sent to one of the URLs that has a duplicate path, the service provider that is chosen to handle the request will be indeterminate. |
| Action | Ensure that the URL configured for each of the [sso_<id>.sp.acsUrl] custom properties have unique URL paths, meaning that they have unique text after the <hostname>:<port> part of the URL string. |
| Explanation | The SAML runtime requires a key to decrypt messages. The runtime is unable to obtain the decrypting key because at least one of the properties that is shown in the message is missing from the SAML configuration. |
| Action | Ensure that the properties shown in the message are properly configured, then restart the server. |
| Explanation | The SAML runtime is unable to retrieve a key from the keystore that is specified in the message. |
| Action | Ensure that the password for the key that is specified in the message is properly configured in the SAML TAI settings, then restart the server. If the password for the key is correct, retrieve the entire call stack from the FFDC entry that contains this error to get information about the root cause of the error. |
| Explanation | The SAML TAI assertion consumer service URL property, sso_<id>.acsUrl, is required and is not present in the SAML TAI configuration. |
| Action | Ensure that the missing properties that are specified the message are properly configured in the SAML TAI settings, then restart the server. |
| Explanation | The value for the sso_<id>.sp.charEncoding SAML TAI property overrides the character encoding of the HTTPServletRequest object of the inbound request. The SAML TAI cannot set the character encoding that is shown in the message on an inbound request. The reason for the error is shown after this message. |
| Action | Make sure that the sso_<id>.sp.charEncoding SAML TAI property is set to a valid value. See the user action for the message that is displayed after this message. |
| Explanation | The SAML TAI saves the parameters of the inbound request into a cookie before the request is redirected to the identity provider (IdP) for the user to log in. The IdP sends a SAMLResponse back to the application server after the request is validated. Then, the SAML TAI restores the POST parameters from the cookie to the request before it is sent to the target application. If the SAML TAI cannot store the request POST parameters, the target application is missing the parameters when the authentication is complete. |
| Action | Do one of the following actions. 1) Send a request with parameters that are within the maximum length. 2) Increase the value for the com.ibm.websphere.security.util.postParamMaxCookieSize global security custom property. 3) Set the value for the com.ibm.websphere.security.util.postParamSaveMethod global security custom property as "Session". |
| Explanation | The AuthnRequestProvider implementation class that is specified by the sso_<id>.sp.login.error.page SAML TAI property did not return a valid HashMap object. |
| Action | Make sure that your com.ibm.wsspi.security.web.saml.AuthnRequestProvider implementation returns a valid HashMap object that the SAML TAI can use to perform initiated SP-initiated login. |
| Explanation | The AuthnRequestProvider implementation class that is specified on the sso_<id>.sp.login.error.page SAML TAI property returned a HashMap object that is missing the required keys, which are specified in the message. These keys are required for proper operation of SAML SP-initiated login. |
| Action | Make sure that your com.ibm.wsspi.security.web.saml.AuthnRequestProvider implementation returns a valid HashMap object that the SAML TAI can use to perform initiated SP-initiated login. |