Fixes are available
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
It's not valid when the RelayState in a SAMLResponse equals the acsUrl. What happens when you do that is that you get back "INTERNAL ERROR Please contact your support." in the browser. There are no diagnostics in SystemOut.log or SystemErr.log to indicate what is causing the error.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and SAML Web SSO
PROBLEM DESCRIPTION: If the SAML Web SSO resolved target URL is the acsUrl, an INTERNAL ERROR will occur without additional diagnostic information
RECOMMENDATION: Install a fix pack that contains this APAR.

When a request is sent directly to the URL for the SAML Web Single Sign-on (SSO) Assertion Consumer Service (ACS), WebSphereSamlSP.ear, the following message is displayed in the browser:

INTERNAL ERROR Please contact your support.

The URL of the ACS is set on the sso_<id>.sp.acsUrl custom property on the SAML TAI and is defined to be https://<hostname>:<sslport>/samlsps/<any URI pattern string>. For instance https://myhost:9443/samlsps/go

When a web request is made to a resource protected by the SAML Web SSO TAI, the target URL of the business application can come from various places:
* The original request URL
* The relayState parameter in the SAMLResponse from the Identity Provider (IdP)
* The default target URL configured for the TAI (targetUrl or sso_<id>.sp.targetUrl custom property)

When, using these values, the target URL for a specific request is resolved to be the ACS URL, the user will be directed to the ACS and they will get the INTERNAL ERROR message in the browser. There will be no indication in any log file that this is an error condition.
Problem conclusion
The SAML Web SSO TAI is updated to detect when the target URL is resolved to be the ACS URL. When the target URL is resolved to the ACS URL, instead of seeing INTERNAL ERROR in the browser, the user will be redirected to the configured error page and the following error will be emitted in the SystemOut.log and FFDC:

CWSML7033E: The Security Assertion Markup Language (SAML) Web single sign-on TAI is unable to perform a redirect.

Additionally, the cause for the error will be set to this error:

CWSML7030E: The redirect target URL, [{0}], matches the value for the assertion consumer service (ACS) URL configured for this service provider. You cannot redirect to the ACS URL. The ACS URL is configured on the [{1}] TAI custom property.

One of these messages will be appended to CWSML7030E:

CWSML7032I: The redirect target URL was retrieved from the [{0}] or [{1}] TAI custom property. The [{3}] custom property is set to [{4}].
CWSML7031I: The redirect target URL was retrieved from the [{0}] parameter in the response.
CWSML7034I: The redirect target URL was retrieved from the WasSamlSpReqUrl cookie on the request.

For instance:

CWSML7033E: The Security Assertion Markup Language (SAML) Web single sign-on TAI is unable to perform a redirect.
...
Caused by: CWSML7030E: The redirect target URL, [https://myhost:9443/samlsps/go], matches the value for the assertion consumer service (ACS) URL configured for this service provider. You cannot redirect to the ACS URL. The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI custom property.
CWSML7032I: The redirect target URL was retrieved from the [targetUrl] or [sso_<id>.sp.targetUrl] TAI custom property. The [sso_<id>.sp.useRelayStateForTarget] custom property is set to [false].

-or-

CWSML7030E: The redirect target URL, [https://myhost:9443/samlsps/go], matches the value for the assertion consumer service (ACS) URL configured for this service provider. You cannot redirect to the ACS URL. The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI custom property.
CWSML7031I: The redirect target URL was retrieved from the [relayState] parameter in the response.

-or-

CWSML7030E: The redirect target URL, [https://myhost:9443/samlsps/go], matches the value for the assertion consumer service (ACS) URL configured for this service provider. You cannot redirect to the ACS URL. The ACS URL is configured on the [sso_<id>.sp.acsUrl] TAI custom property.
CWSML7034I: The redirect target URL was retrieved from the WasSamlSpReqUrl cookie on the request.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.43, 8.0.0.13, and 8.5.5.10. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS SAMLWSSO
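The following is an added example, written for this page and not IBM's TAI code, that models the check the fix introduces: resolve the business-application target URL from the sources the APAR lists, record where it came from, and refuse to redirect when it equals the ACS URL, emitting a CWSML7033E/CWSML7030E-style diagnostic with the matching CWSML7031I/7032I/7034I note instead of a silent INTERNAL ERROR. The precedence among the three sources (relayState when enabled, then the WasSamlSpReqUrl cookie, then the default targetUrl) and the URL normalization rule are assumptions made for the example; the property names and message texts are taken from the APAR.

```python
# Constructed example modelled on the SAML Web SSO TAI behaviour described in
# APAR PI48360. Not IBM code. Source precedence and URL normalization are
# assumptions for illustration; property names and messages come from the APAR.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# TAI custom property and cookie names quoted in the APAR text.
ACS_PROPERTY = "sso_<id>.sp.acsUrl"
TARGET_PROPERTY = "sso_<id>.sp.targetUrl"
RELAY_FLAG_PROPERTY = "sso_<id>.sp.useRelayStateForTarget"
REQ_URL_COOKIE = "WasSamlSpReqUrl"


@dataclass
class ResolvedTarget:
    url: str
    info: str  # CWSML703xI-style note recording where the URL came from


class RedirectToAcsError(Exception):
    """Raised instead of redirecting when the resolved target is the ACS URL."""


def normalize_url(url: str) -> str:
    """Canonicalize scheme/host case and a trailing slash so trivially different
    spellings of the ACS URL still compare equal (assumed rule for this example)."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def resolve_target(relay_state: Optional[str], use_relay_state: bool,
                   req_url_cookie: Optional[str],
                   default_target: Optional[str]) -> ResolvedTarget:
    """Pick the business-application URL from the sources the APAR lists.
    Assumed precedence: relayState (when enabled) > request-URL cookie > default targetUrl."""
    if use_relay_state and relay_state:
        return ResolvedTarget(relay_state, "CWSML7031I: The redirect target URL was "
                              "retrieved from the [relayState] parameter in the response.")
    if req_url_cookie:
        return ResolvedTarget(req_url_cookie, "CWSML7034I: The redirect target URL was "
                              f"retrieved from the {REQ_URL_COOKIE} cookie on the request.")
    if default_target:
        return ResolvedTarget(default_target, "CWSML7032I: The redirect target URL was "
                              f"retrieved from the [targetUrl] or [{TARGET_PROPERTY}] TAI custom "
                              f"property. The [{RELAY_FLAG_PROPERTY}] custom property is set to "
                              f"[{str(use_relay_state).lower()}].")
    raise ValueError("no redirect target could be resolved")


def check_redirect(target: ResolvedTarget, acs_url: str) -> str:
    """Return the URL to redirect to, or raise with the diagnostic the fix logs
    when the resolved target is the ACS URL itself."""
    if normalize_url(target.url) == normalize_url(acs_url):
        raise RedirectToAcsError(
            "CWSML7033E: The Security Assertion Markup Language (SAML) Web single sign-on "
            "TAI is unable to perform a redirect. Caused by: CWSML7030E: The redirect target "
            f"URL, [{target.url}], matches the value for the assertion consumer service (ACS) "
            "URL configured for this service provider. You cannot redirect to the ACS URL. "
            f"The ACS URL is configured on the [{ACS_PROPERTY}] TAI custom property. {target.info}")
    return target.url


def redirect_for(acs_url: str, relay_state: Optional[str], use_relay_state: bool,
                 req_url_cookie: Optional[str], default_target: Optional[str]) -> str:
    """Resolve, then check; returns the safe redirect URL or raises RedirectToAcsError."""
    return check_redirect(
        resolve_target(relay_state, use_relay_state, req_url_cookie, default_target), acs_url)


def diagnose(acs_url: str, relay_state: Optional[str], use_relay_state: bool,
             req_url_cookie: Optional[str], default_target: Optional[str]) -> Optional[str]:
    """Return the diagnostic that would be written to SystemOut.log/FFDC, or None if allowed."""
    try:
        redirect_for(acs_url, relay_state, use_relay_state, req_url_cookie, default_target)
    except RedirectToAcsError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample values using the ACS URL from the APAR's own example.
    acs = "https://myhost:9443/samlsps/go"
    print(redirect_for(acs, "https://myhost:9443/snoop", True, None, "https://myhost:9443/"))
    print(diagnose(acs, acs, True, None, "https://myhost:9443/"))
```

The useful operational point is the third case of `diagnose`: when `useRelayStateForTarget` is false, a RelayState equal to the ACS URL is harmless, and the loop is caused by the configured default `targetUrl` instead, which the CWSML7032I note makes visible without any trace enabled.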
Temporary fix
Comments
APAR Information
APAR number
PI48360
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-09-09
Closed date
2016-04-26
Last modified date
2016-04-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022