IBM Support

PH47550: SAML: ADD USEJAVASCRIPT PROPERTY TO REPLACE REDIRECTTOIDPONSERVERSIDE FOR BETTER UNDERSTANDING


APAR status

  • Closed as program error.

Error description

  • There are at least three properties that the WebSphere single
    sign-on components use to mean "use JavaScript when redirecting
    to the provider": redirectToIdPonServerSide,
    isClientSideRedirectSupported, and useJavaScript.  The one that
    the SAML Web SSO component in WebSphere Application Server uses
    is redirectToIdPonServerSide.  The name of this property does
    not convey what it does and the property can be confusing to
    both customers and support personnel.  There should be a
    property provided that has a better name.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and SAML web SSO                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add SAML web SSO useJavaScript custom   *
    *                      property to replace                     *
    *                      redirectToIdPonServerSide               *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The meaning of the SAML web SSO property,
    sso_<id>.sp.redirectToIdPonServerSide, can be confusing to
    customers and support personnel.
    

Problem conclusion

  • A new property called useJavaScript is introduced to the SAML
    web SSO TAI.  Setting the useJavaScript property tells the TAI to
    use JavaScript when it redirects a login request to an IdP.
    
    The meanings of the true and false values of the useJavaScript
    property are the opposite of those for the redirectToIdPonServerSide
    property.  However, the default behavior of the runtime is the
    same regardless of which property you use.  That is,
    redirectToIdPonServerSide defaults to true and useJavaScript
    defaults to false.
    
    The following custom properties are added to the SAML web SSO
    TAI:
    
    =========================
    sso_<id>.sp.useJavaScript
    
    Values: true/false (default)
    
    Description:
    When this property is set to true, the TAI uses JavaScript when
    a request is redirected to an IdP.  When you do not use
    JavaScript, any fragments that are present on the original
    inbound request are lost.
    
    When the sso_<id>.sp.login.error.page property is set to a class
    name to implement SP-Initiated SSO, the value for this property
    is ignored.  When this property is set to a value, the value for
    the sso_<id>.sp.redirectToIdPonServerSide property is ignored.
    
    =========================
    useJavaScript
    
    Values: true/false (default)
    
    Description:
    
    When this property is set to true, the TAI uses JavaScript when
    a request is redirected to an IdP.  When you do not use
    JavaScript, any fragments that are present on the original
    inbound request are lost.
    
    When the sso_<id>.sp.login.error.page property is set to a class
    name to implement SP-Initiated SSO, the value for this property
    is ignored.  When this property is set to a value, the value for
    the redirectToIdPonServerSide property is ignored.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.23 and 9.0.5.14.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
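
An added example (not IBM's code) that resolves the effective redirect mode for each sso_<id> group using the precedence described above, so that a legacy redirectToIdPonServerSide value that is now ignored shows up in a configuration review. The sample property values, the `mapping-class` label and the class-name heuristic for login.error.page are assumptions; only the sso_<id>-scoped properties are handled.

```python
import re

# Constructed sample of SAML web SSO TAI custom properties (not from a real cell).
SAMPLE_PROPS = {
    "sso_1.sp.redirectToIdPonServerSide": "false",
    "sso_2.sp.useJavaScript": "false",
    "sso_2.sp.redirectToIdPonServerSide": "false",
    "sso_3.sp.useJavaScript": "true",
    "sso_3.sp.login.error.page": "com.example.sso.CustomIdpMapping",
    "sso_4.sp.acsUrl": "https://sp.example.com/samlsps/app",
}

# Assumption: a dotted Java identifier with 3+ segments is a class name, not a URL.
JAVA_CLASS = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*){2,}")

def is_true(value):
    return value.strip().lower() == "true"

def resolve_redirect(props, sso_id):
    """Return (mode, notes) for one sso_<id> group, using the APAR's precedence."""
    prefix = f"sso_{sso_id}.sp."
    use_js = props.get(prefix + "useJavaScript")
    legacy = props.get(prefix + "redirectToIdPonServerSide")
    notes = []
    if JAVA_CLASS.fullmatch(props.get(prefix + "login.error.page", "")):
        if use_js is not None:
            notes.append("useJavaScript ignored: login.error.page is a class name")
        return "mapping-class", notes  # hypothetical label: useJavaScript not consulted
    if use_js is not None:
        if legacy is not None:
            notes.append("redirectToIdPonServerSide ignored: useJavaScript is set")
        mode = "javascript" if is_true(use_js) else "server-side"
    elif legacy is not None:
        # Legacy property has the opposite sense: false means "use JavaScript".
        mode = "server-side" if is_true(legacy) else "javascript"
    else:
        mode = "server-side"  # both defaults give the same runtime behaviour
    if mode == "server-side":
        notes.append("URL fragments on the inbound request are lost")
    return mode, notes

def audit(props):
    """Resolve every sso_<id> group found in the property set."""
    ids = sorted({m.group(1) for k in props if (m := re.match(r"sso_(\w+)\.sp\.", k))})
    return {i: resolve_redirect(props, i) for i in ids}

if __name__ == "__main__":
    for sso_id, (mode, notes) in audit(SAMPLE_PROPS).items():
        print(f"sso_{sso_id}: {mode}", *notes, sep="\n  ")
```

In the sample, sso_2 is the case to look for in a review: its legacy value asks for JavaScript, but the explicit useJavaScript=false takes precedence and the redirect stays server-side.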
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH47550

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-06-28

  • Closed date

    2022-09-16

  • Last modified date

    2023-01-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
25 January 2023