©Copyright International Business Machines Corporation 2008, 2013. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Tuesday, 26 November 2013
=====================================================================================================This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager), Version 6.2.1. It requires that Federated Identity Manager, Version 6.2.1, be installed. After installing this fix pack, your Federated Identity Manager installation will be at level 6.2.1.6.
Potential cross-site scripting vulnerabiltity via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subjected to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macro so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:
@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@
NOTE: Other macros that are prone to cross site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and update as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/reference/CustomPropsSPS.html.
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC.
Versions affected:
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)
This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be affected by vulnerabilities in the Websphere IBM Java Runtime Environment (CVE-2013-2407)
A unspecified vulnerability in the Websphere IBM Java Runtime Environment (JRE) component allows remote attackers to affect the confidentiality and availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli Federated Identity Manager Business Gateway TFIMBG) via unknown vectors related to Libraries.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21644157
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
Software requirements for IBM Tivoli Federated Identity Manager version 6.2.1 can be found here.
6.2.1-TIV-TFIM-FP0004
6.2.1-TIV-TFIM-FP0002
6.2.1-TIV-TFIM-FP0001
Federated Identity Manager consists of the following components that can be installed separately:
This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components.
If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
The following problems are corrected by this fix pack. For more information about the APARs listed here, see the Tivoli Federated Identity Manager support site.
CBACE0800E The required initialization property "com.ibm.cars.events.emitter.ICARSEmitterProperties.trustStore" is missing. in the trace log.Organization element with no OrganizationURL element.urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier for single sign on. By default, Tivoli Federated Identity Manager will treat a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as urn:oasis:names:tc:SAML:2.0:nameidformat:persistent name identifier unless the default name identifier is set to another type like emailAddress. The Single Logout operation incorrectly queries the alias service if the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier is used and the default name identifier is set to emailAddress.javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getPlatformVersion operation on Server MBean because of insufficient or empty credentials.Be aware of the following considerations before installing this fix pack:
Since Federated Identity Manager is a 32-bit application, its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
NOTE: This change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.Use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure the you apply the complete set of files. See Installing the fix pack for specific instructions on using Update installer to apply the fixes.
NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
NOTE: For z/OS platform, please contact IBM Support to obtain the fix pack.
If security is enabled on the WebSphere Application Server
where Federated Identity Manager is installed, you must set
the appropriate password values in the fim.appservers.properties file before you can
apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below,
specify the passwords using plain text. However, at the end of the fix pack
installation process these passwords are obfuscated and will no longer be available in
plain text format.
To specify security passwords, use the following procedure:
FIM_INSTALL_DIR/etc/fim.appservers.properties.was.security.enabled property is present in the
fim.appservers.properties file and is set to true then
you must add two password properties to the file:
was.admin.user.pwd property with a value of the administrator
login password for the WebSphere Application Server
where Federated Identity Management is deployedwas.truststore.pwd property with a value of the password for
the trust store used for client-side SSL authentication in that
WebSphere Application Serverwas.admin.user.pwd=was_admin_pwwas.truststore.pwd=truststore_pwewas.security.enabled property is present in the
fim.appservers.properties file and is set to true then
you must add two password properties to the file:
ewas.admin.user.pwd property with a value of the administrator
login password for the Embedded WebSphere Application Server
where Federated Identity Management is deployedewas.truststore.pwd property with a value of the password for
the trust store used for client-side SSL authentication in that Embedded
WebSphere Application Serverewas.admin.user.pwd=ewas_admin_pwewas.truststore.pwd=truststore_pwfim.appservers.properties fileC:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
C:\Program Files\IBM\WebSphere\UpdateInstaller on
Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).C:\Program Files\IBM\FIM on Windows systems, or
/opt/IBM/FIM on UNIX-based systems), then click Next.FIM_INSTALL_DIR/etc/version.propeties file with a text editor.
The following list describes how to interpret the properties in the version.properties file:
itfim.build.version.rte-mgmtsvcs=versionitfim.build.version.mgmtcon=versionitfim.build.version.wsprov=versionitfim.build.version.wssm=versionitfim.build.version.fimpi=versionApply the fix packs to the product's components in the following order:
NOTE: If a domain is not created before application of Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.
NOTE: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
After you install the fix pack, you must redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.
The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.
NOTES:
Use the following procedure to deploy the updated Federated Identity Manager runtime:
Example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.1.6 [131017a]
NOTE: The number in the brackets [131017a] might be
different from this example.
Then, restart the ITFIMManagementService.
After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.
For example, if you installed fix pack 6 onto a Federated Identity Manager 6.2.1.0 system, then after uninstalling fix pack 6 you will see the following:
Suite Name Version
----------------------------------------------------------
Tivoli Federated Identity Manager 6.2.1.0 [101018a]
For example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.1.0 [101018a]
The following product documentation for Federated Identity Manager, Version 6.2.1, can be found on the IBM Tivoli Federated Identity Manager Information Center.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Properties for SAML 2.0, a new custom property is added. This property is:
SAML20.CDC.RelayStateAllowedURLs_<FEDERATIONID>A comma-separated list of regular expressions. SAML 2.0 Identity Provider Discovery Profile common domain cookie reading and writing service of <FEDERATIONID> can redirect to a URL that matches any of the regular expressions.
Default value: SPS URL of the common domain cookie reading or writing service endpoint e.g. https://examplehost/FIM/sps/.*Value type: stringExample value: https://examplehost/JCT/protectedresource/.*,https://examplehost2/JCT2/protectedresource2/.*The following parameters are documented in the Command reference > manageItfimPartner > SAML partner response file reference section of the Tivoli Federated Identity Manager Administration Guide v6.2.2 and earlier:
These parameters are not relevant to the SAML partner response file and must be removed from this section.
The following parameters are relevant to the SAML federation response file and are documented in the Command reference > manageItfimFederation > SAML federation response file reference section:
In the IBM Tivoli Federated Manager 6.2.2 Configuration Guide, under the topic Deploying User Self Care->Configuring a Tivoli Access Manager adapter for WebSphere Federated Repository->Configuring a Tivoli Access Manager adapter->Procedure, it states:
3. Ensure that you have installed the Tivoli Access Manager 6.1.1 Java runtime component.
Tivoli Access Manager 6.1.1 Fixpack 1 or above contains fixes for the Java runtime component that are required if you want to use the Tivoli Access Manager adapter for WebSphere Federated Repository.
It should state:
3. Ensure that you have installed the Tivoli Access Manager Java runtime version 6.1.1 or above. If you have installed version 6.1.1, ensure that you have applied Fixpack 1 or above.
Some of the steps outlined in the TFIM 6.2.1 Configuration guide for enabling WAS cluster replication is incorrect.
Under section Federated Identity Manager > Previous versions > Version 6.2.1 > Configuring > Domain configuration, in the topic "Enabling replication in a WebSphere cluster", steps are 3 and 9a are wrong.
The current steps are:
The TFIM cluster does not appear in the "replication domain" options.
The steps should be:
Configuration example: WSFed.IDP.RSTR.Excluded.Elements = Forwardable,Delegatable,Status,Renewing
Configuration example: WSFed.IDP.RSTR.Excluded.Elements%<FEDERATIONID> = Forwardable,Delegatable,Status,Renewing
Example for a federation with the ID https://idp/sps/fed/wsf:
SAML20.IDP.UnsolicitedSSO.WSFed.IDP.RSTR.Excluded.Elements%https://idp/sps/fed/wsf = Forwardable,Delegatable,Status,Renewing
Configuration example: WSFed.IDP.RSTR.Excluded.Elements%<FEDERATIONID>%<PARTNERID>= Forwardable,Delegatable,Status,Renewing
Example for a federation with the ID https://idp/sps/fed/wsf and its partner with the ID https://sp/sps/fed/wsf
WSFed.IDP.RSTR.Excluded.Elementsg%https://idp/sps/fed/wsf%https://sp/sps/fed/wsf = Forwardable,Delegatable,Status,Renewing
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
In the IBM Tivoli Federated Manager 6.2.1 Installation Guide, under the topic Appendix A. Upgrading to version 6.2.1->Upgrading LDAP, it states:
Other parameters are available to pass to this tool:
-reverse performs a reverse migration.-deleteAbandonedEntries deletes any entries that refer to a DN that no longer exists. This process occurs before the migration step.-Z enables the SSL connection to the LDAP server.For the -reverse parameter, it should state:
-reverse performs a reverse migration. This does not delete entries added during migration. It ensures that the entries are compatible with versions of Tivoli Federated Identity Manager Version before 6.2.1.2 new parameters are now available to pass to this tool:
-userAttr specifies the attribute that the alias service uses to denote the user identifier.-force performs migration for all entries including those that have previously been migrated.In the IBM Tivoli Federated Manager 6.2.1 Configuration Guide, under the topic Configuring security token service->Configuring Active Directory and WebSphere for constrained delegation, it states:
6. On the domain controller, add the tfimdeleguser user to the Domain administrative group.
To verify:
a. Select Active Directory Users and Computer
b. For the domain, click Users and click Domain Admins
c. Select the Members tab. Verify that the tfimdeleguser is listed as a group member.
It should state:
6. On the machine hosting the WebSphere node agent running the Tivoli Federated Identity Manager runtime, add the tfimdeleguser user to the Local administrative group.
To verify:
a. Select Start > Programs > Administrative Tools > Computer Management.
b. Open Local Users and groups.
c. Open groups.
d. Right-click on the local group Administrators.
e. Select Properties.
f. Verify that the tfimdeleguser is listed as a group member.
Note: For a cluster environment, this step must be repeated on all machines hosting a node member of WebSphere cluster running the Tivoli Federated Identity Manager runtime.
There was an error in the command value used for installing the Tivoli Federated Identity Manager, version 6.2.1 Web Services Security Management feature.
Replace the installation command note in the following sections of the Tivoli Federated Identity Manager, version 6.2.1 Installation Guide:
with the following:
NOTE: The installation is designed so that the WebSphere® Application Server deployment can listen on localhost. If it does not listen on localhost, use the parameter websphereProperties.adminClientConnectorHost on the installation command to specify the host name. For example, on Linux:
./install_linux_x86.bin -W
websphereProperties.adminClientConnectorHost=<hostname>
Back to Contents
When you use the Tivoli® Federated Identity Manager console or command line to import a JavaScript mapping rule, an empty Security Token Service Universal User (STSUU) is used as an input to validate the JavaScript.
Validating the JavaScript using an empty STUU input can cause problems. Problems occur when the JavaScript rule throws exceptions on cases that do not occur in their real federation runtime flow, but occurs when the empty STSUU is passed to the rule during validation.
If the JavaScript mapping rule throws an exception during validation, the Tivoli Federated Identity Manager console rejects it as bad syntax and does not load it.
When you use the Tivoli Federated Identity Manager console or command line to import a JavaScript mapping rule, the software runs basic JavaScript validation. The JavaScript validation process prevents the upload of a mapping rule with an invalid syntax.
When the Tivoli Federated Identity Manager console or command line validates the mapping rule, no real request exists. The variables are then populated with empty objects.
Your mapping rule might use conditional statements. The conditional statements make sense during real runtime operations, but do not work properly when empty objects are passed to it during validation.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
// Throw an STS exception if the STSUU does not contain an attribute I am expecting
var attrvalue = stsuu.getAttributeValueByName("myattr");
if (attrvalue == null) {
IDMappingExtUtils.throwSTSException('missing attribute');
As a workaround, create an empty-object-aware JavaScript rule to prevent it from throwing exceptions when it detects the empty STSUU.
Build a mechanism to detect the validation sequence into the rule itself and to not terminate with an exception if the rule is operating on empty objects.
The detection code varies depending on the assumptions you can make about request objects in your runtime flow. For example, an STSUU typically contains one or more attributes in the Principal, AttributeList , or ContextAttributes sections of the STSUU.
If it does not contain any attributes, it is an empty STSUU.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
var isEmptySTSUU = (
(stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() == 0) &&
(stsuu.getAttributeContainer().getNumberOfAttributes() == 0) &&
(stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() == 0));
if (!isEmptySTSUU) {
// rest of your normal runtime mapping rule logic goes here
.......
}Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding = true
Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
Example for a federation with the ID https://idp/sps/fed/saml20:
SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20 = true
Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true
Example for a federation with the ID https://idp/sps/fed/saml20 and its partner with the ID https://sp/sps/fed/saml20
SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20 = true
Default value: True
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
When at least one of the settings is false, add the macro @TOKEN:RelayState@ to the list of comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add the macro so that the RelayState is HTML-escaped in the authentication response.
Configuration example:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding = true
Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
Example for a federation with the ID https://sp/sps/fed/saml20:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20 = true
Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true
Example for a federation with the ID https://sp/sps/fed/saml20 and its partner with the ID https://idp/sps/fed/saml20:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20_https://idp/sps/fed/saml20 = true
Default value: True
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
The Tivoli Federated Identity Manager User Self Care (USC) feature sends a user enrollment validation email to complete the user enrollment process.
A link is included in the email that users must access to complete the enrollment process. The USC code indexes the outstanding user enrollment in the cache using a nonce value. The nonce value is added to the validation URL as a query string parameter.
The current USC only returns the nonce as part of the validation URL.
In some scenarios, you must access the nonce value without it being part of the validation URL.
To provide this flexibility, you can enable the USC email validation code to include two macros that you can use to generate the email content:
The SAML STS Modules validates that the token provided on the STS request is the correct type. The STS obtains the input token from either the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.
If multiple security headers are included on the SOAP envelop, Tivoli Federated Identity Manager selects the very first one that it finds even if the STS module configured to consume the token can handle the token type retrieved.
To enable the SAML STS modules to notify the STS of the expected token type so that the correct token is retrieved from the SOAP envelop headers, enable the following custom property:
sts.multiple.tokens.security.header.enabled=true
Back to Contents
The Tivoli Federated Identity Manager Security Trust Service (STS) chain does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message.
The RequestType value must be set to the value received on the request. The KeyType must be set to one of the values supported by WS-Trust based on an attribute on the STSUU structure.
To enable the ability to set the KeyType use the following sample xsl fragment:
<xsl:template match="//stsuuser:ContextAttributes">
<stsuuser:ContextAttributes>
<!-- Add the key type to the Request Security Token Response generated by the SAML module -->
<stsuuser:Attribute
name="RequestSecurityTokenResponse.KeyType"
type="urn:ibm:names:ITFIM:5.1:accessmanager">
<stsuuser:Value>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</stsuuser:Value>
</stsuuser:Attribute>
</stsuuser:ContextAttributes>
</xsl:template>
The new property RequestSecurityTokenResponse.KeyType
allows the administrator to set the KeyType
on theRequestSecurityTokenResponse.
In this scenario, the KeyType is set to: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey.
For more information about other valid values, see the WS-Trust specification from the OASIS Website.
Back to ContentsThe Tivoli Federated Identity Manager Kerberos STS module relies on the Java Security Kerberos Token Profile. The Kerberos Token Profile provides protection for the reuse of kerberos token. The feature is disabled by default.
To enable the feature, the customer must set the following runtime custom property:
kerberos.one.time.use.enabled = true
Regardless of the setting provided, the Kerberos Token Profile code will enforce one-time use if
the APReq token context replay detection flag is set. A system property of "com.ibm.security.ktp.replayDetection" has been added to disable the replay detection. For example, -Dcom.ibm.security.ktp.replayDetection=off
will force the KerberosTokenConsumer not to perform the replay detection.
The Trust Service custom property must add the new custom property.
Default value: True
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing an Authentication Login Form for Single Sign On, under the sub-section Supported Macros for Customizing an Authentication Login Form, the following new row is added into Table 2 (Supported SAML Protocol Macros) as the third row:
Macro |
Query String Parameter Name |
Description |
|---|---|---|
%SPRELAYSTATE% |
SPRelayState |
Supported for SAML 2.0 only |
In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, the fifth step to configure WebSphere Application Server is changed into:
5. Associating shared library
You must associate the shared library with web service provider and requester applications before the shared library can be used by these applications.
In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, a new sub-section that describes methods to associate the shared library with web service applications is added right after the section Configuring for a Cluster Environment. The content of this sub-section is:
Associating shared library
You must associate the shared library with web service provider and requester applications before the shared library can be used by these applications. Use any of the following methods:
1. Associating shared library with an application.
2. Associating shared library with a server.
Under the above sub-section Associating Shared Library, a new sub-sub-section that describes the method to associate the shared library with a web service application is added as the first sub-sub-section. The content of this sub-sub-section is:
Associating shared library with an application
This method associates the shared library with a specified application. All the applications that use the shared library must follow this procedure:
1. Start the WebSphere® Application Server administrative console and log in, if necessary.
Note: Ensure that you are using the administrative console associated with the application server where the Web services security management component is installed.
2. Click Applications > Enterprise Applications > application_name > Shared library references in the console navigation tree to access the Shared library references page.
3. On the Shared library references page, select an application or module that you want to associate with the shared library.
4. Click Reference shared libraries.
5. On the Shared Library Mapping page, select the ITFIM_WSSM shared library in the Available list, click >> to add them to the Selected list, and click OK.
6. On the Shared library references page, click OK.
7. Save the changes to the configuration.
In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, the sub-section Configuring the Class Loader is moved under the above sub-section Associating Shared Library as the second sub-sub-section. Furthermore, the content of this sub-sub-section is changed into:
Associating shared library with a server
This method associates the shared library with a specified server. The shared library is associated with all the applications in the server.
NOTE: Do not use this method if Federated Single Sign On is configured in the same WebSphere Application Server.
1. Start the WebSphere® Application Server administrative console and log in, if necessary.
Note: Ensure that you are using the administrative console associated with the application server where the Web services security management component is installed.
2. Click Servers > Application Servers and select the server associated with your application, such as server1.
3. In the Server Infrastructure pane, expand the Java and Process Management container, and click Class loader.
4. Click New.
5. Do not make any changes. Click Apply.
6. In the Additional Properties pane, click Shared Library references.
7. Click Add to specify a shared library.
8. In the Library name field, select the ITFIM_WSSM shared library previously defined, and click OK.
9. In the Messages pane at the top of the Application Servers window, click Save to commit your changes.
The kerberos STS module can enforce one time use of Kerberos tokens. The functionality is disabled by default and is only available to standalone WebSphere environments. No cluster support is provided at this time.
To enable this support set the following custom property:
kerberos.one.time.use.enabled = true
Once enabled, the Tivoli Federated Identity Manager Kerberos STS Module enforces a one time use of Kerberos tokens during validation. Once validated, any subsequent validation call for the same Kerberos token will fail.
Back to ContentsThe Point of Contact implementations shipped by Tivoli Federated Identity Manager rely on some state information populated on the HTTP session object.
In some instances, the customers improperly setup their Tivoli Federated Identity Manager environments where the HTTP session information is not accessible by the TFIM code. This is primarily caused by:
When the HTTP session information is not accessible, the error FBTSPS061E occurs when the browser is redirected to /wssoi for authentication during a single sign-on flow.
The fix for this APAR is to add traces that includes some of the above debug pointers to help troubleshooters identity the cause of the issue.
Back to ContentsThe IvCred STS Module has been enabled to consume and validate ivcred tokens that corresponds to an unauthenticated user. The modification done as part of this fix will allow for two modes of operation.
For behavior #1 (Default), the STS module generates an error if a token received corresponds to an unauthenticated user. The error is the following:
FBTSTS015E The IV-Cred binary token is invalid or not present.
For Behavior #2 the IvCred STS Module can be configured to map the unauthenticated user token to a special user account that can be configured. The user account selected must be considered as a low entitlements or guest account.
The IVCRED STS module adds an unauthenticated user name to the universal user structure.
To enable behavior #2 add the following custom property:
ivcred.unauthenticated.user.name=myusername
where myusername is the user name value to use for mapping.
The following additional properties can also be provided to describe the user account to map to when using behavior #2:
ivcred.unauthenticated.user.registry.id
ivcred.unauthenticated.user.uuid
ivcred.unauthenticated.user.registry.id to include the registry id of the account and ivcred.unauthenticated.user.uuid to indicate the unique id for the user account.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Property for the Trust Service, the following new custom property is added:
STS.validateMappingRulesSpecifies whether the mapping rule is validated when it is imported using the console or the command line interface. If the STS.validateMappingRules parameter is specified, and the value is equal to the string "false", ignoring the case, then the mapping rule is not validated. Otherwise, the mapping rule is validated.
Value type: booleanExample value: falseIn the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Property for Transport Security Protocol, the list of supported protocols is updated. The following sentence:
where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1.
is updated into:
where PROTOCOL refers to one of the protocols supported by the Java Secure Socket Extension used by the underlying WebSphere Application Server. Examples: SSL, TLS, and SSL_TLS. NOTE: The protocol examples might not necessarily be supported.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the topic Sample identity mapping rules for SAML
federations > Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 21. STSUUSER entries used to generate a SAML token (using an alias):
[STSUU Element] Attribute: AudienceRestriction
[SAML Token Information] The audience of the audience restriction condition.
[Required] Optional
Under the same topic, it states:
3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be some custom attributes required by applications that will make use of information to be transmitted between federation partners.
It should state:
3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.
4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be some custom attributes required by applications that makes use of information to be transmitted between federation partners
In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying trust service chain properties > About this task, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Identity Manager from the IBM community blogs.
In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying chain module properties > About this task, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.
In the IBM Tivoli Federated Manager Configuration Guide, under the topic SAML 2.0->Profiles->Web browser single sign-on->Message initiation, it states:
The message flow can be initiated from the identity provider or the service provider.
It should state:
The message flow can be initiated from the identity provider or the service provider. When the message flow is initiated from the identity provider, a RelayState parameter can be provided in the unsolicited response delivered by the identity provider to the service provider. This parameter will contain the URL encoded value of the Target element provided in the single sign-on service initial URL (identity provider).
In the IBM Tivoli Federated Manager Configuration Guide, under the topic URLs for initiating SAML single sign-on actions > SAML 2.0 profile initial URLs > Single sign-on service initial URL (identity provider) >
Syntax for initiating single sign-on at the identity provider states:
https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]
It should state:
https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]&Target=target_application_location
Another element will also be added to Elements in the same topic
Target: This will be URL encoded and set as the value of the RelayState parameter provided in the unsolicited response delivered by the identity provider to the service provider. A Tivoli Federated Identity Manager Service Provider interprets this value as the URL of the application that a user can log in to using single sign-on.
Back to Contents
If a TDI configuration instance cannot be loaded by the TDI mapping module (for any reason), a NullPointerException exception was thrown. This APAR causes failures to be reported gracefully and adds more tracing capability to help determine the root cause of configuration instance loading issues.
Back to Contents
Attempts to use Oracle database for TFIM alias service displayed errors like:
com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException:
PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match
the datasource connected to.
To fix this, you must perform additional steps after installing the Fix Pack (assume on UNIX-based system):
If you receive subsequent fixpacks, or anything that alters the deployed itfim.ear, you must do step 1 again.
Back to ContentsA new English-only message has been added to include more request information in the error log when a SAML artifact resolution failure occurs. This message will only be enabled if the following runtime custom property is set:
SAML.AllowDebugMessages=true
SAML 1.x artifact resolution error responses will now include the InResponseTo attribute if a correctly formatted request that is received contains a request ID.
Back to ContentsThis fix addresses a problem with validating SAML assertions that do not contain a NameID Format attribute.
Back to ContentsThis fix is needed for customers using Tivoli Federated Identity Manager 6.2.1 OpenID service provider federations with OpenID identity providers that only support HTML discovery.
Back to ContentsThis fix addresses a NullPointerException that can occur in the Tivoli Federated Identity Manager console if the XSLT mapping module is selected for a federation but no mapping rule is specified.
Back to ContentsIf the SAML metadata of your partner contains service URLs that begin with a non-zero index, Tivoli Federated Identity Manager will now preserve the index that was used for the URL as contained in the original partner's metadata.
Back to ContentsThis fix addresses a problem with reverse migration of TFIM alias service entries to pre-6.2.1 compatibility when the TAM LDAP DN of your user is more than one level below the suffix entry in LDAP.
Back to ContentsThis fix allows Tivoli Federated Identity Manager to receive SAML browser-POST messages for either SAML 1.x or SAML 2.0 even if the locale of the locale machine is not a UTF-8 compatible character set.
Back to ContentsThis fix corrects erroneous behaviour caused by invalid object caching in user session or distributed maps.
Back to ContentsFor SAML 2.0 service providers setups to enable the ProviderName on the AuthnRequest, set the following custom property:
SAML20.authn.request.provider.name.enabled = true
Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the identity provider contains a SAML Assertion that does not include a Issuer value.
Back to ContentsAfter the installation of the Tivoli Federated Identity Manager Management Console the fixpack install appears to complete but the console does not function correctly. This problem is not common but has occurred on some systems. Some of the symptoms are:
For SAML 2.0 identity provider scenarios, or other STS scenarios which issue SAML 2.0 assertions you can now override the Recipient attribute in SubjectConfirmationData for bearer subject confirmation method by setting an attribute in the ContextAttributes section of the STSUniversalUser in your mapping rule. An example of this attribute will look like:
SAML2.AlwaysValidateBearerSubjectConfirmationData = true
Tivoli Federated Identity Manager provides the option of running on a FIPS complaint environment. After FIPS is enabled, use the TLS SSL connection factory when running the tfimcfg.jar tool. Specify the -sslfactory TLS command parameter when running tfimcfg to configure the Tivoli Access Manager environment. For example:
java -jar tfimcfg.jar -action tamconfig -cfgfile /opt/pdweb/etc/webseald.conf -sslfactory TLS
The Tivoli Federated Identity Manager, by default, adds a clock skew of 60 seconds when validating the SAML assertion timestamps. To disable the 60 seconds by default, add the following custom property:
saml.use.legacy.clockskew.default = false
TFIM running on some of the latest version of the WebSphere Application Server might produce metadata that is not properly formatted for the SAML 2.0 single sign on profile. The EncryptionMethod element on the metadata will define a namespace prefix that has been already defined on the document.
Back to ContentsThe Tivoli Federated Identity Manager SAML 2.0 SPS Module allows the customer to specify a default name id format to use when one is not specified. At the Service Provider that value is use to determine the type of treatment that will be done to a unspecified name id format that is received on a SAML assertion.
By default TFIM treats an unspecified name id formats as persistent name id. The SAML 2.0 STS module processes the assertion name identifier with a unspecified name id format according to the value configured on the default name id format configuration selection.
Back to ContentsThis workaround ensures that Tivoli Federated Identity Manager Management Console portlet pages can be displayed when the Management Console is installed in WebSphere Application Server 7 Fix Pack 11.
Back to ContentsThis fix ensures that the WS-Trust v1.3 response returned for a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only 1 status code that contains a URI value belonging to the WS-Trust v1.3 specification.
Back to ContentsStringIndexOutOfBoundException error is handled when invalid ValidationKeyIdentifier or EncryptionKeyIdentifier is specified in the create partner response file.
Back to ContentsTivoli Federated Identity Manager provides the option of running on a FIPS complaint environment. After FIPS is enabled, the TLS SSL connection factory needs to be used when running the tfimcfg.jar tool. Specify the -sslfactory TLS command parameter when running tfimcfg to configure the Tivoli Access Manager environment. For example:
java -jar tfimcfg.jar -action tamconfig -cfgfile /opt
/pdweb/etc/webseald.conf -sslfactory TLS
From the updated Tivoli Federated Identity Manager Configuration Guide, the steps are:
None.
Issue:
Patch installation fails when FIPS is enabled for WebSphere Application Server where Tivoli Federated Identity Management is deployed.Workaround:
Before installing the patch, disable FIPS for WebSphere Application Server where Tivoli Federated Identity Management is deployed.This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux® is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, and service names may be trademarks or service marks of others.
End of the IBM® Tivoli® Federated Identity Manager 6.2.1-TIV-TFIM-FP0006.README file.