Fix (APAR): PI34548
Status: Fix
Release: 8.5.5.6
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 294029
Date: 2015-07-23

Abstract: URL fragments may be removed when requests are processed by the SAML web SSO TAI

Description/symptom of problem:
PI34548 resolves the following problem:

ERROR DESCRIPTION:
When a request containing GET parameters in the URL is processed by the SAML web single sign-on (SSO) trust association interceptor (TAI) and requires a redirect to an identity provider (IdP) login page, the parameters from the request will be lost by the time the browser successfully authenticates with WebSphere.

LOCAL FIX:
N/A

PROBLEM SUMMARY
USERS AFFECTED: IBM WebSphere Application Server users of SAML web single sign-on

PROBLEM DESCRIPTION: GET parameters in a SAML Web SSO request may be deleted by the ACSTrustAssociationInterceptor.

RECOMMENDATION: Install a fix pack that contains this APAR.

When a user requests a web page whose URL carries a fragment, and the user is not yet authenticated and must be authenticated via the SAML web single sign-on TAI, the fragment may be lost after the user is authenticated. For example:

A user requests https://example.com/home?lang=en-us#!/somePage
The user is not authenticated, so the authentication process occurs.
After authentication, instead of https://example.com/home?lang=en-us#!/somePage, https://example.com/home is displayed.

PROBLEM CONCLUSION:
The SAML TAI preserves the requested URL before redirecting the user to the identity provider (IdP). However, the browser never sends the fragment to the server, so it is not part of the request URL that the TAI preserves, and it is lost after the user is authenticated. The SAML TAI is updated to use JavaScript to restore the originally requested web page after the user is authenticated.

The following SAML TAI custom properties are added:
redirectToIdPonServerSide
sso_.sp.redirectToIdPonServerSide

Valid values are true and false. The default value is true.
redirectToIdPonServerSide applies to all service providers (SPs), and sso_.sp.redirectToIdPonServerSide applies to a specific SP. When either of these values is set to false for the active SP, the TAI performs a client-side redirect instead of a server-side (HTTP 302) redirect.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.7. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 8.5
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level as when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shutdown WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shutdown WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shutdown WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
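The following is an added example and not IBM's or WebSphere's code; the TAI's actual script and where it parks the fragment are not published on this page. It is a Node.js model of the two redirect modes described under PROBLEM CONCLUSION: it assumes that in server-side mode the TAI records exactly the path and query it received (so only the fragment is lost), that the client-side page parks the fragment in sessionStorage under a made-up key "saml.fragment", and that the IdP login URL and the jsStringLiteral helper are illustrative. It shows why a 302 cannot carry the fragment, what a client-side redirect page needs to do, and the escaping required when a URL is embedded in an inline script.

```javascript
// Added example, not WebSphere or IBM code: a model of the two SAML TAI
// redirect modes. Assumptions: the server-side mode stores exactly the path
// and query it received; the client-side page parks the fragment in
// sessionStorage under the made-up key "saml.fragment".

// The browser never sends the fragment on the wire, so this is all a server
// can reconstruct from the request line and Host header.
function requestTarget(fullUrl) {
  const u = new URL(fullUrl);
  return u.origin + u.pathname + u.search;
}

// redirectToIdPonServerSide=true: the TAI records what it saw, answers 302 to
// the IdP, and after the ACS POST redirects to the recorded URL. Whatever was
// after "#" in the browser's address bar is gone by then.
function serverSideLanding(originalUrl) {
  return requestTarget(originalUrl);
}

// Embed a string in an inline <script>: JSON.stringify yields a JS string
// literal, and escaping "<" keeps a "</script>" inside the value from
// terminating the script element early.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// redirectToIdPonServerSide=false: instead of a 302, the TAI serves a page.
// Only the browser knows window.location.hash, so the script parks it before
// navigating to the IdP. location.replace keeps this page out of history.
function clientRedirectPage(idpLoginUrl) {
  return [
    '<!DOCTYPE html><html><body><script>',
    'sessionStorage.setItem("saml.fragment", window.location.hash);',
    'window.location.replace(' + jsStringLiteral(idpLoginUrl) + ');',
    '</script></body></html>',
  ].join('\n');
}

// After the IdP posts the SAMLResponse to the ACS, the TAI serves this page,
// which re-attaches the parked fragment to the URL the server recorded.
// The parked value is only ever appended to a server-chosen URL, never used
// as a navigation target on its own.
function postAuthPage(storedUrl) {
  return [
    '<!DOCTYPE html><html><body><script>',
    'var frag = sessionStorage.getItem("saml.fragment") || "";',
    'sessionStorage.removeItem("saml.fragment");',
    'window.location.replace(' + jsStringLiteral(storedUrl) + ' + frag);',
    '</script></body></html>',
  ].join('\n');
}

// Pure model of what the two pages compute, so the flow can be checked
// without a browser: location.hash is taken from the original URL.
function clientSideLanding(originalUrl) {
  const parked = new URL(originalUrl).hash;   // "#!/somePage" or ""
  const stored = requestTarget(originalUrl);  // what the server recorded
  return stored + parked;
}

// Constructed sample input, taken from the example in the problem summary.
const demoUrl = 'https://example.com/home?lang=en-us#!/somePage';
console.log('server-side landing:', serverSideLanding(demoUrl));
console.log('client-side landing:', clientSideLanding(demoUrl));
```

Two points worth checking in any client-side redirect page of this kind: the IdP URL and the recorded URL are interpolated into script text, so they must be emitted as escaped string literals (a raw "</script>" in a query parameter would otherwise break out of the script element), and the restored fragment is only ever appended to the URL the server itself recorded, so a value the browser parked cannot turn the restore step into an open redirect.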