Fix (APAR): PI47842
Status: Fix
Release: 8.0.0.11
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 280268
Date: 2015-09-04

Abstract: When doing IdP-initiated SSO, if a RelayState isn't in the SAMLResponse, the authentication will fail

Description/symptom of problem:
PI47842 resolves the following problem:

ERROR DESCRIPTION:
When a SAMLResponse is received from an IdP in a traditional IdP-initiated SSO scenario, the SAMLResponse will fail to validate due to the absence of a RelayState parameter.

LOCAL FIX:
Configure IdP to set a RelayState parameter

PROBLEM SUMMARY
USERS AFFECTED: IBM WebSphere Application Server administrators of SAML Web Single Sign-On
PROBLEM DESCRIPTION: IdP-initiated SAML SSO fails when no RelayState in SAMLResponse
RECOMMENDATION: Install an interim fix or fix pack that contains this APAR.

In the SAML Web Single Sign-On (SSO) Trust Association Interceptor (TAI), if a SAMLResponse that does not contain a RelayState parameter is received from an identity provider (IdP), the authentication will fail.

This error only occurs in WebSphere Application Server v8.0, fixpack 8.0.0.11 and v8.5, fixpack 8.5.5.7. This error does not occur in WebSphere Application Server v7.

PROBLEM CONCLUSION:
The SAML Web SSO TAI is updated so that an error does not occur when a SAMLResponse that does not contain a RelayState is received from an IdP.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.12 and 8.5.5.8. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 8.0
_X_ Application Server (Express or BASE)
_X_ Network Deployment (ND)
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.
Special Instructions: None

NOTE:
The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information: