IBM Support

PI24503: A SAML TOKEN CANNOT BE SENT IN A RESPONSE MESSAGE.


APAR status

  • Closed as program error.

Error description

  • Customer wants to send a signed SAML token as part of a
    JAX-WS response message.  When the policy and bindings are
    configured to do so, no error occurs, but the response message
    does not contain a SAML token.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  developers of WS-Security enabled JAX-WS    *
    *                  applications and SAML                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: If a JAX-WS WS-Security policy          *
    *                      includes a SAML response token, the     *
    *                      response message does not contain a     *
    *                      SAML token.                             *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When a JAX-WS WS-Security policy is configured to include a
    SAML token in the response message, the response message will
    not contain the SAML token.
    No errors will occur on the provider, but the client will
    generate an error because the required SAML token is not in
    the response message.
    

Problem conclusion

  • Originally, the JAX-WS WS-Security runtime was not designed to
    return SAML tokens in response messages.  Scenarios have been
    found where one or more SAML tokens are required in response
    messages.
    
    The JAX-WS WS-Security runtime is updated so that it can send
    SAML Bearer and Sender-Vouches tokens in response messages.  A
    SAML Holder-of-Key token cannot be sent in a response message.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.11 and 8.5.5.5.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
    Keywords: IBMWL3WSS, WSSEC, SAMLWSSEC
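
To confirm from a captured response whether the provider actually sent a token, the check below looks for SAML assertions in the wsse:Security header and reports each one's subject confirmation method. It is an added example, not IBM code; it assumes SAML 2.0 assertions placed unencrypted as direct children of wsse:Security, and the function names and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
CM_PREFIX = "urn:oasis:names:tc:SAML:2.0:cm:"


def saml_tokens_in_response(soap_xml):
    """Return one list of confirmation methods per SAML 2.0 assertion found in
    the wsse:Security header, e.g. [["bearer"]]. [] means no token was sent."""
    if "<!DOCTYPE" in soap_xml:
        # SOAP messages must not carry a DTD; refuse rather than parse it.
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(soap_xml)
    tokens = []
    for soap in SOAP_NS:
        header = root.find(f"{{{soap}}}Header")
        if header is None:
            continue
        for security in header.findall(f"{{{WSSE}}}Security"):
            for assertion in security.findall(f"{{{SAML2}}}Assertion"):
                # Keep only the short name: bearer, sender-vouches, holder-of-key
                methods = [sc.get("Method", "").rsplit(":", 1)[-1]
                           for sc in assertion.iter(f"{{{SAML2}}}SubjectConfirmation")]
                tokens.append(methods)
    return tokens


def _envelope(security_children):
    """Build a constructed SOAP 1.1 response around the given header content."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS[0]}">'
            f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">{security_children}'
            '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>')


# Constructed sample data (minimal, not schema-complete, not from a real server).
BEARER_ASSERTION = (
    f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed" Version="2.0">'
    '<saml2:Issuer>example-issuer</saml2:Issuer><saml2:Subject>'
    f'<saml2:SubjectConfirmation Method="{CM_PREFIX}bearer"/>'
    '</saml2:Subject></saml2:Assertion>')
RESPONSE_WITHOUT_TOKEN = _envelope("")               # symptom described above
RESPONSE_WITH_TOKEN = _envelope(BEARER_ASSERTION)    # behaviour expected after the fix

if __name__ == "__main__":
    print(saml_tokens_in_response(RESPONSE_WITHOUT_TOKEN))
    print(saml_tokens_in_response(RESPONSE_WITH_TOKEN))
```

An empty result on a response whose policy requires a SAML token matches the symptom in this APAR.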
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI24503

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-08-22

  • Closed date

    2014-12-04

  • Last modified date

    2015-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
28 April 2022