PM99786: POOR DIAGNOSTICS WHEN SAML TOKEN VALIDATION FAILS

Fixes are available

APAR status

Closed as program error.

Error description

When a SAML token is expired, the validation of the token will
fail.  The information required to determine the cause of the
failure is not provided in the returned error:

com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E:
Invalid SAML assertion.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  WS-Security enabled JAX-WS applications     *
*                  and SAML or SAML Web Single Sign On         *
****************************************************************
* PROBLEM DESCRIPTION: When a SAML token fails validation      *
*                      for schema or time-based issues, the    *
*                      information needed to fix the error     *
*                      is not returned.                        *
****************************************************************
* RECOMMENDATION:  Install a fix pack that contains this       *
*                  APAR.                                       *
****************************************************************
When validation of a SAML token fails because of schema or
time-based issues, there is not enough information in the
returned exception to determine the cause of the error.  Trace
also shows to be inadequate in many cases.  Most of the errors
return:
com.ibm.websphere.wssecurity.wssapi.WSSException: CWSML6010E:
Invalid SAML assertion.

Problem conclusion

The SAML code is updated to return more user-friendly errors
for schema and time-based errors.  27 new messages were added
to accomodate the new error handling. The CWSML6010E will
remain the same, but messages like the following examples will
be appended to it:

CWSML7001E: The NotOnOrAfter condition is out of range. The
NotOnOrAfter setting in the assertion is [{0}]. The current
time is [{1}]. The current clock skew setting is {2} minutes.

CWSML7013E: The [AttributeStatement] element does not contain
either [Subject] or [Attribute] sub-elements.  This condition
is not allowed.

CWSML7016E: The SAML 1.1 assertion being processed contains no
[ConfirmationMethod] elements.  At least one
[ConfirmationMethod] element must be present in the SAML
assertion to be processed successfully.

If using the
com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.newSA
MLToken API, the new errors will appear on
e.getCause().getMessage() .

==============
Additionally, new validations are put in place to ensure that
the SAML assertion is validated properly.  Most of the
updates are included because the original assertion
validation is incorrect.  One update in the SAML 1.1
processing is included because of WebSphere WS-Security
requirements for proper operation.

SAML 2.0 Updates:
=================

If a SAML 2.0 assertion is missing the Version attribute, the
following error will occur:
 //CWSML7003E: The Version attribute on the Assertion element
is missing or empty.

If a SAML 2.0 assertion has incorrect value for the Version
attribute, an error will occur.  An example
of an error when an incorrect Version value is encountered is:
 //CWSML7019E: The value for the Version attribute is not
supported. The Version attribute value in the assertion is
[1.1].  The value for the Version attribute in a SAML 2.0
assertion must be [2.0].

For a SAML 2.0 assertion, the NotBefore and NotOnOrAfter
attributes on the SubjectConfirmationData element are now
being validated.  Examples of the errors when the
SubjectConfirmationData is out of range are:
 //CWSML7020E: The [NotBefore] condition on the
[SubjectConfirmationData] element is out of range. The
NotBefore setting in the SubjectConfirmationData is
[2014-04-09T23:40:23.617Z]. The current time is
[2014-04-09T23:30:23.617Z]. The current clock skew setting is 3
minutes
 //CWSML7021E: The [NotOnOrAfter] condition on the
[SubjectConfirmationData] element is out of range. The
NotOnOrAfter setting in the SubjectConfirmationData is
[2014-04-09T23:44:23.617Z]. The current time is
[2014-04-09T23:47:25.458Z]. The current clock skew setting is
3 minutes

For a SAML 2.0 assertion, the Method attribute on the
SubjectConfirmation element is now being validated instead of
just making sure it exists.  An example of an error when an
incorrect value is encountered is:
 //CWSML7008E: The value [invalid:value] for the [Method]
attribute on the [SubjectConfirmation] element in the SAML
assertion is not valid.  The valid values are
[urn:oasis:names:tc:SAML:2.0:cm:bearer,
urn:oasis:names:tc:SAML:2.0:cm:sender-vouches,
urn:oasis:names:tc:SAML:2.0:cm:holder-of-key].

SAML 1.1 Updates:
=================

In order for the WebSphere SAML token validator to operate
properly with a SAML 1.1 assertion, a confirmation method is
required.  The confirmation method comes from the
ConfirmationMethod sub-selement of the SubjectConfirmation
element.  According to the SAML 1.1 schema, the
SubjectConfirmation element is not required.  So, although the
schema does not require a SubjectConfirmation element be
present in a SAML 1.1 assertion, the runtime will require a
ConfirmationMethod element, which in turn requires the
SubjectConfirmation element.

If a SAML 1.1 assertion does not contain at least one
ComfirmationMethod, the following error will occur:
 //CWSML7016E: The SAML 1.1 assertion being processed contains
no [ConfirmationMethod] elements.  At least one
[ConfirmationMethod] element must be present in the SAML
assertion to be processed successfully.

If a SAML 1.1 assertion does not contain an
AuthenticationInstant attribute on the
AuthenticationStatement, the following error will occur:
 //CWSML7006E: The [AuthenticationInstant] attribute on the
[AuthenticationStatement] element is missing or empty.  This
condition is not allowed.

For a SAML 1.1 assertion, the ConfirmationMethod element is
now being validated.  An example of an error when an incorrect
value is encountered is:
 //CWSML7009E: The value [invalid:value] for the
[ConfirmationMethod] sub-element of [SubjectConfirmation] in
the SAML assertion is not valid.  The valid values are
[urn:oasis:names:tc:SAML:1.0:cm:bearer,
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches,
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key].

For a SAML 1.1 assertion, the NameID and Subject elements in
the AuthenticationStatement are now being validated if they
exist.


The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.33, 8.0.0.9, and 8.5.5.2.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PM99786
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-10-23
Closed date
2014-01-15
Last modified date
2014-04-25

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R700 PSY
UP
R800 PSY
UP
R850 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022

Tips

PM99786: POOR DIAGNOSTICS WHEN SAML TOKEN VALIDATION FAILS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

R850 PSY

Document Information

Share your feedback

Need support?