I am working on configuring Web SSO using SAML2 on WebSphere Application Server with PingFederate as IDP.
What I have done is,
I can see that a SAML response is sent from the IDP to WebSphere, and the server sends a successful response, but I cannot figure out why users are not redirected to the target URL. I have set the debug level to fine and cannot find any error. Additionally, the error URL also does not work.
After I add "&TARGET=TARGETURL" to the SSO link, it redirects the user to "TARGETURL" after the SAML SSO; however, the relay state should be handled by the SP rather than the IDP.
I wonder whether I made some mistakes or missed some configurations that caused this issue.
Also, I uploaded part of the trace log, which should be the part where it receives the SAML response from the IDP.
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo > preInvoke Entry
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo < preInvoke Exit
<null>
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo > preInvoke Entry
com.ibm.ws.webcontainer.srt.SRTServletRequest@99083b5f
com.ibm.ws.webcontainer.srt.SRTServletResponse@f46dafbe
samlsps
default_host
IBMWebSphereSamlACSListenerServlet
true
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 Http Header names and values:
Host=[localhost:9443]
Connection=[keep-alive]
Content-Length=[3361]
Cache-Control=[max-age=0]
sec-ch-ua=["Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"]
sec-ch-ua-mobile=[?0]
sec-ch-ua-platform=["Windows"]
Upgrade-Insecure-Requests=[1]
Origin=[https://localhost:9031]
Content-Type=[application/x-www-form-urlencoded]
User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36]
Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9]
Sec-Fetch-Site=[same-site]
Sec-Fetch-Mode=[navigate]
Sec-Fetch-Dest=[document]
Referer=[https://localhost:9031/]
Accept-Encoding=[gzip, deflate, br]
Accept-Language=[en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7,zh-CN;q=0.6]
Cookie=[PF=slGINjz4m5kSL7gpbfdUlA]
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 Request Context Path=/samlsps, Servlet Path=, Path Info=/acs
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo > <init> Entry
<null>
<null>
<null>
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo < <init> Exit
com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat > SetUnauthenticatedSubjectIfNeeded Entry
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat 3 Invoked and received Subject are null, setting it anonymous/unauthenticated.
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat < SetUnauthenticatedSubjectIfNeeded:true Exit
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat 3 com.ibm.ws.security.web.WebCollaborator.WebComponentMetaData attribute is set.
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 WebComponentMetaData
com.ibm.ws.webcontainer.metadata.WebComponentMetaDataImpl@476b7334[WebSphereSamlSP#WebSphereSamlSPWeb.war#IBMWebSphereSamlACSListenerServlet]
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke pushing app name WebSphereSamlSP
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo 3 Setting pushed security to "true" for: com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke
app_name=WebSphereSamlSP isAdminApp=false isAppSecurityOn=false
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke
Skip authorization for non-system apps when app security is disabled.
[21-9-21 15:38:53:461 EDT] 000000d9 IBMWebSphereS > handleRedirect Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 samlres[not null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 target[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 RelayState[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS > getTarget(relayStateUri[null],decodeURL[true] Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 The RelayState is not a URL. target URL.
[21-9-21 15:38:53:467 EDT] 000000d9 IBMWebSphereS < handleRedirect Exit
[21-9-21 15:38:53:467 EDT] 000000d9 EJSWebCollabo > postInvoke Entry
com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:467 EDT] 000000d9 EJSWebCollabo 3 Resetting invoked: null and received: nullsubjects
[21-9-21 15:38:53:468 EDT] 000000d9 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo 3 postInvoke popped resource WebSphereSamlSP of type Application
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo < postInvoke Exit
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo > postInvoke Entry
<null>
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo < postInvoke Exit
After I enabled app security, I am redirected to the login.errorUrl. In the log I can see that WebSphere received the SAML response, but somehow it cannot handle it. I think I have uploaded the signer certificate to WebSphere and set "trustAnysigner" to "true". Here is part of the log:
[21-9-22 15:05:07:971 EDT] 000000c0 ACSTrustAssoc 3 Sending redirect
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < createTAIErrorResult Exit
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc 3 SAMLResponse could not be verified. Auto Re-login.
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < invokeTAIbeforeSSO:null Exit
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < negotiateValidateandEstablishTrust returns [not null] Exit
[21-9-22 15:05:07:972 EDT] 000000c0 TAIWrapper < negotiateAndValidateEstablishedTrust(): status code = 403 Exit
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica < Exiting with TAI_CHALLENGE Exit
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica 3 result status is 5
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica < authenticate Exit
AuthenticationResult.TAI_CHALLENGE
[21-9-22 15:05:07:972 EDT] 000000c0 WebCollaborat 3 isAuthenticate is false
[21-9-22 15:05:07:972 EDT] 000000c0 WebRequestImp > getAppVHost Entry
[21-9-22 15:05:07:972 EDT] 000000c0 WebRequestImp < getAppVHost Exit
appVHost=default_host
isVHostAndContextRootSet=true
[21-9-22 15:05:07:972 EDT] 000000c0 WebCollaborat > validSecAttrs Entry
default_host:samlsps
/acs
POST
false
WebSphereSamlSP
com.ibm.ws.webcontainer.srt.SRTServletRequest@5ae9cdc7
default_host
false
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache > getWebAccessContext Entry
WebSphereSamlSP
default_host:samlsps
false
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache 3 Okay, I found the entry for [WebSphereSamlSP:default_host:samlsps]
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache < getWebAccessContext Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont > WebAccessContext with ServletMap Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont < WebAccessContext with ServletMap Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint > getConstraints: Entry
/acs
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 webConstraintsTable.length = 1
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > isStandardHTTPMethod Entry
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < isStandardHTTPMethod Exit
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 Looking at webResourceCollectionConstraints with URL patterns:
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 url: /*
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > matches Entry
/acs
POST
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[0]: GET
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[1]: PUT
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[2]: HEAD
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[3]: TRACE
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[4]: POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is in methodList, returning true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > isStandardHTTPMethod Entry
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < isStandardHTTPMethod Exit
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http omission methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is not in methodList, returning false
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 -- Checking methods --
validateAllMethods: false existMethodsList :true memberOfMethodList :true isStandardHTTPMethod :true allowCustomHTTPMethods :true
existOmissionMethodsList :false memberOfOmissionMethodList :false
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[0]: GET
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[1]: PUT
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[2]: HEAD
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[3]: TRACE
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[4]: POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is in methodList, returning true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 Checking URL: /*
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < matches (PathName) : /* Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint < getConstraints not null Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > unprotectedSpecialURI Entry
webAppName[WebSphereSamlSPWeb]
isProtected[true]
realm[Default Realm]
challengeType[BASIC]
authMechanism[LTPA]
SSLEnabled[false]
SSOEnabled[true]
secureSSO[false]
defaultToBasic[false]
LTPACookieName[LtpaToken]
loginCookieName[null]
CookieSuffix[null]
/acs
POST
REQUEST
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < unprotectedSpecialURI Exit
<null>
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < validSecAttrs Exit
<null>
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 List of required roles for uri /acs is:
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 required role: WebSphereSamlAcsRole
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp > getAppContextRoot Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp < getAppContextRoot Exit
appContextRoot=samlsps
isVHostAndContextRootSet=true
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp > getAppVHost Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp < getAppVHost Exit
appVHost=default_host
isVHostAndContextRootSet=true
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > isURIBoundByConstraint Entry
WebSphereSamlSP
samlsps
default_host
/acs
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache > getWebAccessContext Entry
WebSphereSamlSP
default_host:samlsps
false
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache 3 Okay, I found the entry for [WebSphereSamlSP:default_host:samlsps]
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache < getWebAccessContext Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont > WebAccessContext with ServletMap Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont < WebAccessContext with ServletMap Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint > existsExactMatchURI Entry
/acs
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 webConstraintsTable.length = 1
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint < existsExactMatchURI : no match, returning false Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < isURIBoundByConstraint Exit
false
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 isURIBound for uri: /acs: false
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 securityConstraints for uri /acs are: com.ibm.ws.security.web.WebResourceCollectionConstraints@393f3b2b
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 URI - /acs.POST is protected
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 Saving previous subject null
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > checkAuthStatus Entry
AuthenticationResult.TAI_CHALLENGE
webAppName[WebSphereSamlSPWeb]
isProtected[true]
realm[Default Realm]
challengeType[BASIC]
authMechanism[LTPA]
SSLEnabled[false]
SSOEnabled[true]
secureSSO[false]
defaultToBasic[false]
LTPACookieName[LtpaToken]
loginCookieName[null]
CookieSuffix[null]
[21-9-22 15:05:07:974 EDT] 000000c0 TAIChallengeR > TAIChallengeReply(403) Entry
[21-9-22 15:05:07:974 EDT] 000000c0 TAIChallengeR < TAIChallengeReply() Exit
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat 3 TAI authentication challenge - sending 403
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat < checkAuthStatus 3 Exit
com.ibm.ws.security.web.TAIChallengeReply@54049520
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat < authorize Exit
com.ibm.ws.security.web.TAIChallengeReply@54049520
[21-9-22 15:05:07:974 EDT] 000000c0 EJSWebCollabo > handleException Entry
com.ibm.ws.webcontainer.srt.SRTServletRequest@5ae9cdc7
com.ibm.ws.webcontainer.srt.SRTServletResponse@25d3a5e1
com.ibm.ws.security.web.WebSecurityException
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:451)
at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:436)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1101)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4219)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.handleRequest(WebAppImpl.java:2210)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1030)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:289)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1187)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:768)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:464)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:1137)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:87)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 Response is already committed
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 com.ibm.websphere.security.allow.committed.response is false
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 handleException popped resource WebSphereSamlSP of type Application
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed admin value "false" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < handleException Exit
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo > postInvoke Entry
com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 Resetting invoked: null and received: nullsubjects
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 postInvoke popped null resource
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < postInvoke Exit
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo > postInvoke Entry
<null>
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < postInvoke Exit
How is the targetUrl configured on the WAS side? There are three different ways that WAS can determine its targetUrl. In order of precedence:
The following trace specification will show details about how the targetUrl is being determined:
=info:com.ibm.ws.security.web.=all:com.ibm.ws.security.saml.=all:com.ibm.websphere.wssecurity.=all:com.ibm.ws.wssecurity.=all:com.ibm.ws.wssecurity.platform.audit.=off
If you have a trace with that specification please feel free to upload it here and I'd be happy to take a look as well.
Also just as a side-note, I would recommend updating to the latest WAS fixpack if possible. There have been some logging improvements to the SAML runtime that might be helpful for this type of situation.
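As an added example (not part of the question or the answer, and not IBM code), here is a small triage script that groups the kind of trace lines shown above by thread id and maps them to the two symptoms in the question: the ACS receiving a SAMLResponse with neither RelayState nor TARGET (nowhere to redirect), and the TAI rejecting the response ("SAMLResponse could not be verified", 403). It assumes the line prefix format seen in the trace ('[timestamp] thread component level message'); the sample excerpt is constructed from the question's lines.

```python
"""Triage WebSphere SAML TAI trace lines. Assumes the prefix format
'[ts] thread component level message' seen in the question; the message
texts matched are the ones visible in the question's trace."""
import re
from collections import defaultdict

# Prefix of a WAS trace line: timestamp, 8-hex thread id, component, level marker (>, <, 3), message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<comp>\S+)\s+(?P<lvl>[<>\d])\s+(?P<msg>.*)$")
# 'name[value]' pairs logged by IBMWebSphereS handleRedirect.
KV_RE = re.compile(r"^(?P<key>samlres|target|RelayState)\[(?P<val>[^\]]*)\]$")
# TAIWrapper exit line carrying the HTTP status chosen for the TAI challenge.
STATUS_RE = re.compile(r"status code = (?P<code>\d+)")

# Constructed excerpt modeled on the two traces in the question.
SAMPLE = """\
[21-9-21 15:38:53:460 EDT] 000000d9 IBMWebSphereS > handleRedirect Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 samlres[not null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 target[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 RelayState[null]
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc 3 SAMLResponse could not be verified. Auto Re-login.
[21-9-22 15:05:07:972 EDT] 000000c0 TAIWrapper < negotiateAndValidateEstablishedTrust(): status code = 403 Exit
AuthenticationResult.TAI_CHALLENGE
"""

def parse_trace(text):
    """Collect SAML-relevant facts per thread id; continuation lines lack the prefix and are skipped."""
    facts = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, comp, msg = m["thread"], m["comp"], m["msg"].strip()
        kv = KV_RE.match(msg)
        if comp.startswith("IBMWebSphereS") and kv:
            facts[thread][kv["key"]] = None if kv["val"] == "null" else kv["val"]
        elif "SAMLResponse could not be verified" in msg:
            facts[thread]["verify_failed"] = True
        elif comp.startswith("TAIWrapper") and (s := STATUS_RE.search(msg)):
            facts[thread]["tai_status"] = int(s["code"])
    return dict(facts)

def diagnose(f):
    """Map one thread's facts to the symptom it shows."""
    if f.get("verify_failed"):
        return "response-not-verified"  # SP could not validate the IdP signature/trust: check signer cert
    if "samlres" in f and f.get("target") is None and f.get("RelayState") is None:
        return "no-target"  # response accepted but no RelayState and no TARGET: SP has nowhere to redirect
    return "ok"

def triage(text):
    return {thread: diagnose(f) for thread, f in parse_trace(text).items()}

if __name__ == "__main__":
    for thread, verdict in triage(SAMPLE).items():
        print(thread, verdict)
```

Run it over a trace captured with the specification quoted in the answer to see, per request thread, whether the response was rejected or simply arrived without a target.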