Sun Java System SAML v2 Plug-in for Federation Services Release Notes

Known Issues and Limitations

This section describes known issues and workarounds, if available, at the time of release. It includes information for the following:

Uninstalling the SAML v2 Plug-in for Federation Services

After uninstalling the SAML v2 Plug-in for Federation Services, you must manually remove the base_dir\saml2 directory to complete the process.

SAML v2 Plug-in for Federation Services Patch 3 Release

The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the release of the SAML v2 Plug-in for Federation Services Patch 3.

Windows: Single Sign-On Failure Returns Page Not Found Error Instead of Single Sign On Failed

When single sign-on fails, a Page Not Found error is thrown rather than the Single Sign On Failed error thrown on Solaris versions of the software.

WORKAROUND: None

6574265

Modify web.xml When Installing SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5

After installing the SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5, the web.xml file has been unnecessarily modified: the following filter definition is commented out, which prevents access to the server after deployment. Uncomment the following code in the web.xml file.

<!--
<filter>
   <filter-name>amlcontroller</filter-name>
   <filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>
<filter-mapping>
   <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

WORKAROUND: The SAML v2 Plug-in for Federation Services installer will comment out this code again. To prevent this, edit the web.xml file in the staging directory AFTER installation is complete, and regenerate the WAR using the jar command.

Enable XML Encryption for Access Manager or Federation Manager using the Bouncy Castle JAR

If you want to enable the XML encryption feature and your web container is running JDK 1.4, or you are running IBM WebSphere (JDK 1.4 or 1.5) as your web container, follow this procedure to use Bouncy Castle to generate a transport key.


Note –

The Bouncy Castle Crypto API is a Java implementation of cryptographic algorithms.


  1. Download the Bouncy Castle provider from the Bouncy Castle web site.

    For example, if using JDK 1.4, download the bcprov-jdk14-136.jar.

  2. Copy the downloaded file to the jdk_root/jre/lib/ext directory.

  3. OPTIONAL: If using the domestic version of the JDK, download the appropriate JCE Unlimited Strength Jurisdiction Policy Files from java.sun.com.


    Note –

    If using IBM WebSphere, go to http://www.ibm.com to download additional required files.


  4. OPTIONAL: Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root/jre/lib/security directory.

  5. Edit the jdk_root/jre/lib/security/java.security file to add Bouncy Castle as one of the providers.

    For example, security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

  6. Set the com.sun.identity.jss.donotInstallAtHighestPriority property in the AMConfig.properties file to true.

  7. Restart the web container.

6344530

Web Browser Artifact Profile Fails When SAML v2 Plug-in for Federation Services Patch 3 Installed on Federation Manager and WebSphere

When Federation Manager is deployed in WebSphere Application Server, federation using the Web Browser Artifact Profile fails when the service provider attempts to send an artifact back to the identity provider.

WORKAROUND: You must override WebSphere's default SOAP factory by doing the following:

  1. Edit WebSphere's server.xml file (located in WebSphere-base/WebSphere/AppServer/config/cells/cell-name/nodes/node-name/servers/server-instance/) by replacing

    <jvmEntries xmi:id="JavaVirtualMachine_1" classpath="" bootClasspath=""
    verboseModeClass="false" verboseModeGarbageCollection="false"
    verboseModeJNI="false" runHProf="false" hprofArguments="" debugMode="false"
    debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777"
    genericJvmArguments="">

    with

    <jvmEntries xmi:id="JavaVirtualMachine_1" verboseModeClass="false"
    verboseModeGarbageCollection="false" verboseModeJNI="false"
    initialHeapSize="256" maximumHeapSize="256" runHProf="false"
    hprofArguments="" debugMode="false"
    debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777"
    genericJvmArguments="-Dcom.iplanet.am.serverMode=true">
    <classpath>/usr/share/lib/saaj-api.jar:/usr/share/lib/saaj-impl.jar</classpath>

    Note –

    The cell-name, node-name, and server-instance variables identify the name of the cell, node, and server in which Federation Manager is deployed.


  2. Restart the WebSphere instance.

6320498

saml2meta Does Not Return Error When -m Option is Used for Extended Metadata

When the -m option is used with the saml2meta command line interface to import extended metadata, it does not return an error message even though the -m option should be used for standard metadata imports only.

WORKAROUND: None. See The saml2meta Command-line Reference in Sun Java System SAML v2 Plug-in for Federation Services User’s Guide for correct usage and syntax.

6559482

saml2meta template Subcommand Throws Exception in Access Manager Single WAR Install

When the SAML v2 Plug-in for Federation Services is installed on an instance of Access Manager that was installed using the single WAR, saml2meta throws a MissingResourceException when using the template subcommand with the certificate alias option.

WORKAROUND: Edit saml2meta by appending war_staging_dir/WEB-INF/classes to the value of the AM_DIRS variable.

6563751

saml2meta Throws Exception When Access Manager or Federation Manager is SSL Enabled

When the Access Manager or Federation Manager server is SSL enabled, saml2meta throws a java.lang.NoClassDefFoundError exception.

WORKAROUND: Edit saml2meta by doing the following:

  1. Remove the ${BOOTCLASSPATHOPTION} option when running the java command for com.sun.identity.saml2.meta.SAML2Meta (line 123).

  2. Add the following properties when running the java command for com.sun.identity.saml2.meta.SAML2Meta (line 123).

    • -Djavax.net.ssl.trustStore=trust_store_path, where trust_store_path is the full path to the key store file.

    • -Djavax.net.ssl.trustStoreType=JKS, where JKS indicates a Java key store file containing the certificate authority certificates of the SSL certificate for the server's web container.

SAML v2 Logout Fails After a Session Upgrade

SAML v2 Logout fails after a session upgrade.

WORKAROUND: None

6563739

Extended Metadata Attribute Doesn't Work

The wantLogoutResponseSigned attribute in the extended metadata configuration file doesn't work.

WORKAROUND: None

6559732

SSO With POST Binding Fails if User Has No Attributes

SSO with POST binding fails if wantAttributeEncrypted is on but the identity provider user doesn't have any attributes.

WORKAROUND: Include at least one attribute if wantAttributeEncrypted is on.

6563280

Increase Directory Server Values When Installed on Federation Manager

After installing the SAML v2 Plug-in for Federation Services on an instance of Federation Manager running on Directory Server, increase the value of nsslapd-sizelimit (for example, to 4000) and set nsslapd-lookthroughlimit to unlimited (-1). This avoids hitting the Directory Server search size and look-through limits.

SAML v2 Plug-in for Federation Services Product Release

The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the initial release of the SAML v2 Plug-in for Federation Services.

SAML v2 Authentication Module is not Automatically Registered in Access Manager Legacy Mode

When installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, the SAMLv2 authentication module is not automatically enabled in the default organization.

Workaround: After installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, use the amadmin command line tool to load the following XML request file, which registers the SAMLv2 authentication module.

<Requests>
<OrganizationRequests DN="<root_suffix>">
   <RegisterServices>
       <Service_Name>sunAMAuthSAML2Service</Service_Name>
   </RegisterServices>
</OrganizationRequests>
</Requests>

This step is necessary for service providers only.

(6431995)

Exception Thrown During Installation if Web Container Has Not Been Started

If the underlying web container running an instance of Access Manager or Federation Manager is not started, a harmless exception concerning the creation of the circle of trust is thrown during installation of the SAML v2 Plug-in for Federation Services. The circle of trust is successfully created in the data store (flat file or LDAP) despite this message and the SAML v2 Plug-in for Federation Services will work correctly after the web container has been started.

Workaround: None

(6371281)

Schema Loading Fails on Sun Java System Federation Manager

When installing the SAML v2 Plug-in for Federation Services on the Solaris 8 Operating System (OS) or the Solaris 9 OS, set the LOAD_SCHEMA property in the saml2silent installation configuration properties file to false before running the saml2setup installer.

Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you must load the schema manually.

(6374746)

Exception Thrown During Single Sign-On on BEA WebLogic Server

During single sign-on (after a successful log in to the identity provider), an exception is thrown and written to the WebLogic Server logs. This is an issue related to the idpArtifactResolution.jsp.

Workaround: Remove or comment out the following lines in idpArtifactResolution.jsp:

out.clear();
out = pageContext.pushBody();

(6375283)

saml2setup Doesn't Generate Metadata Against Federation Manager Running on Microsoft Active Directory

By default, saml2setup uses amadmin as the administrator identifier to log in during installation. A deployment incorporating Federation Manager and Microsoft Active Directory requires a full distinguished name to be passed.

Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you can run saml2meta:

(6377631)

saml2setup Installs Older Mobile Access Packages

saml2setup installs old versions of the SUNWamma and SUNWammae packages. Because of this, the following lines in the web.xml file in Access Manager are commented out.

<filter>
	<filter-name>amlcontroller</filter-name>
	<filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>

<filter-mapping>
	<filter-name>amlcontroller</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

Note –

This is not an issue for Access Manager 7.1 or Federation Manager 7.0 installations.


Workaround: Before uncommenting the filter properties in web.xml, you need to download the following patches from SunSolve and apply them to upgrade your mobile access packages. (If newer patches have become available, use them.) See the Access Manager procedure called Upgrade Access Manager mobile access software in the Sun Java Enterprise System 5 Upgrade Guide for UNIX for more information.

Table 1–6 Mobile Access Packages

Description         Software
------------------  --------------------------------------------------
Solaris Patch ID    119530-01 (SPARC)
                    119531-01 (x86)
Linux Patch ID      119532-01, which contains:
                    sun-identity-mobileaccess-6.2-25.i386.rpm
                    sun-identity-mobileaccess-config-6.2-25.i386.rpm

Afterwards, the lines can be uncommented and services.war can be redeployed.

(6377668)
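Both web.xml items in these notes (the Patch 3 re-commenting issue and the older Mobile Access packages issue) come down to uncommenting the same amlcontroller filter block in the staged web.xml. As an added example that is not part of the release notes or the product's own tooling, the Python below performs exactly that edit on the web.xml text, leaves every other comment alone, and verifies that the filter is live afterwards; the sample web.xml is constructed for illustration, and the WAR still has to be regenerated with the jar command afterwards.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Matches only the XML comment the installer puts around the amlcontroller
# <filter>/<filter-mapping> pair (the block quoted in the release notes).
AML_FILTER_COMMENT = re.compile(
    r"<!--\s*(<filter>\s*<filter-name>\s*amlcontroller\s*</filter-name>"
    r".*?</filter-mapping>)\s*-->",
    re.DOTALL,
)


def uncomment_aml_filter(web_xml: str) -> Tuple[str, int]:
    """Return (rewritten text, number of amlcontroller blocks uncommented).
    Other comments in web.xml are left untouched; 0 means nothing to do."""
    return AML_FILTER_COMMENT.subn(r"\1", web_xml)


def has_active_aml_filter(web_xml: str) -> bool:
    """Parse the result and confirm a live amlcontroller <filter-name> exists
    (the parser drops comments, so a still-commented block does not count)."""
    root = ET.fromstring(web_xml)
    return any(
        el.tag.endswith("filter-name") and (el.text or "").strip() == "amlcontroller"
        for el in root.iter()
    )


# Constructed sample of a staged web.xml after the installer has run.
SAMPLE_WEB_XML = """<web-app>
  <!-- unrelated comment that must survive -->
  <!--
  <filter>
     <filter-name>amlcontroller</filter-name>
     <filter-class>com.sun.mobile.filter.AMLController</filter-class>
  </filter>
  <filter-mapping>
     <filter-name>amlcontroller</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
</web-app>
"""
```

Running uncomment_aml_filter over the real staged file and writing the result back, then rebuilding the WAR with jar, completes the workaround; a second run returns 0 blocks, which is a cheap way to confirm the installer has not re-commented the filter.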