Sun Java System SAML v2 Plug-in for Federation Services Release Notes

SAML v2 Plug-in for Federation Services Product Release

The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the initial release of the SAML v2 Plug-in for Federation Services.

SAML v2 Authentication Module is not Automatically Registered in Access Manager Legacy Mode

When installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, the SAMLv2 authentication module is not automatically enabled in the default organization.

Workaround: After installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, use the amadmin command line tool to load the following XML file in order to register the SAMLv2 authentication module.

<Requests>
  <OrganizationRequests DN="<root_suffix>">
    <RegisterServices>
      <Service_Name>sunAMAuthSAML2Service</Service_Name>
    </RegisterServices>
  </OrganizationRequests>
</Requests>

This step is necessary for service providers only.

(6431995)

Exception Thrown During Installation if Web Container Has Not Been Started

If the underlying web container running an instance of Access Manager or Federation Manager is not started, a harmless exception concerning the creation of the circle of trust is thrown during installation of the SAML v2 Plug-in for Federation Services. The circle of trust is successfully created in the data store (flat file or LDAP) despite this message and the SAML v2 Plug-in for Federation Services will work correctly after the web container has been started.

Workaround: None

(6371281)

Schema Loading Fails on Sun Java System Federation Manager

When installing the SAML v2 Plug-in for Federation Services on the Solaris 8 Operating System (OS) or the Solaris 9 OS, set the LOAD_SCHEMA property in the saml2silent installation configuration properties file to false before running the saml2setup installer.

Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you must load the schema manually.

(6374746)

Exception Thrown During Single Sign-on on BEA WebLogic® Server

During single sign-on (after a successful login to the identity provider), an exception is thrown and written to the WebLogic Server logs. This issue is related to idpArtifactResolution.jsp.

Workaround: Remove or comment out the following lines in idpArtifactResolution.jsp:

out.clear();
out = pageContext.pushBody();

(6375283)

saml2setup Doesn't Generate Metadata Against Federation Manager Running on Microsoft Active Directory

By default, saml2setup uses amadmin as the administrator identifier to log in during installation. A deployment incorporating Federation Manager and Microsoft Active Directory requires a full distinguished name to be passed.

Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you can run saml2meta:

(6377631)

saml2setup Installs Older Mobile Access Packages

saml2setup installs old versions of the SUNWamma and SUNWammae packages. Because of this, the following lines in the Access Manager web.xml file are commented out.

<filter>
	<filter-name>amlcontroller</filter-name>
	<filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>

<filter-mapping>
	<filter-name>amlcontroller</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

Note –

This is not an issue for Access Manager 7.1 or Federation Manager 7.0 installations.
Workaround: Before uncommenting the filter properties in web.xml, you need to download the following patches from SunSolve and apply them to upgrade your mobile access packages. (If newer patches have become available, use them.) See the Access Manager procedure called Upgrade Access Manager mobile access software in the Sun Java Enterprise System 5 Upgrade Guide for UNIX for more information.

Table 1–6 Mobile Access Packages

Description         Software
Solaris Patch ID    119530-01 (SPARC)
                    119531-01 (x86)
Linux Patch ID      119532-01, which contains:
                    sun-identity-mobileaccess-6.2-25.i386.rpm
                    sun-identity-mobileaccess-config-6.2-25.i386.rpm

Afterwards, the lines can be uncommented and services.war can be redeployed.
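As an added check for this workaround (example code, not part of the SAML v2 Plug-in or Access Manager), the following script reports whether the amlcontroller filter in a web.xml is live, still commented out, missing, or only half uncommented; the web.xml fragments it parses are constructed to mirror the lines shown above.

```python
"""Report the state of the amlcontroller mobile-access filter in a web.xml.
Added example for these release notes; the descriptors below are constructed."""
import xml.etree.ElementTree as ET

FILTER_NAME = "amlcontroller"

# Constructed web.xml in the state saml2setup leaves behind (filter commented out).
COMMENTED_WEB_XML = """<web-app>
  <!--
  <filter>
    <filter-name>amlcontroller</filter-name>
    <filter-class>com.sun.mobile.filter.AMLController</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
</web-app>
"""
# The same descriptor after the workaround (comment markers removed).
ACTIVE_WEB_XML = COMMENTED_WEB_XML.replace("<!--", "").replace("-->", "")

def _local(tag):
    # Servlet 2.4 descriptors carry the J2EE namespace, DTD-based ones do not.
    return tag.rsplit("}", 1)[-1]

def amlcontroller_state(web_xml_text):
    """Return 'active', 'commented', 'missing' or 'inconsistent'.
    'inconsistent' means only one of <filter>/<filter-mapping> is live, so the
    container either rejects the descriptor or never runs the filter."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(web_xml_text, parser=parser)
    live = {"filter": False, "filter-mapping": False}
    seen_in_comment = False
    for node in root.iter():
        if node.tag is ET.Comment:  # commented-out XML survives only as comment text
            seen_in_comment |= FILTER_NAME in (node.text or "")
            continue
        kind = _local(node.tag)
        if kind in live:
            names = [(c.text or "").strip() for c in node if _local(c.tag) == "filter-name"]
            live[kind] |= FILTER_NAME in names
    if all(live.values()):
        return "active"
    if any(live.values()):
        return "inconsistent"
    return "commented" if seen_in_comment else "missing"

if __name__ == "__main__":
    print("as installed:", amlcontroller_state(COMMENTED_WEB_XML))
    print("after workaround:", amlcontroller_state(ACTIVE_WEB_XML))
```

Run it against the deployed services.war descriptor before redeploying to confirm both the filter and its mapping were uncommented together.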

(6377668)