SAML v2 Plug-in for Federation Services Patch 3 Release

The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the release of the SAML v2 Plug-in for Federation Services Patch 3.

• Windows: Single Sign-On Failure Returns Page Not Found Error Instead of Single Sign On Failed

• Modify web.xml When Installing SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5

• Enable XML Encryption for Access Manager or Federation Manager using the Bouncy Castle JAR

• Web Browser Artifact Profile Fails When SAML v2 Plug-in for Federation Services Patch 3 Installed on Federation Manager and WebSphere

• saml2meta Does Not Return Error When -m Option is Used for Extended Metadata

• saml2meta template Subcommand Throws Exception in Access Manager Single WAR Install

• saml2meta Throws Exception When Access Manager or Federation Manager is SSL Enabled

• SAML v2 Logout Fails After a Session Upgrade

• Extended Metadata Attribute Doesn't Work

• SSO With POST Binding Fails if User Has No Attributes

• Increase Directory Server Values When Installed on Federation Manager

Windows: Single Sign-On Failure Returns Page Not Found Error Instead of Single Sign On Failed

When single sign-on fails, a Page Not Found error is thrown rather than the Single Sign On Failed error thrown on Solaris versions of the software.

WORKAROUND: None

6574265

Modify web.xml When Installing SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5

After installing the SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5, the web.xml file has been unnecessarily modified. This will not allow you to access the server after deployment. Uncomment the following code in the web.xml file.

<!--
<filter>
   <filter-name>amlcontroller</filter-name>
   <filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>
<filter-mapping>
   <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

WORKAROUND: The SAML v2 Plug-in for Federation Services will try to comment out this code again. To alleviate this from happening, edit the web.xml file in the staging directory AFTER installation is complete, and regenerate the WAR using the jar command.

Enable XML Encryption for Access Manager or Federation Manager using the Bouncy Castle JAR

If you want to enable the XML encryption feature and your web container is running JDK 1.4, or you are running IBM Websphere (JDK 1.4 and 1.5) as your web container, follow this procedure to use Bouncy Castle to generate a transport key.

The Bouncy Castle Crypto API is a Java implementation of cryptographic algorithms.

1. Download the Bouncy Castle provider from Bouncy Castle.

   For example, if using JDK 1.4, download the bcprov-jdk14-136.jar.

2. Copy the downloaded file to the jdk_root/jre/lib/ext directory.

3. OPTIONAL: If using the domestic version of the JDK, download the appropriate JCE Unlimited Strength Jurisdiction Policy Files from java.sun.com.

   ---

   Note –

   If using IBM WebSphere, go to http://www.ibm.com to download additional required files.

   ---

4. OPTIONAL: Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root/jre/lib/security directory.

5. Edit the jdk_root/jre/lib/security/java.security file to add Bouncy Castle as one of the providers.

   For example, security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

6. Set the com.sun.identity.jss.donotInstallAtHighestPriority property in the AMConfig.properties file to true.

7. Restart the web container.

6344530

Web Browser Artifact Profile Fails When SAML v2 Plug-in for Federation Services Patch 3 Installed on Federation Manager and WebSphere

When Federation Manager is deployed in WebSphere Application Server, federation using the Web Browser Artifact Profile fails when the service provider attempts to send an artifact back to the identity provider.

WORKAROUND: You must override WebSphere's default SOAP factory by doing the following:

1. Edit WebSphere's server.xml file (located in WebSphere-base/WebSphere/AppServer/config/cells/cell-name/nodes/node-name/servers/server-instance/) by replacing

   <jvmEntries xmi:id="JavaVirtualMachine_1" classpath="" 
   bootClasspath="" verboseModeClass="false" verboseModeGarbageCollection="false" 
   verboseModeJNI="false" runHProf="false" hprofArguments="" 
   debugMode="false" debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent 
   -Xrunjdwp:transport=dt_socket,server=y,suspend=n, address=7777" 
   genericJvmArguments="">

   with

   <jvmEntries xmi:id="JavaVirtualMachine_1" verboseModeClass="false" 
   verboseModeGarbageCollection="false" verboseModeJNI="false" 
   initialHeapSize="256" maximumHeapSize="256" runHProf="false" 
   hprofArguments="" debugMode="false" debugArgs="-Djava.compiler=NONE 
   -Xdebug -Xnoagent 
   -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777" 
   genericJvmArguments="-Dcom.iplanet.am.serverMode=true">
   <classpath>/usr/share/lib/saaj-api.jar:/usr/share/
   lib/saaj-impl.jar</classpath>

   ---

   Note –

   The cell-name, node-name, and server-instance variables identify the name of the cell, node, and server in which Federation Manager is deployed.

   ---

2. Restart the WebSphere instance.

6320498

saml2meta Does Not Return Error When -m Option is Used for Extended Metadata

When the -m option is used with the saml2meta command line interface to import extended metadata, it does not return an error message even though the -m option should be used for standard metadata imports only.

WORKAROUND: None. See The saml2meta Command-line Reference in Sun Java System SAML v2 Plug-in for Federation Services User’s Guide for correct usage and syntax.

6559482

saml2meta template Subcommand Throws Exception in Access Manager Single WAR Install

When the SAML v2 Plug-in for Federation Services is installed on an instance of Access Manager that was installed using the single WAR, saml2meta throws a MissingResourceException when using the template subcommand with the certificate alias option.

WORKAROUND: Edit saml2meta by appending war_staging_dir/WEB_INF/classes to the value of the AM_DIRS variable.

6563751

saml2meta Throws Exception When Access Manager or Federation Manager is SSL Enabled

When the Access Manager or Federation Manager server is SSL enabled, saml2meta throws a java.lang.NoClassDefFoundError exception.

WORKAROUND: Edit saml2meta by doing the following:

1. Remove the ${BOOTCLASSPATHOPTION} option when running the java command for com.sun.identity.saml2.meta.SAML2Meta (line 123).

2. Add the following properties when running the java command for com.sun.identity.saml2.meta.SAML2Meta (line 123).

   • -Djavax.net.ssl.trustStore=full path for the key store file

   • -Djavax.net.ssl.trustStoreType=JKS where JKS is a Java key store file containing the certificate authority certificates of the SSL certificate for the server's web container.

SAML v2 Logout Fails After a Session Upgrade

SAML v2 Logout fails after a session upgrade.

WORKAROUND: None

6563739

Extended Metadata Attribute Doesn't Work

The wantLogoutResponseSigned attribute in the extended metadata configuration file doesn't work.

WORKAROUND: None

6559732

SSO With POST Binding Fails if User Has No Attributes

SSO with POST binding fails if wantAttributeEncrypted is on but the identity provider user doesn't have any attributes.

WORKAROUND: Include at least one attribute if wantAttributeEncrypted is on.

6563280

Increase Directory Server Values When Installed on Federation Manager

After installing the SAML v2 Plug-in for Federation Services on an instance of Federation Manager running on Directory Server, increase the value of nsslapd-sizelimit to, for example 4000, and set nsslapd-lookthroughlimit to unlimited; for example -1. This will avoid hitting the Directory Server search and size limit.