This section describes known issues and workarounds, if available, at the time of release. It includes information for the following:
After uninstalling the SAML v2 Plug-in for Federation Services, you must manually remove the base_dir\saml2 directory to complete the process.
The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the release of the SAML v2 Plug-in for Federation Services Patch 3.
Windows: Single Sign-On Failure Returns Page Not Found Error Instead of Single Sign On Failed
Enable XML Encryption for Access Manager or Federation Manager using the Bouncy Castle JAR
saml2meta Does Not Return Error When -m Option is Used for Extended Metadata
saml2meta template Subcommand Throws Exception in Access Manager Single WAR Install
saml2meta Throws Exception When Access Manager or Federation Manager is SSL Enabled
Increase Directory Server Values When Installed on Federation Manager
On Windows, when single sign-on fails, a Page Not Found error is returned rather than the Single Sign On Failed error that the Solaris versions of the software return.
WORKAROUND: None
6574265
After installing the SAML v2 Plug-in for Federation Services Patch 3 on Access Manager 7.0 patch 5, the web.xml file is unnecessarily modified: the following filter definition is commented out, and the server cannot be accessed after deployment. Uncomment the following code in the web.xml file:

<!--
<filter>
    <filter-name>amlcontroller</filter-name>
    <filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>
<filter-mapping>
    <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

WORKAROUND: The SAML v2 Plug-in for Federation Services installer comments this code out again each time it runs. To prevent this, edit the web.xml file in the staging directory AFTER installation is complete, and then regenerate the WAR using the jar command.
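The following shell script, an added example and not something shipped with the plug-in, automates this workaround: it removes the comment markers around the amlcontroller filter and filter-mapping in web.xml and provides a function to rebuild the WAR from the staging directory with the jar command. The sample web.xml is constructed for illustration; the staging directory and WAR name are placeholders. Only a comment whose body mentions amlcontroller is touched, so other XML comments in the file survive.

```shell
#!/bin/sh
# Added example: strip the comment markers that the installer wraps around the
# amlcontroller filter in web.xml, then rebuild the WAR from the staging dir.

# Remove "<!--" / "-->" only from a comment whose body mentions amlcontroller.
# Other XML comments in the file are left untouched.
uncomment_amlcontroller() {
    awk '
        buffering { buf = buf "\n" $0 }
        !buffering && /<!--/ { buffering = 1; buf = $0 }
        buffering && /-->/ {
            if (buf ~ /amlcontroller/) {
                sub(/<!--[ \t]*/, "", buf)
                sub(/[ \t]*-->/, "", buf)
            }
            print buf
            buffering = 0
            next
        }
        buffering { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Rebuild the WAR from the staging directory after web.xml has been edited.
# Not run by the demo below because it needs the JDK jar tool on the PATH.
rebuild_war() {
    staging="$1"; war="$2"
    (cd "$staging" && jar cf "$war" .)
}

# Constructed sample web.xml mirroring the commented-out block from the
# release notes, plus an unrelated comment that must survive untouched.
write_sample_webxml() {
    cat > "$1" <<'EOF'
<web-app>
  <!--
  <filter>
    <filter-name>amlcontroller</filter-name>
    <filter-class>com.sun.mobile.filter.AMLController</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
  <!-- unrelated comment stays -->
</web-app>
EOF
}

# Demo on a temporary copy. In a real deployment point this at
# war_staging_dir/WEB-INF/web.xml and then call rebuild_war.
tmp=$(mktemp)
write_sample_webxml "$tmp"
uncomment_amlcontroller "$tmp"
cat "$tmp"
rm -f "$tmp"
```

Because the installer re-comments the block on every run, keep this script with the deployment notes and run it after each reinstallation, before regenerating the WAR.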
If you want to enable the XML encryption feature and your web container is running JDK 1.4, or you are running IBM WebSphere (JDK 1.4 or 1.5) as your web container, follow this procedure to use Bouncy Castle to generate a transport key.
The Bouncy Castle Crypto API is a Java implementation of cryptographic algorithms.
Download the Bouncy Castle provider from Bouncy Castle.
For example, if using JDK 1.4, download the bcprov-jdk14-136.jar.
Copy the downloaded file to the jdk_root/jre/lib/ext directory. Every JVM started from that JDK loads the provider from this directory, so verify the download against the checksum published by Bouncy Castle before installing it.
OPTIONAL: If using the domestic version of the JDK, download the appropriate JCE Unlimited Strength Jurisdiction Policy Files from java.sun.com.
If using IBM WebSphere, go to http://www.ibm.com to download additional required files.
OPTIONAL: Copy the downloaded US_export_policy.jar and local_policy.jar files to the jdk_root/jre/lib/security directory.
Edit the jdk_root/jre/lib/security/java.security file to add Bouncy Castle as one of the providers, using the next unused number in the security.provider.N sequence.
For example, if providers 1 through 5 are already listed: security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
The numbers must remain contiguous: the JDK stops loading providers at the first gap in the sequence, and a duplicated number silently replaces the provider that already had it.
Set the com.sun.identity.jss.donotInstallAtHighestPriority property in the AMConfig.properties file to true.
Restart the web container.
6344530
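Before restarting the web container it is worth checking that the java.security edit and the JAR placement above actually took. The following shell script is an added example, not part of the plug-in or the JDK: check_provider_list verifies that the security.provider.N entries are numbered 1..N with no gaps or duplicates and that one of them is Bouncy Castle, and check_bc_jar verifies that a bcprov JAR is present in the extension directory of a given JDK root. The sample java.security contents and the fake JDK directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the Bouncy Castle provider setup before
# restarting the web container. Paths and sample files are constructed.

# Exit 0 if the security.provider.N entries in the given java.security file
# are numbered 1..N with no gaps or duplicates and one of them is Bouncy
# Castle. The JDK loads providers in numeric order and stops at the first
# missing number, and a duplicate number silently drops one of the two
# providers, so either mistake leaves a provider unavailable at runtime.
check_provider_list() {
    awk -F'[.=]' '
        BEGIN { bad = 0; max = 0; bc = 0 }
        /^security\.provider\.[0-9]+=/ {
            n = $3 + 0
            if (n in seen) { print "duplicate entry security.provider." n; bad = 1 }
            seen[n] = 1
            if (n > max) max = n
            if ($0 ~ /BouncyCastleProvider/) bc = 1
        }
        END {
            for (i = 1; i <= max; i++)
                if (!(i in seen)) { print "gap at security.provider." i; bad = 1 }
            if (!bc) { print "BouncyCastleProvider is not registered"; bad = 1 }
            exit bad
        }' "$1"
}

# Exit 0 if a Bouncy Castle provider JAR is installed in jre/lib/ext of the
# JDK rooted at $1. Every JVM run from that JDK loads JARs from there, so
# the file is effectively trusted code for the whole installation.
check_bc_jar() {
    set -- "$1"/jre/lib/ext/bcprov-*.jar
    [ -f "$1" ]
}

# Constructed sample: the JDK 1.4 provider list, then either a correct
# sixth entry ("good") or a mistaken duplicate of number 5 ("dup").
write_provider_list() {
    cat > "$1" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
EOF
    if [ "$2" = good ]; then
        echo 'security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider' >> "$1"
    else
        echo 'security.provider.5=org.bouncycastle.jce.provider.BouncyCastleProvider' >> "$1"
    fi
}

# Demo against constructed files; on a real host run
#   check_provider_list "$JAVA_HOME/jre/lib/security/java.security"
#   check_bc_jar "$JAVA_HOME"
d=$(mktemp -d)
write_provider_list "$d/good.security" good
check_provider_list "$d/good.security" && echo "good.security: OK"
write_provider_list "$d/dup.security" dup
check_provider_list "$d/dup.security" || echo "dup.security: rejected"
mkdir -p "$d/jdk/jre/lib/ext" && : > "$d/jdk/jre/lib/ext/bcprov-jdk14-136.jar"
check_bc_jar "$d/jdk" && echo "bcprov jar found in jre/lib/ext"
rm -rf "$d"
```

The duplicate case is the one that bites in practice: the file still looks plausible, java.security is parsed as a properties file in which the last value for a key wins, and the provider that was previously number 5 disappears without any error at startup.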
When Federation Manager is deployed in WebSphere Application Server, federation using the Web Browser Artifact Profile fails when the service provider attempts to send an artifact back to the identity provider.
WORKAROUND: You must override WebSphere's default SOAP factory by doing the following:
Edit WebSphere's server.xml file (located in WebSphere-base/WebSphere/AppServer/config/cells/cell-name/nodes/node-name/servers/server-instance/) by replacing

<jvmEntries xmi:id="JavaVirtualMachine_1" classpath="" bootClasspath=""
    verboseModeClass="false" verboseModeGarbageCollection="false"
    verboseModeJNI="false" runHProf="false" hprofArguments=""
    debugMode="false"
    debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777"
    genericJvmArguments="">

with

<jvmEntries xmi:id="JavaVirtualMachine_1"
    verboseModeClass="false" verboseModeGarbageCollection="false"
    verboseModeJNI="false" initialHeapSize="256" maximumHeapSize="256"
    runHProf="false" hprofArguments="" debugMode="false"
    debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777"
    genericJvmArguments="-Dcom.iplanet.am.serverMode=true">
    <classpath>/usr/share/lib/saaj-api.jar:/usr/share/lib/saaj-impl.jar</classpath>

Leave debugMode="false" on production instances: the -Xrunjdwp arguments in debugArgs open an unauthenticated remote debugger port (7777) whenever debug mode is enabled.
The cell-name, node-name, and server-instance variables identify the name of the cell, node, and server in which Federation Manager is deployed.
Restart the WebSphere instance.
6320498
When the -m option is used with the saml2meta command-line interface to import extended metadata, no error message is returned, even though the -m option is valid only for standard metadata imports (extended metadata uses the -x option).
WORKAROUND: None. See The saml2meta Command-line Reference in Sun Java System SAML v2 Plug-in for Federation Services User’s Guide for correct usage and syntax.
6559482
When the SAML v2 Plug-in for Federation Services is installed on an instance of Access Manager that was installed using the single WAR, saml2meta throws a MissingResourceException when using the template subcommand with the certificate alias option.
WORKAROUND: Edit saml2meta by appending war_staging_dir/WEB-INF/classes to the value of the AM_DIRS variable.
6563751
When the Access Manager or Federation Manager server is SSL enabled, saml2meta throws a java.lang.NoClassDefFoundError exception.
WORKAROUND: Edit saml2meta as follows:
Remove the ${BOOTCLASSPATHOPTION} option from the java command that runs com.sun.identity.saml2.meta.SAML2Meta (line 123).
Add the following properties to that same java command (line 123):
-Djavax.net.ssl.trustStore=full path to the trust store file
-Djavax.net.ssl.trustStoreType=JKS
where the trust store is a Java keystore (JKS) containing the certificate authority certificates that issued the SSL certificate of the server's web container. Only CA certificates are needed in this store; it should not contain the server's private key.
SAML v2 Logout fails after a session upgrade.
WORKAROUND: None
6563739
The wantLogoutResponseSigned attribute in the extended metadata configuration file does not take effect.
WORKAROUND: None
6559732
SSO with POST binding fails if wantAttributeEncrypted is on but the identity provider user doesn't have any attributes.
WORKAROUND: Include at least one attribute if wantAttributeEncrypted is on.
6563280
After installing the SAML v2 Plug-in for Federation Services on an instance of Federation Manager that uses Directory Server, increase the value of nsslapd-sizelimit (for example, to 4000) and set nsslapd-lookthroughlimit to unlimited (-1). This avoids hitting the Directory Server search size and look-through limits. Both settings are server-wide defaults that bound how much work a single search can cost the server, so raise them only as far as the deployment needs.
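The two limits can be set in one ldapmodify operation against cn=config. The script below is an added example, not part of the plug-in or of Directory Server: limits_ldif prints the LDIF change record and apply_limits sends it. The host, port, bind DN, password file and limit values are placeholders; the -j password-file option is the one provided by the Solaris and Sun Java System Directory Server ldapmodify (OpenLDAP's client uses -y instead), and avoids putting the directory password on the command line.

```shell
#!/bin/sh
# Added example: raise the Directory Server search limits with a single
# ldapmodify instead of editing cn=config by hand. All names are placeholders.

# Print an LDIF change record that replaces both limits on cn=config.
# The lone "-" line separates the two modifications of one entry; without
# it ldapmodify rejects the record.
limits_ldif() {
    sizelimit="$1"; lookthrough="$2"
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: $sizelimit
-
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: $lookthrough
EOF
}

# Apply the change. The bind password is read from a file (-j) rather than
# passed with -w, so it does not show up in the process list or shell history.
apply_limits() {
    host="$1"; port="$2"; binddn="$3"; pwfile="$4"; sizelimit="$5"; lookthrough="$6"
    limits_ldif "$sizelimit" "$lookthrough" |
        ldapmodify -h "$host" -p "$port" -D "$binddn" -j "$pwfile"
}

# Show the record that would be sent (no directory needed for this step).
limits_ldif 4000 -1
# Real run, with placeholder values:
# apply_limits directory-host 389 "cn=Directory Manager" /etc/fm/dirmgr.pw 4000 -1
```

Because cn=config is live configuration, the change applies immediately without a restart; re-check with an ldapsearch on cn=config afterwards and keep the password file readable only by the account that runs the script.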
The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the initial release of the SAML v2 Plug-in for Federation Services.
SAML v2 Authentication Module is not Automatically Registered in Access Manager Legacy Mode
Exception Thrown During Installation if Web Container Has Not Been Started
When installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, the SAMLv2 authentication module is not automatically enabled in the default organization.
Workaround: After installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, use the amadmin command-line tool to load the following XML file, with <root_suffix> replaced by the root suffix of your organization, to register the SAMLv2 authentication module.

<Requests>
    <OrganizationRequests DN="<root_suffix>">
        <RegisterServices>
            <Service_Name>sunAMAuthSAML2Service</Service_Name>
        </RegisterServices>
    </OrganizationRequests>
</Requests>
This step is necessary for service providers only.
(6431995)
If the underlying web container running an instance of Access Manager or Federation Manager is not started, a harmless exception concerning the creation of the circle of trust is thrown during installation of the SAML v2 Plug-in for Federation Services. The circle of trust is successfully created in the data store (flat file or LDAP) despite this message and the SAML v2 Plug-in for Federation Services will work correctly after the web container has been started.
Workaround: None
(6371281)
When installing the SAML v2 Plug-in for Federation Services on the Solaris 8 Operating System (OS) or the Solaris 9 OS, set the LOAD_SCHEMA property in the saml2silent installation configuration properties file to false before running the saml2setup installer.
Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, load the schema manually as follows.
On Sun Java System Directory Server, run the following two commands in this order (the first adds the index entries, the second loads the schema):
/usr/bin/ldapmodify -h directory-host -p directory-port -a -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_sds_index.ldif
/usr/bin/ldapmodify -h directory-host -p directory-port -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_sds_schema.ldif
On Microsoft Active Directory, run the following command:
/usr/bin/ldapmodify -a -h directory-host -p directory-port -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_ad_schema.ldif
Passing the administrator password with -w exposes it in the process list and shell history; if your ldapmodify supports reading the password from a file (-j file on Solaris), prefer that.
(6374746)
During single sign-on (after a successful log in to the identity provider), an exception is thrown and written to the WebLogic Server logs. This is an issue related to the idpArtifactResolution.jsp.
Workaround: Remove or comment out the following lines in idpArtifactResolution.jsp:
out.clear();
out = pageContext.pushBody();
(6375283)
By default, saml2setup logs in during installation using amadmin as the administrator identifier. A deployment incorporating Federation Manager and Microsoft Active Directory requires the full distinguished name to be passed instead.
Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, run saml2meta with the administrator's full DN:
To generate metadata for a hosted identity provider on Federation Manager:
FederationManager-base/SUNWam/saml2/bin/saml2meta template [-i staging-directory] -u full-DN-admin-user -w admin-user-password -d idp-metaAlias -e idp-entityID -m idpMeta.xml -x idpExtended.xml
To generate metadata for a hosted service provider on Federation Manager:
FederationManager-base/SUNWam/saml2/bin/saml2meta template [-i staging-directory] -u full-DN-admin-user -w admin-user-password -d sp-metaAlias -e sp-entityID -m spMeta.xml -x spExtended.xml
(6377631)
saml2setup installs old versions of the SUNWamma and SUNWammae packages. As a result, the following lines in the Access Manager web.xml file are commented out:

<filter>
    <filter-name>amlcontroller</filter-name>
    <filter-class>com.sun.mobile.filter.AMLController</filter-class>
</filter>
<filter-mapping>
    <filter-name>amlcontroller</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
This is not an issue for Access Manager 7.1 or Federation Manager 7.0 installations.
Workaround: Before uncommenting the filter entries in web.xml, download the following patches from SunSolve and apply them to upgrade your mobile access packages. (If newer patches have become available, use them instead.) See the procedure Upgrade Access Manager Mobile Access Software in the Sun Java Enterprise System 5 Upgrade Guide for UNIX for more information.
Table 1–6 Mobile Access Packages

Description | Software | Solaris Patch ID | Linux Patch ID
---|---|---|---
| | 119532-01 contains |
Afterwards, the lines can be uncommented and services.war can be redeployed.
(6377668)