The following sections contain information regarding known issues, limitations, and accompanying workarounds noted at the time of the initial release of the SAML v2 Plug-in for Federation Services.
SAML v2 Authentication Module is not Automatically Registered in Access Manager Legacy Mode
Exception Thrown During Installation if Web Container Has Not Been Started
When installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, the SAMLv2 authentication module is not automatically enabled in the default organization.
Workaround: After installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager in legacy mode, use the amadmin command line tool to load the following XML file in order to register the SAMLv2 authentication module.
<Requests> <OrganizationRequests DN="<root_suffix>"> <RegisterServices> <Service_Name>sunAMAuthSAML2Service</Service_Name> </RegisterServices> </OrganizationRequests> </Requests>
This step is necessary for service providers only.
(6431995)
If the underlying web container running an instance of Access Manager or Federation Manager is not started, a harmless exception concerning the creation of the circle of trust is thrown during installation of the SAML v2 Plug-in for Federation Services. The circle of trust is successfully created in the data store (flat file or LDAP) despite this message and the SAML v2 Plug-in for Federation Services will work correctly after the web container has been started.
Workaround: None
(6371281)
When installing the SAML v2 Plug-in for Federation Services on the SolarisTM 8 Operating System (OS) and the Solaris 9 OS, set the LOAD_SCHEMA property in the saml2silent installation configuration properties file to false before running the saml2setup installer.
Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you must load the schema manually.
On Sun Java System Directory Server, run the following two commands:
/usr/bin/ldapmodify -h directory-host -p directory-port -a -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_sds_index.ldif
/usr/bin/ldapmodify -h directory-host -p directory-port -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_sds_schema.ldif
On Microsoft® Active Directory, run the following command:
/usr/bin/ldapmodify -a -h directory-host -p directory-port -D administratorDN -w administratorPW -f FederationManager-base/product-directory/saml2/ldif/saml2_ad_schema.ldif
(6374746)
During single sign-on (after a successful log in to the identity provider), an exception is thrown and written to the WebLogic Server logs. This is an issue related to the idpArtifactResolution.jsp.
Workaround: Remove or comment out the following lines in idpArtifactResolution.jsp:
out.clear(); out = pageContext.pushBody();
(6375283)
By default, saml2setup uses amadmin as the administrator identifier to log in during installation. A deployment incorporating Federation Manager and Microsoft Active Directory requires a full distinguished name to be passed.
Workaround: After the SAML v2 Plug-in for Federation Services has been successfully installed, you can run saml2meta:
To generate metadata for a hosted identity provider on Federation Manager:
Federation Manager/SUNWam/saml2/bin/saml2meta/saml2meta template [-i staging-directory] -u full-DN-admin-user -w admin-user-password -d idp-metaAlias -e idp-entityID -m idpMeta.xml -x idpExtended.xml
To generate metadata for a hosted service provider on Federation Manager:
Federation Manager/SUNWam/saml2/bin/saml2meta/saml2meta template [-i staging-directory] -u full-DN-admin-user -w admin-user-password -d sp-metaAlias -e sp-entityID -m spMeta.xml -x spExtended.xml
(6377631)
saml2setup installs old versions of the SUNWamma and SUNWammae packages. Because of this the following lines in the web.xml file in Access Manager are commented out.
<filter> <filter-name>amlcontroller</filter-name> <filter-class>com.sun.mobile.filter.AMLController</filter-class> </filter> <filter-mapping> <filter-name>amlcontroller</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
This is not an issue for Access Manager 7.1 or Federation Manager 7.0 installations.
Workaround: Before uncommenting the filter properties in web.xml, you need to download from Sunsolve and apply the following patches to upgrade your mobile access packages. (If newer patches have become available use them.) See the Access Manager procedure called Upgrade Access Manager mobile access software in the Sun Java Enterprise System 5 Upgrade Guide for UNIX for more information.
Table 1–6 Mobile Access Packages
Description |
Software |
---|---|
Solaris Patch ID |
|
Linux Patch ID |
119532-01 contains
|
Afterwards, the lines can be uncommented and services.war can be redeployed.
(6377668)