2. OpenSSO 8.0 Update 2 Patch Releases
About OpenSSO 8.0 Update 2 Patch Releases
Bug 12286933: Dist Auth cannot receive session notifications
Bug 12427762: SAML attributes containing a | are not decoded in a SAML attribute
Bug 13361224: SecurID authentication support for WebSphere Application Server 6.1 on AIX 6.1
Known Issues in OpenSSO 8.0 Update 2 Patch 3
Bug 12308272: OpenSSO list-agents command fails with GlassFish v2.1.1 patch 9
Documentation Updates in OpenSSO 8.0 Update 2 Patch 3
Bug 12307986: OpenSSO client SDK caches URL policy decision with correct methods
Bug 12309423: Inconsistent session timeout behavior is fixed
What's New in OpenSSO 8.0 Update 2 Patch 2
CR 7016248: Validation of gotoOnFail URLs
CR 6993122: SAMLv2 implementation of NameIDPolicy interface without SPNameQualifier
Known Issues in OpenSSO 8.0 Update 2 Patch 2
CR 7017520: Missing property in Policy Service causes HTTP status code 500
Documentation Updates in OpenSSO 8.0 Update 2 Patch 2
CR 7013849: Documentation update: WS-Trust certificate must be the same on client and server
Known Issues in OpenSSO 8.0 Update 2 Patch 1
CR 6978018: Running OpenSSO 8.0 in GlassFish 2.1.x using LDAPS with JDK 1.6.x
CR 7002787: OpenSSO 8.0 Update 2 is not working with Active Directory Data Store
CR 6897101: After a login to a non-default realm, user experiences multiple logins after a timeout
CR 6983035: Remote console with OpenSSO server returns errors after a session timeout
3. Installing OpenSSO 8.0 Update 2
4. Using the Security Token Service
5. Using the Oracle OpenSSO Fedlet
6. Integrating the OpenSSO 8.0 Update 2 with Oracle Access Manager
OpenSSO 8.0 Update 2 patch 2 is available as patch ID 141655-05 on the My Oracle Support site.
CR 6978018: Running OpenSSO 8.0 in GlassFish 2.1.x using LDAPS with JDK 1.6.x

To run OpenSSO 8.0 in a GlassFish 2.1.x web container with an external directory server using LDAPS with JDK 1.6.x, set the NSS_USE_DECODED_CKA_EC_POINT environment variable to 1 before you start the GlassFish 2.1.x domain. For example:

NSS_USE_DECODED_CKA_EC_POINT=1
export NSS_USE_DECODED_CKA_EC_POINT
glassfish-root/bin/asadmin start-domain glassfish-domain

CR 7002787: OpenSSO 8.0 Update 2 is not working with Active Directory Data Store

This problem occurs for both OpenSSO 8.0 Update 2 and OpenSSO 8.0 Update 2 patch 1. If you create an Active Directory data store and then log in to the OpenSSO administration console using the Active Directory authentication module, OpenSSO returns the error message “User has no profile in this organization” to your browser.

Workaround. To use the Active Directory data store and authentication module with OpenSSO 8.0 Update 2 or OpenSSO 8.0 Update 2 patch 1, perform these steps:

1. Log in to the OpenSSO Administration Console.
2. Under the Active Directory data store configuration, make these changes:
   For the LDAPv3 Plug-in Supported Types and Operations, change:
   user=read,create,edit,delete
   to
   user=read,create,edit,delete,service
   In Attribute Name Mapping, add the following attribute mappings:
   iplanet-am-user-alias-list=objectGUID
   employeeNumber=distinguishedName
   mail=userPrincipalName
   portalAddress=sAMAccountName
   telephonenumber=displayName
   uid=sAMAccountName
3. Click Save and log out of the console.
4. Restart the OpenSSO web container.

CR 6897101: After a login to a non-default realm, user experiences multiple logins after a timeout

Previously, if a user entered valid credentials after an authentication module timeout occurred, the login screen for the second authentication module was presented and the user could enter an invalid password to get access to a protected resource.

Patch 1 fixes this CR; however, this fix works only with non-JAAS modules. If you write a custom authentication module, you must use non-JAAS modules.

CR 6983035: Remote console with OpenSSO server returns errors after a session timeout

If you log in to OpenSSO server from a remote console and a session timeout occurs, some console functions do not work properly. Also, errors are displayed if you click on various tabs in the console.

Workaround. After making changes from the remote console, log out from the remote console. To get rid of the errors, restart both OpenSSO server and the remote console.
If you are using a remote console and try to save Federation or SAML properties that need access to the certificate keystore, errors are returned. This problem occurs because the certificate keystore resides on the OpenSSO server, and the remote console does not have access to the keystore.
Workaround. Use either of these solutions, depending on your deployment:
If the keystore is directly accessible from the remote console through a mount point, specify the complete absolute path to the keystore.
Copy the keystore files from the OpenSSO server to the remote console. This solution, however, requires that if you make changes to the keystore files on the OpenSSO server, you must also update the keystore files on the remote console.
If you are using the sample in “Example 1–1 Code Sample: Post-Authentication Plug-In for First-Time Login” in the Sun OpenSSO Enterprise 8.0 Integration Guide, you must be running OpenSSO 8.0 Update 1 or later. Otherwise, the sample does not compile because the Java compiler cannot find the POST_PROCESS_LOGIN_SUCCESS_URL property, which was first available with OpenSSO 8.0 Update 1.