2. OpenSSO 8.0 Update 2 Patch Releases
About OpenSSO 8.0 Update 2 Patch Releases
OpenSSO 8.0 Update 2 patch 4 is available as patch ID 141655-08 on the My Oracle Support site. Information about this patch includes:
Bug 12286933: Dist Auth cannot receive session notifications
Bug 12427762: SAML attributes containing a | are not decoded in a SAML attribute
Bug 13361224: SecurID authentication support for WebSphere Application Server 6.1 on AIX 6.1
In patch 4, the new com.sun.identity.client.notification.url property in the AMDistAuthConfig.properties file allows a Distributed Authentication UI (DAUI) deployment to receive session notifications. This property replaces the com.iplanet.am.notification.url property.
For a DAUI deployment, the com.sun.identity.client.notification.url property defines the URL where notifications will be received by the client application, in the following format:
protocol://host:port/distauth-uri/notificationservice
For a new DAUI deployment, no changes are required, because the new property is available by default in the AMDistAuthConfig.properties file. However, in the case of a DAUI deployment upgrade from an older version, you must reconfigure the DAUI deployment after upgrading and redeploying the Dist Auth WAR file, because the original AMDistAuthConfig.properties does not have this property.
Redeploying the Dist Auth WAR file is required in either case. If you reconfigure the DAUI deployment after redeploying, you do not have to add the property manually. If you do not reconfigure the DAUI deployment, you must manually add this property to the AMDistAuthConfig.properties file of the upgraded instance after redeploying.
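A post-upgrade check for the situation described above, as an added example that is not part of the original release notes or of OpenSSO itself: it reports when an upgraded AMDistAuthConfig.properties still lacks the new property or when its value does not follow the protocol://host:port/distauth-uri/notificationservice format. The sample file contents, host names, ports, the simplified properties parser and the restriction to http/https are assumptions.

```python
from urllib.parse import urlsplit

NEW_KEY = "com.sun.identity.client.notification.url"
OLD_KEY = "com.iplanet.am.notification.url"

# Constructed samples (hostnames, ports and the "distauth" URI are made up).
UPGRADED = """\
# carried over from the older deployment: only the replaced property is set
com.iplanet.am.notification.url=http://daui.example.com:8080/distauth/notificationservice
"""
RECONFIGURED = """\
com.sun.identity.client.notification.url=https://daui.example.com:8443/distauth/notificationservice
"""

def load_properties(text):
    """Minimal key=value parser; ignores blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_notification_url(text):
    """Return a list of findings; an empty list means the property is usable."""
    props = load_properties(text)
    findings = []
    if OLD_KEY in props:
        findings.append("replaced property still set: " + OLD_KEY)
    url = props.get(NEW_KEY)
    if not url:
        return findings + ["missing or empty: " + NEW_KEY]
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = None
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme not in ("http", "https"):   # assumption: HTTP(S) only
        findings.append("protocol must be http or https")
    if not parts.hostname or port is None:
        findings.append("host and explicit port are required")
    if len(segments) < 2 or segments[-1] != "notificationservice":
        findings.append("path must be distauth-uri/notificationservice")
    return findings
```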
In patch 4, the new com.sun.identity.saml.escapespecialchars property determines if the special characters "|" and "&" should be escaped during attribute mapping in a generated session after SAML SSO by a Service Provider.
By default com.sun.identity.saml.escapespecialchars is set to true, which specifies that the characters should be escaped.
If you do not want the special characters to be escaped (that is, you want the characters retained as they are now), set the property to false, as follows:
In the Oracle OpenSSO Admin Console, click Configuration > Servers and Sites > Server SP > Advanced, and then set the com.sun.identity.saml.escapespecialchars property to false.
For SecurID authentication to operate with IBM WebSphere Application Server 6.1 on the AIX 6.1 platform, the SecurID Java Authentication APIs must be updated. You must replace the existing SecurID Java Authentication API JAR files in the OpenSSO WAR file (opensso.war) with the latest RSA Authentication API for Java version 8.1.1.312.
Download the SecurID Java Authentication API JAR files from the RSA website:
These JAR files must be replaced in the opensso.war file:
authapi.jar
cryptoj.jar
log4j-1.2.8.jar
To replace the JAR files in the opensso.war:
1. Create a staging directory.
2. Explode the opensso.war in the staging directory.
3. Copy the new SecurID JAR files to the staging-directory/opensso/WEB-INF/lib directory.
4. Recreate the opensso.war file from the staging directory.
5. Deploy the opensso.war.
   Note: If the opensso.war is already deployed, first undeploy the existing opensso.war and then redeploy the updated opensso.war.
6. Restart the OpenSSO web container.
7. Configure the SecurID authentication module as described in the Oracle OpenSSO documentation in the following library:
8. Restart the OpenSSO web container.
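The staging, explode, copy and recreate steps above, as an added example that is not part of the original release notes: it rebuilds the WAR and then confirms by SHA-256 that each of the three JARs inside the new archive is byte-identical to the file you downloaded, so a stale library is caught before deployment. The function names, the script name and the use of Python's zipfile module in place of the JDK jar tool are assumptions.

```python
import hashlib, shutil, sys, tempfile, zipfile
from pathlib import Path

# JAR names as listed on this page; everything else here is illustrative.
SECURID_JARS = ("authapi.jar", "cryptoj.jar", "log4j-1.2.8.jar")

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_war(war_path, new_jar_dir):
    """Map each SecurID JAR to True if the WAR holds exactly one copy of it
    and that copy is byte-identical to the file in new_jar_dir."""
    result = {}
    with zipfile.ZipFile(war_path) as war:
        names = war.namelist()
        for jar in SECURID_JARS:
            entry = "WEB-INF/lib/" + jar
            want = sha256((Path(new_jar_dir) / jar).read_bytes())
            result[jar] = (names.count(entry) == 1
                           and sha256(war.read(entry)) == want)
    return result

def repack_war(old_war, new_jar_dir, new_war):
    """Explode old_war, replace the SecurID JARs, rebuild and verify new_war."""
    new_jar_dir = Path(new_jar_dir)
    missing = [j for j in SECURID_JARS if not (new_jar_dir / j).is_file()]
    if missing:
        raise FileNotFoundError("new JARs not found: " + ", ".join(missing))
    with tempfile.TemporaryDirectory() as staging:        # staging directory
        root = Path(staging) / "opensso"
        with zipfile.ZipFile(old_war) as war:              # explode the WAR
            war.extractall(root)
        lib = root / "WEB-INF" / "lib"
        if not lib.is_dir():
            raise ValueError("WEB-INF/lib not found; is this opensso.war?")
        for jar in SECURID_JARS:                           # copy the new JARs
            shutil.copyfile(new_jar_dir / jar, lib / jar)
        with zipfile.ZipFile(new_war, "w", zipfile.ZIP_DEFLATED) as out:
            for path in sorted(root.rglob("*")):           # recreate the WAR
                if path.is_file():  # empty directories are not carried over
                    out.write(path, path.relative_to(root).as_posix())
    return verify_war(new_war, new_jar_dir)

if __name__ == "__main__":
    # usage: repack.py opensso.war /path/to/new-jars opensso-new.war
    status = repack_war(*sys.argv[1:4])
    print(status)
    sys.exit(0 if all(status.values()) else 1)
```

Running verify_war against the WAR that is currently deployed shows which of the three libraries still need replacing.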