Release Notes › Federation Release Notes › Known Issues for Legacy and Partnership Federation

Known Issues for Legacy and Partnership Federation

Federation Does Not Support the Cookie Provider (172511)

SiteMinder Federation proudcts, which use the Web Agent Option Pack, do not support the use of the Cookie Provider for federated configurations.

Back Channel Processing Fails with Client Certificate Protection (168151, 168278, 169147, 168774, 169312)

Symptom:

Back channel processing fails when you use the client certificate option to protect the back channel. The failure impacts all profiles that use the back channel, including HTTP-Artifact single sign-on and SAML 2.0 Single Logout over SOAP.

Failures occur under the following conditions:

• A deployment with IIS web servers and any application server. The failure is the result of an IIS limitation. This problem applies to legacy and partnership federation.
• A certificate that is generated with the OpenSSL toolkit and the UTF-8 flag is set.
• Apache web servers running JBoss at the IdP, unless you make a configuration change to the httpd.ssl.conf file.

Solution:

The following solutions are available:

• Protect the back channel using the Basic option and ensure that all URLs are using the SSL protocol.
• Do not set the UTF-8 flag when generating a certificate with the OpenSSL toolkit.
• For Apache web servers running JBoss at the IdP, uncomment the following line in the Apache httpd.ssl.conf file:

  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  

  Note: The Apache solution applies only to partnership federation.

OCSPUpdater Does Not Support the SHA-224 Algorithm (150477,150474)

The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.

Java Virtual Machine Installation Error on Solaris can be Ignored (149886)

Symptom:

You are doing a console mode installation of a SiteMinder product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."

Solution:

Ignore this error message. The error is a third-party issue and it has no functional impact.

Web Agent Option Pack on JBOSS Requires Workaround (147357, 149394)

Symptom:

On the JBoss 5.1.2 server, system JARs are overriding application-specific JARs, such as those JARs for the Web Agent Option Pack.

Solution:

Prevent the Web Agent Option Pack XML API files from being overwritten by JBOSS system JARS.

Important! This workaround only applies to the supported version of JBOSS 5.1.2.

Add the following filter package in two places in the war-deployers-jboss-beans.xml file:

<property name="filteredPackages">javax.servlet,org.apache.commons.
logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>

The filter package allows the use of the Web Agent Option Pack XML API files instead of the JBOSS system files.

Follow these steps:

1. Locate the war-deployers-jboss-beans.xml file located in the directory:

   /deployers/jbossweb.deployer/META-INF/

2. Find the following entry:

   <property name="filteredPackages">javax.servlet,org.apache.
   commons.logging</property> 
   

3. Change the entry to:

   <property name="filteredPackages">javax.servlet,org.apache.commons.
   logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>
   

   This entry in the file is on one line.

4. Find the second instance of the entry in step 2 and replace it with the entry in step 3.

   Add the filter package in both places in the XML file.

5. Save the XML file.

Deploying Federation Web Services in JBOSS 5.1.x (150603)

Symptom:

A federation transaction is failing at the asserting party when the federation web services application is deployed on a JBOSS server, version 5.1.0 and higher. An error message indicates one of the following conditions:

• SiteMinder could not decrypt the SMSESSION cookie.
• An encryption exception occurred during session cookie creation.

Solution:

Deploy affwebservices.war file in an exploded folder under the jboss deploy directory.

Follow these steps:

1. Open a command window and navigate to the affwebservices directory, which is in the directory /webagent_option_pack/affwebservices/.
2. Create a WAR file by entering the command:

   jar cvf affwebservices.war *
   

3. Navigate to the directory JBOSS_home/server/default/deploy/

   JBOSS_home is the installed location of the JBOSS application server.

4. Under the deploy directory, create a directory named affwebservices.war.
5. Inside the affwebservices.war directory, extract the affwebservices.war file.

   Note: Be sure that the affwebservices.war file is not in the deploy directory.

6. Restart the application server.
7. After the server has restarted, access the JBOSS Administrative Console. The affwebservices.war file is displayed in the JBOSS console under Applications>WARs.
8. Test that the FWS application is working by opening a web browser and entering the following link:

   http://fqhn:port_number/affwebservices/assertionretriever 
   

   fqhn

   Represents the fully qualified host name and

   port_number

   Specifies the port number of the server where the Federation Web Services application is installed.

9. Execute a federated single sign-on transaction. A successful transaction confirms that SiteMinder federation is working properly.

SiteMinder Federation does not Support Directory Mapping (147993)

SiteMinder legacy and partnership federation do not support directory mapping. The user is tied to the directory they are initially authenticated against. If that directory is not present in the affiliate domain, the authorization fails.

SPS Federation Gateway in a Federation Deployment

You can install the r12.3 SiteMinder SPS Federation Gateway only in a legacy federation deployment. This release of the gateway is compatible with SiteMinder 12.5.

You cannot use the r12.3 gateway in a 12.5 partnership federation deployment.