Defects Fixed in 12.5

This section contains the following topics:

Web Agent Option Pack creates an invalid assertion (111451/160502)

Incorrect Agent Configuration Object Note in Web Agent Option Pack Guide (171005)

Query String Redirection for Delegated Authentication is Only for Testing (165475)

Tomcat 6 Reference Removed from Documentation (159125)

Prerequisite for ODBC User Directory Setup for Federation (157633)

Information Missing for the smfedexport Command Options (155515)

Protection Against XML Signature Wrapping Attacks (168098)

Web Agent Option Pack creates an invalid assertion (111451/160502)

Symptom:

Web Agent Option Pack creates an assertion with an expired smsession cookie.

Solution:

STAR Issue: 21843717-01

Incorrect Agent Configuration Object Note in Web Agent Option Pack Guide (171005)

Symptom:

The Web Agent Option Pack Guide contained the following incorrect note:

"Note: The Agent Configuration Object referenced in this WebAgent.conf file must be a new object that you create. Do not specify the object in use by the Web Agent installed in your environment."

Solution:

This note has been removed from the guide.

STAR issue: 21419266-1

Query String Redirection for Delegated Authentication is Only for Testing (165475)

Symptom:

Query string redirection method for delegated authentication was not documented as an option only for test environments.

Solution:

The Partnership Federation Guide now says that if you configure the delegated authentication feature for single sign-on, do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.

STAR issue: 21183744;1

Tomcat 6 Reference Removed from Documentation (159125)

Symptom:

The Web Agent Option Pack Guide referenced Tomcat 6 in error.

Solution:

The section that is titled "Modify the Tomcat catalina.properties File (Tomcat 6.0.18 or higher)" has been removed from the Web Agent Option Pack Guide. Tomcat 6 is no longer supported as an application server.

STAR issue: 21093204-01

Prerequisite for ODBC User Directory Setup for Federation (157633)

Symptom:

The federation documentation must clarify that an ODBC user directory for a SAML-related configuration requires a properly defined SQL query scheme.

Solution:

The following note has been added to the User Directory chapter in the Legacy Federation Guide and the Partnership Federation Guide.

Note: To use an ODBC database for your federated configuration, set up the SQL query scheme and valid SQL queries before selecting an ODBC database as a user directory.

STAR issue: 21043182

Information Missing for the smfedexport Command Options (155515)

Symptom:

No detailed information exists about the usage of the smfedexport command options, such as -pubkey, -sign, and -signingcertalias.

Solution:

The Legacy Federation Guide has clearer explanations of the smfedexport command options.

STAR issue: 20969179-01

Protection Against XML Signature Wrapping Attacks (168098)

A malicious user can commit an XML signature wrapping attack by changing the content of a document without invalidating its signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to the XML specifications. As a result, the default signature checks can cause a signature verification failure for such documents.
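The kind of structural check a SAML consumer runs before cryptographic verification, as an added example that is not SiteMinder's own code and is unrelated to the xsw.properties mechanism: it rejects a document when a Reference URI is ambiguous, when the Signature is not enveloped in the element it signs, or when the Assertion the application would consume lies outside the signed element. The sample Response is constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def xsw_findings(xml_text):
    """Return structural problems found in a SAML Response. An empty list means
    the wrapping checks passed; the XMLDSig verification still has to run."""
    root = ET.fromstring(xml_text)
    findings = []
    assertions = root.findall(f".//{SAML}Assertion")
    if len(assertions) != 1:
        findings.append(f"expected one Assertion, found {len(assertions)}")
    # Every ID must be unique, otherwise a same-document Reference is ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate ID {dup!r}")
    signatures = list(root.iter(f"{DS}Signature"))
    if not signatures:
        findings.append("no Signature element")
    for sig in signatures:
        for ref in sig.iter(f"{DS}Reference"):
            uri = ref.get("URI", "")
            ref_id = uri[1:] if uri.startswith("#") else None
            target = [e for e in root.iter() if ref_id and e.get("ID") == ref_id]
            if len(target) != 1:
                findings.append(f"Reference {uri!r} does not resolve to one element")
                continue
            signed = target[0]
            # Enveloped signature: the Signature must be a direct child of what it signs.
            if not any(child is sig for child in signed):
                findings.append(f"Signature for {uri!r} is not enveloped in its target")
            # The Assertion the application consumes must be covered by the signature.
            if assertions and not any(e is assertions[0] for e in signed.iter()):
                findings.append(f"consumed Assertion lies outside signed element {uri!r}")
    return findings


# Constructed sample: one signed Assertion with an enveloped signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(xsw_findings(SAMPLE_RESPONSE) or "no structural findings")
```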

Signature verification failures occur for the following reasons:

If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document does not conform to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.

Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.

To disable the XML signature wrapping checks:

  1. Navigate to the xsw.properties file. The file exists in different locations for the Policy Server and the Web Agent.
  2. Change the following xsw.properties settings to true:
  3. Save the file.

STAR issue: 21321479;1