

Defects Fixed in 12.51

This section contains the following topics:

Incorrect Agent Configuration Object Note in Web Agent Option Pack Guide (171005)

Single Log Out after a ForceAuthN request results in Session Errors (153740)

System Error after a CA SiteMinder® Upgrade (154892)

Tomcat 6 Reference Removed from Documentation (159125)

Query String Redirection for Delegated Authentication is Only for Testing (165475)

Prerequisite for ODBC User Directory Setup for Federation (157633)

Information Missing for the smfedexport Command Options (155515)

Protection Against XML Signature Wrapping Attacks (168098)

Incorrect Agent Configuration Object Note in Web Agent Option Pack Guide (171005)

Symptom:

The Web Agent Option Pack Guide contained the following incorrect note:

"Note: The Agent Configuration Object referenced in this WebAgent.conf file must be a new object that you create. Do not specify the object in use by the Web Agent installed in your environment."

Solution:

This note has been removed from the guide.

STAR issue: 21419266-1

Single Log Out after a ForceAuthN request results in Session Errors (153740)

Symptom:

The Policy Server log reports session errors when the following conditions are met:

  1. A user logs in to Service Provider 1.
  2. A user logs in to Service Provider 2. The Service Provider sends an authentication request with a ForceAuthN query parameter to the Identity Provider.
  3. A user logs out from either Service Provider.

Solution:

The issue is fixed. Session errors are no longer reported.

STAR issue: 20122645–1

System Error after a CA SiteMinder® Upgrade (154892)

Symptom:

The customer is required to track all SLOs in the audit log. The customer set up an unprotected realm with an anonymous authentication scheme on /affwebservices/public/saml2slo. Before the upgrade to CA SiteMinder® R12 SP3 CR2, this setup worked.

Solution:

The problem has been corrected. The customer gets a successful logout page.

STAR issue: 20160464;1

Tomcat 6 Reference Removed from Documentation (159125)

Symptom:

The Web Agent Option Pack Guide referenced Tomcat 6 in error.

Solution:

The section that is titled "Modify the Tomcat catalina.properties File (Tomcat 6.0.18 or higher)" has been removed from the Web Agent Option Pack Guide. Tomcat 6 is no longer supported as an application server.

STAR issue: 21093204-01

Query String Redirection for Delegated Authentication is Only for Testing (165475)

Symptom:

The query string redirection method for delegated authentication was not documented as an option that is only for test environments.

Solution:

The Partnership Federation Guide now states that if you configure the delegated authentication feature for single sign-on, do not use the query string method in a production environment. The query string redirection method is intended only for a test environment, as a proof of concept.

STAR issue: 21183744;1

Prerequisite for ODBC User Directory Setup for Federation (157633)

Symptom:

The federation documentation did not state that an ODBC user directory used in a SAML-related configuration requires a properly defined SQL query scheme.

Solution:

The following note has been added to the User Directory chapter in the Legacy Federation Guide and the Partnership Federation Guide.

Note: To use an ODBC database for your federated configuration, set up the SQL query scheme and valid SQL queries before selecting an ODBC database as a user directory.

STAR issue: 21043182

Information Missing for the smfedexport Command Options (155515)

Symptom:

No detailed information exists about the usage of the smfedexport command options, such as -pubkey, -sign, and -signingcertalias.

Solution:

The Legacy Federation Guide has clearer explanations of the smfedexport command options.

STAR issue: 20969179-01

Protection Against XML Signature Wrapping Attacks (168098)

A malicious user can carry out an XML signature wrapping attack by changing the content of a document without invalidating its signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can fail with a signature verification failure.

Signature verification failures occur for the following reasons:

If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document does not conform to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.

Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.
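The following Python is an added illustration, not CA SiteMinder code, of the kind of structural check a consumer runs before cryptographic verification: the element named by the ds:Reference URI must be unique in the document and must be the assertion that is actually consumed. The SAML 2.0 and XML-DSig namespaces are real; the two sample documents are constructed, abbreviated, and carry no real signature value.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def check_signed_assertion(xml_text: str) -> str:
    """Structural pre-check run before cryptographic verification.

    Returns "ok" when the element named by the ds:Reference URI is unique in
    the document and is the top-level saml:Assertion the consumer acts on.
    Any other result means the document should be rejected.
    """
    root = ET.fromstring(xml_text)
    ref = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return "no-same-document-reference"
    # XML requires ID values to be unique; wrapping attacks and non-conforming
    # issuers both produce documents where that does not hold.
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        return "ambiguous-id"
    consumed = root.find("saml:Assertion", NS)  # the assertion the consumer reads
    if consumed is None or matches[0] is not consumed:
        return "signed-element-not-consumed"
    return "ok"

# Constructed sample: a conforming response whose single assertion is signed
# (the Signature element is abbreviated; no real signature value is present).
CONFORMING = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a non-conforming document in which two elements share an
# ID. A strict verifier cannot tell which one the signature covers, so it fails
# verification; this is the symptom the section above describes.
DUPLICATE_ID = CONFORMING.replace(
    "</saml:Assertion>",
    '</saml:Assertion>\n  <saml:Assertion ID="_a1"><saml:Subject>'
    "<saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>")
```

A document that trips this check from a known issuer is the case the workaround below addresses; rejecting it is the safe default.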

To disable the XML signature wrapping checks:

  1. Navigate to the xsw.properties file. The file exists in different locations for the Policy Server and the Web Agent.
  2. Change the following xsw.properties settings to true:
  3. Save the file.

STAR issue: 21321479;1