The following features do not work when the simple_url session scheme is configured for the SPS:
As part of a single sign-on request, a Service Provider may request a particular user attribute to be included in the assertion; however, the value of the required attribute may not be available in the user record at the Identity Provider.
If the Service Provider's request includes the Allow/Create attribute and the Identity Provider is configured to create a new identifier, the Policy Server at the Identity Provider will generate a unique value as part of the NameID. This value is then included in the assertion that is sent back to the Service Provider.
When using the SPS, the SAML 2.0 Allow/Create functionality fails with the simple_url session scheme on the Service Provider side. However, the Allow/Create feature does work with the default session scheme.
The SAML 2.0 single logout feature is not supported when the SPS is configured to use the simple_url session scheme. However, single logout does work with the default session scheme.
SiteMinder supports the use of a custom web application to supply user attributes to the SiteMinder Single Sign-on service. The SiteMinder-provided sample web application, sample_application.jsp, cannot be used if a simple_url session scheme is configured for the SPS at the Identity Provider.
For more information about these SAML 2.0 features, see the CA SiteMinder Federation Security Services Guide.
The SPS has a limitation for POST preservation support when a request uses the Transfer-Encoding: chunked header.
For chunked data to be sent from the SPS to a protected resource, the user should be authenticated and have an established session. The SPS does not challenge a user for credentials in response to a request where chunked data is sent via a POST.
When using proxy filters for accessing the request or response data, the request or response is no longer sent in a chunked format. The entire request or response body is buffered within the SPS and sent in a non-chunked, Content-Length based format.
The SPS handling of large files is limited by system resources, memory, and the JVM.
If pre-filters or post-filters access a request or response body, the SPS does not use the large file-handling block size. The SPS buffers the entire request or response body.
The following limitations affect group filter or filter definitions:
The groupfilter names and filter names should be different. You cannot use the same names for group filter names and filter names. If the filter names and groupfilter names are the same, the results may be unpredictable.
A Secure Proxy Server that is deployed as a federation gateway cannot support SSO security zones when using multiple virtual hosts.
Copyright © 2013 CA.
All rights reserved.