2.0 System Requirements
2.1 Minimum JDK/JRE Version for SiteMinder 6.0 SP 5/6.x QMR 5
3.0 Installation Considerations
3.1 Version Compatibility
3.2 Components Required for eTelligent Rules
3.3 Components Required for Federation Security Services
3.4 Installation Requirements for the Policy Server Option Pack
3.5 Installation Requirements for the Web Agent Option Pack
3.5.1 Repair ServletExec's CLASSPATH for the Web Agent Option Pack (Windows)
3.6 Environment Variables Added and Modified by the Policy Server Option Pack
3.7 Environment Variables Added by the Web Agent Option Pack
4.0 Installation Instructions for the Policy Server Option Pack
4.1 Policy Server Option Pack GUI and Console Mode Installation
4.2 (Optional) Import Federation Data After Option Pack Installation
5.0 Policy Server Option Pack Unattended Mode Installation
5.1 Prepare an Unattended Installation
5.2 Run the Unattended Installation Program
5.3 Stop an Unattended Installation in Progress
6.0 Policy Server Option Pack Uninstallation
7.0 Web Agent Option Pack Installation
7.1 Web Agent Option Pack GUI and Console Mode Installation
8.0 Web Agent Option Pack Unattended Mode Installation
8.1 Prepare an Unattended Installation
8.2 Run an Unattended Installation
8.3 Stop an Unattended Installation in Progress
9.0 Web Agent Option Pack Uninstallation
9.1 Uninstall the Web Agent Option Pack from Windows Systems
9.2 Uninstall the Web Agent Option Pack from UNIX Systems
10.0 Upgrade the Policy Server Option Pack
10.1 Version Compatibility for Upgrades
10.2 Preserve the smkeydatabase.properties File Before an Upgrade
10.3 Upgrade Procedure for the Policy Server Option Pack
10.4 Upgrade Procedure for the Web Agent Option Pack
11.0 Defects Fixed for Option Packs 6.x QMR 5 and 6.0 SP 5
11.1 Fixes that Apply to Both Option Packs
11.1.1 SiteMinder Rejects Assertion if <NameIdentifier> Element is Embedded in the <SubjectConfirmation> Value (51696)
11.2 Fixes for the Web Agent 6.x QMR 5 Option Pack
11.2.1 User Not Authorized Before Redirection to the Target Resource (46918)
11.2.2 Assertions Did Not Support Multi-byte Characters (47360)
11.2.3 SAML 2.0 SSO Service Doing IP Checking When the Option Is Not Enabled (53983)
11.2.4 Service Provider using SAML 2.0 artifact scheme Fails when It Sits Behind a Proxy Server (54391)
11.2.5 Web Agent Option Pack Log Shows Incorrect Product Update Version (54584)
11.2.6 Web Agent Option Pack on Apache 2.x/Linux Fails to Load When the Web Server Starts (54795)
11.2.7 Target Query String is Not Included in SAML 1.x and 2.0 IsProtected Call (55418)
11.2.8 Ampersand (&) Missing Between SAMLART and RelayState Query Parameters (55479)
11.2.9 Identity Provider Discovery Redirect is Failing When an AuthNRequest Initiates Authentication (55678)
11.3 Fixes for the Policy Server v6.0 SP 5 Option Pack
11.3.1 SAML 2.0 Exchanges Are Failing When Assertion Consumer Service URL Contains Port Number (47252)
11.3.2 AuthenticationInstant Attribute Value Set Incorrectly (48584)
11.3.3 SmPolicySrv Process Crashing on UNIX When Trying to View FederationWSCustomUser Directory (48846)
11.3.4 SAML Authentication Scheme Needs Optional <dsig:KeyInfo> Attribute (44815)
11.3.5 Multiple User Stores Defined by IP Address are Not Searched Properly During Authentication (52772)
11.3.6 When SAML 2.0 Authentication is Configured with the Single Use Policy Feature, the Policy Server Fails (53113)
11.3.7 Require Signed AuthnRequests Option Fails on Solaris-based Identity Provider (53693)
11.3.8 Signature Processing for SAML Post Profile Fails When TransactionMinder is Installed (54217)
11.3.9 Sample Class Missing from SDK Installation (54230)
11.3.10 Policy Server Fails When Several Failover Servers Exist for SAML 1.1 POST Authentication (54624)
11.3.11 Apply Button Deletes the XPATH query for XML Body Variable (54839)
11.3.12 SAML 2.0 Authentication Scheme with Server Redirect Mode Set Ignores Assertion Attributes with Certain Name Formats (54517)
11.3.13 SiteMinder Fails to Process a Third-party Assertion with Multi-valued Attributes (54562)
11.3.14 Unattended Upgrade of the Policy Server Option Pack on Windows 2003 Causes a System Reboot (55548)
12.0 Defects Fixed for Option Pack 6.x QMR 4 and 6.0 SP 4
12.1 Fixes that Apply to Both Option Packs
12.1.1 SiteMinder 6.0 SP 3/6.x QMR 3 SAML 1.x Consumer Cannot Consume Assertions from a Producer of a Previous SiteMinder Version (45279)
12.1.2 Relative URL Cannot Be Specified as the Target for Server Redirect Mode (41967)
12.2 Fixes for Web Agent 6.x QMR 4 Option Pack
12.2.1 SAML 1.x Assertion Not Returned if Affiliate Name has Mixed or Upper Case Letters (44705)
12.2.2 Web Server Appends Invalid Character as Part of SAML Response Body (47535)
12.3 Fixes for Policy Server 6.0 SP 4 Option Pack
12.3.1 100 Character Limit for User and DN Attributes Included in an Assertion (46237)
12.3.2 Policy Server Option Pack Variables are Not Accessible in Mixed Mode (44395)
12.3.3 Affiliate Domain Objects Are Not Retrieved and Displayed Correctly (45693)
12.3.4 Error Occurs Using SMKeytool to List Microsoft Client Certificates (47337)
13.0 Defects Fixed for Option Packs 6.x QMR 3 and 6.0 SP 3
13.1 Fixes for Web Agent 6.x QMR 3 Option Pack
13.1.1 SAML Credential Collector Redirects Users to Incorrect Targets (40123)
13.1.2 FWS Attribute Data is Not Propagated (41770)
13.1.3 Server Certificates with a Key Usage Extension Rejected by SAML Assertion Retrieval Component (42663)
13.2 Fixes for Policy Server 6.0 SP3 Option Pack
13.2.1 SAML POST Authentication Scheme GUI Requires ISSUER URL to Start with HTTP (42578)
14.0 Defects Fixed for Option Packs 6.x QMR 2 and 6.0 SP 2
14.1 Fix that Applies for Both Option Packs
14.1.1 SAML ID Values Do Not Conform with XML Scheme (34371)
14.2 Fixes for Web Agent v6.x QMR 2 Option Pack
14.2.1 Assertions with Multiple HTTP Status Headers Are Not Consumed (34218)
14.2.2 HTTP Response Body with Extra Characters Prevents SiteMinder from Consuming Assertions (30799)
14.2.3 Back-channel Cert-based Authentication Fails on IIS 5.0 (30929)
14.2.4 Federation Web Services Ignores CookieDomain and CookieDomainScope Settings (38373)
14.2.5 Federation Web Services Creates SMSESSION Cookie with Missing Data for Secure Proxy Agent (38419)
15.0 Known Issues
15.1 Web Agent Protecting Federation Web Services Must Trust Default Security Zone (56704)
15.2 Policy Server Installed on Japanese OS Platform Cannot Display Affiliate Domain Objects After Upgrade to 6.0 SP 4 or higher
15.3 Single Logout Services Log Errors if ODBC/SQLError Component Enabled (41324)
15.4 Incompatible SiteMinder Releases for Federation Security Services (44790)
17.0 Documentation
17.1 Integrated Documentation
The Policy Server and the Web Agent have separate Option Packs. The Option Packs install different features, as indicated by the following list:
This option, which is separately-licensed from SiteMinder, supports:
The SAML Affiliate Agent is a SAML consumer; however, it is not part of the SiteMinder stack. If you are using the SAML Affiliate Agent in your network, the Federation Web Services application functions to get the assertion back to the Agent.
You can use eTelligent Rules by installing only the Policy Server Option Pack. To use POST variables, you must also install the Web Agent Option Pack.
For a list of supported platforms:
Some platforms supported in previous releases may no longer be supported.
SiteMinder requires the use of JDK/JRE 1.5.0_01 or later, but note the following caveats:
This issue is a result of a Sun Microsystems bug. Refer to Sun bug number 6399321.
The following sections contain helpful information regarding Option Pack installation.
The Policy Server v6.0 SP 5 Option Pack and the Web Agent v6.x QMR 5 Option Pack are compatible only with each other and will run only on the corresponding 6.0 SP 5 Policy Server and 6.x QMR 5 Web Agent respectively.
For details on using the Option Packs in a mixed mode environment, that is, an environment with SiteMinder 5.x and 6.x systems, see the CA eTrust SiteMinder Upgrade Guide.
This is a site license; you need one license for each Policy Server. Contact your CA account manager to obtain a license.
The Policy Server must have a JRE, which is used by the Option Pack. For the specific JRE version, see the SiteMinder 6.0 Platform Matrix on the Technical Support site.
To use the Policy Server Option Pack, upgrade the session server. For upgrade instructions, see the CA eTrust SiteMinder Upgrade Guide.
For supported platforms, see the SiteMinder 6.0 Platform Matrix at https://support.netegrity.com/.
Note: Be sure to apply the most current hot fixes for ServletExec. Without the hot fixes, Federation Web Services will not work with ServletExec. To obtain the hot fixes, go to the New Atlanta Communications web site.
Check the SiteMinder 6.0 Platform Support Matrix for the supported JDK version. The matrix is located on the Technical Support site.
The Web Agent v6.x QMR 5 is not required to install the Web Agent Option Pack; however, the Web Agent must be installed at run time to use Federation Security Services.
If you install the Web Agent Option Pack on a Windows system with ServletExec ISAPI and get an error message, such as Class not found when you access an existing servlet or .jsp, verify that the ServletExec classpath is correct.
If your classpath is correct and you still get the error, you may need to repair your classpath.pref file, as follows:
http://myserver.myorg.org/servlet/admin
If you are using Windows 2000, stop the IIS Admin services, then start the World Wide Web Publishing service without manually starting the IIS Admin service.
On Windows 2000, if this procedure does not fix the classpath:
The installation of the Policy Server Option Pack adds and modifies the following environment variables:
The installation of the Web Agent Option Pack sets the following environment variables:
The Policy Server Option Pack can be installed using one of the following modes:
To install the Policy Server Option Pack, go to one of the following sections:
The installation instructions that follow reflect the GUI mode prompts. For UNIX systems, you can install the Policy Server Option Pack using Console mode by executing the Option Pack binary file with the -i console command argument. The command line installation prompts are similar to the GUI mode prompts.
Before you install the Policy Server Option Pack, be sure of the following:
To install the Policy Server Option Pack:
You can also download the software from the Technical Support site. Go to the folder for your operating system and download the installation file.
Solaris: nete-ps-opack-6.0-sp5-sol.bin
RHEL: nete-ps-opack-6.0-sp5-rhel30.bin
HP-UX: nete-ps-opack-6.0-sp5-hp.bin
chmod +x nete-ps-opack-6.0-sp5-sol.bin
Windows: Double-click nete-ps-opack-6.0-sp5-win32.exe
UNIX: At the command prompt, enter:
where <operating_system> can be rhel30, hp, sol.
For example, to run the installation in GUI mode on a Solaris platform enter:
./nete-ps-opack-6.0-sp5-sol.bin
The installation program starts and prepares the files.
The installation displays the License Agreement.
If you do not accept the terms, you cannot continue with the installation.
The program installs the Option Pack files then displays the Install Complete dialog box.
To reinstall the Policy Server Option Pack, repeat this procedure.
You must import the ampolicy.smdif file to see the Option Pack policy objects in the Policy Server User Interface.
If you did not import the ampolicy.smdif file during the Policy Server Option Pack installation, you can do this after the installation by entering the smobjimport command, where the arguments have the following meanings:
| Argument | Meaning |
|---|---|
| siteminder_home | Installed location of the Policy Server |
| admin_name | SiteMinder administrator's user name |
| admin_pw | SiteMinder administrator's password |
| -f | Overrides duplicate objects. |
| -v | Enables verbose mode. |
| -l | Creates a log file. |
| -c | Indicates that the smdif input file contains unencrypted data. |
Windows Systems Example for Importing ampolicy.smdif
smobjimport -i<siteminder_home>\db\smdif\ampolicy.smdif -d<admin_name> -w<admin_pw> -f -v -l -c
On Windows systems, if an argument contains spaces, use double quotes around the entire argument. For example:
smobjimport -i"C:\Program Files\netegrity\siteminder\db\smdif\ampolicy.smdif" -dsiteminder -wpassword -f -v -l -c
UNIX Systems Example for Importing ampolicy.smdif
smobjimport -i<siteminder_home>/db/smdif/ampolicy.smdif -d<admin_name> -w<admin_pw> -f -v -l -c
For example:
smobjimport -i/export/smuser/siteminder/db/smdif/ampolicy.smdif -dsiteminder -wpassword -f -v -l -c
After you have installed the Policy Server Option Pack on one system, you can automate other installations using the Policy Server Option Pack's unattended installation feature. An unattended installation lets you install or uninstall the Policy Server Option Pack without any user interaction.
Unattended installation uses the nete-ps-opack-installer.properties file to propagate the Policy Server Option Pack installation setup across all Policy Servers in your network. In this properties file, you define a set of installation parameters, then copy the file and the Policy Server Option Pack executable file to any web server in your network. After you copy the files to the web server, run an unattended installation.
The nete-ps-opack-installer.properties file is installed in the following location:
<siteminder_home>/install_config_info/nete-ps-opack-installer.properties
The default parameter values reflect the information you entered during the initial Option Pack installation.
Note: The nete-ps-opack-installer.properties file is case-sensitive. The parameter names must be all upper-case and their values are case-sensitive.
The following table lists parameters in the nete-ps-opack-installer.properties file.
| Parameter | Meaning |
|---|---|
| DEFAULT_IMPORT_CHOICE | Indicates whether affiliate policy objects are imported automatically during installation or imported manually after installation. Select true to allow an automatic import or false to do a manual import. The value must be entered in lower-case text. |
| DEFAULT_ADMIN_USER | Identifies the SiteMinder administrator defined at the Policy Server. Enter a user name in lower-case text. |
| DEFAULT_ADMIN_PW | Identifies the SiteMinder administrator's password in clear text. To modify the password, uncomment this line and enter the password in clear text. It cannot be encrypted. You cannot modify the encrypted password in the ENCRYPTED_ADMIN_PW parameter. |
| ENCRYPTED_ADMIN_PW | Encrypted SiteMinder administrator's password entered during the initial installation of the Option Pack. |
| DEFAULT_SMKEYDB_CHOICE | Indicates whether an smkeydatabase is created during installation or after installation. Select true to allow an automatic creation. Select false not to create the database. The value must be entered in lower-case text. |
| DEFAULT_SMKEYDB_PW | Identifies the smkeydatabase password in clear text. To modify the password, uncomment this line and enter the password in clear text. It cannot be encrypted. You cannot modify the encrypted password in the ENCRYPTED_SMKEYDB_PW parameter. |
| ENCRYPTED_SMKEYDB_PW | Encrypted password for the smkeydatabase entered during the initial installation of the Option Pack. |
| DEFAULT_SMKEYDB_IMPORT_CHOICE | Indicates whether the CA default certificates are imported into the database during installation. Select true to allow the certificates to be imported. Select false not to import the certificates. The value must be entered in lower-case text. |
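As an added example (not from this readme or from CA), the following POSIX shell script lints a copy of nete-ps-opack-installer.properties before it is propagated to other Policy Servers: it checks the two constraints stated above (upper-case parameter names, lower-case true/false values) and flags any DEFAULT_ADMIN_PW or DEFAULT_SMKEYDB_PW line left uncommented, since such a line carries a clear-text secret to every server the file is copied to. The two sample files, their values and the encrypted-value placeholder are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CA readme: lint a copy of
# nete-ps-opack-installer.properties before propagating it to other Policy Servers.
# It enforces the constraints the readme states (parameter names upper-case,
# *_CHOICE values lower-case true/false) and flags a DEFAULT_ADMIN_PW or
# DEFAULT_SMKEYDB_PW line left uncommented, which would carry a clear-text
# secret to every server the file is copied to.

WORKDIR="${TMPDIR:-/tmp}"
CR=$(printf '\r')   # a file edited on Windows may arrive with CRLF line endings

# Constructed sample with two problems: a capitalised "True" and an uncommented
# clear-text admin password. Parameter names are from the readme; values are made up.
SAMPLE_PROPS="$WORKDIR/sample-bad.properties"
cat > "$SAMPLE_PROPS" <<'EOF'
# constructed sample, not an installer-generated file
DEFAULT_IMPORT_CHOICE=True
DEFAULT_ADMIN_USER=siteminder
DEFAULT_ADMIN_PW=password
#ENCRYPTED_ADMIN_PW=<encrypted-value-placeholder>
DEFAULT_SMKEYDB_CHOICE=true
#DEFAULT_SMKEYDB_PW=
DEFAULT_SMKEYDB_IMPORT_CHOICE=false
EOF

# The same file as it should look before it is copied to other servers.
CLEAN_PROPS="$WORKDIR/sample-clean.properties"
cat > "$CLEAN_PROPS" <<'EOF'
DEFAULT_IMPORT_CHOICE=true
DEFAULT_ADMIN_USER=siteminder
#DEFAULT_ADMIN_PW=
ENCRYPTED_ADMIN_PW=<encrypted-value-placeholder>
DEFAULT_SMKEYDB_CHOICE=true
#DEFAULT_SMKEYDB_PW=
DEFAULT_SMKEYDB_IMPORT_CHOICE=false
EOF

# lint_props FILE: print one line per finding; return the number of findings (0 = clean).
lint_props() {
    file="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}                            # tolerate CRLF
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and commented lines
        name=${line%%=*}
        value=${line#*=}

        # Readme: parameter names must be all upper-case.
        case "$name" in
            *[[:lower:]]*) echo "$file: parameter name is not upper-case: $name"
                           findings=$((findings + 1)) ;;
        esac

        # Readme: *_CHOICE values must be lower-case true or false.
        case "$name" in
            *_CHOICE)
                case "$value" in
                    true|false) ;;
                    *) echo "$file: $name must be lower-case true or false, got '$value'"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac

        # Readme: the clear-text password lines are uncommented only to change a
        # password; once the install has run they must not travel with the file.
        case "$name" in
            DEFAULT_ADMIN_PW|DEFAULT_SMKEYDB_PW)
                echo "$file: $name is uncommented and holds a clear-text secret"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# count_findings FILE: the number of findings as a plain integer, for scripting.
count_findings() {
    lint_props "$1" | wc -l | tr -d ' '
}

if lint_props "$SAMPLE_PROPS"; then
    echo "$SAMPLE_PROPS: ready to copy"
else
    echo "$SAMPLE_PROPS: fix the findings above before copying it to other servers"
fi
```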
To install the nete-ps-opack-installer.properties file:
You should have completed an initial Policy Server Option Pack installation and, if necessary, modified the nete-ps-opack-installer.properties file. Now you can use the file to run subsequent Policy Server Option Pack installations.
To run an unattended installation:
<siteminder_executable> -f <properties_file> -i silent
Assuming that you run the installation from the directory where the executable and properties file are located, the command is:
Windows:
nete-ps-opack-6.0-sp5-win32.exe -f nete-ps-opack-installer.properties -i silent
Note: If you are not running the command from the location where the files reside, specify the complete path to these files. If there are spaces in the path to the directory, enclose the entire path between quotation marks.
UNIX (Solaris example):
./nete-ps-opack-6.0-sp5-sol.bin -f nete-ps-opack-installer.properties -i silent
The status dialog box opens and shows the unattended installation in process.
To stop the installation manually, follow the instructions for your platform:
Windows: Open the Windows Task Manager and stop the nete-ps-opack-6.0-sp5-win32.exe and ps_install.exe processes.
UNIX: Type Ctrl+C.
Uninstalling the Policy Server automatically removes the Policy Server Option Pack.
To uninstall the Policy Server, see the CA eTrust SiteMinder Policy Server Installation Guide.
The Web Agent Option Pack can be installed on a Web server running ServletExec or an application server (WebLogic, WebSphere, or JBoss).
There are several installation modes:
To install the Web Agent Option Pack, go to one of the following sections:
The installation instructions that follow reflect the GUI mode installation prompts. For UNIX systems, you can install the Web Agent Option Pack using console mode by executing the Option Pack binary file with the -i console command argument. The command line installation prompts are similar to the GUI mode prompts.
Important! If you are installing the Web Agent Option Pack on a Windows system immediately after installing the Web Agent, reboot your machine first.
To install the Web Agent Option Pack:
You can also download the software from the Technical Support site. Go to the folder for your operating system and download the installation file.
Windows: win32
UNIX: solaris, aix, hpux, linux (for Linux 2.1), rhel30 (for Linux 3.0)
Windows: Skip to Step 6.
UNIX: Copy the appropriate binary file to a local directory; then, navigate to that directory:
chmod +x nete-wa-opack-6qmr5-sol.bin
Windows: Double-click nete-wa-opack-6qmr5-win32.exe
UNIX: At the command prompt, enter one of the following commands:
./nete-wa-opack-6qmr5-<operating_system>.bin
./nete-wa-opack-6qmr5-<operating_system>.bin -i console
For example, to run the GUI mode on an AIX platform, enter ./nete-wa-opack-6qmr5-aix.bin
Note: The Web Agent Option Pack can be installed as a stand-alone product. If the installer cannot find a Web Agent, it asks if you want to continue or cancel. If you continue, the installer asks for an installation path and installs the Option Pack in the location you specify.
The installation displays the License Agreement.
If you do not accept the terms, the installation will not continue.
You will get a message indicating when the installation is complete.
To reinstall the Option Pack, repeat this procedure.
After you have installed the Web Agent Option Pack on one system, you can automate installations on other web or application servers using the Web Agent Option Pack's unattended installation feature. An unattended installation lets you install or uninstall the Web Agent Option Pack without any user interaction.
Unattended installation uses the nete-wa-opack-installer.properties file to propagate the Option Pack installation set-up across all servers in your network. In this properties file, you define installation parameters, then copy the file and the Web Agent Option Pack executable file to any applicable server in your network. After the files are copied, you can run an unattended installation.
The nete-wa-opack-installer.properties file is installed in the following location: <web_agent_opack_home>/install_config_info
The default parameter and path in the file reflect the information you entered during the initial Option Pack installation.
To install the nete-wa-opack-installer.properties file:
Prior to running an unattended installation, you should have:
You can now use the nete-wa-opack-installer.properties file to run subsequent Web Agent Option Pack installations.
Note: You can run an unattended installation to reinstall the Web Agent on the same system where you initially performed an installation in GUI or console mode.
To run an unattended installation:
or
UNIX: nete-wa-opack-6qmr5-<operating_system>.bin
from the SiteMinder DVD or from your system.
<agent_executable> -f <properties_file> -i silent
Assuming that you run the installation from the directory where the executable and properties file are located, the command syntax is shown in the following examples:
Windows example:
nete-wa-opack-6qmr5-win32.exe -f nete-wa-opack-installer.properties -i silent
Note: If you are not at the location where the executable and properties file reside, specify the full path to these files. If there are spaces in the directory paths, enclose the entire path with quotation marks.
Solaris example:
./nete-wa-opack-6qmr5-sol.bin -f nete-wa-opack-installer.properties -i silent
The status dialog box opens and shows the unattended installation in process.
When the installation is complete, you return to the command prompt.
To stop the installation manually, follow the instructions for your platform:
Windows: Open the Windows Task Manager and stop the nete-wa-opack-6qmr5-win32.exe and wa_option_pack.exe processes.
UNIX: Type Ctrl+C.
The instructions for uninstalling the Web Agent Option Pack are different for Windows and UNIX platforms.
To uninstall the Web Agent Option Pack:
The control panel opens.
The program displays a dialog box confirming the uninstallation.
The Option Pack is removed.
The uninstallation instructions that follow reflect the GUI mode prompts. For UNIX systems, you can uninstall the Option Pack using Console mode by executing the Option Pack binary file with the -i console command argument. The command line installation prompts are similar to GUI mode prompts.
To uninstall the Web Agent Option Pack:
PATH=/<jdk_home>/bin:${PATH}
export PATH
where <jdk_home> is the location of the JDK
This avoids an error message that the Java virtual machine could not be found.
/opt/netegrity/webagent/
GUI mode: ./nete-wa-opack-uninstall.sh
Console mode: ./nete-wa-opack-uninstall.sh -i console
The Web Agent Option Pack is now removed from your system.
Different features require different versions of the Policy Server and its Option Pack, as follows:
The Policy Server Option Pack v6.0 SP 5 is compatible only with Policy Server v6.0 SP 5. You can upgrade the Option Pack from a previous version, but you must also upgrade the Policy Server.
Important! When you upgrade, the upgrade program automatically creates back-up configuration files and overwrites the existing configuration files.
When reinstalling the Policy Server Option Pack as part of an upgrade, the smkeydatabase.properties file gets replaced with a new properties file that has some revised settings from the existing file. Also, the EncryptedPassword from the existing file is not preserved.
To ensure the smkeydatabase.properties file uses the correct EncryptedPassword value, the value from the old file needs to be placed into the new file.
To ensure the smkeydatabase.properties file is upgraded properly:
To upgrade the Policy Server Option Pack to v6.0 SP 5:
For instructions, see CA eTrust SiteMinder Policy Server Installation Guide.
The installation program will also run as an upgrade. For instructions, go to one of these sections in this readme:
The Web Agent v6.x QMR 5 Option Pack is compatible only with Web Agent v6.x QMR 5. You can upgrade from any previous version of the Web Agent Option Pack to v6.x QMR 5, but you must also upgrade the Web Agent.
Important! When you upgrade, the upgrade program automatically creates back-up configuration files and overwrites the existing configuration files.
To upgrade the Web Agent Option Pack to v6.x QMR 5:
For instructions, see the CA eTrust SiteMinder Web Agent Installation Guide.
The installation program will also run as an upgrade. For instructions, go to one of the upgrade sections in this readme.
The following sections list defects fixed for both Option Packs.
The following sections list fixed defects that apply to the Web Agent and Policy Server Option Packs.
Problem: SiteMinder rejects a SAML assertion if the <NameIdentifier> element is put in the XML assertion within the <SubjectConfirmation> value.
Resolution: The search for the <NameIdentifier> has been restricted to only the immediate next child level so this is no longer a problem.
The following sections list defects fixed for the Web Agent Option Pack.
Problem: If you configure a SAML authentication scheme and select Server Redirect as the mode by which the user is redirected to the target resource, the authentication scheme fails to check if the authenticated user is also authorized before redirecting the user to the target resource.
Resolution: To fix this problem, the administrator must define realms, rules, and policies to protect target resources. In Server Redirect mode, the target URL is defined with respect to the context of the FWS servlet that consumes the assertion and not the root of the hosting web or application server. Specifically, realm definitions must start with /affwebservices in the resource filter of the realm.
Problem: SiteMinder did not support multi-byte characters in assertions.
Resolution: A SiteMinder SAML producer can now create appropriate SAML assertions containing UTF-8 strings. SiteMinder SAML consumers are now able to consume SAML assertions containing UTF-8 strings.
Problem: The SAML 2.0 Single Sign-on Service was performing IP checking even though the IP checking feature was not configured.
Resolution: IP checking is no longer performed unless the feature is configured.
Problem: The Service Provider configured to use a SAML 2.0 artifact authentication scheme fails when the Service Provider sits behind a proxy server.
Resolution: This is no longer an issue.
Problem: In the AffWebServices log, the Web Agent Option Pack was showing the incorrect product update version.
Resolution: This is no longer a problem.
Problem: The SAML Affiliate Agent installed on an Apache 2.0 server running Linux fails to load when the Apache web server starts up.
Resolution: The Web Server and Agent start up with no problem.
Problem: When a SAML 1.x Consumer or SAML 2.0 Service Provider makes an IsProtected call, it does not include the target query string.
Resolution: The target query string is now included in the call.
Problem: The SAML 2.0 redirection to an Assertion Consumer URL is missing an ampersand (&) between the SAMLART and RelayState query parameters.
Resolution: The ampersand character is no longer missing.
Problem: The Identity Provider Discovery redirect is failing when using an AuthNRequest to initiate SAML 2.0 authentication.
Resolution: This is no longer a problem.
The following sections list defects fixed for the Policy Server Option Pack.
Problem: On Windows platforms, SAML 2.0 transactions are failing when a valid port is appended to the Assertion Consumer Service URL.
Resolution: You can now have a valid port appended to the Assertion Consumer Service URL.
Problem: The SAML assertion's AuthenticationInstant attribute was not being set to the time the user authenticated at the Identity Provider.
Resolution: The AuthenticationInstant attribute is now set to the correct time.
Problem: On UNIX platforms, the smpolicysrv process is crashing when a SiteMinder administrator tries to view users in the FederationWSCustomUser directory.
Resolution: This is no longer a problem.
Problem: The SAML authentication scheme requires that signed SAML 1.1 assertions contain the optional <dsig:KeyInfo> attribute when trying to consume the assertion.
Resolution: SiteMinder no longer requires the optional attribute.
Problem: Multiple user stores identified by IP addresses are not searched properly during SAML authentication.
Resolution: This is no longer a problem.
Problem: On Solaris, when the Policy Server is acting as a Service Provider, it was crashing when a SAML 2.0 authentication scheme was configured with the Enforce Single Use Policy option enabled.
Resolution: One of the parameters being passed from the SAML authentication scheme to the logging mechanism was NULL, causing the crash. The SAML authentication scheme has been modified to ensure that it does not pass the null argument.
Problem: If you configure a SAML Service Provider and check the Require Signed AuthnRequests option, the requests are failing.
Resolution: The requests are no longer failing.
Problem: When the Policy Server Option Pack and TransactionMinder are installed and configured together, signing functionality does not work.
Resolution: Signature processing is now successful regardless of whether TransactionMinder is installed with the Policy Server Option Pack.
Problem: The sample class directory, sdk/samples/authextensionsaml20, is missing from the 6.0 SDK installation.
Resolution: The directory is now part of the SDK kit.
Problem: The Policy Server was failing during a SAML 1.1 Post authentication process when a user directory had a large number of failover servers configured.
Resolution: The Policy Server no longer fails. The number of failover servers allowed has been increased.
Problem: Clicking the Apply button at the bottom of the XML Body Variable Editor in the Policy Server User Interface removes the XPATH query when the variable is configured using the Advanced Query option on the Advanced tab.
Resolution: This is no longer an issue.
Problem: When an assertion contains attributes with a Name Format of unspecified or url, the Service Provider at the consumer ignores the assertion attributes if the SAML 2.0 authentication scheme is configured in Server Redirect mode. Specifically, the following attributes are ignored:
It only sets attributes with a name format of urn:oasis:names:tc:SAML:2.0:attrname-format:basic.
Resolution: The unspecified and url attributes are no longer ignored in Server Redirect mode.
Problem: When a third party generates a SAML assertion with an attribute that has multiple values from the user store, the Policy Server is not processing the assertion correctly.
Resolution: The Policy Server can now process assertions from third parties with multi-valued attributes.
Problem: When upgrading the Policy Server Option Pack in unattended mode, the Windows 2003 system was rebooting.
Resolution: This is no longer occurring.
The following sections list defects fixed for the Web Agent and Policy Server Option Packs.
The following sections list defects fixed for both Option Packs.
Problem: A SAML 1.x consumer running SiteMinder 6.0 SP 3/6.x QMR 3 or later is unable to consume SAML assertions generated by a producer of an earlier version of SiteMinder.
Resolution: This is no longer an issue.
Problem: When configuring the Server Redirect Mode for a SAML authentication scheme, you cannot specify a relative URL for the TARGET parameter.
Resolution: You can now specify a relative URL.
The following sections list defects fixed for the Web Agent Option Pack.
Problem: Federation Web Services fails to return an assertion using the SAML 1.x artifact profile if the affiliate name is specified using mixed or upper case characters at the producer or consumer sites.
Resolution: The affiliate name is no longer case sensitive.
Problem: SiteMinder appears to generate assertions with invalid characters appended to the SAML response body.
Resolution: The invalid characters are appended by web servers or network devices between SiteMinder and the assertion consumer. If SiteMinder is also acting as the consumer, SiteMinder removes the extra characters before parsing the XML body.
The following sections list defects fixed for the Policy Server Option Pack.
Problem: When you specify an Affiliate-HTTP-Cookie-Variable at the producer/Identity Provider to be included in an assertion sent to a consumer/Service Provider, there is a 100 character limit for a User Attribute or a DN Attribute. This limit does not occur when you configure a Static attribute.
Resolution: The character limit has been extended to 1000 characters.
Problem: Policy Server Option Pack variables are not accessible from a SiteMinder Policy Server User Interface when the system is running in mixed mode (a 6.x Policy Server running against a 5.x policy store).
Resolution: In mixed mode, the Option Pack variables are now properly accessed without error.
Problem: The affiliate objects are not retrieved and displayed correctly in the Policy Server User Interface.
Resolution: Affiliate domain objects are now correctly retrieved and displayed in the Policy Server User Interface.
The contents of any affiliate domain that were created on a version of the Policy Server running on a Japanese OS prior to 6.0 SP1 will not be displayed as a result of an upgrade to 6.0 SP 4. This is a known limitation of the product.
Problem: When you try to list Microsoft client certificates using SiteMinder's SMKeytool utility, a "No Certificates available.Exception: 15" message is generated. The Microsoft certificates are imported, but they cannot be viewed or used properly with the POST profile at the consumer/Service Provider.
Certificates that are created by a Sun Java Systems/Sun ONE Certificate Authority and Open SSL do not have the same issue.
Resolution: This is no longer a problem.
The following sections list defects fixed for the Web Agent and Policy Server Option Packs.
The following sections list defects fixed for the Web Agent Option Pack.
Problem: For SAML 1.x communication, the SAML credential collector redirects users to target destinations that are outside of the credential collector's own cookie domain.
Resolution: The SAML credential collector now only redirects within its cookie domain.
Problem: The Federation Web Services (FWS) application does not propagate user attribute data if it is specified in a generic format in the SAML assertion.
Resolution: Attribute data may be propagated to target applications. In 302 - cookie data redirect mode, Federation Web Services issues a cookie for each generic attribute in a SAML assertion. In server side redirect mode, Federation Web Services passes a HashMap to the target application. The HashMap contains entries for each generic attribute in a SAML assertion; the name of the request attribute is Netegrity.AttributeInfo.
For the following assertion sample, SiteMinder can set attribute values for FirstName and LastName:
```xml
<saml:AttributeStatement>
.
.
.
<saml:Attribute AttributeName="FirstName" AttributeNamespace="AttributeNS">
<saml:AttributeValue>JOHN</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="LastName" AttributeNamespace="AttributeNS">
<saml:AttributeValue>SMITH</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
```
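The attribute handling described in the two fixes above (generic attributes passed to the target application, and attributes carrying several values from the user store) can be modelled with a small parser over a SAML 1.x AttributeStatement. This is an added example, not CA's Federation Web Services code; the multi-valued Groups attribute in the sample is constructed to exercise the multi-value path.

```python
"""Extract generic attributes from a SAML 1.x AttributeStatement.

Added example, not CA's Federation Web Services code. It models what the
resolutions above describe: every <saml:Attribute> in the statement becomes
one entry in a map handed to the target application, and an attribute
carrying several <saml:AttributeValue> children keeps all of its values.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample: the page's FirstName/LastName statement plus a
# multi-valued "Groups" attribute (constructed, not from the page).
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeName="FirstName" AttributeNamespace="AttributeNS">
    <saml:AttributeValue>JOHN</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="LastName" AttributeNamespace="AttributeNS">
    <saml:AttributeValue>SMITH</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="Groups" AttributeNamespace="AttributeNS">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>finance</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def extract_attributes(statement_xml: str) -> dict[str, list[str]]:
    """Return {AttributeName: [values...]} for every attribute in the statement.

    Raises ValueError on a wrong root element or a missing attribute name so a
    consumer fails loudly instead of silently dropping attribute data.
    """
    root = ET.fromstring(statement_xml)
    if root.tag != f"{{{SAML1_NS}}}AttributeStatement":
        raise ValueError(f"not a SAML 1.x AttributeStatement: {root.tag}")
    result: dict[str, list[str]] = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("AttributeName")
        if not name:
            raise ValueError("Attribute element without AttributeName")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # A repeated AttributeName merges its values rather than overwriting.
        result.setdefault(name, []).extend(values)
    return result


if __name__ == "__main__":
    for name, values in extract_attributes(SAMPLE_STATEMENT).items():
        print(f"{name} = {values}")
```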
Problem: The Web Agent Option Pack expects the SSL server certificate to have the digital signature key extension set. The SSL standard specifies that the digital signature key extension is optional for server certificates.
Resolution: This problem has been fixed.
The following sections list defects fixed for the Policy Server Option Pack.
Problem: The SAML Post Authentication Scheme GUI Properties require the ISSUER URL to begin with http. The GUI will not let you enter an ISSUER URL that does not begin with http.
Resolution: The label on the SAML POST authentication scheme was changed from "Issuer URL" to "Issuer". The edit constraints were changed so that the Issuer is no longer required to start with http, reflecting the fact that the issuer is not a URL according to the SAML specification.
The following sections list defects fixed for both Option Packs.
The following sections list defects fixed for the Web Agent and Policy Server Option Packs.
Problem: Assertions contain SAML ID values that do not conform with the XML schema type NCName.
Resolution: The values now conform.
The following sections list defects fixed for the Web Agent Option Pack.
Problem: SiteMinder fails to consume SAML assertions if multiple HTTP status headers are found. Also, Federation Web Services fails to connect with WebLogic Application Server over SSL.
Resolution: These issues are no longer a problem.
Problem: SiteMinder fails to consume SAML assertions if the HTTP response body includes extra characters. Also, SiteMinder produces SOAP request messages with single quote instead of double quote characters, which cannot be consumed by some SAML consumers.
Resolution: Federation Web Services has been modified so that SiteMinder consumes SAML assertions with extra characters and produces SAML assertions with double quotes.
Problem: Because of a known limitation, the IIS 5.0 Web Agent does not handle in-line client certificates over an SSL connection. When Federation Web Services (FWS) is installed and configured to consume assertions and the customer requires certificate authentication for back-channel requests to the SAML credential collector, the Web Agent is unable to protect FWS.
Resolution: Use the IIS 5.0 Web server to do client certificate authentication. FWS has been modified to obtain the client certificate from the HTTP request on IIS 5.0. This solution requires that the client certificate's subject DN value contain the affiliate name in the CN attribute field.
Problem: The Federation Web Services application ignores the CookieDomain and CookieDomainScope Web Agent parameters, which causes single sign-on to fail in certain configurations.
Resolution: Federation Web Services now uses these configuration parameters.
Problem: The Federation Web Services application generates an SMSESSION cookie that lacks the data required for interoperability with the Secure Proxy Agent.
Resolution: The SMSESSION cookie generated by Federation Web Services now contains the necessary data for the Secure Proxy Agent.
The following sections describe known issues for the Policy Server and Web Agent Option Packs.
If you are using Federation Security Services in an environment with SiteMinder security zones, you must configure the Web Agent that is protecting the Federation Web Services application to trust the default security zone, called SM. Therefore, include the default security zone SM when configuring the SSOTrustedZone parameter for this Web Agent.
The contents of any affiliate domain objects that were created on a version of the Policy Server running on a Japanese OS prior to 6.0 SP1 will not be displayed as a result of an upgrade to 6.0 SP 4.
If the ODBC/SQLError component is enabled in the Policy Server trace log, Single Logout Services may cause the following errors to be written to the trace log:
```
[13:42:44.0][CSmDbODBC.cpp:189][CSmDbConnectionODBC::MapResult][][][-1][[Microsoft][ODBC SQL Server Driver][SQL Server]Violation of PRIMARY KEY constraint 'PK__ss_sessionvar5__571DF1D5'. Cannot insert duplicate key in object 'ss_sessionvar5'.][][][]
[13:42:44.0][CSmDbODBC.cpp:277][CSmDbConnectionODBC::MapResult][][Mapped Result: -1059 Error Message: "[Microsoft][ODBC SQL Server Driver][SQL Server]Violation of PRIMARY KEY constraint 'PK__ss_sessionvar5__571DF1D5'. Cannot insert duplicate key in object 'ss_sessionvar5'." SQL State: 23000.][][][][][]
[13:42:44.0][CSmDbODBC.cpp:189][CSmDbConnectionODBC::MapResult][][][-1][[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated.][][][]
[13:42:44.0][CSmDbODBC.cpp:277][CSmDbConnectionODBC::MapResult][][Mapped Result: -1059 Error Message: "[Microsoft][ODBC SQL Server Driver][SQL Server]The statement has been terminated." SQL State: 01000.][][][][][]
[13:42:44.0][CSmDbODBC.cpp:189][CSmDbConnectionODBC::MapResult][][][-1][][][][]
[13:42:44.0][CSmDbODBC.cpp:277][CSmDbConnectionODBC::MapResult][][Mapped Result: -1059 Error Message: "" SQL State: .][][][][][]
```
This is normal and the data is ultimately written to the session server database.
SiteMinder versions 6.0 SP 3/6.x QMR 3 configured as a SAML 1.X consumer and the SAML Affiliate Agent 6.x QMR 3 are incompatible with SiteMinder versions 6.0 SP 2/v6.x QMR 2 and earlier configured as a SAML 1.X producer. The incompatibility is due to changes made in SiteMinder 6.0 SP 3/6.x QMR 3 to ensure conformance to the SAML specification based on the PingID certification tests.
An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats.
A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product's user interface, online help and other documentation, as well as local language default settings for date, time, currency, and number formats.
In addition to the English release of this product, CA supports only those languages listed in the following table.
| Language | Internationalized | Translated |
|---|---|---|
| Brazilian-Portuguese | Yes | No |
| Chinese (Simplified) | Yes | No |
| Chinese (Traditional) | Yes | No |
| Czech | Yes | No |
| Danish | Yes | No |
| Dutch | Yes | No |
| Finnish | Yes | No |
| French | Yes | No |
| German | Yes | No |
| Greek | Yes | No |
| Hungarian | Yes | No |
| Italian | Yes | No |
| Japanese | Yes | No |
| Korean | Yes | No |
| Norwegian | Yes | No |
| Polish | Yes | No |
| Russian | Yes | No |
| Spanish | Yes | No |
| Swedish | Yes | No |
| Turkish | Yes | No |
Note: If you run the product in a language environment not listed in the table, you may experience problems.
The file names for the SiteMinder 6.0 SP 5/6.x QMR 5 guides are as follows:
| Guide Name | File Name |
|---|---|
| SiteMinder Release Summary | siteminder_release_enu.pdf |
| Developer's Reference for Java | siteminder_java_dev_enu.zip |
| Developer's Guide for Java | siteminder_java_dev_enu.pdf |
| Developer's Guide for C | siteminder_c_dev_enu.pdf |
| Federation Security Services Guide | siteminder_fs_config_enu.pdf |
| Policy Server Installation Guide | siteminder_ps_install_enu.pdf |
| Policy Design Guide | siteminder_ps_config_enu.pdf |
| Policy Server Management | siteminder_ps_sysmgmt_enu.pdf |
| Policy Server Readme | readme-policy-server.html |
| Policy Server, Web Agent Option Pack Readme | readme-option-packs.html |
| Scripting Guide for Perl | siteminder_perl_scripting_enu.pdf |
| SDK Overview | siteminder_sdk_overview_enu.pdf |
| SDK Readme | readme-sdk.html |
| SAML Affiliate Agent Guide | siteminder_saa_config_enu.pdf |
| SAML Affiliate Agent Readme | readme-saml-affiliate-agent.html |
| SiteMinder Upgrade Guide | siteminder_upgrade_enu.pdf |
| SiteMinder Integrated Documents | siteminder_integdocs_ref.enu.zip |
| Tier II Directory Configuration Guide | siteminder_dir_config_enu.pdf |
| Web Agent Guide | siteminder_wa_config_enu.pdf |
| Web Agent Installation Guide | siteminder_wa_install_enu.pdf |
| Web Agent Readme | readme-web-agent.html |
To view PDF files, you must download and install the Adobe Reader from the Adobe website if it is not already installed on your computer.
Updated guides will be available at the CA Technical Support site.
Integrated Documents lets you access all of the SiteMinder documentation from a central location. Viewing Integrated Documents requires an Internet browser.
Integrated Documents includes a:
For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.