Known issues and limitations
Known Issues
- If the following error is raised in the server.log, perform the steps listed to resolve the issue:

  ERROR [SystemErr] oracle.security.am.common.nap.ObMessageChannelImpldoSSLHandShake SEVERE: SSL handshake error sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA

  Steps to resolve:

  - Edit <JAVA_HOME>/jre/lib/security/java.security.
  - Remove the value MD5 from the property jdk.certpath.disabledAlgorithms.
  - Remove the value MD5withRSA from the property jdk.tls.disabledAlgorithms.
  - Save the file and restart PingFederate.
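To confirm the edit took effect, or to inventory which JVMs still reject MD5-signed certificates, the two properties can be checked programmatically. The following is an added example, not part of the integration kit: the function names and the sample property values are assumptions made for illustration, and only the two property names and the two removed values come from the steps above.

```python
# SAMPLE is constructed for illustration; it is not a real JDK default.
SAMPLE = r"""
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

# Entry each step removes, keyed by property name (both taken from the steps).
TARGETS = {
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

def parse_properties(text):
    """Parse java.security text into {name: value}, joining '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        name, _, value = (pending + line).partition("=")
        props[name.strip()] = value.strip()
        pending = ""
    return props

def entries(value):
    """Split a disabledAlgorithms value into its comma-separated entries."""
    return [e.strip() for e in value.split(",") if e.strip()]

def still_disabled(text):
    """Return {property: True/False}: is the target algorithm still listed?"""
    props = parse_properties(text)
    # First token of an entry is the algorithm; exact match, so MD5 != MD5withRSA.
    return {name: alg in [e.split()[0] for e in entries(props.get(name, ""))]
            for name, alg in TARGETS.items()}

def remove_targets(text):
    """Return both property values with only the target entries removed."""
    props = parse_properties(text)
    return {name: ", ".join(e for e in entries(props.get(name, ""))
                            if e.split()[0] != alg)
            for name, alg in TARGETS.items()}

if __name__ == "__main__":
    print(still_disabled(SAMPLE), remove_targets(SAMPLE))
```

To check a real installation, pass the contents of <JAVA_HOME>/jre/lib/security/java.security to still_disabled() in place of SAMPLE.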
Known Limitations
- The PingFederate instance, acting as the Service Provider Server and implementing the OAM Integration Kit, must be in the same domain as the OAM Access Server.
- The OAM Access Server may return additional values not specified in the IdP adapter's extended contract. For instance, for an LDAP lookup, the OAM Access Server may send a userDN. To perform attribute masking on these additional values, you must add the fields to the extended adapter contract, then mask the attribute there.
- The OAM adapters are designed for Single Sign-On only. Single Log-Out is not supported in this release.
- Any attribute being mapped to SAML_SUBJECT, such as userId, will not be masked in the server.log file even if it is marked as such. This is because the SAML standard already provides facilities for ensuring the privacy and confidentiality of the SAML_SUBJECT, and it can never be masked by PingFederate.
- Failing to run the configureAccessGate or similar utility in the OAM SDK will result in an error saying that OBACCESS_INSTALL_DIR has not been set. Refer to your OAM SDK documentation for more information.
- Placing the authn_pingfed.dll in the wrong directory will result in the same OBACCESS_INSTALL_DIR error. Be sure to copy the authn_pingfed.dll plug-in to the Access Server lib path, not the Access Server SDK lib path.
- The authn_pingfed.dll packaged with the kit has been tested against OAM 6.1 (NetPoint COREid 6.1).
- Any attributes returned by an OAM Action will always be masked in the server.log file as they are being gathered by the adapter.
- Due to the difficulty and complexity of setting up an OAM environment, limited configuration elements were tested with regard to this installation. Please consult your OAM Access Server User Manuals for details on configuring these products.