Documentation updates for known limitations

You can view the known software limitations, problems, and workarounds on the IBM® Security Access Manager Support site.

The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience.

Also, check the Troubleshooting topics.

Known limitations for Security Access Manager

Tooltips display issue
Tooltips might not display if you use the keyboard (for example, the Tab key) to navigate to a field. Tooltips are displayed properly when you use a mouse to navigate to the field.
Creating a PIP resource when the server connection for the database and LDAP is not available returns the wrong response.
For example, when you use the following command:

curl -k -b whatigot -s -S --ciphers "DES-CBC3-SHA" -X "POST" -H "Accept:application/json" -H "Content-Type: application/json" --data-binary "{\"name\":\"tldap1234\",\"description\":\"\",\"attributes\":[{\"name\":\"trusteer.pinpoint.csid\",\"selector\":\"wrongtestLdap\"}],\"type\":\"LDAP\",\"predefined\":false,\"properties\":[{\"datatype\":\"String\",\"readOnly\":false,\"sensitive\":false,\"value\":\"objectclass=abc\",\"key\":\"searchBaseDN\"},{\"datatype\":\"String\",\"readOnly\":false,\"sensitive\":false,\"value\":\"cn=*\",\"key\":\"searchFilter\"},{\"datatype\":\"String\",\"readOnly\":false,\"sensitive\":false,\"value\":\"0cdebb0c-49d9-4179-a47a-52f759a4ff57\",\"key\":\"dataSource\"}]}" --user admin:admin -D whatigot "https://{appliance_host}/iam/access/v8/pips/"

The expected response is as follows:

HTTP/1.1 400 Bad Request

But the actual response is as follows:

HTTP/1.1 201 Created
The error message "illegal character" when you modify an SSO rule is always displayed in English.
The error message "illegal character" is always displayed in English no matter which locale your browser uses.
Audit events cannot be sent to the remote syslog server if certain information is not provided.
If you choose to send the audit events to a remote machine, you must specify the correct details on the Audit Configuration page for host, port, protocol, and certificates. Otherwise, the audit events cannot be sent to the remote machine.
Attribute sources that are being used by a federation or partner are deletable.
Users can accidentally delete attribute sources that are in use by a federation or partner. Such an operation causes errors in the federation. You must ensure that an attribute source is not in use before you delete it.
Federation Module: The email address name ID format requires a mapping rule
If you use an email address name ID format in a SAML 2.0 federation, you must set the type of STS Universal User attribute, whose name is "name", to:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

You can accomplish this by using a mapping rule. Following is an example:

// Get the current principal name.
var principalName = stsuu.getPrincipalName();
// Set the type of the principal name attribute "name" to
// "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
// The Attribute constructor takes (name, type, value).
stsuu.addPrincipalAttribute(new Attribute("name",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", principalName));
Refresh tokens are issued to a partner even if the federation partner does not support the grant "refresh_token".

When an authorization code flow is performed, the bearer token that is issued by the OpenID Connect Provider will include a refresh_token, as long as the "refresh_token" grant is enabled on that OpenID Connect Provider. This does not take into account whether the partner has the permission to perform a refresh_token grant. As a result, a Relying Party might be in a situation where it has a refresh_token that is not usable with its client credentials.
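A relying-party-side check for this limitation, added here as an example that is not part of the IBM documentation or product: it discards a refresh_token that the client cannot redeem because its own registration does not include the "refresh_token" grant, and records a warning for the operator log. The client registration and token response are constructed sample data; the grant_types field name is the RFC 7591 registration metadata name and is an assumption about how the client stores its registration.

```javascript
// Constructed sample client registration (not from the page). This client was
// registered for the authorization_code grant only, so the provider should not
// have issued it a refresh_token, but per the limitation above it may do so.
const CLIENT_REGISTRATION = {
  client_id: "rp-example",
  grant_types: ["authorization_code"],
};

// Constructed sample token response after an authorization_code exchange.
const SAMPLE_TOKEN_RESPONSE = {
  access_token: "constructed-access-token",
  token_type: "Bearer",
  expires_in: 3600,
  refresh_token: "constructed-refresh-token",
  id_token: "constructed.id.token",
};

// True only when the client registration explicitly lists the refresh_token grant.
function canUseRefreshGrant(registration) {
  return Array.isArray(registration.grant_types) &&
    registration.grant_types.includes("refresh_token");
}

// Returns a copy of the token response with an unusable refresh_token removed,
// plus any warnings. The input object is not modified.
function sanitizeTokenResponse(response, registration) {
  const warnings = [];
  const tokens = { ...response };
  if ("refresh_token" in tokens && !canUseRefreshGrant(registration)) {
    warnings.push(
      `provider issued refresh_token to client ${registration.client_id} ` +
      "whose registration lacks the refresh_token grant; discarding it");
    delete tokens.refresh_token;
  }
  return { tokens, warnings };
}

function main() {
  const { tokens, warnings } = sanitizeTokenResponse(
    SAMPLE_TOKEN_RESPONSE, CLIENT_REGISTRATION);
  warnings.forEach((w) => console.warn(w));
  console.log("tokens kept:", Object.keys(tokens).join(", "));
}
main();
```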

Unexpected error seen in the OpenID Connect ffdc log during the runtime flow
Errors similar to the following example might be present in the ffdc log:

[9/25/15 17:29:52:706 AEST] 00000031 id= com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.registry.EntryNotFoundException: testuser does not exist com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule 84" at ffdc_15.09.25_17.29.52.0.log

This error does not impact the runtime behavior and can be ignored.

Personal certificates are not included in the list of selections when you choose certificates to use for encryption or signature validation with the SAML 2.0 partner management GUI
If you use the local management interface to choose certificates to be used for encryption or signature validation, only signer certificates are available for selection. Personal certificates are not included in the list of selections. A workaround is to use the REST API for such operations.
The upgrade from Security Access Manager 8.0, 8.0.0.1, and 8.0.0.2 does not correctly migrate the authentication module policies for Security Access Manager for Mobile.

The workaround is to create the default set of authentication policies with the local management interface or the REST API.

The following link creates a customized query of the live Support knowledge base for items specific to IBM® Security Access Manager, Version 9.0, and its fix packs.

IBM Security Access Manager technical documents

You can also create your own search query on the IBM Support Portal. For example:

  1. Go to the IBM Support Portal: http://www.ibm.com/support/entry/portal/support
  2. In the "Search support and downloads" field, enter: Access Manager.