Access Manager 4.4 includes new features and enhancements, improves usability, and resolves several previous issues.
Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.
For information about the previous release, see Access Manager 4.3 Service Pack 2 Release Notes.
For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.
For information about Access Manager support lifecycle, see the Product Support Lifecycle page.
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
This release introduces the following new features and enhancements:
OAuth Claims-Based Mechanism for Advanced Authentication Integration
Enhancement in Capability to Select Identity Providers for Authentication
Support for Restricting the X.509 Authentication to a Specific Certificate Authority
Support for Adding LDAP Replicas in the LDAP Data Source for Virtual Attribute
Access Manager 4.4 re-looks at the Consumer Identity and Access Management needs of customers and offers a solution that addresses a broad set of Business-to-Customer (B2C) use cases. B2C solution enables you to securely identify and engage with your customers while providing a seamless experience on any device, app, or service they are using.
Access Manager, in combination with Self Service Password Reset and Advanced Authentication products, delivers support for B2C use cases such as user on-boarding, account validation, customizable web logins, portal integration, device registration and management, preference, profile and privacy management. These are achieved through a broad set of APIs, customizable scripts (packaged as a convenient framework library) and built-in portal to support these use cases. Access Manager enables customers to set up end-consumer facing applications and portals, enabling better end-consumer interaction. Access Manager also provides tools to support privacy and security requirements outlined in regulations such as GDPR and PSD2.
Access Manager B2C features are delivered through a combined solution of Access Manager and Self Service Password Reset. Advanced Authentication is also required to support specific advanced authentication functions. The following is the list of Access Manager B2C features:
User-driven functionalities: To enable users to perform self-registration and manage their devices and applications without administrative intervention.
Better user experience: To enable seamless access to applications from anywhere and from any device.
Intelligent and secure authentication mechanism: To provide secure access to users by using methods such as risk-based authentication, identity proofing (email verification), device fingerprinting, and multi-factor authentication.
Social authentication: To grant access based on users’ social media identity to reduce their overhead of managing multiple accounts and for just-in-time provisioning.
APIs: To enable better integration with your applications, Access Manager provides APIs that enable programmatic interfaces to access administration and user data.
Scalability: To support a large number of identities and to provide always-available access.
Data privacy: To ensure the privacy of users’ data by asking for their consent and enabling them to select the information they want to share.
End user data control: To enable end users to view, manage, and delete their applications and devices. It also enables end users to manage their profile.
For more information, see Business to Consumer Access Management in the NetIQ Access Manager 4.4 Administration Guide.
The Mobile SDK for iOS provides simple APIs that enable developers to allow their native mobile apps to perform OAuth and OpenID Connect protocol flows with the providers and to integrate with the Access Manager server to achieve server-side SSO. It adheres to OAuth 2.0 best practices for native apps.
In addition, the SDK provides convenient methods to assist with common tasks in the flow, achieves native mobile app SSO, and basic device management.
You can download Mobile SDK 2.0 for iOS file from the Developer Documentation page.
Connector Studio enables you to develop customizable federation and SaaS single sign-on (SSO) application connectors. Application connectors significantly reduce the configuration steps required to enable federated SSO to SaaS and other federation-enabled services.
For more information, see Using Custom Connectors in the Access Manager Applications Configuration Guide 4.4.
This release provides a connector for Microsoft Office 365 that allows you to create a federated connection between Access Manager and Microsoft Office 365 by using WS Federation and WS-Trust protocols. This connector allows role-based authorization to Office365 applications.
For more information, see Configuring the Applications for Office 365 Using WS Federation and WS-Trust in the Access Manager Applications Configuration Guide 4.4.
This release adds a number of new Basic SSO connectors in the Applications Catalog.
For the list of supported connectors, see Application Connector Catalog.
Creation and configuration of application connectors can now be done over a set of programmable REST APIs.
This release provides the following enhancements for the MobileAccess App:
You can change the background color and images for the login screen, app landing, preference, and self-service pages.
Support for restricting access to applications from jailbroken or rooted devices.
Extended Support for OAuth protocol with a number of new enhancements that offer better application interoperability, flexibility and improved security. The enhancements include:
A JSON Web Token (JWT) is a compact, easy-to-use format for transmitting user information as JSON objects between the authorization server (Identity Server) and a resource server in a secure manner. This allows the resource server to validate the access token without sending the token back to Access Manager for validation. A resource server can validate the token only if Access Manager encrypts the access token by using the resource server’s key. The data inside a JWT is encoded and signed. Based on your requirement, you can configure a resource server in Access Manager to encrypt or not encrypt the access token.
For more information about encrypting access token, see Encrypting Access Token in the NetIQ Access Manager 4.4 Administration Guide.
You can now specify the token time-out configuration for each client application during client registration. When you are registering a client application, you can configure the token time-out under Token Timeout Configuration - Optional. If you do not configure the token time-out, Access Manager uses the time-out configured in the OAuth Global Settings page. For more information about token time-out configuration, see Registering OAuth Client Applications in the NetIQ Access Manager 4.4 Administration Guide.
You can now use virtual attributes as scopes within access token. For information about using claims and virtual attributes in scope, see Configuring User Claims or Permission in Scope in the NetIQ Access Manager 4.4 Administration Guide.
When registering client applications, you can enable Use Persistent Cookie in Client Type. This allows single sign-on for a user who uses client applications on a desktop or a mobile. For more information about this option, see Registering OAuth Client Applications in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager supports the Proof Key for Code Exchange by OAuth Public Clients (PKCE) specification defined by RFC 7636. If a client initiates the PKCE flow, Access Manager supports it.
For more information about PKCE, see API documentation.
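The following is an added example, not Access Manager code or its API, showing both halves of the RFC 7636 exchange the release notes refer to: the public client derives a code_verifier and code_challenge (S256 method), and the authorization server re-derives the challenge at the token endpoint and compares it with the one stored alongside the authorization code.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example (not Access Manager's implementation): RFC 7636 PKCE.
# Client side: make_code_verifier() and make_code_challenge().
# Authorization-server side: verify_code_verifier().

# RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """base64url encoding as RFC 7636 requires: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client: high-entropy verifier kept secret until the token request.

    32 random bytes encode to 43 characters, the minimum the RFC allows."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client: challenge sent with the authorization request.

    S256 is the method the RFC recommends; "plain" is only for clients that
    cannot hash, and offers no protection if the authorization request leaks."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization server: check the verifier presented at the token endpoint
    against the code_challenge stored with the authorization code.

    A mismatch means the party redeeming the code is not the party that
    started the flow (e.g. an intercepted code), so the request is refused."""
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


if __name__ == "__main__":
    # Walk through one flow: client creates the pair, server verifies it.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)          # sent in /authorize
    print(verify_code_verifier(verifier, challenge, "S256"))   # True
    print(verify_code_verifier(make_code_verifier(), challenge, "S256"))  # False
```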
TokenInfo Endpoint supports both GET and POST formats. It provides the additional token details that are defined in the token introspection RFC. For information about TokenInfo Endpoint, see Viewing Endpoint Details in the NetIQ Access Manager 4.4 Administration Guide.
An administrator can revoke the refresh token and its associated access token by sending the refresh token to Revocation Endpoint.
Access Manager follows RFC 7009 to revoke the refresh tokens by using REST APIs. For more information, see API documentation.
A new option, Always Issue New Refresh Token, is introduced that can be selected during client registration. If this option is selected, Access Manager issues a new refresh token with the same time-out configuration whenever a refresh token is used for issuing an access token. This helps in exchanging already issued binary refresh tokens for JWT refresh tokens. For information about this option, see Registering OAuth Client Applications in the NetIQ Access Manager 4.4 Administration Guide.
NOTE: You can revoke only JWT refresh tokens. For previously issued refresh tokens, you can use the Always Issue New Refresh Token option to exchange the previously issued binary tokens with new JWT refresh tokens.
Access Manager complies with RFC 7521 and RFC 7522 to support SAML 2 bearer profile with authorization grant flow. You can use a SAML 2 assertion to request an access token. Access Manager can validate the assertion and generate the access token, which can be used to access OAuth protected resources.
For more information about this enhancement, see Exchanging SAML 2 Assertions with Access Token in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager provides the following SAML enhancements:
Access Manager now supports multiple instances of the same service provider on a single Identity Server cluster. Previously, an Identity Server cluster was able to support only a single instance of a given service provider. Now, Access Manager introduces a unique ID that you can use to differentiate between instances of the same service provider.
For more information about the unique ID, see Creating Different Instances of a SAML 2.0 Service Provider in an Identity Server Cluster in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager minimizes service interruption by introducing the following:
Additional signing certificate: Access Manager now allows you to add a second signing certificate to a trusted service provider. The second certificate will have a longer expiry time and will have some overlapping validity interval. The secondary certificate functions as a fall-back option when the default signing certificate expires, minimizing the chances of a service interruption.
For more information, see Minimizing Service Interruption of SAML 2.0 Service Providers in the NetIQ Access Manager 4.4 Administration Guide.
Update the SAML 2 trusted provider configuration: After changing the settings of a SAML 2 service provider in Identity Server, you can now update the Identity Server with the SAML2 changes alone. Previously, you were forced to update the entire configuration, which sometimes caused the service provider to be temporarily unavailable.
For more information, see Minimizing Service Interruption of SAML 2.0 Service Providers in the NetIQ Access Manager 4.4 Administration Guide.
You can now force users to provide additional authentication to get authenticated to SAML 2 services. This is useful when sensitive data is being exchanged. Step-up authentication provides additional security to the services. Identity Server acts as a service provider and can prompt for additional authentication when a request is sent for accessing SAML 2 services.
For more information about using step up authentication, see Selecting a User Identification Method for Liberty or SAML 2.0 in the NetIQ Access Manager 4.4 Administration Guide.
You can now define the SAML2 ATTRIBUTE CONSUMING INDEX value globally. If this value is not set in SAML 2 > Options, the value specified in the global option is considered. You can specify the default index value globally.
For more information about this option, see Configuring Identity Server Global Options in the NetIQ Access Manager 4.4 Administration Guide.
In addition to the existing classes, this release provides a new OAuth claims-based Advanced Authentication Generic Class for integrating Access Manager with Advanced Authentication. This mechanism provides more secure and trusted communication.
For more information, see NetIQ Advanced Authentication in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager 4.4 supports WebSocket. The WebSocket protocol is an extension to the HTTP 1.1 protocol to enable two-way communication between a client and a server. Access Manager automatically enables a WebSocket connection when it detects an application that supports WebSocket. Access Manager 4.4 upgrades Apache 2.2 to 2.4 to support WebSocket.
For more information, see WebSocket Support in the NetIQ Access Manager 4.4 Administration Guide.
Users can now authenticate by using an identity provider contract from a list of identity providers and save the selection.
For more information, see Configuring IDP Select Class in the NetIQ Access Manager 4.4 Administration Guide.
This release includes the following risk-based authentication enhancements:
Geo-Velocity Tracker Rule: Using this rule, you can compare the time and location of the user’s current login attempt with the time and location of the last login. The last login details are taken from the history database. If the time between the last successful login and the current login attempt is shorter than the shortest possible travel time between the two locations, you can configure one of the following actions:
Prompt for an additional authentication
Deny access
This helps in preventing man-in-the-middle, brute force, and DDoS attacks. For more information, see Risk-based Authentication in the NetIQ Access Manager 4.4 Administration Guide.
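The following is an added example, not Access Manager’s own rule engine, that models the Geo-Velocity Tracker rule described above: the last login is read from a constructed history, the great-circle distance to the current login location is converted into a shortest plausible travel time, and the configured action (step-up or deny) is returned when the elapsed time is shorter than that. The 900 km/h maximum travel speed is an assumption; the page does not state the threshold Access Manager uses.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Added example (not Access Manager code): a minimal Geo-Velocity Tracker.

EARTH_RADIUS_KM = 6371.0
# Assumed plausible maximum travel speed (roughly a commercial flight).
MAX_TRAVEL_SPEED_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime   # timezone-aware timestamp of the successful login / attempt
    lat: float       # decimal degrees, positive north
    lon: float       # decimal degrees, positive east


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def shortest_travel_time(prev: LoginEvent, cur: LoginEvent) -> timedelta:
    """Fastest plausible time to move between the two login locations."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return timedelta(hours=km / MAX_TRAVEL_SPEED_KMH)


def evaluate_geo_velocity(prev: Optional[LoginEvent], cur: LoginEvent,
                          action: str = "step_up") -> str:
    """Return "allow", or the configured action ("step_up" or "deny")."""
    if action not in ("step_up", "deny"):
        raise ValueError("action must be 'step_up' or 'deny'")
    if prev is None:
        return "allow"      # first login for this user: nothing to compare against
    elapsed = cur.when - prev.when
    if elapsed < timedelta(0):
        return action       # attempt dated before the last login: implausible
    if elapsed < shortest_travel_time(prev, cur):
        return action       # the user could not have travelled that far in time
    return "allow"


def last_login(history: List[LoginEvent], user: str) -> Optional[LoginEvent]:
    """Most recent login for the user from the history records."""
    events = [e for e in history if e.user == user]
    return max(events, key=lambda e: e.when) if events else None


def check_login(history: List[LoginEvent], attempt: LoginEvent,
                action: str = "step_up") -> str:
    """Apply the rule to a new attempt using the stored history."""
    return evaluate_geo_velocity(last_login(history, attempt.user), attempt, action)


# Constructed sample history (stands in for the rule's history database).
T0 = datetime(2017, 7, 20, 8, 0, tzinfo=timezone.utc)
HISTORY = [LoginEvent("alice", T0, 40.7128, -74.0060)]   # New York

if __name__ == "__main__":
    london_1h = LoginEvent("alice", T0.replace(hour=9), 51.5074, -0.1278)
    print(check_login(HISTORY, london_1h))           # step_up
    print(check_login(HISTORY, london_1h, "deny"))   # deny
```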
Ability to Select Multiple Methods and Classes for Additional Authentication: In a risk policy, now you can select multiple classes and methods to configure additional authentication.
For more information, see Configuring Risk Levels in the NetIQ Access Manager 4.4 Administration Guide.
Enhancements in the Device Fingerprint Rule: The device fingerprint now supports the following two new capabilities:
Ask user consent before registering the device.
Send email notification when a user tries to access from an unknown device.
For more information, see Device Fingerprinting in the NetIQ Access Manager 4.4 Administration Guide.
In risk-based authentication, you can now configure Access Manager to send an email to a user’s registered email ID when the user logs in from an unknown device for the first time. You can use this feature through the Device Fingerprint rule.
For information about how to configure the email server, see Email Server Configuration in the NetIQ Access Manager 4.4 Administration Guide. For information about the Device Fingerprint rule, see Device Fingerprinting in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager now enables you to configure mutual authentication to succeed only when a user submits an X.509 user certificate issued by the specified CA. This restriction does not limit the certificates available on the client side; it applies only while processing or validating certificates.
For more information, see Restricting the X.509 Authentication to a Specific Certificate Authority in the NetIQ Access Manager 4.4 Administration Guide.
Access Manager now supports deleting an exported configuration in the Code Promotion page by using Delete.
You can now retrieve an attribute from a REST Web service.
For creating data source, attribute source, and virtual attribute for REST Web Server, see User Attribute Retrieval and Transformation in the NetIQ Access Manager 4.4 Administration Guide.
When you add a data source for LDAP, you can now specify multiple search contexts and LDAP replicas. The Administration Console interface is enhanced to support this functionality.
For more information about the data source for LDAP, see Creating a Data Source in the NetIQ Access Manager 4.4 Administration Guide.
In addition to the existing supported platforms, this release supports installation of Access Manager components on RHEL 7.4.
NOTE: For more information about system requirements, see System Requirements in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
This release adds support for the following dependent components:
eDirectory 9.0.3.1
Java 1.8.0_141
Apache 2.4.27
OpenSSL 1.0.2k
Tomcat 8.0.45
iManager 3.0.3.2
For accessing Access Gateway and Identity Server: This release adds support for the latest versions of the following browsers:
Edge
Internet Explorer
Chrome
Firefox
Safari
For accessing User Portal and Administration Console: This release adds support for the following versions of the browsers:
Chrome 60.0.3112.101
Firefox 54.0.1
Internet Explorer 11.0.9600.18738 Update Versions 11.0.44 (KB4025252)
Edge 38.14393.0.0/ EdgeHTML 14.14393
Access Manager 4.4 includes software fixes for the following components:
The following issues are fixed in Administration Console:
The Identity Server cluster is not displayed in Administration Console because the certificates get deleted from the trust store. Hence, you must re-configure the Identity Server cluster. (Bug 1051781)
After conditions are defined for an authorization policy, you cannot edit the condition or use the Copy Condition and Copy Group options. (Bug 1023708)
The following issues are fixed in Identity Server:
Issue: The fallback login page is not rendered properly after a Kerberos method authentication failure. (Bug 1003919)
Fix: The fallback login page now renders properly and retains customization as well. You no longer need to follow the configuration steps mentioned in TID.
When Access Manager acts as a service provider, user provisioning fails to update user attributes if you have specified the user store that has multiple replicas. (Bug 1011790)
When you set the global setting NAGGlobalOptions AllowMSWebDavMiniRedir=on for accessing MS Office documents, Internet Explorer does not launch the document post authentication. Users can edit the document after authentication, but Access Manager will not open the document in read mode within a browser. (Bug 907592)
When specifying user attributes for the OAuth scope, you cannot add virtual attributes in the attribute set. (Bug 1010987)
Issue: When you register a client application by selecting Client Type as Web Based, Access Manager does not allow HTTP URI in Redirect URIs. (Bug 1035206)
Fix: With this release, Access Manager allows registering web-based client applications with either HTTP or HTTPS redirect URIs. It is recommended to use HTTPS for the redirect URI.
The following issues are fixed in Access Gateway:
Issue: noURLNormalize can be set only at the global level, by setting NAGGlobalOptions noURLNormalize=on. This disables URL normalization for all proxy services. (Bug 897709)
Fix: A new option is added at the proxy level, NAGHostOptions noURLNormalize=on/off. The priority level is as follows:
Path
Proxy
Global
For more information, see Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service in the NetIQ Access Manager 4.4 Administration Guide.
In an Access Gateway cluster, if the data is parked on one of the Access Gateways and ESP requests are sent to another Access Gateway, the data is not restored after authentication. (Bug 1036669)
After purchasing Access Manager 4.4, log in to the NetIQ Downloads page and follow the link that allows you to download the software.
IMPORTANT: Windows packages KB2919442 and KB2919355 must be installed before installing or upgrading Access Gateway Service on Windows Server 2012. These packages must be installed in the same sequence. You can verify whether these packages are installed by using the following commands:
dism /online /get-packages | findstr KB2919442
dism /online /get-packages | findstr KB2919355
If these packages are installed, you will get a confirmation message. If the packages are not installed, you will not receive any response.
NOTE: In this release of Access Manager, no changes were made to Analytics Server. Access Manager and Access Manager Appliance can be used with Analytics Server 4.3.2. Hence, you can find the Analytics Server 4.3.2 binaries with the other Access Manager 4.4 components.
The following files are available:
Table 1 Files Available for Access Manager 4.4
Filename | Description
---|---
AM_44_AccessManagerService_Linux64.tar.gz | Contains Identity Server and Administration Console .tar file for Linux.
AM_44_AccessManagerService_Win64.exe | Contains Identity Server and Administration Console .exe file for Windows Server.
AM_44_AccessGatewayAppliance.iso | Contains Access Gateway Appliance .iso file.
AM_44_AccessGatewayAppliance.tar.gz | Contains Access Gateway Appliance .tar file.
AM_44_AccessGatewayService_Win64.exe | Contains Access Gateway Service .exe file for Windows Server.
AM_44_AccessGatewayService_Linux64.tar.gz | Contains Access Gateway Service .tar file for Linux.
AM_43_SP2_AnalyticsServerAppliance.iso | Contains Analytics Server Appliance .iso file.
AM_43_SP2_AnalyticsServerAppliance.tar.gz | Contains Analytics Server Appliance .tar file.
The b2cFramework-1.0.zip file contains the B2C Framework login pages. You can download this file from the Developer Documentation page.
For information about the upgrade paths, see Section 4.0, Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
After upgrading to Access Manager 4.4, verify that the version number of the component is indicated as 4.4.0.0-337. To verify the version number, perform the following steps:
In Administration Console Dashboard, click Troubleshooting > Version.
Verify that the Version field lists 4.4.0.0-337.
To upgrade to Access Manager 4.4, you need to be on one of the following versions of Access Manager:
4.2 Service Pack 2
4.2 Service Pack 3 or 4.2 Service Pack 3 Hotfix 1
4.2 Service Pack 4
4.3 Service Pack 1 or 4.3 Service Pack 1 Hotfix 1
4.3 Service Pack 2
IMPORTANT: If you are using a SQL database and you are upgrading to Access Manager 4.4, you must run a utility to re-factor the database. This is to ensure that Access Manager and its associated products use the same naming convention. For more information about this utility and how to run it, see Refactoring SQL Database in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
For more information about upgrading Access Manager, see Upgrading Access Manager in the NetIQ Access Manager 4.4 Installation and Upgrade Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Section 5.4, Single Sign-On to Advanced Authentication Enrollment Page Does Not Work
Section 5.5, Identity Server Install Log File Includes False Entries for Error Messages
Section 5.6, Accessing a Policy that is Created Using REST API May Return Null Pointer Exception
Section 5.7, Issue in Connecting to Self-Signed Certificates from iOS 10.3.1
Section 5.9, (RHEL) Apache Fails to Start After Upgrading or a Fresh Install of Access Manager 4.4
Section 5.11, iOS 10.3 or later Does Not Trust Access Manager CA Root Certificate
Section 5.12, Canceling a Social Authentication User Registration Process Results in Error
Section 5.18, Importing a Connector Does Not Process Attributes With a Remote Namespace
Issue: This issue may occur when you run Administration Console on Windows 7 and Windows 10, 64-bit. Trying to import a connector from the downloaded ZIP file using the latest Chrome browser may not work. (Bug 1053094)
Workaround: Use any other browser instead of Chrome.
Issue: This issue occurs when Identity Server is installed on RHEL 6.9 on ESXi 6.5 with Virtual Machine version 13. If MobileAccess is enabled and an end user tries to log in to User Portal through an iOS device, the RHEL 6.9 server restarts. (Bug 1049504)
Workaround: Upgrade the Virtual Machine version 13 to the latest patches.
Issue: This issue occurs when you create a SAML application using the Applications page and modify it to use a local attribute set. The local attribute set contains an attribute mapping that has a remote namespace configured. If you download the application to a connector, the downloaded connector file does not contain the namespace configuration. (Bug 1052323)
Workaround: When importing the connector using the downloaded file, restore Remote Namespace settings by using the Shared Settings page. (Devices > Identity Server > Shared Settings)
Issue: If you log in using Social authentication, X.509 digital certificates or Kerberos methods, single sign-on to Advanced Authentication enrollment page will not work because the identity injection policy needs password for injection and password is not available with these authentication methods. (Bug 1051498)
Workaround: If the user store is eDirectory, you can configure the passwordfetch class to fetch the password. When the password is fetched, it can be used in the identity injection policy.
Issue: During Identity Server installation, all installer messages indicate everything is fine. Identity Server gets installed successfully. However, the log file might include entries for false issues. (Bug 1041712)
Example of false issues:
Loader Failed:for ebassl_cli,error ebassl_cli: cannot open shared object file: No such file or directory,errno 2
Loader Failed:for spmclnt,error spmclnt: cannot open shared object file: No such file or directory,errno 2
Tree=null, IPAddress=X.X.X.X, Port=0, ServerDN=null, User=cn=namadmin.o=novell
Error: -5984
at com.novell.security.japi.pki.NPKIAPI.createContext(NPKIAPI.java:1769)
at com.novell.security.japi.pki.NPKIAPI.initialize(NPKIAPI.java:6004)
You can ignore these entries.
Issue: This issue might occur when you create a policy using the addPolicy() (POST) REST API while keeping Administration Console open. Clicking this policy in the Administration Console Dashboard may return a blank page showing Null Pointer Exception. (Bug 1043265)
Workaround: Ensure the following:
While creating a policy using REST API, you are not logged in to Administration Console.
If you need to be logged in to Administration Console while using REST API, use the incognito mode of the browser.
If you were logged in to Administration Console while using REST API, then log out, clear your browser's cache, and re-login to access the policy.
Issue: A certificate validation issue exists in iOS 10.3. This issue may cause difficulty connecting to self-signed certificates in Access Manager. (Bug 1051589)
Workaround: Perform the following actions:
Upgrade iOS to version 10.3.2.
Import self-signed certificate.
Open Settings.
Navigate to General > About.
Select Certificate Trust Settings.
Each root that has been installed through a profile is listed under Enable Full Trust For Root Certificates. You can disable or enable the roots as required.
Issue: Whenever a delegated administrator tries to access Dashboard or any menu on Dashboard, false exceptions and SEVERE level errors are recorded into Administration Console catalina.out. (Bug 1049712)
Ignore these errors. The following is a snippet of catalina.out containing an example of such errors:
INFO: Delegated users denied
Jul 20, 2017 8:24:07 AM com.microfocus.amapi.v1.resources.IDPClustersAPI getIDPClusters
INFO: Forbidden access com.microfocus.amsvc.v1.sdk.client.ApiException: {"response":{"code":"FORBIDDEN","detail":"Delegated users denied"}}
SEVERE: Forbidden access com.microfocus.amsvc.v1.sdk.client.ApiException: {"response":{"code":"FORBIDDEN","detail":"Delegated users denied"}}
at com.microfocus.amsvc.v1.sdk.client.ApiClient.invokeAPI(ApiClient.java:446)
Issue: This issue occurs when more than 60 proxy services are configured. RHEL has 128 semaphore arrays by default, which is inadequate for more than 60 proxy services. Apache 2.4 requires a semaphore array for each proxy service. (Bug 1054426)
Workaround: To resolve this issue, you must increase the number of semaphore arrays depending on the number of proxy services you are going to use. Perform the following steps to increase the number of semaphore arrays to the recommended value:
Open the /etc/sysctl.conf file.
Add kernel.sem = 250 256000 100 1024
This creates the following:
Maximum number of arrays = 1024 (number of proxy services x 2)
Maximum semaphores per array = 250
Maximum semaphores system wide = 256000 (Maximum number of arrays x Maximum semaphores per array)
Maximum ops per semop call = 100
Use the sysctl -p command to update the changes.
Start Apache.
Issue: This issue occurs in an Identity Server (authorization server) cluster environment. When an authorization code is issued by one node and that node goes down, requesting an access token with this code from a different node of the cluster fails. This happens because the authorization code is stored in the issuing Identity Server’s system memory and is not shared with the other nodes in the cluster. (Bug 1054355)
Workaround: To resolve this issue, you must ensure that all the nodes of Identity Server cluster are functional.
Issue: iOS 10.3 or later does not trust the default CA created in Access Manager. Therefore, default certificates for SSL cannot be trusted in Apps such as MobileAccess or the SDK. (Bug 1055333)
Workaround: Replace the SSL certificates with a certificate signed by another CA that can be trusted or from an already trusted CA.
Issue: In the social registration process, the Cancel button redirects the user to an error page. In this case, a user needs to go to the login page manually for re-registration. (Bug 1049174)
Workaround: None.
Issue: This issue occurs if you create a new Basic SSO application on the Applications UI using the Chrome or Firefox browser (not Internet Explorer). Access the Applications UI on Internet Explorer and edit the description of the previously created Basic SSO application, and save the changes. After saving, the changes are not reflected. (Bug 1055559)
Workaround: Perform the following steps:
Open Internet Explorer.
Go to Internet Options > General > Browsing history > Settings.
Under the Check for newer versions of stored pages option, select Every time I visit the webpage.
Issue: This issue occurs when you use Internet Explorer to access Administration Console. If you create a new Basic SSO application using Internet Explorer, the details are not saved properly. Editing a Basic SSO also does not work. (Bug 1055570)
Workaround: Perform the following steps:
Open Internet Explorer.
Go to Internet Options > General > Browsing history > Settings.
Under the Check for newer versions of stored pages option, select Every time I visit the webpage.
Issue: In the Applications page, when saving a new SAML application with two signing certificates, only one certificate is added to the Trusted Roots store. (Bug 1055774)
Workaround: Import the second certificate from the Administration Console dashboard by clicking Certificates > Trusted Roots > Import.
Issue: In the Applications page, configuring a String type setting of a SAML 2.0 application with a URL that includes a multi-part query string (for example: https://1.2.3.com?a=b&c=d) fails and endless spinner is displayed. (Bug 1054778)
Workaround: Use Connector Studio to change the setting type from String to URL.
Issue: The checks for duplicate Entity ID and Unique ID values are case-insensitive in the Applications page, whereas they are case-sensitive in the SAML 2.0 configuration page. (Bug 1053914)
Workaround: Specify values for Unique ID and Entity ID that are unique in characters and case.
Issue: In the Applications page, when importing or exporting a SAML connector, the Remote Namespace and Remote Format for attribute mappings are not preserved. (Bug 1052312)
Workaround: After importing a connector, edit the attribute set using the Shared Settings page to restore Remote Namespace and Remote Format configuration.
Issue: In the Applications page, downloading or importing a SAML application does not preserve the Unique ID setting. (Bug 1044750)
Workaround: When importing the connector, specify a Unique ID if an existing service provider with the same provider ID already exists on the Identity Server cluster.
Issue: Administration Console upgrade fails if the system host entry in Linux is incorrect. You get the following error message:
Upgrading the Novell Access Manager Configuration Store:
sed: can't read /tmp/nids_inst_bind_rest.ldif: No such file or directory
sed: can't read /tmp/nids_inst_bind_rest.ldif: No such file or directory
Workaround: To work around this issue, perform the steps mentioned in Administration Console Upgrade Fails in the NetIQ Access Manager 4.4 Installation and Upgrade Guide or TID 7021289.
Issue: If you set the threshold value to more than zero, reCAPTCHA may be skipped by refreshing the browser. (Bug 1000312)
Workaround: To work around this issue, set the threshold value to zero.
After upgrading Administration Console on a SLES 12 platform, the curl and the zypper commands fail with the DEFAULT_SUSE error. For more information about this issue and how to resolve it, see TID 7021958 and TID 7022106.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.