Limitations of the SAML implementation

Limitations of the SAML implementation are described. These limitations refer to functions that are currently implemented and supported by WebSphere® Application Server Version 8.0 and later.

  • The WSTrustClient API supports issue and validate operations, but does not support the cancel and renew operations.
  • WebSphere Application Server with SAML does not support propagating a SAML token in the response message from a web services provider to a web services client.
  • When consuming EncryptedAssertions, KeyName and X509Data types (including X509IssuerSerial, X509SubjectName, X509Certificate, and X509SKI) are supported in the KeyInfo element. Anything that requires a KeyIdentifier, such as Thumbprint or X509SubjectKeyIdentifier, is not supported.
  • RSAKeyValue is supported for the KeyInfo element in a Signature. However, the X.509 certificate is not available when RSAKeyValue is used, and when the X.509 certificate is not available to the runtime, the signer of the SAML Assertion cannot be checked against a truststore. If you want to receive SAML Assertions that use RSAKeyValue, you cannot configure the runtime to use a truststore.
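As an added illustration (example code, not part of the WebSphere product or its documentation), the following Python pre-check inspects sample assertions from an identity provider and reports whether their KeyInfo usage falls inside the limitations listed above: whether an EncryptedAssertion uses only KeyName or X509Data types, and whether a Signature identifies the signer in a way that gives the runtime a certificate to check against a truststore. The function names, the constructed sample assertions and the placeholder key values are assumptions; the namespace URIs are the standard SAML, XML-DSig, XML-Enc and WS-Security ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
# X509Data members the page lists as supported when consuming EncryptedAssertions.
X509DATA_KINDS = {"X509IssuerSerial", "X509SubjectName", "X509Certificate", "X509SKI"}

def _local(elem):
    return elem.tag.split("}")[-1]

def keyinfo_kinds(keyinfo):
    """How a ds:KeyInfo identifies its key: KeyName, an X509Data member,
    RSAKeyValue/DSAKeyValue, or a wsse:KeyIdentifier in a SecurityTokenReference."""
    kinds = set()
    for child in keyinfo:
        tag = _local(child)
        if tag in ("X509Data", "KeyValue", "SecurityTokenReference"):
            kinds.update(_local(c) for c in child)
        elif tag != "EncryptedKey":  # an EncryptedKey carries its own KeyInfo, visited separately
            kinds.add(tag)
    return kinds

def encrypted_assertion_supported(xml_text):
    """Every ds:KeyInfo inside a saml2:EncryptedAssertion must use only KeyName or X509Data types."""
    found = set()
    for keyinfo in ET.fromstring(xml_text).iter("{%s}KeyInfo" % NS["ds"]):
        found |= keyinfo_kinds(keyinfo)
    return found <= ({"KeyName"} | X509DATA_KINDS), found

def signature_keyinfo(xml_text):
    """Signer identification in ds:Signature; RSAKeyValue alone carries no certificate,
    so the signer cannot be checked against a truststore."""
    keyinfo = ET.fromstring(xml_text).find("ds:Signature/ds:KeyInfo", NS)
    kinds = keyinfo_kinds(keyinfo) if keyinfo is not None else set()
    return {"kinds": kinds, "truststore_checkable": bool(kinds & X509DATA_KINDS)}

# Constructed sample assertions (assumption: minimal structure, placeholder key material).
_SIGNED = ('<saml2:Assertion xmlns:saml2="%(saml2)s" xmlns:ds="%(ds)s"><ds:Signature>'
           '<ds:KeyInfo>%%s</ds:KeyInfo></ds:Signature></saml2:Assertion>') % NS
ASSERTION_X509 = _SIGNED % "<ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>"
ASSERTION_RSA = _SIGNED % "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus></ds:RSAKeyValue></ds:KeyValue>"
_ENC = ('<saml2:EncryptedAssertion xmlns:saml2="%(saml2)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s" '
        'xmlns:wsse="%(wsse)s"><xenc:EncryptedData><ds:KeyInfo><xenc:EncryptedKey><ds:KeyInfo>%%s'
        '</ds:KeyInfo></xenc:EncryptedKey></ds:KeyInfo></xenc:EncryptedData></saml2:EncryptedAssertion>') % NS
ENCRYPTED_SKI = _ENC % "<ds:X509Data><ds:X509SKI>c2tp</ds:X509SKI></ds:X509Data>"
ENCRYPTED_THUMBPRINT = _ENC % ('<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/'
                               'wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">dGh1bWI=</wsse:KeyIdentifier>'
                               '</wsse:SecurityTokenReference>')
```

Running the check over an identity provider's sample assertions before enabling the trust association tells you in advance whether a truststore-based signer check is possible, or whether the provider must be asked to send X509Data instead of RSAKeyValue or a KeyIdentifier.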