See the following sections for the IBM® Security Access Manager for Enterprise Single Sign-On 8.2 limitations:
Limitations in the Enterprise Directory support
- The WebSphere® Application Server cannot start if the WebSphere Application
Server Administrator user name exists in one of the configured repositories.
- Users can configure only one LDAP server in the IMS Server,
or configure one or multiple AD servers in the IMS Server.
- If you want to add an Active Directory child domain, you must
configure a new repository.
- When you edit a repository, the password field is cleared.
You must enter the password again to update the repository.
- When you create the lookup user in the Enterprise Directory, do not change
the password, and configure the password setting to "password never
expires".
Limitations in the Virtual Appliance
- Biometrics is not supported.
- Vasco OTP is not supported.
- When you deploy and activate the virtual appliance, if you do
not accept any of the license agreements, the virtual appliance shuts
down. If you restart the virtual appliance, the language settings
and license agreements previously configured and accepted are not
displayed.
- When activating the virtual appliance, choose a static network configuration.
Do not use the Dynamic Host Configuration Protocol (DHCP).
Limitations in Biometric support
- You cannot change your AccessAgent password if you log on using
your fingerprint as the only authentication factor.
- For fingerprint deployments with DigitalPersona readers, the fingerprint
reader might not be ready at EnGINA. The fingerprint reader is not
ready if the light on the reader does not flash. A fingerprint is
not detected until the light flashes.
- Logging on using a fingerprint does not work with the Terminal
Server if the IBM Security Access
Manager for Enterprise Single Sign-On password is not synchronized
with the Active Directory password.
- Only one fingerprint reader can be active at a time. To switch
to another connected fingerprint reader, disconnect the active fingerprint
reader. The other fingerprint reader is automatically connected.
Limitations in Windows x64 support
- Second factor support is limited to those devices that have 64-bit
SDKs and drivers.
- Active RFID card is not supported.
- Single sign-on to 64-bit Java™ applications
is not supported.
- If you enabled the transparent screen lock by using a registered
RFID card, your computer screen is locked. If you use an unregistered
RFID card to unlock the screen:
  - You are not redirected to the user registration page.
  - The computer screen is unlocked.
Limitations in Microsoft Windows Vista and Windows 7
- Transparent screen lock is not supported on Microsoft Windows 7.
- Microsoft Windows Vista and Windows 7 do not support the mechanisms that
block and unblock user input during single sign-on. Input from the
user during single sign-on can interfere with the authentication
process.
Limitations in AccessAgent
- The validity of the smart card authentication certificate is only
checked when AccessAgent is
able to communicate with the IMS Server.
Limitations in lightweight mode for AccessAgent
- If there is no AccessAgent session running on the client, the AccessAgent instance
in a Citrix/Terminal Server session operates in standard mode.
- Lightweight mode AccessAgent is
not enabled when logging on through a console.
Limitations in AccessStudio
- You cannot create an AccessProfile in AccessStudio for
Mozilla Firefox, version 10. You must create an AccessProfile for Microsoft Internet Explorer
first, then deploy that AccessProfile in
Mozilla Firefox, version 10.
- When creating AccessProfiles, combining mouse triggers and mouse
actions prevents the action from running. For example, if
you use a "right mouse button is clicked" trigger
with a "menu is clicked" action in response to
the trigger, the action does not run. Because the mouse button is already
clicked, the "menu is clicked" action does not
run.
- When creating AccessProfiles, pressing Enter with
the "Key is pressed on a window" (for any "key") trigger
does not fire the trigger.
- Pressing the Alt key together with another
key fires the "Cursor moves on Window" trigger.
For example, Alt + F.
Limitations of DNIe smart card
- Smart card login in Windows and
desktop logon UI mode are not supported.
- PIN injection to Windows GINA
for certificate-based authentication is not supported.
- The DNIe certificate store must not be enabled. When the DNIe
certificate store is not enabled, other applications such as Microsoft Internet Explorer
cannot perform SSL client authentication with the DNIe smart card.
- Failed login attempts because of wrong PIN entry are not recorded
in the audit log even when the user has a cached smart card lock.
- On Microsoft Windows Vista or Windows 7, Fast User Switching that is triggered
by inserting a different smart card does not work. Manually click Switch
User to trigger Fast User Switching.
- The IBM Security
Access Manager for Enterprise Single Sign-On user
name is not visible in the AccessAgent PIN
prompt screen. The user name is not visible even when IBM Security
Access Manager for Enterprise Single Sign-On
is configured to automatically map the User Principal Name in the
smart card certificate to the IBM Security
Access Manager for Enterprise Single Sign-On user
name.
- If Tivoli® Directory
Server is used, automatic mapping of smart card certificate to enterprise
user name is not supported.
Limitations of hybrid smart card
- Smart card login in Windows and
desktop logon UI mode are not supported.
Limitations in private desktop
- Some Windows user configuration
settings, such as the screensaver configuration, must be configured from the
default account desktop to be effective.
Limitations in WebAPI Credential Management
- The rst.xml file for getting, setting, or deleting user credentials
can contain only one wst:RequestSecurityToken node.
If you use multiple wst:RequestSecurityToken nodes
in your request, the request is accepted without any errors. However,
only the last wst:RequestSecurityToken node gets
a response.
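A pre-submission check for the limitation above, as an added example that is not part of the IBM documentation: it counts RequestSecurityToken elements by local name and rejects any rst.xml that does not contain exactly one. The namespace URI, wrapper element and child elements in the sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

RST_LOCAL_NAME = "RequestSecurityToken"

# Constructed samples; the namespace URI and <batch> wrapper are placeholders.
SINGLE = """<wst:RequestSecurityToken xmlns:wst="urn:example:ws-trust">
  <wst:RequestType>urn:example:get</wst:RequestType>
</wst:RequestSecurityToken>"""

DOUBLE = """<batch xmlns:wst="urn:example:ws-trust">
  <wst:RequestSecurityToken><wst:RequestType>urn:example:get</wst:RequestType></wst:RequestSecurityToken>
  <wst:RequestSecurityToken><wst:RequestType>urn:example:delete</wst:RequestType></wst:RequestSecurityToken>
</batch>"""


def local_name(tag):
    # ElementTree renders a namespaced tag as "{namespace-uri}local".
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def find_rst_nodes(xml_text):
    """Return every RequestSecurityToken element, whatever prefix it uses."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if local_name(el.tag) == RST_LOCAL_NAME]


def check_rst_document(xml_text):
    """Return (ok, message); ok is True only for exactly one RST node."""
    try:
        nodes = find_rst_nodes(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if len(nodes) == 1:
        return True, "exactly one RequestSecurityToken node"
    if not nodes:
        return False, "no RequestSecurityToken node found"
    # The request would be accepted, but only the last node gets a response.
    return False, (f"{len(nodes)} RequestSecurityToken nodes found; "
                   "only the last would get a response")


if __name__ == "__main__":
    # Usage: python check_rst.py rst.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        ok, message = check_rst_document(fh.read())
    print(message)
    sys.exit(0 if ok else 1)
```

Running the check before each submission turns the silent partial response into an explicit failure that an operator or script can act on.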
Limitations of Mozilla Firefox
- Automatic logon to AccessAdmin is
not supported for the Mozilla Firefox web browser.
Limitations of third-party applications
- Tivoli Common Reporting
tool versions 1.1 and 1.2 do not support 64-bit operating systems.
- Tivoli Common Reporting
tool does not support bidirectional languages.
- Windows panel does not
support bidirectional languages. For example, the filename order in
the AccessStudio Save As panel is not displayed in a right-aligned order.