OpenAM / OPENAM-4264

IDPAccountMapper.getNameID() does not receive the SP Entity ID if there is no SPNameQualifier in the SAML request

    Details

      Description

      The IDPAccountMapper interface states that the getNameID() method receives the entityID of the remote provider as a parameter.

      However, in my tests, this entityID can be empty or null.

      It is null if the SAML2 Authentication Request did not contain a NameIDPolicy.

      It is empty if the SAML2 Authentication Request contained a NameIDPolicy but no SPNameQualifier.

      It only has a value if the authentication request contained a NameIDPolicy with a SPNameQualifier.

      This behavior is enforced in IDPSSOUtil.getSubject() and can easily be checked from the source code.

      That is a major issue for anyone who wants to generate a custom NameID depending on the requesting Service Provider.

      I believe the easy fix is to use the recipientEntityID as a backup if no SPNameQualifier is provided.
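      The three cases from the report and the proposed fallback, reproduced on constructed AuthnRequest fragments (an added illustration, not the reporter's code and not OpenAM source). It assumes the recipient entity ID equals the AuthnRequest Issuer, and the sp.example.com entity IDs are placeholders; the pairwise_name_id helper is a hypothetical custom mapper that shows why the SP entity ID is needed.

```python
# Added example, not OpenAM code: reconstructs the reported behaviour of
# IDPSSOUtil.getSubject() and the suggested recipientEntityID fallback.
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def sp_name_qualifier(authn_request_xml):
    """Current behaviour as described in the report: None when the request has
    no NameIDPolicy, "" when NameIDPolicy has no SPNameQualifier, else its value."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("SPNameQualifier", "")


def issuer(authn_request_xml):
    """The requesting SP's entity ID as carried in <saml:Issuer>."""
    el = ET.fromstring(authn_request_xml).find("saml:Issuer", NS)
    return el.text.strip() if el is not None and el.text else None


def remote_entity_id(authn_request_xml):
    """Proposed fix: fall back to the recipient (requesting SP) entity ID.
    Assumption: recipientEntityID is the AuthnRequest Issuer."""
    qualifier = sp_name_qualifier(authn_request_xml)
    return qualifier if qualifier else issuer(authn_request_xml)


def pairwise_name_id(uid, remote_entity_id_value):
    """Hypothetical custom mapper: a per-SP opaque identifier. Without the SP
    entity ID (None or "") no SP-specific value can be derived, so return None."""
    if not remote_entity_id_value:
        return None
    digest = hashlib.sha256(f"{remote_entity_id_value}|{uid}".encode()).hexdigest()
    return digest[:32]


def build_request(name_id_policy):
    # Constructed sample request; the Issuer is a placeholder SP entity ID.
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
            'Version="2.0" IssueInstant="2015-01-01T00:00:00Z">'
            '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>%s'
            '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"], name_id_policy)


NO_POLICY = build_request("")
POLICY_NO_QUALIFIER = build_request('<samlp:NameIDPolicy Format="%s"/>' % PERSISTENT)
POLICY_WITH_QUALIFIER = build_request(
    '<samlp:NameIDPolicy Format="%s" SPNameQualifier="https://sp.example.com/metadata"/>'
    % PERSISTENT)
```

Only the third request lets pairwise_name_id work today; with the fallback all three resolve to the same SP entity ID.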

            People

            Assignee: Peter Major (peter.major)
            Reporter: david.hatanian@revevol.eu