[OPENAM-4264] IDPAccountMapper.getNameID() does not receive the SP Entity ID if there is no SPNameQualifier in the SAML request
Created: 30/Jul/14 | Updated: 09/Dec/14 | Resolved: 27/Aug/14
Fix Version/s: 10.0.3, 11.0.3, 12.0.0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
The IDPAccountMapper interface states that the getNameID() method receives the entityID of the remote provider as a parameter.
However, in my tests, this entityID can be empty or null.
It is null if the SAML2 Authentication Request did not contain a NameIDPolicy.
It is empty if the SAML2 Authentication Request contained a NameIDPolicy but no SPNameQualifier.
It only has a value if the authentication request contained a NameIDPolicy with an SPNameQualifier.
This behavior is enforced in IDPSSOUtil.getSubject() and can easily be checked from the source code.
That is a major issue for anyone who wants to generate a custom NameID depending on the requesting Service Provider.
I believe the easy fix is to use the recipientEntityID as a backup if no SPNameQualifier is provided.
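The three cases described in the report, and the proposed fallback to the recipient entity ID, can be reproduced outside OpenAM with a small model of the NameIDPolicy lookup. The following is an added example written for this page in Python, not OpenAM's Java code: `legacy_sp_entity_id()` models the behaviour the report attributes to IDPSSOUtil.getSubject() (None without a NameIDPolicy, empty without an SPNameQualifier), `resolve_sp_entity_id()` applies the suggested fallback, and `PairwiseNameIdMapper` stands in for a custom account mapper that derives a per-SP pseudonymous NameID and refuses to run with an empty SP entity ID. The function and class names, the HMAC-based NameID scheme and the sample AuthnRequests are all constructed for this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def legacy_sp_entity_id(authn_request_xml: str):
    """Model of the pre-fix lookup described in the report: the value handed to
    getNameID() comes only from NameIDPolicy/@SPNameQualifier.
    Returns None when there is no NameIDPolicy, '' when the policy carries no
    SPNameQualifier, and the qualifier otherwise."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("SPNameQualifier", "")


def resolve_sp_entity_id(authn_request_xml: str, recipient_entity_id: str) -> str:
    """Proposed fix from the report: prefer SPNameQualifier when it is present and
    non-empty, otherwise fall back to the recipient (requesting SP) entity ID."""
    candidate = legacy_sp_entity_id(authn_request_xml)
    if candidate:
        return candidate
    return recipient_entity_id


class PairwiseNameIdMapper:
    """Hypothetical custom account mapper: one stable, unlinkable NameID per
    (user, SP) pair, keyed with an IdP-side secret. This is the use case the report
    calls 'a custom NameID depending on the requesting Service Provider'."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def get_name_id(self, user_id: str, host_entity_id: str, remote_entity_id: str) -> str:
        # Defensive check: an empty or missing SP entity ID would silently collapse
        # every SP onto the same pseudonym, which defeats the pairwise design.
        if not remote_entity_id:
            raise ValueError("remote SP entity ID is required to build a pairwise NameID")
        material = f"{host_entity_id}|{remote_entity_id}|{user_id}".encode()
        return hmac.new(self._secret, material, hashlib.sha256).hexdigest()


# Constructed sample requests covering the three cases in the report.
SP = "https://sp.example.com/metadata"
IDP = "https://idp.example.com/metadata"

REQ_NO_POLICY = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req1" Version="2.0" IssueInstant="2014-07-30T00:00:00Z">
  <saml:Issuer>{SP}</saml:Issuer>
</samlp:AuthnRequest>"""

REQ_POLICY_NO_QUALIFIER = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req2" Version="2.0" IssueInstant="2014-07-30T00:00:00Z">
  <saml:Issuer>{SP}</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
</samlp:AuthnRequest>"""

REQ_POLICY_WITH_QUALIFIER = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req3" Version="2.0" IssueInstant="2014-07-30T00:00:00Z">
  <saml:Issuer>{SP}</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="{SP}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    mapper = PairwiseNameIdMapper(b"constructed-idp-secret")
    for label, req in [("no policy", REQ_NO_POLICY),
                       ("policy, no qualifier", REQ_POLICY_NO_QUALIFIER),
                       ("policy with qualifier", REQ_POLICY_WITH_QUALIFIER)]:
        print(f"{label:22} legacy={legacy_sp_entity_id(req)!r:40} "
              f"fixed={resolve_sp_entity_id(req, SP)!r}")
    print("pairwise NameID:", mapper.get_name_id("alice", IDP, resolve_sp_entity_id(REQ_NO_POLICY, SP)))
```

Running the script shows the legacy lookup yielding None, '' and the SP entity ID for the three requests, while the fallback yields the SP entity ID in every case; feeding the legacy result for the first two requests into the mapper raises, which is the failure the report describes for anyone mapping NameIDs per SP.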
Comment by Peter Major [27/Aug/14]
Fixed with R10276, R10277 and R10279