OpenAM / OPENAM-10673

SAML2 authentication module fails to redirect to IDP after failing DeviceID match module

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 14.0.0, 14.1.1, 14.5.1
    • Fix Version/s: 13.5.2, 6.0.0, 5.5.2
    • Component/s: authentication, XUI
    • Labels:
    • Sprint:
      AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 45
    • Story Points:
      5
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      The SAML2 authentication module fails to send the authentication request when placed after the DeviceID Match module in a chain. Disabling XUI fixes it.

      amAuthSAML2:02/20/2017 11:00:41:463 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      ERROR: SAML2 :: handleReturnFromRedirect() : Unable to perform local linking - response data key not found
      amLoginModule:02/20/2017 11:00:41:463 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      substituteHeader : state=4, header=Unable to link local user to remote user.
      
      amAuth:02/20/2017 11:00:41:469 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      LOGINFAILED MessageAuthLoginException....
      amAuth:02/20/2017 11:00:41:469 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      Exception 
      com.sun.identity.authentication.spi.MessageLoginException: Unable to link local user to remote user.
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1179)
              at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
              at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
              at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:565)
              at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
              at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
              at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
      
      amAuthREST:02/20/2017 11:00:41:523 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      AuthenticationService.authenticate() :: Rest Authentication Exception
      org.forgerock.openam.core.rest.authn.exceptions.RestAuthErrorCodeException: Unable to link local user to remote user.
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:297)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:263)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
              at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      

      Create a chain:

      DataStore Requisite
      DeviceID Match Sufficient
      SAML2 Requisite
      DeviceID Save Required

      Authenticate to DataStore, fail DeviceID Match, see an error on the XUI when expected to be sent to the IDP.

      A SAML request is generated (Federation logs) but never sent.
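The reproduction above is a REST callback exchange under the hood: the XUI posts to /json/authenticate, answers the callbacks each module returns, and expects the SAML2 module to hand back a RedirectCallback pointing at the IdP. The following is an added example, not code from the OpenAM project or from the reporter. It walks that exchange and classifies each step so a fixed build (RedirectCallback after the DeviceID Match failure) can be told apart from the bug (HTTP 401 "Unable to link local user to remote user."). The transport is injected and all server replies are constructed stand-ins; the callback shapes, stage names, the clientScriptOutputData hidden value, the IdP URL and the credentials are assumptions, not captured from a real deployment.

```python
"""Drive an OpenAM REST login chain offline and classify each step.
Added example; server replies below are constructed, not captured."""
import json
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict]             # (HTTP status, decoded JSON body)
Transport = Callable[[Dict], Response]  # POST body -> Response


def classify(status: int, body: Dict) -> str:
    """Coarse step type: success | error | redirect | prompt."""
    if status == 200 and "tokenId" in body:
        return "success"
    if status != 200:                # module failure: 401 plus a message
        return "error"
    types = {cb.get("type") for cb in body.get("callbacks", [])}
    if "RedirectCallback" in types:  # SAML2 module hands the client to the IdP
        return "redirect"
    return "prompt"


def fill_callbacks(callbacks: List[Dict], answers: Dict[str, str]) -> List[Dict]:
    """Answer each callback by type; callbacks with no answer are echoed back."""
    filled = []
    for cb in callbacks:
        cb = json.loads(json.dumps(cb))  # deep copy, leave the reply untouched
        value = answers.get(cb.get("type"))
        if value is not None and cb.get("input"):
            cb["input"][0]["value"] = value
        filled.append(cb)
    return filled


def walk_chain(post: Transport, answers: Dict[str, str], max_steps: int = 10):
    """Start the chain and answer prompts until a redirect, success or error."""
    trail: List[str] = []
    status, body = post({})          # an empty POST starts the chain
    for _ in range(max_steps):
        kind = classify(status, body)
        trail.append(kind)
        if kind != "prompt":
            return kind, trail, body
        status, body = post({"authId": body["authId"],
                             "callbacks": fill_callbacks(body["callbacks"], answers)})
    return "timeout", trail, body


def redirect_target(body: Dict) -> Optional[str]:
    """redirectUrl carried by a RedirectCallback in the reply, if any."""
    for cb in body.get("callbacks", []):
        if cb.get("type") == "RedirectCallback":
            for out in cb.get("output", []):
                if out.get("name") == "redirectUrl":
                    return out.get("value")
    return None


# Constructed stand-ins for the server's replies (assumed shapes, not captured).
LOGIN_PROMPT: Response = (200, {"authId": "jwt-1", "stage": "DataStore1", "callbacks": [
    {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}],
     "input": [{"name": "IDToken1", "value": ""}]},
    {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}],
     "input": [{"name": "IDToken2", "value": ""}]}]})
DEVICE_PROMPT: Response = (200, {"authId": "jwt-2", "stage": "DeviceIdMatch1", "callbacks": [
    {"type": "HiddenValueCallback",
     "output": [{"name": "value", "value": ""}, {"name": "id", "value": "clientScriptOutputData"}],
     "input": [{"name": "IDToken1", "value": "clientScriptOutputData"}]}]})
IDP_REDIRECT: Response = (200, {"authId": "jwt-3", "stage": "SAML2_1", "callbacks": [
    {"type": "RedirectCallback", "output": [
        {"name": "redirectUrl", "value": "https://idp.example.com/sso?SAMLRequest=..."},
        {"name": "redirectMethod", "value": "GET"}]}]})
LINK_ERROR: Response = (401, {"code": 401, "reason": "Unauthorized",
                              "message": "Unable to link local user to remote user."})
# Empty device print: DeviceID Match cannot match, so the chain falls through to SAML2.
ANSWERS = {"NameCallback": "demo", "PasswordCallback": "changeit", "HiddenValueCallback": "{}"}


def replay(responses: List[Response]) -> Transport:
    """Offline transport that returns the canned replies in order."""
    it = iter(responses)
    return lambda _body: next(it)


def buggy_run():
    """What the ticket reports: an error where a redirect to the IdP was expected."""
    return walk_chain(replay([LOGIN_PROMPT, DEVICE_PROMPT, LINK_ERROR]), ANSWERS)


def fixed_run():
    """What a fixed build should produce: a RedirectCallback to the IdP."""
    return walk_chain(replay([LOGIN_PROMPT, DEVICE_PROMPT, IDP_REDIRECT]), ANSWERS)


if __name__ == "__main__":
    for name, run in (("buggy", buggy_run), ("fixed", fixed_run)):
        kind, trail, body = run()
        print(name, kind, trail, redirect_target(body) or body.get("message"))
```

To run it against a server, replace `replay(...)` with a transport that POSTs the body as JSON to `/json/authenticate?authIndexType=service&authIndexValue=<chain name>` (under `/json/realms/root/` on 5.5 and later) with `Content-Type: application/json` and `Accept-API-Version: resource=2.0, protocol=1.0`, and returns the status and decoded body; those endpoint and header details are assumptions about the deployment, so check them against the version under test.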

              People

              • Assignee: Adam Heath (adam.heath)
              • Reporter: Joe Starling (joe.starling)
              • Votes: 3
              • Watchers: 8
