OpenAM / OPENAM-10673

SAML2 authentication module fails to redirect to IDP after failing DeviceID match module


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 14.0.0, 14.1.1, 14.5.1
    • Fix Version/s: 13.5.2, 6.0.0, 5.5.2
    • Component/s: authentication, XUI
    • Sprint: AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 45
    • 5
    • Yes
    • Yes
    • No
    • Yes, and I used the same as in the description

      Description

      The SAML2 authentication module fails to send the authentication request when placed after the DeviceID Match module in a chain. Disabling XUI fixes it.

      amAuthSAML2:02/20/2017 11:00:41:463 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      ERROR: SAML2 :: handleReturnFromRedirect() : Unable to perform local linking - response data key not found
      amLoginModule:02/20/2017 11:00:41:463 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      substituteHeader : state=4, header=Unable to link local user to remote user.
      
      amAuth:02/20/2017 11:00:41:469 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      LOGINFAILED MessageAuthLoginException....
      amAuth:02/20/2017 11:00:41:469 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      Exception 
      com.sun.identity.authentication.spi.MessageLoginException: Unable to link local user to remote user.
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1179)
              at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
              at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
              at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:565)
              at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
              at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
              at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
      
      amAuthREST:02/20/2017 11:00:41:523 AM GMT: Thread[http-bio-28080-exec-4,5,main]: TransactionId[303a9429-d7d1-4108-8585-d6d0404f8821-302]
      AuthenticationService.authenticate() :: Rest Authentication Exception
      org.forgerock.openam.core.rest.authn.exceptions.RestAuthErrorCodeException: Unable to link local user to remote user.
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:297)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:263)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
              at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      

      Create a chain:

      DataStore Requisite
      DeviceID Match Sufficient
      SAML2 Requisite
      DeviceID Save Required

      Authenticate to DataStore, fail the DeviceID Match module, and an error is shown in the XUI at the point where the user should be redirected to the IDP.

      A SAML request is generated (Federation logs) but never sent.
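      As an added illustration (not code from this ticket or from OpenAM), a JAAS-style walk of the chain above: it shows why, once the Sufficient DeviceID Match module fails, evaluation continues to the SAML2 module, which has to suspend the chain with a redirect to the IDP instead of finishing locally. Module outcomes (PASS/FAIL/REDIRECT) are constructed for the example.

```python
# Constructed example: JAAS control-flag evaluation of the ticket's chain.
from dataclasses import dataclass
from typing import Callable, List

PASS, FAIL, REDIRECT = "pass", "fail", "redirect"


@dataclass
class Module:
    name: str
    flag: str                   # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    run: Callable[[], str]      # returns PASS, FAIL or REDIRECT


def evaluate_chain(chain: List[Module]) -> dict:
    """Walk the chain with JAAS control-flag semantics.

    A module answering REDIRECT (the SAML2 module's outbound step) suspends
    the chain: login cannot complete until the IDP response comes back.
    """
    executed, required_failed = [], False
    for m in chain:
        result = m.run()
        executed.append((m.name, result))
        if result == REDIRECT:
            return {"outcome": REDIRECT, "pending": m.name, "executed": executed}
        if m.flag == "REQUISITE" and result == FAIL:
            return {"outcome": FAIL, "executed": executed}      # stop at once
        if m.flag == "REQUIRED" and result == FAIL:
            required_failed = True                               # continue, fail at end
        if m.flag == "SUFFICIENT" and result == PASS and not required_failed:
            return {"outcome": PASS, "executed": executed}      # short-circuit success
        # a failed SUFFICIENT or OPTIONAL module falls through to the next one
    return {"outcome": FAIL if required_failed else PASS, "executed": executed}


# The ticket's chain with constructed outcomes: DataStore succeeds, the device
# profile is unknown so DeviceID Match fails, SAML2 must redirect to the IDP.
TICKET_CHAIN = [
    Module("DataStore", "REQUISITE", lambda: PASS),
    Module("DeviceID Match", "SUFFICIENT", lambda: FAIL),
    Module("SAML2", "REQUISITE", lambda: REDIRECT),
    Module("DeviceID Save", "REQUIRED", lambda: PASS),
]


def known_device_chain() -> dict:
    """Same chain when the device profile matches: SAML2 is never reached."""
    chain = list(TICKET_CHAIN)
    chain[1] = Module("DeviceID Match", "SUFFICIENT", lambda: PASS)
    return evaluate_chain(chain)


if __name__ == "__main__":
    print(evaluate_chain(TICKET_CHAIN))
    print(known_device_chain())
```

The first run stops at SAML2 with a pending redirect, which is the state the XUI must honour; the second shows the Sufficient short-circuit that skips SAML2 for a recognised device.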

        People

        adam.heath Adam Heath
        joe.starling Joe Starling
        Votes: 3
        Watchers: 8