[OPENAM-1068] In case of session upgrade the SAML IDPCache can lose the ssotoken sessionindex mapping - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 12.0.3, 13.0.0
Fix Version/s: 12.0.3, 13.0.0
Component/s: SAML
Labels:

Sprint:
Sustaining Sprint 10, Sustaining Sprint 11

Support Ticket IDs:

Description

1) Login using SP initiated SSO (using default ldapService == DataStore REQ)
2) Login using regular UI with different service (Login?service=test == LDAP REQ)
3) Try to repeat 1)

The IDP session is null error message occurs, because in 2) a new ssotoken is issued, and that will cause the IDPCache to lose the original sessionindex<->ssotoken mapping, and the new session will not be mapped to the sessionindex.

Workarounds:

openam.auth.destroy_session_after_upgrade=false
custom SessionPropertyUpgrader implementation not copying the SAML index -> could cause problems, if the SAML application sends further requests (like isPassive=true)

Attachments

Issue Links

is related to

OPENAM-4169 SFO breaks SAML2 functionality in a load-balanced IDP scenario when a server is restarted or goes offline

Resolved

Activity

People

Assignee:

Peter Major [X] (Inactive)

Reporter:

Peter Major [X] (Inactive)

QA Assignee:

Nemanja Lukic

Votes:

3 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

21/Jan/12 5:40 AM

Updated:

24/Jul/18 4:12 PM

Resolved:

07/Sep/15 3:01 PM

Time Tracking

Estimated:

Remaining:

Logged:

11h