OpenAM
OPENAM-10869

SAML2 Authentication module returns an ambiguous "Unable to link local user to remote user" error.


    • Sprint:
      AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 72, AM Sustaining Sprint 73


      Problem statement
      When using the SAML2 Authentication module (integrated mode) without a linking authentication chain, but with auto-federation configured and the SP realm set to Ignore Profile: if authentication to the IDP succeeds and the user is mapped, the whole SAML2 flow succeeds.
      Since there is no linking chain and we rely on auto-federation with the remote IDP, once this login completes we are done.

      The problem is that if we do not enter anything on the IDP and instead restart the auth URL (or use the back button), the misleading error "Unable to link local user to remote user" is returned (along with "Unable to login").

      Filing this as a UI experience improvement: the error should be improved, or there should be some way to detect that the SAML2 auth flow did not start. This issue does not seem to happen with the classic legacy UI.

      On SP:

      • Set up a subrealm /sub (on the SP)
      • Set Ignore Profile (on the SP)
      • Create a Hosted SP (as required for integrated mode per the docs)
        o Update the ACS URL to [AuthConsumer]
        o Set Auto-federation to the "uid" attribute
        o SP Attribute mapping (=)
      • In the /sub realm create a SAML2 Authentication Module (saml2)
        o No linking account
        o Use NameID Format transient
      • Create an auth chain "saml2" that uses the "saml2" auth module
      • Add the Organization Authentication to the chain saml2

      On IDP

      • Create a new user idpuser (not found on SP)
      • Expose attribute uid

      OK case (currently still working as expected):
      Access #login/&realm=sub; this authenticates to the IDP. Enter idpuser
      and this completes the authentication flow.

      Problem case:
      Clear all browser cookies and redo the above. When authenticating to "#login/&realm=sub" the browser redirects to the IDP for login. Instead of typing anything,
      say the user presses the back button or reissues the same URL (to restart authentication) from another window or similar; they will get "Unable to link local user to remote user".

      • Concerns: The error is ambiguous. Although the outcome, ending up on the "Unable to login" page, may be correct, the error message is not clear.
      • Expected: Instead of "Unable to link local user to remote user" when the user did not even start the SAML2 flow (or is at an inappropriate stage), a more appropriate error such as "Authentication failed" may be better.

      Probable cause: When the SAML2 flow is started and there is some residual cookie, the SAML2 auth module's "handleReturnRedirect" seems to look for some "key" attribute. In the case where there is no callback, or the authentication did not really start, it seems that instead of attempting the local link (which fails), it would be more appropriate to handle this case by failing early and giving a better error.
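The fail-early handling suggested under "Probable cause", modelled as an added Python example. This is not OpenAM's code: handle_return, the "key" query parameter, the response cache and the local user store are assumptions standing in for the module's return-redirect path, and the sample assertion and user set are constructed. The fail_early flag switches between the reported behaviour (linking is attempted with no assertion and reports a linking error) and the proposed one (a missing or unknown key is reported as an authentication failure before linking is tried).

```python
from dataclasses import dataclass, field

AUTH_FAILED = "Authentication failed"
LINK_FAILED = "Unable to link local user to remote user"


@dataclass
class Assertion:
    """Stand-in for the parsed SAML assertion delivered at the ACS (constructed)."""
    name_id: str                               # transient NameID, as in the steps
    attributes: dict = field(default_factory=dict)


def handle_return(params, response_cache, local_users, *,
                  autofed_attr="uid", ignore_profile=True, fail_early=True):
    """Hypothetical model of the module's return-redirect handling (not OpenAM code).

    params         : query parameters on the return redirect; assumed to carry a
                     "key" that identifies the SAML response cached by the ACS
    response_cache : key -> Assertion, filled when the IDP posts back
    local_users    : user store of the SP realm
    fail_early     : True = proposed behaviour, False = reported behaviour
    """
    key = params.get("key")
    # Proposed guard: no key, or a key nothing was cached under, means the
    # SAML2 flow never completed (restarted URL, back button, stale cookie).
    if fail_early and (key is None or key not in response_cache):
        return ("FAIL", AUTH_FAILED)

    assertion = response_cache.pop(key, None) if key is not None else None
    remote_id = assertion.attributes.get(autofed_attr) if assertion else None
    if remote_id is None:
        # Reported behaviour: linking is attempted with nothing to link, so the
        # user sees a linking error rather than an authentication error.
        return ("FAIL", LINK_FAILED)

    # Auto-federation: with Ignore Profile the remote attribute value becomes
    # the principal even without a local profile; otherwise it must exist locally.
    if ignore_profile or remote_id in local_users:
        return ("SUCCESS", remote_id)
    return ("FAIL", LINK_FAILED)


LOCAL_USERS = {"demo"}   # constructed: idpuser is deliberately absent, as in the report


def ok_case():
    """IDP login completed; the ACS cached the response under key k1."""
    cache = {"k1": Assertion(name_id="_tx123", attributes={"uid": "idpuser"})}
    return handle_return({"key": "k1"}, cache, LOCAL_USERS)


def restarted_flow_reported():
    """User never logged in at the IDP: nothing cached, no key on the return."""
    return handle_return({}, {}, LOCAL_USERS, fail_early=False)


def restarted_flow_proposed():
    return handle_return({}, {}, LOCAL_USERS, fail_early=True)


def stale_key_proposed():
    """Back button replays an old redirect whose cached response is gone."""
    return handle_return({"key": "old"}, {}, LOCAL_USERS, fail_early=True)


def no_ignore_profile_unknown_user():
    """Without Ignore Profile a remote user absent from the SP still cannot link."""
    cache = {"k2": Assertion(name_id="_tx456", attributes={"uid": "idpuser"})}
    return handle_return({"key": "k2"}, cache, LOCAL_USERS, ignore_profile=False)


if __name__ == "__main__":
    for case in (ok_case, restarted_flow_reported, restarted_flow_proposed,
                 stale_key_proposed, no_ignore_profile_unknown_user):
        print(f"{case.__name__}: {case()}")
```

The only behavioural difference between the two modes is the guard at the top of handle_return: the reported message is produced when the linking step runs with no assertion, so checking for the cached response before that step is what turns the message into an authentication failure.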


              • Assignee:
                lawrence.yarham Lawrence Yarham
                chee-weng.chea C-Weng C