OPENAM-11350

SAML2 IDPEntry XML element contains content that violates the SAML2 XML schema

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.3, 12.0.4, 13.5.0, 14.0.0, 14.1.0
    • Fix Version/s: 13.5.2, 14.1.1, 14.5.0
    • Component/s: None
    • Sprint: AM Sustaining Sprint 40
    • Story Points: 2

      Description

      When the SP generates an AuthnRequest, the following is produced:

      <samlp:AuthnRequest  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="s27f96c6d5808b27ee8413ae782a23caeaaa0b220d" Version="2.0" IssueInstant="2017-06-30T04:36:37Z" Destination="http://idpproxy.example.com:38080/openam/SSORedirect/metaAlias/proxyidp" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.forgerock.org:28080/openam/Consumer/metaAlias/sp">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SPURL</saml:Issuer>
      <samlp:NameIDPolicy  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="SPURL" AllowCreate="true"></samlp:NameIDPolicy>
      <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
      <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="2">
      <samlp:IDPList  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProviderID="IDPURL">
      </samlp:IDPEntry>
      </samlp:IDPList>
      </samlp:Scoping>
      </samlp:AuthnRequest>
      

      PROBLEM
      The problem is that IDPEntryType in saml-schema-protocol-2.0.xsd declares attributes only (empty content), so IDPEntry must not contain any character data, not even whitespace. The newline that OpenAM emits between the start and end tags therefore fails schema validation. On a recipient IDP where XML schema validation is enforced (for example by an XML gateway in front of it), the whole AuthnRequest is rejected:

      <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProviderID="IDPURL">
      </samlp:IDPEntry>
      

      Contrast this with NameIDPolicy, whose type is also attribute-only: it is serialised without a newline between its tags and validates correctly.

      Cause:
      The issue is in openam-federation-library/src/main/java/com/sun/identity/saml2/protocol/impl/IDPEntryImpl.java, where line 229 of the toString code appends a NEWLINE. The equivalent toString code in NameIDPolicyImpl.java does not emit the newline.

      Testing
      Run an SP-initiated authentication, capture its SAMLRequest payload, and decode the SAML2 AuthnRequest (base64-decode for HTTP-POST; base64-decode and then inflate for HTTP-Redirect). Validate the decoded XML against saml-schema-protocol-2.0.xsd (for example with xmllint --schema) and confirm that it is schema-compliant, i.e. that IDPEntry no longer contains the newline.
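      As an added check (not part of this report and not OpenAM's own code), the following Python script decodes a captured SAMLRequest for either the HTTP-POST (base64) or HTTP-Redirect (raw DEFLATE plus base64) binding and flags protocol elements whose schema type has empty content but that carry character data or child elements, which is exactly the failure above. It does not replace a full XSD validation; it reproduces only the empty-content rule without needing the schema files. The element list (IDPEntry, NameIDPolicy, Terminate) is an assumption limited to the attribute-only types checked for this report, and the sample request is the one quoted in this ticket.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Protocol elements whose complexType in saml-schema-protocol-2.0.xsd declares
# attributes only (empty content). XML Schema permits whitespace inside
# element-only content but not inside empty content, so a bare newline between
# the start and end tags is a violation (Xerces reports cvc-complex-type.2.1).
# Assumption: the list is limited to the three types checked for this report.
EMPTY_CONTENT_ELEMENTS = {
    "{%s}%s" % (SAMLP, name) for name in ("IDPEntry", "NameIDPolicy", "Terminate")
}

# The AuthnRequest quoted in the report, with the offending newline inside
# samlp:IDPEntry preserved exactly.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s27f96c6d5808b27ee8413ae782a23caeaaa0b220d" Version="2.0" IssueInstant="2017-06-30T04:36:37Z" Destination="http://idpproxy.example.com:38080/openam/SSORedirect/metaAlias/proxyidp" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.forgerock.org:28080/openam/Consumer/metaAlias/sp">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SPURL</saml:Issuer>
<samlp:NameIDPolicy  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="SPURL" AllowCreate="true"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
<samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="2">
<samlp:IDPList  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProviderID="IDPURL">
</samlp:IDPEntry>
</samlp:IDPList>
</samlp:Scoping>
</samlp:AuthnRequest>"""


def encode_saml_request(xml_text, binding="post"):
    """Produce the SAMLRequest form field / query value for the given binding."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(payload, binding="post"):
    """Inverse of encode_saml_request: returns the AuthnRequest XML text."""
    data = base64.b64decode(payload)
    if binding == "redirect":
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")


def find_empty_content_violations(xml_text):
    """Return (local-name, text) for every empty-content element that carries
    character data (whitespace included) or child elements."""
    root = ET.fromstring(xml_text)
    violations = []
    for el in root.iter():
        if el.tag in EMPTY_CONTENT_ELEMENTS and (el.text or len(el)):
            violations.append((el.tag.split("}", 1)[1], el.text))
    return violations


def strip_empty_content(xml_text):
    """Re-serialise with the stray content removed; this is the output the
    corrected toString code is expected to produce (an assumption here)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in EMPTY_CONTENT_ELEMENTS:
            el.text = None
            for child in list(el):
                el.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    captured = encode_saml_request(SAMPLE_AUTHN_REQUEST, "redirect")
    xml_text = decode_saml_request(captured, "redirect")
    print("violations:", find_empty_content_violations(xml_text))
    print("after fix:", find_empty_content_violations(strip_empty_content(xml_text)))
```

      Run it against the request captured from the SP: the unfixed build reports a single IDPEntry entry whose text is a newline, and a fixed build reports nothing. Tails (text after an element's end tag) are deliberately not checked, because they belong to the enclosing element-only content where whitespace is permitted.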

            People

            • Assignee: chee-weng.chea C-Weng C
            • Reporter: chee-weng.chea C-Weng C