OPENAM-11474

Custom IDP Attribute mappers may cause failures after upgrade



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.1, 14.0.0, 14.1.0, 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2, 5.5.2, 7.0.0, 6.5.3, 7.1.0, 7.0.1, 7.0.2
    • Fix Version/s: None
    • Labels: documentation, SAML, samples


      Bug description

      After upgrading from 13.5.0 to 13.5.1 (and likely 14.0), user code that extends DefaultLibraryIDPAttributeMapper may break. The reason is that some of the internals of these classes changed, so it is possible that:

      1) The old implementation fails to run, or
      2) The old implementation behaves badly, because the old isDynamicalOrIgnoredProfile(realm) is gone and has been replaced with isIgnoredProfile(Object session, String realm). Depending on which implementation was extended, it is possible that the default value of "true" is returned and hence the "profile" data is ignored (i.e. user attributes are not mapped into the SAML assertion).

      This may need to be documented or release-noted, or the old interface could be put back in 13.5.1/14.0.0 for old code.
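      The failure mode described above, as an added stand-alone example (not OpenAM code): UpgradedBaseMapper, LegacyCustomMapper, PortedCustomMapper, readsProfile and orphanedMethods are constructed stand-ins for this illustration, and the base class's default of "true" mirrors what the report describes rather than OpenAM's actual implementation. Only the two hook names and signatures are taken from the report. The legacy subclass still declares the old hook without @Override, so the compiler accepts it, but the upgraded base class never calls it and the profile is silently ignored; the reflection scan flags such orphaned methods so the problem can be caught before deployment.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class OrphanedOverrideCheck {

    /** Stand-in for the upgraded base class (constructed for this example). */
    static class UpgradedBaseMapper {
        // New hook name and signature, as described in the report.
        protected boolean isIgnoredProfile(Object session, String realm) {
            return true; // stand-in default: profile is treated as ignored
        }

        // Whether profile attributes would be read for this mapping.
        final boolean readsProfile(Object session, String realm) {
            return !isIgnoredProfile(session, realm);
        }
    }

    /** Custom mapper written against the OLD base class; it still "overrides" the removed hook. */
    static class LegacyCustomMapper extends UpgradedBaseMapper {
        // No @Override, so javac does not notice that this hook no longer exists upstream.
        protected boolean isDynamicalOrIgnoredProfile(String realm) {
            return false; // intended: always map profile attributes
        }
    }

    /** The same customisation ported to the new hook; @Override turns a future rename into a compile error. */
    static class PortedCustomMapper extends UpgradedBaseMapper {
        @Override
        protected boolean isIgnoredProfile(Object session, String realm) {
            return false;
        }
    }

    /**
     * Names of non-private, non-static methods declared in {@code subclass} that override
     * nothing in any superclass (interfaces are not considered). Such methods are a sign that
     * an extension point was renamed or removed by an upgrade.
     */
    static List<String> orphanedMethods(Class<?> subclass) {
        List<String> orphans = new ArrayList<>();
        for (Method m : subclass.getDeclaredMethods()) {
            int mods = m.getModifiers();
            if (Modifier.isPrivate(mods) || Modifier.isStatic(mods) || m.isSynthetic()) {
                continue;
            }
            boolean found = false;
            for (Class<?> c = subclass.getSuperclass(); c != null && !found; c = c.getSuperclass()) {
                try {
                    c.getDeclaredMethod(m.getName(), m.getParameterTypes());
                    found = true;
                } catch (NoSuchMethodException ignored) {
                    // not declared at this level, keep walking up
                }
            }
            if (!found) {
                orphans.add(m.getName());
            }
        }
        return orphans;
    }

    public static void main(String[] args) {
        // The legacy mapper's customisation is never consulted: profile is ignored.
        System.out.println("legacy mapper reads profile: " + new LegacyCustomMapper().readsProfile(null, "/"));
        // The ported mapper overrides the hook that is actually called.
        System.out.println("ported mapper reads profile: " + new PortedCustomMapper().readsProfile(null, "/"));
        // The scan names the dead override in the legacy class and nothing in the ported one.
        System.out.println("orphaned in LegacyCustomMapper: " + orphanedMethods(LegacyCustomMapper.class));
        System.out.println("orphaned in PortedCustomMapper: " + orphanedMethods(PortedCustomMapper.class));
    }
}
```

      Running the same orphanedMethods scan against a real custom mapper class loaded alongside the upgraded OpenAM jars gives a quick pre-deployment check that every hook the custom class declares still exists in the new base class; adding @Override to every intended override gives the same protection at compile time.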

      How to reproduce the issue

      1. Extend a custom adapter from DefaultLibraryIDPAttributeMapper with no implementation of its own, so that there is no profile data for it:

      import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;
      import com.sun.identity.saml2.plugins.SAML2PluginsUtils;

      public class DummyAttributeMapper extends DefaultLibraryIDPAttributeMapper {
          public DummyAttributeMapper() {
          }

          // Written against 13.5.0, where the base class had this hook. After the
          // upgrade the base class no longer calls it, so this override is dead code.
          protected boolean isDynamicalOrIgnoredProfile(String realm) {
              return SAML2PluginsUtils.isDynamicalOrIgnoredProfile(realm);
          }
      }

      2. Create a SAML federation (one IDP and SP)

      3. Create some profile mapping from IDP (say uid. and mail)

      4. Enable Federation debug. Perform a SAML federation login and check in the SAML
      payload that the attributes are sent to the SP.

      5. Now change the IDP Attribute Mapper to the DummyAttributeMapper.
      Restart and repeat the federation login. Observe that you may have no attributes from the profile, and that the Federation logs contain:

      DefaultLibraryIDPAttributeMapper.getAttributes: mail string value map was empty or null.
      libSAML2:08/03/2017 01:27:59:661 PM SGT: Thread[http-nio-8080-exec-10,5,main]: TransactionId[0b3fb264-00f0-4692-b0d6-c5f1b60a7c7b-269]
      DefaultLibraryIDPAttributeMapper.getAttributes: User profile does not have value for mail, checking SSOToken.

      Expected behaviour

      All the SAML attributes are sent in the Authn response.

      Current behaviour

      User profile attributes are missing.

      Work around

      Revisit all the old code that implements or extends the SAML DefaultLibraryIDPAttributeMapper and change the code.
      You may want to extend DefaultIDPAttributeMapper instead if possible (but you need OpenFM.jar, as DefaultLibraryIDPAttributeMapper happens to be in there, at least in 6.x).


      Otherwise, if using openam-federation-library for your custom modules and starting fresh, implement

          protected boolean isDynamicalOrIgnoredProfile(String realm) {

      Code analysis

      Due to OPENAM-9143


      Side note

      Should DefaultLibraryIDPAttributeMapper be relocated under openam-federation-library?




            Assignee: Unassigned
            Reporter: chee-weng.chea (C-Weng C)