
Custom IDP Attribute mappers may cause failures after upgrade

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.1, 14.0.0, 14.1.0
    • Fix Version/s: None
    • Component/s: None
    • Support Ticket IDs:

      Description

      Bug description

      After upgrading from 13.5.0 -> 13.5.1 (and likely 14.0), it is possible that user-extended classes derived from DefaultLibraryIDPAttributeMapper break. The reason is that some of the internals of these classes changed, so it is possible that:

      1) The old implementation fails to run
      2) Or the old implementation behaves badly, as the old isDynamicalOrIgnoredProfile(realm) is gone and replaced with isIgnoredProfile(Object session, String realm). Depending on which implementation was extended, it is possible that the default value of "true" is returned and hence "profile" data is ignored (i.e. user attributes are not mapped in SAML).

      This may need to be documented or release-noted, or the old interface put back into 13.5.1/14.0.0 for old code.

      How to reproduce the issue

      1. Extend a custom adapter from DefaultLibraryIDPAttributeMapper with no real implementation, so that there is no profile data for this mapper:

      // Package assumed for the OpenAM classes; not stated in the issue text.
      import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;
      import com.sun.identity.saml2.plugins.SAML2PluginsUtils;

      public class DummyAttributeMapper extends DefaultLibraryIDPAttributeMapper
      {

          public DummyAttributeMapper() {
          }

          // Overrides the pre-13.5.1 hook. After the upgrade the base class no
          // longer calls this method (it calls isIgnoredProfile(Object, String)
          // instead), so this override is dead code and the base class default
          // decides whether the user profile is ignored.
          protected boolean isDynamicalOrIgnoredProfile(String realm) {
              return SAML2PluginsUtils.isDynamicalOrIgnoredProfile(realm);
          }
      }


      2. Create a SAML federation (one IDP and one SP).

      3. Create some profile mappings on the IDP (say uid and mail).

      4. Enable Federation debug. Perform a SAML federation login and check in the SAML
      payload that the attributes are sent to the SP.

      5. Now change the IDP Attribute mapper to the DummyAttributeMapper.
      Restart and repeat the federation login. Observe that you may have no attributes from the profile and that the Federation logs contain:

      DefaultLibraryIDPAttributeMapper.getAttributes: mail string value map was empty or null.
      libSAML2:08/03/2017 01:27:59:661 PM SGT: Thread[http-nio-8080-exec-10,5,main]: TransactionId[0b3fb264-00f0-4692-b0d6-c5f1b60a7c7b-269]
      DefaultLibraryIDPAttributeMapper.getAttributes: User profile does not have value for mail, checking SSOToken.
      
      Expected behaviour

      All the SAML attributes are sent in the Authn response.

      Current behaviour

      User profile attributes are missing.

      Work around

      Revisit all the old code that implements or extends the SAML DefaultLibraryIDPAttributeMapper and change it.
      You may want to extend DefaultIDPAttributeMapper instead, if possible.
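      An added example of the "change code" step above (not code from this issue or from OpenAM itself): a mapper ported to the hook that replaced isDynamicalOrIgnoredProfile. It assumes the classes live in com.sun.identity.saml2.plugins, that the new method is protected and callable via super with the signature quoted in the description, and the "/employees" realm policy is constructed for illustration.

```java
// Package assumed for the OpenAM classes; not stated in the issue text.
import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;

/**
 * Mapper ported to the 13.5.1 / 14.x hook. The old override of
 * isDynamicalOrIgnoredProfile(String) is dropped: the upgraded base class
 * never calls it, so keeping it only hides that the decision now comes
 * from isIgnoredProfile(Object, String).
 *
 * Quick check for an existing custom mapper: put @Override on its
 * isDynamicalOrIgnoredProfile(String) and compile against the 13.5.1 jar.
 * A compile error confirms the hook was removed from the base class.
 */
public class PortedAttributeMapper extends DefaultLibraryIDPAttributeMapper {

    // @Override is the compile-time guard: if the OpenAM jar on the classpath
    // does not declare this exact signature, the build fails instead of the
    // mapper silently falling back to the base default and dropping profile
    // attributes from the SAML response at runtime.
    @Override
    protected boolean isIgnoredProfile(Object session, String realm) {
        // Constructed example policy: the realm whose users must always have
        // profile attributes mapped. Everything else defers to the upgraded
        // base class so its dynamic/ignored-profile logic is preserved.
        if ("/employees".equals(realm)) {
            return false;
        }
        return super.isIgnoredProfile(session, realm);
    }
}
```

      After deploying, repeat step 4 of the reproduction with Federation debug enabled and confirm the "User profile does not have value for" lines no longer appear for the mapped attributes.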

      Code analysis

      Due to OPENAM-9143

            People

            • Assignee: jonthomas Jonathan Thomas
            • Reporter: chee-weng.chea C-Weng C