OpenAM / OPENAM-11636

IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity


    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      Mac OS X - 10.11.6
      Java 1.8.0_111-b14
      Apache Tomcat/8.5.4
      OpenAM 13.5.0
    • Sprint:
      AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56


      Bug description

      proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for a specific remote SP entity.

      How to reproduce the issue

      1. configure AM as IdP-Proxy
      2. configure 'com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl' as the IDP Finder implementation class at the IdP-Proxy
      3. configure 'proxyidpfinder.jsp' as the IdP Finder JSP at the IdP-Proxy
      4. configure remote SP and IdP entities
      5. set "Proxy all requests" for the remote SP entity
      6. configure IdP list for the remote SP entity
      7. enable 'Use IDP Finder' for the remote SP entity
      8. perform SP-initiated SSO

      Expected behaviour

      The IdP list should be shown to allow selection of an IdP.

      Current behaviour

      The SAML AuthnRequest is proxied to the first IdP in the IdP list.

      Workaround

      Enable 'Enable Proxy IDP Finder for all SPs' at the IdP-Proxy.

      Code analysis

      public static String IDP_FINDER_ENABLED_IN_SP = "idpFinderEnabled";

      public List getPreferredIDP(
              AuthnRequest authnRequest,
              String hostProviderID,
              String realm,
              HttpServletRequest request,
              HttpServletResponse response) throws SAML2Exception {
          ...
          // The per-SP flag is looked up in the SP extended metadata under the
          // name held by IDP_FINDER_ENABLED_IN_SP ("idpFinderEnabled").
          String idpFinderEnabled = SPSSOFederate.getParameter(spConfigAttrsMap,
                  IDP_FINDER_ENABLED_IN_SP);
          ...
          // When that attribute is absent, isIdPFinderEnabled stays false and,
          // unless one of the other two flags is set, the request falls
          // through to the static IdP list instead of the finder JSP.
          if (!isIntroductionForProxyingEnabled && !isIdPFinderEnabled
                  && !isIdpFinderForAllSPsEnabled) {
              debugMessage(methodName, " idpFinder wil use the static list of the SP");
              ...
          }

      The name of the attribute related to the AM console setting 'Use IDP Finder' is useIDPFinder and not idpFinderEnabled.

      Excerpt from the extended SP metadata:

              <Attribute name="useIDPFinder">
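The attribute lookup and the three-flag decision from the code analysis above, as an added worked example (not OpenAM's own code and not part of the report): it parses an SP extended-metadata fragment and evaluates the same predicate twice, once with the key the analysis says the code reads ("idpFinderEnabled") and once with the key the console writes ("useIDPFinder"), and also shows why the "finder for all SPs" workaround changes the outcome. Only the useIDPFinder attribute name comes from the page; the XML sample is constructed, and the urn:sun:fm:SAML:2.0:entityconfig namespace, the SPSSOConfig/Attribute/Value layout, the idpProxyList attribute, and the get_parameter helper are assumptions modelled on OpenAM's extended-metadata format.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of OpenAM extended entity config (not stated on the page).
NS = {"ec": "urn:sun:fm:SAML:2.0:entityconfig"}

# Constructed sample SP extended metadata. Only useIDPFinder is taken from the
# report; idpProxyList and the enclosing elements are assumptions.
SP_EXTENDED_METADATA = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="https://sp.example.com" hosted="0">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="useIDPFinder"><Value>true</Value></Attribute>
    <Attribute name="idpProxyList">
      <Value>https://idp1.example.com</Value>
      <Value>https://idp2.example.com</Value>
    </Attribute>
  </SPSSOConfig>
</EntityConfig>"""

BUGGY_KEY = "idpFinderEnabled"   # name the code analysis says is looked up
CONSOLE_KEY = "useIDPFinder"     # name the console writes into the metadata


def parse_sp_config_attrs(xml_text):
    """Map every SPSSOConfig <Attribute name=...> to its list of <Value> texts."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//ec:SPSSOConfig/ec:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("ec:Value", NS)]
        attrs[attr.get("name")] = values
    return attrs


def get_parameter(attrs, name):
    """First value of an attribute or None; models SPSSOFederate.getParameter (assumption)."""
    values = attrs.get(name)
    return values[0] if values else None


def is_true(value):
    return value is not None and value.lower() == "true"


def idp_finder_decision(attrs, finder_key,
                        introduction_enabled=False, finder_for_all_sps=False):
    """Replicate the three-flag predicate: static list unless some flag is set.

    finder_key is the metadata attribute consulted for the per-SP flag, so the
    same function can be evaluated with the buggy and the correct name.
    """
    finder_enabled = is_true(get_parameter(attrs, finder_key))
    if not introduction_enabled and not finder_enabled and not finder_for_all_sps:
        idps = attrs.get("idpProxyList") or []
        # Proxy straight to the first IdP of the static list.
        return {"route": "static", "idp": idps[0] if idps else None}
    # Hand off to the IdP finder JSP (proxyidpfinder.jsp) for selection.
    return {"route": "finder", "idp": None}


def diagnose(xml_text):
    """Summarise what the console configured versus what the lookup sees."""
    attrs = parse_sp_config_attrs(xml_text)
    return {
        "console_flag": get_parameter(attrs, CONSOLE_KEY),
        "seen_by_buggy_lookup": get_parameter(attrs, BUGGY_KEY),
        "buggy_route": idp_finder_decision(attrs, BUGGY_KEY)["route"],
        "correct_route": idp_finder_decision(attrs, CONSOLE_KEY)["route"],
        "workaround_route": idp_finder_decision(
            attrs, BUGGY_KEY, finder_for_all_sps=True)["route"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SP_EXTENDED_METADATA).items():
        print(f"{key}: {value}")
```

Running it against an ssoadm export of the affected SP's extended metadata shows the mismatch directly: the console flag is present, the buggy lookup returns None, and the route flips from the static list to the finder only when the key is corrected or the global "for all SPs" flag is set.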




            • Assignee:
              sfraser Sam Fraser
              bthalmayr Bernhard Thalmayr
            • Votes:
              1 Vote for this issue