OpenAM: OPENAM-11636

IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:
    • Environment:
      Mac OS X - 10.11.6
      Java 1.8.0_111-b14
      Apache Tomcat/8.5.4
      OpenAM 13.5.0
    • Sprint:
      AM Sustaining Sprint 52
    • Support Ticket IDs:

      Description

      Bug description

      proxyidpfinder.jsp is not triggered when enabling Use IDP Finder for a specific remote SP entity

      How to reproduce the issue

      1. configure AM as IdP-Proxy
      2. configure 'com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl' as the IDP Finder implementation class at the IdP-Proxy
      3. configure 'proxyidpfinder.jsp' as the IdP Finder JSP at the IdP-Proxy
      4. configure remote SP and IdP entities
      5. set "Proxy all requests" for the remote SP entity
      6. configure IdP list for the remote SP entity
      7. enable 'Use IDP Finder' for the remote SP entity
      8. perform SP-initiated SSO

      Expected behaviour

      IdP list should be shown to allow selection of an IdP

      Current behaviour

      SAML AuthnRequest is proxied to the first IdP in the IdP list

      Work around

      enable 'Enable Proxy IDP Finder for all SPs:' at the IdP-Proxy

      Code analysis

      com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl.java
      public static String IDP_FINDER_ENABLED_IN_SP = "idpFinderEnabled"
      ...
      public List getPreferredIDP(
                  AuthnRequest authnRequest,
                  String hostProviderID,
                  String realm,
                  HttpServletRequest request,
                  HttpServletResponse response) throws SAML2Exception {
      ...
                  String idpFinderEnabled = SPSSOFederate.getParameter(spConfigAttrsMap,
                          IDP_FINDER_ENABLED_IN_SP);
      ...
                  if (!isIntroductionForProxyingEnabled && !isIdPFinderEnabled
                          && !isIdpFinderForAllSPsEnabled) {
                      debugMessage(methodName, " idpFinder wil use the static list of the SP");
      ...
      

      The name of the attribute related to the AM console setting 'Use IDP Finder' is useIDPFinder and not idpFinderEnabled

      excerpt from extended SP metadata
              <Attribute name="useIDPFinder">
                  <Value>true</Value>
              </Attribute>
      
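      The following script is an added diagnostic, not part of this report and not OpenAM's own code. It parses an extended SP metadata fragment (constructed here from the Attribute element quoted above) into the kind of attribute map that getPreferredIDP() reads through SPSSOFederate.getParameter(), then applies the quoted condition with the key the code looks up ("idpFinderEnabled"), with the key the console actually writes ("useIDPFinder"), and with the global 'Enable Proxy IDP Finder for all SPs' workaround. The two global flags are modelled as plain booleans, and XML namespaces are ignored, because the report does not show their attribute names or the namespace; both are assumptions.

```python
"""Added diagnostic for the attribute-name mismatch in OPENAM-11636.

Illustrative code, not OpenAM's own. It reproduces the decision in
SAML2IDPProxyFRImpl.getPreferredIDP() as quoted in the report, using an
attribute map built from an extended SP metadata fragment.
"""
import xml.etree.ElementTree as ET

IDP_FINDER_ENABLED_IN_SP = "idpFinderEnabled"  # key looked up by the code
CONSOLE_ATTRIBUTE = "useIDPFinder"             # key written by 'Use IDP Finder'

# Constructed fragment: the Attribute element quoted in the report, wrapped
# in a root element so it parses. A real export carries more attributes and
# a namespace; local_name() below ignores the namespace (assumption).
EXTENDED_SP_METADATA = """\
<SPSSOConfig>
    <Attribute name="useIDPFinder">
        <Value>true</Value>
    </Attribute>
</SPSSOConfig>
"""


def local_name(tag):
    """Strip an '{namespace}' prefix so exported and hand-made XML both work."""
    return tag.rsplit("}", 1)[-1]


def parse_attributes(xml_text):
    """Return {attribute name: [values]} for every <Attribute> in the fragment."""
    attrs = {}
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "Attribute":
            continue
        values = [
            child.text.strip()
            for child in elem
            if local_name(child.tag) == "Value" and child.text
        ]
        attrs[elem.get("name")] = values
    return attrs


def get_parameter(attrs, key):
    """Mimic SPSSOFederate.getParameter(): first value for the key, else None."""
    values = attrs.get(key)
    return values[0] if values else None


def finder_decision(attrs, lookup_key, introduction_for_proxying=False,
                    finder_for_all_sps=False):
    """Apply the condition quoted from getPreferredIDP().

    Returns "finder" when proxyidpfinder.jsp would be invoked and
    "static-list" when the AuthnRequest is proxied to the first IdP of the
    SP's list. The two global flags are plain booleans here because the
    report does not show their attribute names (assumption).
    """
    is_idp_finder_enabled = (get_parameter(attrs, lookup_key) or "").lower() == "true"
    if (not introduction_for_proxying and not is_idp_finder_enabled
            and not finder_for_all_sps):
        return "static-list"
    return "finder"


def diagnose(xml_text):
    """Evaluate the SP config as coded, with the console's key, and with
    the global 'Enable Proxy IDP Finder for all SPs' workaround."""
    attrs = parse_attributes(xml_text)
    return {
        "as_coded": finder_decision(attrs, IDP_FINDER_ENABLED_IN_SP),
        "console_key": finder_decision(attrs, CONSOLE_ATTRIBUTE),
        "workaround": finder_decision(attrs, IDP_FINDER_ENABLED_IN_SP,
                                      finder_for_all_sps=True),
        "keys_present": sorted(attrs),
    }


if __name__ == "__main__":
    for name, outcome in diagnose(EXTENDED_SP_METADATA).items():
        print(f"{name}: {outcome}")
```

      Running it against an exported extended SP metadata file instead of the constructed fragment shows the same thing: "as_coded" falls through to the static list because no "idpFinderEnabled" attribute exists, while "console_key" and "workaround" select the finder.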

            People

            • Assignee:
              Unassigned
              Reporter:
              bthalmayr Bernhard Thalmayr