OpenAM / OPENAM-11638

IdP-Proxy - proxyidpfinder.jsp fails due to failing MetaAlias determination

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      Mac OS X - 10.11.6
      Java 1.8.0_111-b14
      Apache Tomcat/8.5.4
      OpenAM 13.5.0

      Description

      Bug description

      An error occurs when the default IdP Proxy finder implementation is used.

      How to reproduce the issue

      1. configure AM as IdP-Proxy
      2. configure 'com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl' as the IDP Finder implementation class at the IdP-Proxy
      3. configure 'proxyidpfinder.jsp' as the IdP Finder JSP at the IdP-Proxy
      4. set 'Enable Proxy IDP Finder for all SPs' at the IdP-Proxy (due to OPENAM-11636)
      5. configure remote SP and IdP entities
      6. set "Proxy all requests" for the remote SP entity
      7. configure IdP list for the remote SP entity
      8. perform SP-initiated SSO

      Expected behaviour

      IdP list should be shown to allow selection of an IdP

      Current behaviour

      HTTP 404 error occurs due to OPENAM-10194

      Work around

      Code analysis

      proxyidpfinder.jsp
      ...
      <%
          }

          relayState = (String) hts.getAttribute("_RELAYSTATE_");
          if (relayState == null || relayState.isEmpty() ||
                  !SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.IDP_ROLE)) {
      %>
          <jsp:forward page="<%= errorURL %>" />
      <%
      ...

      com.sun.identity.saml2.common.SAML2Utils.java
      ...
      public static boolean isRelayStateURLValid(HttpServletRequest request, String relayState, String role) {
          String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
          if (metaAlias == null) {
              // try to acquire the metaAlias from request parameter
              metaAlias = request.getParameter(SAML2MetaManager.NAME_META_ALIAS_IN_URI);
          }
          return isRelayStateURLValid(metaAlias, relayState, role);
      }
      ...


      In the performed use case the debugger shows

      /openam/proxyidpfinder.jsp

      for request.getRequestURI() in the above-mentioned method isRelayStateURLValid.

      Excerpt from Federation debug log:
      libSAML2:08/29/2017 04:34:57:419 PM CEST: Thread[http-nio-9191-exec-5,5,main]: TransactionId[25cca6f4-029d-416e-9903-ab2439855549-498]
      SAML2Utils.isRelayStateURLValid(): relayState http://idpproxy.pm.xyz:9191/openam/SSORedirect/metaAlias/proxyidp?SAMLRequest=jVLRbqMwEPwV5HdwIOkFrJAqbVRdpN4VBdqHvm1h0%2FoEts9rouS%2B%2FgxJe72XqK%2FrGc%2FszC6uD10b7NGS1CpncTRhAapaN1K95uyxugtTdr1cEHRtYsSqd29qi797JBd4oiJxeslZb5XQQJKEgg5JuFqUqx%2F3IokmwljtdK1bFqyI0DovdasV9R3aEu1e1vi4vc%2FZm3NGcA7GRAasU2iT6HD8I9JpOh2mfNDiZfnAgrU3IBW40fSZJxvjhQ7HyHQjLYuzmGuD3s9A2mIjLdaOd%2Bhg1UogPsI9jQV32tY4bpezHbSELNiscwYJIM5njfw1Ta6yb9PZC2awS9PXHcZZ2ngQFUAk9%2FiPRtTjRpED5XKWTOJ5OEnDJKvimUhSMZtHaRY%2Fs6A4Z3Ij1SnrSwG%2BnEAkvldVERYPZcWCp%2FfOPICdGxKjuv1czeWP4b0Ptvxa%2BkN4DThY8M%2BCHwfy0yts1oVuZX0cQu3AXTYwTGQT7kaocBYUSVSO8eVZ4f%2BjW%2F4F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=TxhzOr1wbzKLPxWE%2BtavTOKUuXbdwzgH7CIdBc7CocgI5epTaro59Bj%2F9CEcuNQ6ogA3w%2FkqMOwU3hBx6ExTQ1tbpGAZtWbcAmB5%2FaEp0%2Fxs3FIM%2FJYBg5q3xFsFsddMS%2B9n8E0mGkdPW7hKzMi5Yq58FT%2BSkIeeO3QGh7XqY%2FdZt7HF42M1W4iZ8zB7VusodPOsuxhT2vWseM7eo%2BFhCY0KHeZDrhIMBpounGdnh9Dyj%2FjCiNOQ%2BXUvHOq%2FSP9TW%2Bs60BSfjDAibXGl9O1b2yscnpbRDjo%2BBamgs9H46o9BZk2LZu74HiJ9h0XVHSJ%2F15wafGO%2BoP2ywJ7PEF76%2FA%3D%3D&requestID=s28fe9bc1fdc3e7a19fd957d48674fe50452e6e84c for role IDPRole was valid? false
      

      People

      • Reporter: bthalmayr Bernhard Thalmayr
      • Assignee: Unassigned