Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1
Fix Version/s: None
Environment: Mac OS X 10.11.6
java version "1.7.0_76"
Java(TM) SE Runtime Environment (build 1.7.0_76-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.76-b04, mixed mode)
Apache Tomcat 8
Signature validation of the SAML assertion fails because the certificate used to validate the signature is cached based on the entityID and role, but not based on the realm.
Steps to recreate the issue:
- Configure OpenAM instance 1 to be used as SP
- Create a hosted SP in the default realm
- Create sub-realm 'test'
- Create a hosted SP in sub-realm 'test'
- Configure OpenAM instance 2 to be used as IdP
- Create two key pairs 'idp1' and 'idp2' in the default keystore of the IdP
- Restart the OpenAM deployment container
- Create a hosted IdP in the default realm using key pair 'idp1'
- Create a hosted IdP in sub-realm 'test' using key pair 'idp1'
- Configure the remote SP/IdP entities in the realms of the IdP and the SP
- Perform SP-initiated SSO with the SP in sub-realm 'test'; use 'frontchannel bindings' and NameID Format 'transient'
- Restart the browser, log out, or remove the OpenAM SSO tracking cookies
- Perform SP-initiated SSO with the SP in the default realm; use 'frontchannel bindings' and NameID Format 'transient'
Workaround: use unique entityIDs in all realms.
As the method KeyUtil.getVerificationCerts(....) is used in other use-cases as well, further bugs of the same kind are likely.
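The following Java program is an added illustration of the cache-key defect described above and of the reproduction sequence; it is not OpenAM code and does not use KeyUtil. It models the SP's verification-certificate cache twice, once keyed on entityID and role (as the report describes) and once with the realm added to the key, then replays the two SSO flows: first the SP in sub-realm 'test', then the SP in the default realm, both against a remote IdP registered under the same entityID in both realms. The realm names, the entityID, the role name and the two RSA key pairs are all constructed here, and the program assumes the remote IdP metadata in each realm carries a different signing key (idp1 in '/', idp2 in '/test'), which is the situation the entityID+role key cannot tell apart.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

// Added example, not OpenAM code. Realm names, entityID, role and keys are constructed.
public class RealmScopedCertCache {

    static final String IDP_ENTITY_ID = "https://idp.example.test/openam"; // constructed
    static final String ROLE_IDP = "IDPRole";                              // constructed

    /** Per-realm remote-entity metadata: realm -> (entityID|role -> verification key). */
    static final Map<String, Map<String, PublicKey>> metadataByRealm = new HashMap<>();

    /** Defective cache, keyed as the report describes: entityID + role, realm ignored. */
    static final Map<String, PublicKey> cacheByEntityAndRole = new HashMap<>();

    /** Corrected cache: the realm is part of the key, so realms cannot shadow each other. */
    static final Map<String, PublicKey> cacheByRealmEntityAndRole = new HashMap<>();

    static void registerRemoteEntity(String realm, String entityId, String role, PublicKey key) {
        metadataByRealm.computeIfAbsent(realm, r -> new HashMap<>()).put(entityId + "|" + role, key);
    }

    static PublicKey loadFromMetadata(String realm, String entityId, String role) {
        Map<String, PublicKey> realmMetadata = metadataByRealm.get(realm);
        return realmMetadata == null ? null : realmMetadata.get(entityId + "|" + role);
    }

    /** Lookup through the defective key: the first realm to ask populates the entry for all realms. */
    static PublicKey verificationKeyBuggy(String realm, String entityId, String role) {
        return cacheByEntityAndRole.computeIfAbsent(entityId + "|" + role,
                k -> loadFromMetadata(realm, entityId, role));
    }

    /** Lookup through the realm-scoped key: each realm resolves its own metadata. */
    static PublicKey verificationKeyFixed(String realm, String entityId, String role) {
        return cacheByRealmEntityAndRole.computeIfAbsent(realm + "|" + entityId + "|" + role,
                k -> loadFromMetadata(realm, entityId, role));
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        if (key == null) return false; // no metadata for this realm: treat as validation failure
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp1 = kpg.generateKeyPair(); // stands in for keystore alias 'idp1'
        KeyPair idp2 = kpg.generateKeyPair(); // stands in for keystore alias 'idp2' (assumption)

        // Remote IdP metadata as imported into each SP realm: same entityID, different key.
        registerRemoteEntity("/", IDP_ENTITY_ID, ROLE_IDP, idp1.getPublic());
        registerRemoteEntity("/test", IDP_ENTITY_ID, ROLE_IDP, idp2.getPublic());

        byte[] assertion = "<saml:Assertion>constructed</saml:Assertion>"
                .getBytes(StandardCharsets.UTF_8);

        // Flow 1: SP in sub-realm 'test' validates an assertion the 'test' IdP signed with idp2.
        byte[] sigTest = sign(idp2.getPrivate(), assertion);
        boolean buggyTest = verify(verificationKeyBuggy("/test", IDP_ENTITY_ID, ROLE_IDP), assertion, sigTest);

        // Flow 2: SP in the default realm validates an assertion the default IdP signed with idp1.
        // The defective cache returns the key it stored for '/test' during flow 1.
        byte[] sigDefault = sign(idp1.getPrivate(), assertion);
        boolean buggyDefault = verify(verificationKeyBuggy("/", IDP_ENTITY_ID, ROLE_IDP), assertion, sigDefault);

        // The same two flows through the realm-scoped cache.
        boolean fixedTest = verify(verificationKeyFixed("/test", IDP_ENTITY_ID, ROLE_IDP), assertion, sigTest);
        boolean fixedDefault = verify(verificationKeyFixed("/", IDP_ENTITY_ID, ROLE_IDP), assertion, sigDefault);

        System.out.println("entityID+role cache, sub-realm 'test': " + buggyTest);
        System.out.println("entityID+role cache, default realm:    " + buggyDefault);
        System.out.println("realm-scoped cache, sub-realm 'test':  " + fixedTest);
        System.out.println("realm-scoped cache, default realm:     " + fixedDefault);
    }
}
```

Compile and run with `javac RealmScopedCertCache.java && java RealmScopedCertCache`. The second line of output is the failure this issue reports: the default-realm SP receives the key cached for '/test' and rejects a validly signed assertion. Registering the IdP under distinct entityIDs per realm (the workaround above) sidesteps the collision because the cache keys no longer coincide; adding the realm to the key, as the second cache does, removes the collision regardless of how entityIDs are chosen.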