OpenAM / OPENAM-12195

Every type of error SAML2 Status Code sent by an IdP ends up as SSOFailed in saml2error.jsp

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.5.1
    • Fix Version/s: None
    • Component/s: SAML

      Description

      Bug description

      In a SAML2 flow, IdPs can send status code responses to the SP with information on why the federation failed. OpenAM (as SP) handles all of those by redirecting the flow to saml2error.jsp with a single error code, "SSOFailed". It should be possible to make the detailed status information available to saml2error.jsp.

      How to reproduce the issue

      • Start an SP-initiated SSO flow by opening:
      http://sp.example.com:38080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fidp.example.net%3A28080%2Fopenam&metaAlias=/sp
      • In a SAML tracer get the SAML Request and find the ID and issue instant:
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2459480328c664189c1b06959c5de1304d4cfbb84" Version="2.0" IssueInstant="2017-12-08T13:49:55Z"
      <skip>
      • Use the SAMLResponse template below, using the ID as value in the InResponseTo below and adapting the IssueInstant as well:
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="s282e5153cd31936c874b2933ac350078b08bb2bea"
      InResponseTo="s2459480328c664189c1b06959c5de1304d4cfbb84"
      Version="2.0"
      IssueInstant="2017-12-08T13:49:55Z"
      >
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://proxy.example.info:48080/openam</saml:Issuer>
      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
      </samlp:StatusCode>
      </samlp:Status>
      </samlp:Response>
      
      • Base64 Encode the SAMLResponse
      PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiCklEPSJzMjgyZTUxNTNjZDMxOTM2Yzg3NGIyOTMzYWMzNTAwNzhiMDhiYjJiZWEiCkluUmVzcG9uc2VUbz0iczI0NTk0ODAzMjhjNjY0MTg5YzFiMDY5NTljNWRlMTMwNGQ0Y2ZiYjg0IgpWZXJzaW9uPSIyLjAiCklzc3VlSW5zdGFudD0iMjAxNy0xMi0wOFQxMzo0OTo1NVoiCj4KPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9wcm94eS5leGFtcGxlLmluZm86NDgwODAvb3BlbmFtPC9zYW1sOklzc3Vlcj4KPHNhbWxwOlN0YXR1cz4KPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6UmVzcG9uZGVyIj4KPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6QXV0aG5GYWlsZWQiLz4KPC9zYW1scDpTdGF0dXNDb2RlPgo8L3NhbWxwOlN0YXR1cz4KPC9zYW1scDpSZXNwb25zZT4=
      • URL Encode the above:
      <URL-encoded value of the Base64 string above>
      • Use it as parameter in the following curl command:
      curl -X POST 'http://sp.example.com:38080/openam/Consumer/metaAlias/sp' --data "SAMLResponse=<URL-encoded value of the Base64 string above>" -v -L
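      The following script is an added example written for this report, not OpenAM code. It walks the reproduction steps above in one place: it builds the Status-only Response with the report's IDs and IssueInstant, Base64- and URL-encodes it for the SAMLResponse form field, and then does what the report asks of the SP side, namely walking the nested StatusCode chain (and any StatusMessage) so that a specific key such as "Responder/AuthnFailed" can be handed to an error page instead of the single "SSOFailed". The function names and the error-key format are the example's own assumptions; ElementTree is used only for illustration, and a production SP should parse untrusted SAML with a parser that has DTDs and external entities disabled.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Make serialized output use the same prefixes as the report's sample XML.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_status_response(response_id, in_response_to, issue_instant, issuer,
                          top_code, second_code=None, message=None):
    """Build an unsigned samlp:Response that carries only a Status (no Assertion),
    the shape an IdP returns when authentication fails. Values are the caller's."""
    root = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": response_id, "InResponseTo": in_response_to,
        "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_code})
    if second_code:
        # Second-level code nests inside the top-level one, as in the report.
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": second_code})
    if message:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")


def encode_for_post(xml_text):
    """Base64 then URL-encode (the report's last two preparation steps).
    Returns both forms; the URL-encoded one goes into the SAMLResponse field."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return b64, urllib.parse.quote(b64, safe="")


def extract_status(saml_response_b64):
    """SP side: decode the form value and return the full StatusCode chain,
    the optional StatusMessage and InResponseTo, i.e. the detail the report
    wants made available to saml2error.jsp."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("Response carries no Status element")
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:            # follow nested StatusCode elements
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    return {"codes": codes,
            "message": msg.text if msg is not None else None,
            "in_response_to": root.get("InResponseTo")}


def describe_status(codes):
    """Turn the chain into a stable, specific error key plus readable text,
    rather than the one catch-all key. Key format is this example's choice."""
    short = [c[len(STATUS_PREFIX):] if c.startswith(STATUS_PREFIX) else c
             for c in codes]
    if short and short[0] == "Success":
        return "Success", "IdP reported success"
    key = "/".join(short) if short else "NoStatusCode"
    return key, "IdP returned status " + (" > ".join(short) or "(none)")


if __name__ == "__main__":
    # Values taken from the report's sample Response.
    xml_text = build_status_response(
        "s282e5153cd31936c874b2933ac350078b08bb2bea",
        "s2459480328c664189c1b06959c5de1304d4cfbb84",
        "2017-12-08T13:49:55Z", "http://proxy.example.info:48080/openam",
        STATUS_PREFIX + "Responder", STATUS_PREFIX + "AuthnFailed")
    b64, url_encoded = encode_for_post(xml_text)
    print("SAMLResponse=" + url_encoded[:40] + "...")
    print(describe_status(extract_status(b64)["codes"]))
```

Running the script prints the start of the form value and the pair `('Responder/AuthnFailed', 'IdP returned status Responder > AuthnFailed')`; the same `extract_status` call on a Response with no Status at all raises instead of silently mapping to a generic failure, which is the distinction the report is asking for.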
      Expected behaviour
      The response gives a detailed error message, or the error message is made available to saml2error.jsp
      Current behaviour
      The response is a generic "Single Sign On failed". saml2error.jsp receives the same error code each time.

      People

      • Assignee: Unassigned
      • Reporter: nathalie.hoet Nathalie Hoet
      • Votes: 0
      • Watchers: 4