OpenAM issue OPENAM-12314

WindowsSSO / Kerberos module does not have user principal mapping for mixed-case userPrincipal

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.0.3, 12.0.1, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.1.0, 14.1.1, 14.5.0, 5.5.1
    • Fix Version/s: None
    • Component/s: authentication
    • Labels: None
    • Target Version/s:
    • Support Ticket IDs:

      Description

      The Windows SSO module authenticates and returns the user principal exactly as it was given in the Kerberos ticket. There is an option to return this value either as user@REALM or as user (extracting the bare name from the Kerberos GSS ticket).

      However, one may authenticate to Kerberos using mixed case, so the userPrincipal taken from the ticket may be USER or user, depending on what is done in the Kerberos environment (or on how kinit was invoked).

      Here is a sample Kerberos Java debug log:

      >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      MemoryCache: add 1515730131/841129/C2F0C52699F5BC010EBBBEBC842DEC44/WinGUEST@WINDOM.INTERNAL.FORGEROCK.COM to WinGUEST@WINDOM.INTERNAL.FORGEROCK.COM|HTTP/test.internal.forgerock.com@WINDOM.INTERNAL.FORGEROCK.COM
      >>> KrbApReq: authenticate succeed.
      Krb5Context setting peerSeqNumber to: 770718134
      >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      Krb5Context setting mySeqNumber to: 635859571
      

      where the actual AD UPN or sAMAccountName is "winguest", but the kinit is done to create the following TGT

      It would be good for the WSSO module to canonicalize the principal against a known field. Although there is a setting to check that the user exists in the profile, the UserPrincipal set by the WSSO module in the above case is WinGUEST, and there is no user name remapping or other treatment of it.

      This feature would be similar to what Hadoop's Kerberos integration provides with its built-in user name mapping.
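      As an added illustration (not OpenAM's code), the canonicalization this report asks for, in Java: split the realm off the GSS principal, accept only the realm the module trusts, look the bare name up case-insensitively against a configured attribute, and return the directory's stored spelling rather than the ticket's. The DirectoryLookup hook and the in-memory AD stand-in are assumptions; a real module would run an LDAP search on sAMAccountName or userPrincipalName.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Added example, not OpenAM code: map a GSS principal to the directory's stored spelling. */
public final class PrincipalCanonicalizer {
    /** Hypothetical hook: case-insensitive match on the configured attribute, returning the stored value. */
    public interface DirectoryLookup {
        Optional<String> findStoredName(String attribute, String name);
    }

    private final String expectedRealm;     // realm the module trusts, e.g. WINDOM.INTERNAL.FORGEROCK.COM
    private final String mappingAttribute;  // e.g. sAMAccountName or userPrincipalName
    private final DirectoryLookup directory;

    public PrincipalCanonicalizer(String expectedRealm, String mappingAttribute, DirectoryLookup directory) {
        this.expectedRealm = expectedRealm;
        this.mappingAttribute = mappingAttribute;
        this.directory = directory;
    }

    /**
     * gssPrincipal is the name from the Kerberos GSS ticket, e.g. "WinGUEST@WINDOM.INTERNAL.FORGEROCK.COM";
     * keepRealm mirrors the module option of returning user@REALM rather than user. Returns empty when the
     * principal is malformed, from another realm, or has no directory entry (the module should then fail, not guess).
     */
    public Optional<String> canonicalize(String gssPrincipal, boolean keepRealm) {
        int at = gssPrincipal.lastIndexOf('@');
        if (at <= 0 || at == gssPrincipal.length() - 1) {
            return Optional.empty();            // no realm component: not a well-formed Kerberos principal
        }
        String name = gssPrincipal.substring(0, at);
        String realm = gssPrincipal.substring(at + 1);
        // Only map principals from the trusted realm; a same-named user in a foreign realm
        // must not collapse onto the local account just because the bare name matches.
        if (!realm.equalsIgnoreCase(expectedRealm)) {
            return Optional.empty();
        }
        return directory.findStoredName(mappingAttribute, name)
                .map(stored -> keepRealm ? stored + "@" + expectedRealm : stored);
    }

    public static void main(String[] args) {
        // Constructed stand-in for AD: sAMAccountName values exactly as the directory stores them.
        Map<String, String> ad = Map.of("winguest", "winguest", "jdoe", "jdoe");
        DirectoryLookup lookup = (attr, n) -> Optional.ofNullable(ad.get(n.toLowerCase(Locale.ROOT)));
        PrincipalCanonicalizer c = new PrincipalCanonicalizer("WINDOM.INTERNAL.FORGEROCK.COM", "sAMAccountName", lookup);
        System.out.println(c.canonicalize("WinGUEST@WINDOM.INTERNAL.FORGEROCK.COM", false));
        System.out.println(c.canonicalize("WinGUEST@WINDOM.INTERNAL.FORGEROCK.COM", true));
        System.out.println(c.canonicalize("WinGUEST@OTHER.EXAMPLE", false));
    }
}
```

      With this in place the OIDC sub would carry the directory's spelling ("winguest") instead of whatever case the client typed at kinit.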

      WHY THIS IS IMPORTANT
      When WSSO is used as part of an OIDC flow, a wrong UserPrincipal may be used because of incorrect or mixed case. This causes the issues reported in OPENAM-10886 ("OAuth introspect endpoint returns user_id and sub with mixed case") and is similar to OPENAM-12135 ("OIDC token generated with datastore module takes case from request rather than from the datastore").

      Workaround
      Create a custom WSSO module, or, if OIDC is used, see OPENAM-7878 ("Add functionality to modify the sub at the module level to override the clientID setting").

      People

      • Assignee: Unassigned
      • Reporter: chee-weng.chea C-Weng C