OPENAM-12417

IdP initiated SSO fails

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.0.0
    • Fix Version/s: None
    • Component/s: None

      Description

      Bug description

      IdP initiated SSO fails in master build (February 1st, 2018).

      How to reproduce the issue

      1. Deploy two AM instances, each using host-level cookies (e.g. idp.amtest2.com and sp.amtest2.com) and using SSL in Tomcat (https://idp.amtest2.com:9443/access, https://sp.amtest2.com:7443/access).
      2. Note that the keystore was set up to include the CA cert and the certs for both idp and sp, and then the keystore was copied to each server (so both AM instances had visibility of all certs). Also added the CA cert to the JDK cacerts truststore.
      3. In IdP, create a hosted IdP, circle of trust test_idp, using the test signing cert, and mapping the mail attribute to mail.
      4. In SP, create a hosted SP.
      5. In IdP create a remote SP, and in SP create a remote IdP. Note that the metadata URLs need to be the http versions of the paths to the metadata in order for creation to succeed.
      6. In SP, set Auto Federation to true and set the attribute as the mail attribute.
      7. In the hosted and remote SP definitions, change the ACS service endpoints from Consumer to AuthConsumer.
      8. In IdP create a user, e.g. testuser1, and set a mail attribute.
      9. In SP create a SAML authentication module, referencing the IdP's https URL. Create a chain, e.g. saml2Chain, adding the above authentication module as required.
      10. Perform an SP initiated SSO using the URL https://sp.amtest2.com:743/access?service=saml2Chain. Verify that this is successful and that the user is directed to the profile page at the SP.
      11. Perform an IdP initiated SSO using https://idp.amtest2.com:9443/access/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://sp.amtest2.com:7443/access.

      Expected behaviour

      IdP initiated SSO should allow the user to authenticate and then show the SSO successful message.

      Current behaviour

      After the user authenticates, the following error message is displayed at the SP:
      exception
      
      javax.servlet.ServletException: AMSetupFilter.doFilter
      com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:141)
      org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      
      root cause
      org.apache.jasper.JasperException: An exception occurred processing JSP page /saml2/jsp/saml2AuthAssertionConsumer.jsp at line 29
      
      26:
      27:    Portions Copyrighted 2012-2016 ForgeRock AS.
      28: --%><%@page import="org.forgerock.openam.authentication.modules.saml2.SAML2Proxy,
      29: java.io.PrintWriter" %><% SAML2Proxy.processSamlResponse(request, response, new PrintWriter(out, true)); %>
      
      Stacktrace:
      org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:580)
      org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:472)
      org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
      org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      root cause
      java.lang.IllegalStateException: Request not valid!
      org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrlWithKey(SAML2Proxy.java:232)
      org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:218)
      org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:126)
      org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:84)
      org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
      org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
      org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
      org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)

      Work around

      None. The same configuration and test scenario as above produce the expected result on 5.5.1.

            People

            • Assignee: Unassigned
            • Reporter: Lawrence Yarham (lawrence.yarham)