OpenAM / OPENAM-12770

Some SAML assertions are not deserialized from SAML2 Token.

    Details

    • Sprint:
      AM Sustaining Sprint 51
    • Story Points:
      5
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When we save SAML artifacts such as Assertions and AuthnStatements to the CTS store, we serialize them into JSON and later deserialize them back. Unfortunately, for some of these types the round trip is not complete. One example is the SubjectLocality element (some others may also need to be corrected to make the round trip complete).

      TransactionId[b639cd46-bfea-441c-aa57-ee1023423f5f-22780538]
      Exception
      javax.security.auth.login.LoginException: java.lang.IllegalStateException: Failed to deserailise SAML2ResponseData
              at org.forgerock.openam.cts.utils.JSONSerialisation.deserialise(JSONSerialisation.java:84)
              at org.forgerock.openam.cts.adapters.SAMLAdapter.fromToken(SAMLAdapter.java:111)
              at org.forgerock.openam.cts.adapters.SAMLAdapter.fromToken(SAMLAdapter.java:29)
              at org.forgerock.openam.cts.impl.SAML2CTSPersistentStore.retrieveSAML2Token(SAML2CTSPersistentStore.java:79)
              at com.sun.identity.saml2.common.SAML2FailoverUtils.retrieveSAML2Token(SAML2FailoverUtils.java:72)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.handleReturnFromRedirect(SAML2.java:323)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.process(SAML2.java:186)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1061)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1251)
              at sun.reflect.GeneratedMethodAccessor148.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      ....
      .....
      Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not construct instance of com.sun.identity.saml2.assertion.SubjectLocality: abstract types either need to be mapped to concrete types, have custom deserializer, or contain additional type information
      

      How to reproduce the issue

      The above is from AM14

      1. OpenAM SP contacting a Shibboleth IDP that returns SubjectLocality and using OpenAM SAML2 Authentication Module
      2. OpenAM using SAML2 Auth Module with SAML2 Failover enabled.

      A unit test of JSONSerialisation on an AuthnStatement that contains a SubjectLocality reproduces the same failure.

      Expected behaviour
      An assertion whose AuthnStatement contains a SubjectLocality should not cause issues.

      Current behaviour
      The SAML2 Auth module cannot work.


      Workaround

      • Configure the IDP side not to send SubjectLocality.
      • Disable AM SAML2 Failover (and hope everything stays sticky to the same AM instance).

      Code analysis

      SubjectLocality.java needs the imports

      import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
      import com.sun.identity.saml2.assertion.impl.SubjectLocalityImpl;

      and the interface needs the annotation

      @JsonDeserialize(as=SubjectLocalityImpl.class)

      like the rest of the assertion interfaces.

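      The following is an added, self-contained illustration of the failure and of the fix proposed above; it is not OpenAM code. The interfaces and classes (UnmappedLocality, MappedLocality, LocalityImpl, the two Statement holders) are constructed stand-ins for SubjectLocality, SubjectLocalityImpl and the AuthnStatement that contains them, and the sample address and DNS name are made up. It assumes jackson-databind 2.x on the classpath. Run main() to see the unannotated interface fail with the same "abstract types either need to be mapped to concrete types" message that appears in the stack trace, and the annotated one round-trip cleanly.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;

/**
 * Constructed stand-in for the SAML2 assertion object model: one interface with
 * no concrete-type hint (the state SubjectLocality is in) and one carrying the
 * @JsonDeserialize hint the ticket proposes. Names are hypothetical.
 */
public class AbstractTypeRoundTrip {

    /** No hint: Jackson can serialize it via the getters but cannot read it back. */
    public interface UnmappedLocality {
        String getAddress();
        String getDnsName();
    }

    /** Same shape, annotated so Jackson knows which class to instantiate. */
    @JsonDeserialize(as = LocalityImpl.class)
    public interface MappedLocality {
        String getAddress();
        String getDnsName();
    }

    /** Single implementation. Jackson needs the no-arg constructor and the setters. */
    public static class LocalityImpl implements MappedLocality, UnmappedLocality {
        private String address;
        private String dnsName;

        public LocalityImpl() { }

        public LocalityImpl(String address, String dnsName) {
            this.address = address;
            this.dnsName = dnsName;
        }

        @Override public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
        @Override public String getDnsName() { return dnsName; }
        public void setDnsName(String dnsName) { this.dnsName = dnsName; }
    }

    /** Containers standing in for the AuthnStatement that holds the locality. */
    public static class UnmappedStatement { public UnmappedLocality locality; }
    public static class MappedStatement   { public MappedLocality locality; }

    /**
     * Serializes the statement and immediately deserializes it again, the same
     * write-then-read cycle the CTS store performs. Returns true only when the
     * round trip completes.
     */
    static boolean roundTrip(ObjectMapper mapper, Object statement, Class<?> type) {
        try {
            String json = mapper.writeValueAsString(statement);
            System.out.println("serialized:   " + json);
            Object back = mapper.readValue(json, type);
            System.out.println("deserialized: " + back.getClass().getSimpleName());
            return true;
        } catch (JsonMappingException e) {
            // The failure mode from the stack trace: Jackson refuses to instantiate
            // an abstract type it has no concrete mapping for.
            System.out.println("round trip failed: " + e.getOriginalMessage());
            return false;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed sample values, not taken from any real assertion.
        LocalityImpl locality = new LocalityImpl("192.0.2.10", "sp.example.test");

        // Interface without the hint: serialization succeeds, deserialization fails.
        UnmappedStatement broken = new UnmappedStatement();
        broken.locality = locality;
        System.out.println("unmapped ok = " + roundTrip(mapper, broken, UnmappedStatement.class));

        // Interface with @JsonDeserialize(as = ...): the full round trip completes.
        MappedStatement fixed = new MappedStatement();
        fixed.locality = locality;
        System.out.println("mapped ok   = " + roundTrip(mapper, fixed, MappedStatement.class));
    }
}
```

      Two things make the round trip complete rather than merely compile: the implementation must have a no-arg constructor, and every property its getters emit on the way out must have a matching setter (or field Jackson can write) on the way back in, otherwise a default ObjectMapper rejects the unknown property. A unit test that serializes and deserializes each assertion type, as the ticket suggests for AuthnStatement with SubjectLocality, is the cheapest way to catch the other elements the description says may still be missing.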

      People

      • Assignee: chee-weng.chea (C-Weng C)
      • Reporter: chee-weng.chea (C-Weng C)