Affects Version/s: 14.5.0, 5.5.1
Sprint: AM Sustaining Sprint 50, AM Sustaining Sprint 51
Support Ticket IDs:
Needs QA verification: No
Are the reproduction steps defined?: Yes and I used the same as in the description
Calling IDP SSO endpoint more than once to init federation to more than 1 SP causes the IDP SSO calls to fail after the first successful IDP SSO with: Status 400 - Error processing AuthnRequest. IDP Session is NULL.
Detailed steps outlining how to recreate the issue:
- Setup 1 IDP and 2 SPs (or 2 Fedlets)
- Create a custom IDPAdapter that steps up auth on the 2nd idpSSOInit call
- Call IDPSSOInit to SP1 http://host1.example.com/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=SP1&metaAlias=/idp&binding=HTTP-POST
- Call IDPSSOInit to SP2 http://host1.example.com/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=SP2&metaAlias=/idp&binding=HTTP-POST
The first will succeed. The second will fail.
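The second step above calls for a custom IDP adapter that forces step-up authentication on the IDP-initiated SSO to the second SP. The class below is an added illustration of what such an adapter looks like; it is not the reporter's StepUpIDPAdapter. It assumes AM's DefaultIDPAdapter base class and the SessionProvider/SessionManager session API with the preAuthentication signature shown, that the hosted IDP runs in realm SAMLtest with the "testChain" chain at auth level 1 (both from the ticket), and that the SP which needs the higher level is named SP2 (an assumed name matching the repro URLs).

```java
// Illustrative step-up IDP adapter (added example, not the reporter's class).
// Assumptions: com.sun.identity.saml2.plugins.DefaultIDPAdapter as the base class and the
// preAuthentication(...) signature below; both are from the SAML2IdentityProviderAdapter SPI.
package com.sun.identity.saml2.plugins;

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.protocol.AuthnRequest;

public class StepUpIDPAdapter extends DefaultIDPAdapter {

    // SP whose assertions require the stronger chain (assumed name, mirrors the repro URLs).
    private static final String STEP_UP_SP = "SP2";
    // Auth level reached by "testChain" after the LDAP module was raised from 0 to 1 (from the ticket).
    private static final int REQUIRED_AUTH_LEVEL = 1;
    private static final String STEP_UP_CHAIN = "testChain";

    // Called by the IDP after it has located the user's session and before an assertion is issued.
    // Returning true means the adapter has written the HTTP response itself and AM must stop.
    @Override
    public boolean preAuthentication(String hostedEntityID, String realm, HttpServletRequest request,
            HttpServletResponse response, AuthnRequest authnRequest, Object session, String reqID,
            String relayState) throws SAML2Exception {
        if (session == null) {
            return false; // no session yet: let AM run its normal authentication
        }
        // IDP-initiated SSO carries no AuthnRequest; the target SP comes from the idpSSOInit.jsp parameter.
        String spEntityID = (authnRequest != null) ? authnRequest.getIssuer().getValue()
                                                   : request.getParameter("spEntityID");
        if (!STEP_UP_SP.equals(spEntityID) || currentAuthLevel(session) >= REQUIRED_AUTH_LEVEL) {
            return false; // level already sufficient, or this SP needs no step-up
        }
        // Step up: send the user through the stronger chain, then back to this same SSO request.
        String query = request.getQueryString();
        String gotoUrl = request.getRequestURL().toString() + (query != null ? "?" + query : "");
        String loginUrl = request.getContextPath() + "/UI/Login"
                + "?realm=" + enc(realm)
                + "&service=" + enc(STEP_UP_CHAIN)
                + "&goto=" + enc(gotoUrl);
        try {
            response.sendRedirect(loginUrl);
        } catch (IOException e) {
            throw new SAML2Exception(e.getMessage());
        }
        return true;
    }

    // Reads the session's AuthLevel property; a missing or malformed value is treated as level 0
    // so that a broken session can never satisfy the step-up requirement by accident.
    private static int currentAuthLevel(Object session) throws SAML2Exception {
        try {
            SessionProvider provider = SessionManager.getProvider();
            String[] levels = provider.getProperty(session, SessionProvider.AUTH_LEVEL);
            if (levels == null || levels.length == 0 || levels[0] == null) {
                return 0;
            }
            return Integer.parseInt(levels[0].trim());
        } catch (SessionException | NumberFormatException e) {
            return 0;
        }
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

With this adapter configured as the hosted IDP's adapter class, the IDP SSO to SP1 completes against the existing session, while the IDP SSO to SP2 is redirected through testChain first and only then resumes the idpSSOInit.jsp request via the goto parameter, which is the sequence in which the reporter observes the "IDP Session is NULL" failure on the second call.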
When reproducing the issue, I did the following:
1) Installed AM 5.5.x
2) Created a realm called "SAMLtest"
3) In realm SAMLtest I:
3a) Created a hosted IDP named FedletIDP.
3b) Created 2 Fedlets named host7Fedlet and host8Fedlet
3c) Created a new Auth Chain called "testChain" that had the LDAP module as required.
3d) Changed the Auth Level for the LDAP auth module from 0 to 1
3e) In the FedletIDP advanced tab, set IDP Adapter Class: to com.sun.identity.saml2.plugins.StepUpIDPAdapter
4) Created the Adapter in the OpenAM 5.5.x source at: openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/plugins/StepUpIDPAdapter.java
5) Modified the pom file (openam-federation/openam-federation-library/pom.xml) to add the openam-core artifactId by adding:
in the <dependencies> section.
6) Compiled and deployed the war file
7) Test with:
At the end we have:
but the token has already been stored in FMSessionNotification, so when the session is deleted, the original sessionIndex (stored in FMSessionNotification) is used and the session is removed from the cache.