Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12866

Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up


    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 50, AM Sustaining Sprint 51
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      Calling IDP SSO endpoint more than once to init federation to more than 1 SP causes the IDP SSO calls to fail after the first successful IDP SSO with: Status 400 - Error processing AuthnRequest. IDP Session is NULL.

      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1. Setup 1 IDP and 2 SPs (or 2 Fedlets)
      2. Create a custom IDPAdapter that steps up auth on the 2nd idpSSOInit call
      3. Call IDPSSOInit to SP1 http://host1.example.com/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=SP1&metaAlias=/idp&binding=HTTP-POST
      4. Call IDPSSOInit to SP2 http://host1.example.com/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=SP2&metaAlias=/idp&binding=HTTP-POST

      The first will succeed. The second will fail.

      When reproducing the issue, I did the following:

      1) Installed AM 5.5.x

      2) Created a realm called "SAMLtest"

      3) In realm SAMLtest I:

          3a) Created a hosted IDP named FedletIDP.

          3b) Created 2 Fedlets named host7Fedlet and host8Fedlet

          3c) Created a new Auth Chain called "testChain" that had the LDAP module as required.

          3d) Changed the Auth Level for the LDAP auth module from 0 to 1

          3e) In the FedletIDP advanced tab, set DP Adapter Class: to com.sun.identity.saml2.plugins.StepUpIDPAdapter

      4) Created the Adapter in the OpenAM 5.5.x source at : openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml2/plugins/StepUpIDPAdapter.java

      5) modified the pom file (openam-federation/openam-federation-library/pom.xml) to add the openam-core artifactId by adding:


      in the <dependencies> section.

      6) Compiled and deployed the war file

      7) Test with:





      Expected behaviour
      Both idpSSOInit calls should succeed.
      Current behaviour
      The first idpSSOInit call succeeds, the second fails

      Work around


      Code analysis


      at the end we have:

                  try {
                      //We set the sessionIndex to a dummy value so that IDPSessionListener won't try to clear out the caches
                      //for the still valid sessionIndex.
                      oldSSOToken.setProperty(SAML2Constants.IDP_SESSION_INDEX, "dummy");
                  } catch (SSOException ssoe) {
                      debug.error("Failed to set IDP Session Index for old session", ssoe);

      but token has already been stored in FMSessionNotification, so when the session is deleted, the original sessionIndex (stored in FMSessionNotification) is used and the session is removed from the cache.


          Issue Links



              • Assignee:
                sfraser Sam Fraser
                sfraser Sam Fraser
              • Votes:
                1 Vote for this issue
                4 Start watching this issue


                • Created: