OPENAM-12914

OpenDJ password policy preventing SAML dynamic user from being created

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Duplicate
    • Affects Version/s: 5.5.1
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      AM 5.5.1
      OpenDJ
    • Support Ticket IDs:

      Description

      OpenAM is acting as an SP, and the client needs to dynamically provision accounts from an incoming SAML assertion if they do not exist. The client has set up the hosted SP according to this guide: https://backstage.forgerock.com/docs/am/5.5/saml2-guide/#auto-federation
      The client wants to map users based on the mail attribute ("email" in the incoming SAML assertion).
      However, the client receives an error when a user attempts to federate (and the user is sent back to the OpenAM login screen):
      SPACSUtils.processResponse : error code=-1
      com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.

      Furthermore, the client is using a password policy from OpenDJ.

      Upon troubleshooting and running 2-3 tests: when creating a SAML dynamic user with the password policy (following the rules of the policy), it fails
      and gives the following error in the authentication logs:

      amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      Creating user entry: 
      amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      aliasList : null
      amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      userCreationAttributes is : {EEEmployeeId=[], EECaseId=[], sn=[Masek], mail=[, givenName=[]}
      amAuth:04/13/2018 12:44:02:288 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      ERROR: Cannot create user profile for: 
      amAuth:04/13/2018 12:44:02:288 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      Stack trace: 
      Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'
      
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
       at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
       at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
       at com.sun.identity.authentication.service.LoginState.createUserIdentity(LoginState.java:5448)
       at com.sun.identity.authentication.service.LoginState.createUserProfile(LoginState.java:1925)
       at com.sun.identity.authentication.service.LoginState.getCreateUserProfile(LoginState.java:2553)
       at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2394)
       at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:553)
       at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
       at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1235)
       at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1221)
       at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:245)
       at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1220)
       at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
       at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:402)
       at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:346)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:130)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(Audit
      

      In the federation logs:

      libSAML2:04/13/2018 12:44:02:292 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      ERROR: spAssertionConsumer.jsp: SSO failed.
      com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
       at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1241)
       at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
       at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:402)
       at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:346)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:130)
       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      

      In the idrepo logs:

      DJLDAPv3Repo:04/13/2018 12:44:02:284 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      ERROR: Unable to add a new entry:  attrMap: {givenName=[], cn=[], objectclass=[iplanet-am-managed-person, inetuser, sunFederationManagerDataStore, sunFMSAML2NameIdentifier, inetorgperson, devicePrintProfilesContainer, sunIdentityServerLibertyPPService, pushDeviceProfilesContainer, iPlanetPreferences, iplanet-am-user-service, forgerock-am-dashboard-service, organizationalperson, top, EEOC, kbaInfoContainer, oathDeviceProfilesContainer, person, sunAMAuthAccountLockout, iplanet-am-auth-configuration-service], sn=[Masek], inetuserstatus=[Active], EECaseId=[5], uid=[], EEEmployeeId=[], mail=[], userpassword=xxx...}
      org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:190)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:640)
       at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:554)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.tryOnNextFastPath(DemultiplexerImpl.java:432)
       at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.onNextAndOptionallyComplete(DemultiplexerImpl.java:392)
       at org.forgerock.opendj.ldap.DemultiplexerImpl.onNext(DemultiplexerImpl.java:162)
       at io.reactivex.internal.operators.flowable.FlowableDoFinally$DoFinallySubscriber.onNext(FlowableDoFinally.java:85)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachSubscriber.onNext(FlowableDoOnEach.java:91)
       at io.reactivex.internal.operators.flowable.FlowableOnErrorNext$OnErrorNextSubscriber.onNext(FlowableOnErrorNext.java:69)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.tryOnNext(FlowableFilter.java:74)
       at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.onNext(FlowableFilter.java:52)
       at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachConditionalSubscriber.onNext(FlowableDoOnEach.java:208)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter$GrizzlyReader.handleRead(GrizzlyLdapSocketFilter.java:201)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter.handleRead(GrizzlyLdapSocketFilter.java:102)
       at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
       at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
       at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
       at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:539)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
       at org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:103)
       at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:415)
       at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:384)
       at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:348)
       at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:279)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
       at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
       at java.lang.Thread.run(Thread.java:745)
      amIdm:04/13/2018 12:44:02:287 PM EDT: Thread[default task-1,5,main]: TransactionId[]
      ERROR: IdServicesImpl.create: Create: Fatal Exception
      Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'
      
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
       at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
       at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
      
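      Since the constraint-violation message above spells out the validator's rule (characters from at least 3 of the 4 listed sets), the following is an added example, not code from this ticket, from OpenAM or from OpenDJ: it models that rule in Python so a candidate userPassword can be checked locally before the LDAP ADD is attempted. The MIN_CHARACTER_SETS value is assumed from the message rather than read from the DJ configuration, and generate_compliant_password() is a hypothetical illustration of a generator that satisfies the modelled rule by construction; nothing on the page shows how AM itself generates the password for a dynamically created user.

```python
# Added example (not from the ticket, OpenAM or OpenDJ): models the OpenDJ
# "character set" password validator as described by the LDAP error text, so a
# generated password can be checked before the ADD is sent to the directory.
import secrets
import string

# The four sets quoted verbatim in the OpenDJ constraint-violation message.
SPECIALS = "~!@#$%^&*()-_=+[]{}|;:,.<>/?"
CHARACTER_SETS = (SPECIALS, string.digits, string.ascii_uppercase, string.ascii_lowercase)
# "characters from at least 3 of the following character sets": assumed to be the
# validator's minimum; the ticket only shows the message, not the DJ config.
MIN_CHARACTER_SETS = 3


def character_sets_hit(password: str) -> int:
    """Count how many of the configured sets contribute at least one character."""
    return sum(1 for charset in CHARACTER_SETS if any(c in charset for c in password))


def passes_policy(password: str, min_sets: int = MIN_CHARACTER_SETS) -> bool:
    """True if the password would be accepted by the modelled validator."""
    return character_sets_hit(password) >= min_sets


def explain(password: str) -> str:
    """Reproduce the gist of the server-side rejection for a failing password."""
    hit = character_sets_hit(password)
    if hit >= MIN_CHARACTER_SETS:
        return "ok"
    return (f"rejected: {hit} of {len(CHARACTER_SETS)} character sets present, "
            f"{MIN_CHARACTER_SETS} required")


def generate_compliant_password(length: int = 16) -> str:
    """Hypothetical generator: one character from every set, the rest drawn from
    the union of all sets, then shuffled with a CSPRNG-backed shuffle."""
    if length < len(CHARACTER_SETS):
        raise ValueError("length too short to cover every character set")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cs) for cs in CHARACTER_SETS]
    alphabet = "".join(CHARACTER_SETS)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # A lowercase hex token only ever draws on digits and lowercase letters, so it
    # hits 2 of 4 sets and is rejected for the same reason the ticket's ADD was.
    for candidate in (secrets.token_hex(12), "s3cret", "S3cret!",
                      generate_compliant_password()):
        print(f"{candidate!r}: {explain(candidate)}")
```

      Running the script shows why an entry with a randomly generated password can fail even though the attribute map itself is fine: the rejection depends only on the composition of the generated value, so any generator that draws from two character classes (hex, lowercase alphanumerics) is rejected every time under a 3-of-4 policy.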

              People

              • Assignee: Unassigned
              • Reporter: jobby.thomas Jobby Thomas
              • Votes: 0
              • Watchers: 2
