
DefaultIDPAccountMapper does not append domain value for UPN

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2
    • Fix Version/s: 13.5.3, 6.5.0, 6.0.1, 5.5.2
    • Component/s: WS Federation
    • Environment:
      Oracle JDK 1.8.0_151-b12
      Apache Tomcat/8.0.48
      OpenAM 13.5.1
    • Sprint:
      AM Sustaining Sprint 53, AM Sustaining Sprint 54
    • Story Points:
      2

      Description

      Bug description

      The domain value from either 'Domain Attribute' or 'UPN Domain' is not appended if UPN is configured as Name Id Format and 'Name Includes Domain' is unchecked.

      How to reproduce the issue

      1. Configure OpenAM
      2. Configure hosted WS-Federation 'IdP'
      3. Import remote WS-Federation 'SP'
      4. Set 'test.xyz' as value for 'UPN Domain' in hosted WS-Fed IdP config.
      5. Make sure 'Name Includes Domain' is unchecked
      6. Perform WS-Fed SSO
      Expected behaviour
      UPN should include the domain set for 'UPN Domain'.

      Current behaviour
      UPN does not include the configured domain.

      Code analysis (AM master)

      com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper.java
      ...
          public NameIdentifier getNameID(
              Object session,
              String realm,
              String hostEntityID,
              String remoteEntityID
          ) throws WSFederationException {
      ...
              if ( nameIdFormat.equals(WSFederationConstants.NAMED_CLAIM_TYPES[
                  WSFederationConstants.NAMED_CLAIM_UPN]) && ! nameIncludesDomain) {
                  // Need to get a domain from somewhere and append it to name2
                  // Try user profile first
                  String domainAttribute = 
      ...
      

      The if-clause compares the configured name ID format against the claim type URI, whereas the configured value is the display name, so the UPN branch is never entered. It needs to be changed to:

              if ( nameIdFormat.equals(WSFederationConstants.NAMED_CLAIM_DISPLAY_NAMES[
                  WSFederationConstants.NAMED_CLAIM_UPN]) && ! nameIncludesDomain) {
      
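      The decision above, modelled as a small stand-alone illustration (added here; not OpenAM code). It assumes constructed stand-ins for the WSFederationConstants arrays and a hypothetical mapUpn() that mirrors the branch, and shows why the original comparison never appends the domain while the corrected one does.

```java
// Added illustration, not OpenAM code: models the getNameID() branch from the
// ticket with constructed constants; the real WSFederationConstants arrays may differ.
public class UpnDomainCheck {
    // Constructed stand-ins (index 0 = UPN is an assumption for this example)
    static final int NAMED_CLAIM_UPN = 0;
    static final String[] NAMED_CLAIM_TYPES = { "http://schemas.xmlsoap.org/claims/UPN" };
    static final String[] NAMED_CLAIM_DISPLAY_NAMES = { "UPN" };

    /**
     * Hypothetical mirror of the domain-append decision. 'fixed' selects whether the
     * configured format is compared against the display names (corrected) or the
     * claim type URIs (original code).
     */
    static String mapUpn(String nameIdFormat, boolean nameIncludesDomain, String user,
                         String domainAttributeValue, String upnDomain, boolean fixed) {
        String[] expected = fixed ? NAMED_CLAIM_DISPLAY_NAMES : NAMED_CLAIM_TYPES;
        if (nameIdFormat.equals(expected[NAMED_CLAIM_UPN]) && !nameIncludesDomain) {
            // Try the user profile ('Domain Attribute') first, then the IdP's 'UPN Domain'
            String domain = (domainAttributeValue != null && !domainAttributeValue.isEmpty())
                    ? domainAttributeValue : upnDomain;
            if (domain != null && !domain.isEmpty()) {
                return user + "@" + domain;
            }
        }
        // No domain appended: either the branch was skipped or no domain is configured
        return user;
    }

    public static void main(String[] args) {
        // Reproduction from the ticket: format 'UPN', 'Name Includes Domain' unchecked,
        // no profile domain attribute, 'UPN Domain' set to test.xyz (constructed user name)
        String before = mapUpn("UPN", false, "bjensen", null, "test.xyz", false);
        String after  = mapUpn("UPN", false, "bjensen", null, "test.xyz", true);
        System.out.println("original comparison: " + before);
        System.out.println("corrected comparison: " + after);
        if (!after.equals("bjensen@test.xyz") || before.contains("@")) {
            throw new IllegalStateException("unexpected mapping result");
        }
    }
}
```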

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
            • Reporter:
              bthalmayr Bernhard Thalmayr