
Custom Admin can't view SAML or configuration tab

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.5.0, 6.0.0
    • Fix Version/s: None
    • Component/s: SAML, XUI
    • Labels: None
    • Environment: OpenAM 5.5

    Description

      Bug description

      A custom administrator, or a new user with all the admin rights, can't view a realm/sub-realm SAML configuration. The page states "Forbidden". Furthermore, the SAML interface shows the classic view.

      How to reproduce the issue

      • Create sub-realm, e.g. subscribers
      • In the sub-realm, delete the embedded datastore. Add an external user store, e.g. an OpenDJ instance.
      • In this datastore and realm, create a user e.g. testAdminUser1
      • Create a group e.g. TestAdminGroup1.  Grant Read and write to all realm and policy properties privilege to this group and add the above user to the group.
      • Logout and login as TestAdminUser1.
      • The first page seen is the realms page listing just the sub-realm. Click on this. Then click Applications -> SAML. A page that looks like the classic UI realm dashboard appears (matching the screenshot the customer supplies), rather than the existing JATO page that shows Circles of Trust at the top.
      • On this page, click the Configuration tab. I think this takes the user to the global configuration, so it makes sense that they are not authorized to view this. The issue is that it's included on the previous page.

      Expected behaviour

      Able to configure Federation pages.

      Current behaviour

      No access to Federation configuration in the sub-realm.

      Workaround

      • As a non-builtin admin user, you can retrieve that SP config via REST, adjust its entity ID etc. and PUT it back as a new SP successfully.
      • As a temp workaround, making my custom admin user the super user via com.sun.identity.authentication.super.user also resolves the issue. Subsequently, the same issue occurs for amadmin, as expected.
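
      The script below is an added example, not code from the OpenAM project or from this issue. It automates the first workaround above as the delegated admin: authenticate, GET a hosted SP entity's JSON from the realm-scoped SAML2 endpoint, change its entity ID, drop the server-managed fields, and PUT the result back as a new SP. The endpoint paths (realm-config/saml2/hosted, the authenticate endpoint and its X-OpenAM-* headers), the iPlanetDirectoryPro cookie name, the Accept-API-Version values and the entityId/_id/_rev field names are assumptions to be checked against the AM version in use; SAMPLE_SP is a constructed entity, not taken from a real deployment. The second workaround deserves a caveat the issue does not spell out: com.sun.identity.authentication.super.user grants the listed account top-level administrator rights, which removes the realm scoping that the group privilege in the reproduction steps was meant to provide.

```python
"""Clone a hosted SAML2 SP entity in a sub-realm through the OpenAM REST API.

Added example, not code from the OpenAM project or from this issue.
Assumptions (not confirmed by the issue text):
  * /json/realms/root[/realms/<sub>]/authenticate with the headers
    X-OpenAM-Username and X-OpenAM-Password returns {"tokenId": ...}
  * hosted entities live under realm-config/saml2/hosted and are
    addressed by the URL-quoted entity ID
  * the session cookie is named iPlanetDirectoryPro
  * the entity JSON carries entityId plus server-managed _id / _rev
"""
import copy
import json
import urllib.parse
import urllib.request

SESSION_COOKIE = "iPlanetDirectoryPro"      # default AM session cookie (assumption)
SERVER_MANAGED = ("_id", "_rev")            # assigned by AM on create (assumption)
SAML2_HOSTED = "realm-config/saml2/hosted"  # realm-scoped hosted-entity path (assumption)


def realm_url(base, realm, path):
    """Build a realm-scoped JSON URL: realm "/" maps to the top level and
    "/a/b" to .../json/realms/root/realms/a/realms/b/<path>."""
    base = base.rstrip("/")
    segs = [s for s in realm.strip("/").split("/") if s]
    realm_part = "".join(f"/realms/{s}" for s in segs)
    return f"{base}/json/realms/root{realm_part}/{path.lstrip('/')}"


def clone_sp_config(config, new_entity_id):
    """Return a copy of an SP entity ready to be created under a new ID:
    entityId replaced, server-managed fields dropped, source left untouched."""
    if not new_entity_id or new_entity_id == config.get("entityId"):
        raise ValueError("new entity ID must be set and differ from the source")
    clone = copy.deepcopy(config)
    clone["entityId"] = new_entity_id
    for key in SERVER_MANAGED:
        clone.pop(key, None)
    return clone


def _json_request(method, url, headers, body=None):
    """One JSON round trip. A 403 (the "Forbidden" from the issue) surfaces
    as urllib.error.HTTPError rather than being swallowed."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def authenticate(base, realm, username, password):
    """Zero-page login as the delegated admin; returns the SSO token."""
    url = realm_url(base, realm, "authenticate")
    reply = _json_request("POST", url, {
        "Accept-API-Version": "resource=2.0, protocol=1.0",
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
    }, body={})
    return reply["tokenId"]


def clone_hosted_sp(base, realm, token, source_entity_id, new_entity_id):
    """GET the source SP, rewrite it, and PUT it as a new entity.
    If-None-Match: * makes the PUT create-only (CREST semantics), so an
    existing entity that already has the new ID is never overwritten."""
    headers = {SESSION_COOKIE: token, "Accept-API-Version": "resource=1.0"}
    src = f"{SAML2_HOSTED}/{urllib.parse.quote(source_entity_id, safe='')}"
    source = _json_request("GET", realm_url(base, realm, src), headers)
    new_cfg = clone_sp_config(source, new_entity_id)
    dst = f"{SAML2_HOSTED}/{urllib.parse.quote(new_entity_id, safe='')}"
    return _json_request("PUT", realm_url(base, realm, dst),
                         {**headers, "If-None-Match": "*"}, body=new_cfg)


# Constructed sample entity (not from a real deployment) showing what
# clone_sp_config does to the GET result before the PUT.
SAMPLE_SP = {
    "_id": "aHR0cHM6Ly9zcC5leGFtcGxlL29sZA",
    "_rev": "1",
    "entityId": "https://sp.example/old",
    "serviceProvider": {"assertionProcessing": {"attributeMapper": {}}},
}

if __name__ == "__main__":
    print(json.dumps(clone_sp_config(SAMPLE_SP, "https://sp.example/new"), indent=2))
```

      Run against a live server as clone_hosted_sp(base, "/subscribers", authenticate(base, "/subscribers", "testAdminUser1", pw), old_id, new_id). If the GET itself returns 403 for the delegated admin, the REST path is affected by the same authorization problem as the XUI page and the workaround does not apply to that build.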

      Code analysis

    People

        Assignee: Unassigned
        Reporter: Jobby Thomas (jobby.thomas)
        Votes: 1
        Watchers: 13