Details
-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 13.5.0, 13.5.1, 13.5.2, 14.1.0, 14.1.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 5.5.2
-
Component/s: debug logging, SAML
-
Labels:
-
Sprint:AM Sustaining Sprint 59, AM Sustaining Sprint 60
-
Story Points:1
-
Needs backport:No
-
Support Ticket IDs:
-
Verified Version/s:
-
Needs QA verification:No
-
Functional tests:No
-
Are the reproduction steps defined?: Yes, and I used the same as in the description
Description
Bug description
In a SAML2 federation, especially one with multiple SP instances, the SP authenticates to the IDP and the IDP's response lands on a different SP instance from the one that issued the request. With SAML2 failover not enabled (and the request definitely not sticky to the original SP instance), we get exceptions like:
ERROR: SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: s238be86c72f2c10936e05a4e38a62353d91e18905, SAML2 failover is enabled
libSAML2:10/29/2018 03:41:38:189 PM GMT: Thread[http-nio-33280-exec-27,5,main]: TransactionId[f5c42388-eefe-4834-95e9-8b66f73febd8-27059047]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Response's InResponseTo attribute is not valid.
at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:346)
The failure itself is correct, BUT when debugging the issue, the line
SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: ...., SAML2 failover is enabled
is printed by SAML2Utils.verifyResponse (SAML2Utils.java:346), whereas the error message should say that SAML2 failover is NOT enabled.
How to reproduce the issue
- Two or more SPs and one IDP
- Make sure SAML2 failover is not enabled on the SPs
- Perform SP-initiated SSO and arrange that the IDP's POST response lands on another SP instance
- (Alternatively, I believe a single SP can also be used: once the request has gone to the IDP, restart the SP, then proceed with the IDP so that the response lands back on the SP with no cache or information about the original request.)
Expected behaviour
"SAML2 failover is NOT enabled." should be printed, so that everyone knows they did NOT enable SAML2 failover, which is required for a multi-instance cluster.
Current behaviour
"SAML2 failover is enabled." is printed, which is wrong, at SAML2Utils.java:346.
Work around
Code analysis
SAML2Utils.java
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
    ....
} else {
    // This is the branch where failover is NOT enabled, yet the message still says it is enabled.
    debug.error(method + "InResponseTo attribute in Response"
            + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
}
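To show why the InResponseTo check fails when a Response lands on a different SP instance, and what each branch of the check should log, here is an added, self-contained illustration. It is not OpenAM code: SpInstance, SharedRequestStore and this verifyResponse are hypothetical names chosen for the example, and the shared store merely stands in for the SAML2 failover store. The one request ID used is the one quoted in the ticket's log line; the second is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration (not OpenAM code): how an SP instance checks a Response's
// InResponseTo against the AuthnRequest it issued, with and without a shared
// failover store. All class and method names here are hypothetical.
public class InResponseToCheckDemo {

    /** Hypothetical shared store standing in for the SAML2 failover store. */
    static final class SharedRequestStore {
        private final Map<String, String> requests = new HashMap<>();
        void put(String requestId, String relayState) { requests.put(requestId, relayState); }
        boolean contains(String requestId) { return requests.containsKey(requestId); }
    }

    /** One SP instance in a cluster; each instance has only its own in-memory request cache. */
    static final class SpInstance {
        private final String name;
        private final Map<String, String> localRequests = new HashMap<>();
        private final SharedRequestStore failoverStore; // null when SAML2 failover is disabled
        private final StringBuilder debugLog = new StringBuilder();

        SpInstance(String name, SharedRequestStore failoverStore) {
            this.name = name;
            this.failoverStore = failoverStore;
        }

        String name() { return name; }

        boolean isSaml2FailoverEnabled() { return failoverStore != null; }

        /** Issues an AuthnRequest: remembers its ID locally and, if failover is enabled, in the shared store. */
        String sendAuthnRequest(String requestId) {
            String relayState = "relayState-for-" + requestId;
            localRequests.put(requestId, relayState);
            if (isSaml2FailoverEnabled()) {
                failoverStore.put(requestId, relayState);
            }
            return requestId;
        }

        /** Verifies InResponseTo of an incoming Response; true only when the request is known. */
        boolean verifyResponse(String inResponseTo) {
            String method = "SAML2Utils.verifyResponse:";
            if (localRequests.containsKey(inResponseTo)) {
                return true; // normal case: the Response came back to the issuing instance
            }
            if (isSaml2FailoverEnabled()) {
                if (failoverStore.contains(inResponseTo)) {
                    return true; // another instance issued it; the shared store lets us accept it
                }
                debugLog.append(method).append("InResponseTo attribute in Response is invalid: ")
                        .append(inResponseTo).append(", SAML2 failover is enabled\n");
                return false;
            }
            // The branch the ticket is about: failover is NOT enabled, so the message must say so.
            debugLog.append(method).append("InResponseTo attribute in Response is invalid: ")
                    .append(inResponseTo).append(", SAML2 failover is NOT enabled\n");
            return false;
        }

        String debugLog() { return debugLog.toString(); }
    }

    public static void main(String[] args) {
        // Scenario 1: two SP instances, no failover; the IDP POSTs the Response to sp2.
        SpInstance sp1 = new SpInstance("sp1", null);
        SpInstance sp2 = new SpInstance("sp2", null);
        String id1 = sp1.sendAuthnRequest("s238be86c72f2c10936e05a4e38a62353d91e18905");
        System.out.println("no failover, Response on " + sp2.name() + ": " + sp2.verifyResponse(id1));
        System.out.print(sp2.debugLog());

        // Scenario 2: the same cluster with a shared failover store; sp4 can now accept sp3's Response.
        SharedRequestStore shared = new SharedRequestStore();
        SpInstance sp3 = new SpInstance("sp3", shared);
        SpInstance sp4 = new SpInstance("sp4", shared);
        String id2 = sp3.sendAuthnRequest("constructed-request-id-2");
        System.out.println("failover, Response on " + sp4.name() + ": " + sp4.verifyResponse(id2));
        System.out.print(sp4.debugLog());
    }
}
```

Compile and run with `javac InResponseToCheckDemo.java && java InResponseToCheckDemo`. In the first scenario the check fails and the log line ends in "SAML2 failover is NOT enabled", which is exactly what the ticket asks the real code to print; in the second the shared store makes the cross-instance Response verifiable, so nothing is logged.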