[OPENAM-13892] Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not - ForgeRock JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.0, 13.5.1, 13.5.2, 14.1.0, 14.1.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 5.5.2
Fix Version/s: 6.0.0.7, 6.5.1, 6.0.1, 7.0.0
Component/s: debug logging, SAML
Labels:
- EDISON

Target Version/s:

6.0.0.7, 6.5.1, 7.0.0
Rank:
1|hzx1z3:

Sprint:
AM Sustaining Sprint 59, AM Sustaining Sprint 60
Story Points:
1
Needs backport:

No

Support Ticket IDs:

Verified Version/s:

6.0.0.7
Needs QA verification:

No
Functional tests:

No
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

When having a SAML2 federation and especially having mutliple instances, when the SP authenticate to IDP and the response lands back onto a different SP instance from the original instamce, without SAML2 failover (and definitely the request is not sticky back to the original SP instance), then we get some exceptions like

 ERROR: SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: s238be86c72f2c10936e05a4e38a62353d91e18905, SAML2 failover is enabled
libSAML2:10/29/2018 03:41:38:189 PM GMT: Thread[http-nio-33280-exec-27,5,main]: TransactionId[f5c42388-eefe-4834-95e9-8b66f73febd8-27059047]
ERROR: spAssertionConsumer.jsp: SSO failed.

com.sun.identity.saml2.common.SAML2Exception: Response's InResponseTo attribute is not valid.
 at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:346)

There is nothing wrong here BUT when debugging the issue is that the line

 SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: ...., SAML2 failover is enabled

printed in SAML2Utils.verifyResponse(SAML2Utils.java:346)

As the error supposed to be SAML2 failover is NOT enabled.

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

Two or more SP and one IDP
Make sure the SP does not enable SAML2 failover
Perform a SP SSO and when IDP response via POST that this lands on another SP
(alternatively i believe 1 SP can also be used but when the request goes to IDP, restart SP) and then proceed with IDP so that the request lands back on SP with no cache or information of the original SP request.

Expected behaviour

SAML2 failover is NOT enabled. should be printed. So that everyone knows
that they DID not enable SAML2 faiover which is required for multiple cluster.

Current behaviour

SAML2 failover is enabled. printed wrong for SAML2Utils,java:346

Work around

Code analysis

SAML2Utils.java

 if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
....
} else {
      // THIS IS INSIDE NO FAILOVER enabled !!!! but it still mis logged.
     debug.error(method + "InResponseTo attribute in Response"
                              + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
}

Attachments

Activity

People

Assignee:: Joe Starling

Reporter:: C-Weng C

QA Assignee:: Filip Kubáň [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018-10-31 6:27 AM

Updated:: 2019-04-26 2:02 PM

Resolved:: 2019-03-07 1:58 PM