OpenAM / OPENAM-13942

SAML2 Circle of Trust - REST Update doesn't update the metadata of the provider


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.0.0.7, 6.5.2
    • Fix Version/s: 7.0.0
    • Labels: rest, SAML

      Description

      Bug description

      Updating a COT through the REST API does not update the "cotlist" attribute in the entity provider's extended metadata.

      When using the Console or ssoadm, "cotlist" is updated.

      How to reproduce the issue

      1. Review the remote SP's extended metadata before import; its cotlist attribute reads:
        <Attribute name="cotlist">
            <Value>spcot</Value>
        </Attribute>

      2. Register the remote SP in the IDP without assigning it to an IDP COT.
      3. Now assign it to the IDP COT using the following update command:
        curl -X PUT \
          --header 'iPlanetDirectoryPro: {admintoken}' \
          --header 'Content-Type: application/json' \
          --header 'Accept: application/json' \
          -d '{
                "status": "active",
                "trustedProviders": [
                  "http://idp.example.net:48080/openam|saml2",
                  "SP1|saml2"
                ]
              }' \
          'http://idp.example.net:48080/openam/json/realm-config/federation/circlesoftrust/idpcot'

      4. Observe the COT in the console: it includes the new (remote) SP.
      5. Attempt an SPSSOInit; it fails with an "Issuer in request is not valid" 500 error (in some cases it fails on the 2nd attempt).
      6. Review the SP's extended metadata and see that the cotlist attribute is unchanged:
        <Attribute name="cotlist">
            <Value>spcot</Value>
        </Attribute>

      7. Using the console, remove the SP from the COT, save, and then add it back in.
      8. Review the SP's extended metadata again; the cotlist attribute now also lists the IDP COT:
        <Attribute name="cotlist">
            <Value>spcot</Value>
            <Value>idpcot</Value>
        </Attribute>
      Expected behaviour
      cotlist should be updated
      
      Current behaviour
      cotlist is not updated
      

      Workaround

      • Use the console
      • Use ssoadm. For example:
        ./ssoadm add-cot-member -u amAdmin -f /opt/tmp/ampassword.txt -y SP1 -e / -c saml2 -t idpcot

        Entity, SP1 was added to the circle of trust, idpcot, in realm /.
      • Update the remote SP's extended metadata cotlist attribute before importing it into the IDP
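      The reproduction steps and the workaround above both come down to one invariant: every entity a COT lists in its "trustedProviders" must also name that COT in the cotlist attribute of its own extended metadata, otherwise the IDP rejects the SP's AuthnRequest. The following Python script is an added example, not OpenAM's own code, that checks this invariant for a COT document shaped like the PUT body above and repairs a provider's extended metadata the way the console/ssoadm path does. The COT document and both metadata files are constructed inline; the EntityConfig/SPSSOConfig wrapper elements and their namespace are assumed, only the `<Attribute name="cotlist">` shape is taken from the report. In a real deployment the inputs would be fetched from the REST endpoint and the exported extended metadata.

```python
"""Consistency check between a SAML2 Circle of Trust (COT) and its members'
extended metadata.

Added example, not OpenAM code. It models the two artefacts the report shows:
  * the COT document as PUT to /json/realm-config/federation/circlesoftrust/{cot},
    whose "trustedProviders" entries have the form "entityID|protocol";
  * each provider's extended metadata, where COT membership is recorded in the
    <Attribute name="cotlist"> element.
The EntityConfig/SPSSOConfig wrapper elements and their namespace are assumed
(simplified) here; only the cotlist Attribute/Value shape comes from the report.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ENTITYCONFIG_NS = "urn:sun:fm:SAML:2.0:entityconfig"  # assumed namespace
ET.register_namespace("", ENTITYCONFIG_NS)             # keep a default namespace on output


def local_name(tag: str) -> str:
    """Strip a Clark-notation namespace ({uri}local -> local)."""
    return tag.rsplit("}", 1)[-1]


def cotlist_attributes(root: ET.Element):
    """Yield every <Attribute name="cotlist"> element, whatever its namespace."""
    for elem in root.iter():
        if local_name(elem.tag) == "Attribute" and elem.get("name") == "cotlist":
            yield elem


def cotlist_values(extended_metadata: str) -> List[str]:
    """COT names a provider's extended metadata says it belongs to."""
    root = ET.fromstring(extended_metadata)
    values: List[str] = []
    for attr in cotlist_attributes(root):
        for value in attr:
            if local_name(value.tag) == "Value" and value.text:
                values.append(value.text.strip())
    return values


def cot_members(cot_document: dict) -> List[str]:
    """Entity IDs listed in the COT's trustedProviders ("SP1|saml2" -> "SP1")."""
    return [entry.split("|", 1)[0] for entry in cot_document.get("trustedProviders", [])]


def find_stale_members(cot_name: str, cot_document: dict,
                       extended_metadata_by_entity: Dict[str, str]) -> List[str]:
    """Members the COT claims whose own cotlist does not name that COT.

    This is the state the REST update left SP1 in: the COT lists the SP, but the
    SP's metadata never learned about the COT, so the IDP rejects its AuthnRequest
    with "Issuer in Request is not valid". An entity with no metadata at all is
    reported as stale too.
    """
    stale = []
    for entity_id in cot_members(cot_document):
        xml = extended_metadata_by_entity.get(entity_id)
        if xml is None or cot_name not in cotlist_values(xml):
            stale.append(entity_id)
    return stale


def add_to_cotlist(extended_metadata: str, cot_name: str) -> str:
    """Return the extended metadata with cot_name added to cotlist (idempotent).

    Mirrors what the console/ssoadm path does and the REST path failed to do.
    """
    root = ET.fromstring(extended_metadata)
    attr = next(cotlist_attributes(root), None)
    if attr is None:
        raise ValueError("extended metadata has no cotlist attribute")
    existing = [v.text.strip() for v in attr if v.text]
    if cot_name not in existing:
        ns_prefix = attr.tag[: attr.tag.rfind("}") + 1]  # "" when unqualified
        ET.SubElement(attr, ns_prefix + "Value").text = cot_name
    return ET.tostring(root, encoding="unicode")


# Constructed sample data shaped after the report: the COT document that was PUT,
# the IDP's own metadata, and SP1's metadata as it looks after the broken update.
COT_DOCUMENT = {
    "status": "active",
    "trustedProviders": ["http://idp.example.net:48080/openam|saml2", "SP1|saml2"],
}
IDP_EXTENDED = f"""<EntityConfig xmlns="{ENTITYCONFIG_NS}" entityID="http://idp.example.net:48080/openam" hosted="true">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="cotlist"><Value>idpcot</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""
SP1_EXTENDED = f"""<EntityConfig xmlns="{ENTITYCONFIG_NS}" entityID="SP1" hosted="false">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="cotlist"><Value>spcot</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""
METADATA = {"http://idp.example.net:48080/openam": IDP_EXTENDED, "SP1": SP1_EXTENDED}

if __name__ == "__main__":
    stale = find_stale_members("idpcot", COT_DOCUMENT, METADATA)
    print("members missing idpcot in their cotlist:", stale)  # ['SP1']
    repaired = dict(METADATA, SP1=add_to_cotlist(SP1_EXTENDED, "idpcot"))
    print("after repair:", find_stale_members("idpcot", COT_DOCUMENT, repaired))  # []
```

      Running the script reports SP1 as the stale member, which is the situation after step 6, and an empty list once `add_to_cotlist` has appended `idpcot`, which is the state after step 8. The lookup ignores namespaces deliberately so that the same check works on a hand-exported file whether or not the exporter emitted a prefix.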

      Code analysis

      Exception when performing the SPSSOInit:

      Federation Log
      libSAML2:11/08/2018 11:09:29:775 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAML2Utils.decodeFromRedirect: Return value:
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="s26e111aabbe7d2f7c9dccd99e47f1f8cbfe0a7431" Version="2.0" IssueInstant="2018-11-08T11:09:29Z" Destination="http://idp.example.net:48080/openam/SSORedirect/metaAlias/idp" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com:38080/openam/Consumer/metaAlias/sp">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SP1</saml:Issuer>
      <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="SP1" AllowCreate="true"></samlp:NameIDPolicy>
      <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
      libSAML2:11/08/2018 11:09:29:775 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAML2MetaCache.getEntityConfig: cacheKey = ///http://idp.example.net:48080/openam, found = true
      libSAML2:11/08/2018 11:09:29:775 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: http://idp.example.net:48080/openam
      libSAML2:11/08/2018 11:09:29:775 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAML2MetaCache.getEntityConfig: cacheKey = ///http://idp.example.net:48080/openam, found = true
      libSAML2:11/08/2018 11:09:29:776 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: http://idp.example.net:48080/openam
      libSAML2:11/08/2018 11:09:29:776 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      WARNING: UtilProxySAMLAuthenticator.authenticate: Issuer in Request is not valid.
      libSAML2:11/08/2018 11:09:29:777 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      Invoking IDP adapter preSendFailureResponse hook
      libSAML:11/08/2018 11:09:29:788 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAMLServiceManager.init: Constructing a new instance of SAMLServiceManager
      libPlugins:11/08/2018 11:09:29:796 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      ConfigurationInstanceImpl.getConfiguration: componentName = SAML1, realm = null, configName = null
      libSAML:11/08/2018 11:09:29:797 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAMLServiceManager: No POST to targets found
      libSAML:11/08/2018 11:09:29:797 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAMLSMangr: add instanceID: http://idp.example.net:48080/openam, serverURL=http://idp.example.net:48080/openam, legacy serverURL=http://idp.example.net:48080, isthissite=true
      libSAML:11/08/2018 11:09:29:797 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAMLServiceManager: No entry in partner url config!
      libSAML:11/08/2018 11:09:29:800 AM GMT: Thread[http-nio-48080-exec-5,5,main]: TransactionId[2da1cfb1-3904-4f55-9da2-bc6997c94c0a-2000]
      SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp
      

      This looks similar to OPENAM-12486.
      Linked to AME-15492

      People

      Assignee: Peter Major (Inactive)
      Reporter: Anastasios Kampas
      Votes: 1
      Watchers: 8