  1. OpenAM
  2. OPENAM-14112

Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 14.5.0, 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: 6.5.1, 6.0.1, 7.0.0
    • Component/s: SAML, session
    • Sprint:
      AM Sustaining Sprint 58
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description


      Bug description

      When using AM as a SAML2 SP, any attributes provided by the IDP in the Assertion that are in the SP attribute mapping, and so should end up in the session, are lost when using client-based sessions (stateless).

      How to reproduce the issue

      • Configure IDP to provide at least one attribute in the Assertion generated by the IDP.
      • Set up AM as an SP and use the default attribute map or something specific; the key is that IDP-supplied attributes end up in the user's SSO session as a result of a successful authentication.
      • Trigger either SP or IDP initiated authentication.
      • Once authenticated, take the SSO token provided by the SP and use it in a getSessionInfo REST call to check the values in the session, making sure that the additional session properties are listed in the Session Property Whitelist Service for the realm to make them readable.

      Expected behaviour

      All attributes provided in the Assertion from the IDP end up as session properties when using client-based sessions.

      Current behaviour

      Only those attributes that are in the session when it is first created are available.

      Work around


      Code analysis

      This method is called during com.sun.identity.saml2.profile.SPACSUtils#processResponse and sets the cookie based on the session ID at the time, which is fine for stateful sessions but not when dealing with client-based sessions.
      The cookie should only be set at the end of the processing to ensure it is the most up-to-date value.
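
      A minimal model of the ordering problem described in the code analysis, added here as an illustration. It is not OpenAM code: the function names, signing key, attribute names and cookie format are constructed assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed signing key, used only by this model
SERVER_STORE = {}              # server-side session state (stateful sessions only)

def issue_cookie(sid, props, client_based):
    if not client_based:
        return sid  # opaque handle: later property changes stay visible server-side
    body = base64.urlsafe_b64encode(json.dumps(props, sort_keys=True).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac  # signed snapshot of the properties at this instant

def read_session(cookie, client_based):
    """Stand-in for a session-info lookup: returns the properties the cookie yields."""
    if not client_based:
        return SERVER_STORE[cookie]
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("session cookie failed integrity check")
    return json.loads(base64.urlsafe_b64decode(body))

def process_response(sid, assertion_attrs, attr_map, client_based, cookie_last):
    """Hypothetical SP flow: create session, apply attribute mapping, set cookie."""
    props = {"uid": "demo"}
    if not client_based:
        SERVER_STORE[sid] = props
    early = None if cookie_last else issue_cookie(sid, props, client_based)
    for idp_name, session_prop in attr_map.items():
        if idp_name in assertion_attrs:
            props[session_prop] = assertion_attrs[idp_name]
    return issue_cookie(sid, props, client_based) if cookie_last else early

ATTRS = {"EmailAddress": "demo@example.com"}  # constructed assertion attribute
ATTR_MAP = {"EmailAddress": "mail"}           # constructed SP attribute mapping

def run(client_based, cookie_last):
    cookie = process_response("sid-1", ATTRS, ATTR_MAP, client_based, cookie_last)
    return read_session(cookie, client_based)

if __name__ == "__main__":
    print("stateful, cookie set early:", run(False, False))
    print("client-based, cookie set early:", run(True, False))
    print("client-based, cookie set last:", run(True, True))
```

      Only the client-based session with the early cookie loses the mapped attribute, because its cookie is a signed snapshot taken before the mapping ran.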


              • Assignee:
                markdr Mark de Reeper