OpenAM / OPENAM-14164

IdP Proxy - IDP AuthnContext Key & Value are not invoked during local login


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.2, 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: None
    • Component/s: SAML


      Bug description

      When the Assertion is sent by the IDP to the proxying IDP, the IDP AuthnContext is not being checked.

      How to reproduce the issue

      1. Set up an IDP-Proxy environment (SP, IDP-Proxy, IDP).
      2. At the IDP side of the Proxy, add Key=Service and Value=<a new chain> (e.g. one using the HTTP Basic module), or Key=AuthLevel and Value=<the HTTP Basic module's auth level>.
      3. Leave the ContextRef as the default (PasswordProtectedTransport).
      4. Start an SP-initiated SSO.
      5. After authentication on the IDP, the HTTP Basic chain is not invoked at the IDP-Proxy; instead, the default org-auth-chain is used.

      Based on the SP > IDP-side-of-the-Proxy relationship, the AuthnRequest included:

      <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
          <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>

      However, the IDP AuthnContext "Key" and "Value" are not invoked. The actual AuthnContextClassRef is invoked.

      Expected behaviour

      Local login on the Proxy should be based on the IDP-side AuthnContext configuration.

      Current behaviour

      The default org-auth-chain is invoked.
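      The following is an added illustration, not code from OpenAM or from the ticket: it contrasts the local-login URL the proxy builds today (realm only, derived from the Consumer/metaAlias request URI as in the federation log above) with the URL the reporter expects, where the IDP-side AuthnContext mapping contributes a service= or authlevel= parameter. The mapping table, the chain name "httpBasicChain" and the ACS request URI are constructed for the example; the RequestedAuthnContext is the one quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: the RequestedAuthnContext quoted in the ticket.
REQUESTED_AUTHN_CONTEXT = (
    f'<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP}" Comparison="exact">'
    f'<saml:AuthnContextClassRef xmlns:saml="{SAML}">{PPT}</saml:AuthnContextClassRef>'
    '</samlp:RequestedAuthnContext>'
)

# Hypothetical IDP-side AuthnContext mapping for the proxy (repro step 2):
# class ref -> (Key, Value). "httpBasicChain" is a made-up chain name; the
# alternative configuration from the ticket would be ("authlevel", "<level>").
IDP_AUTHN_CONTEXT_MAPPING = {
    PPT: ("service", "httpBasicChain"),
}

# Constructed: the ACS request URI as seen in the proxy's federation log.
ACS_REQUEST_URI = "http://proxy.example.info:18080/openam/Consumer/metaAlias/proxysp"


def current_local_login_url(request_uri, realm):
    """Current behaviour: mirror prepareForLocalLogin's fallback, which takes
    everything before "Consumer/metaAlias" as the deployment URI and carries
    only the realm, so the realm's default org-auth-chain runs."""
    index = request_uri.find("Consumer/metaAlias")
    if index == -1:
        return None
    return request_uri[:index] + "UI/Login?" + urlencode([("realm", realm)], safe="/")


def requested_class_refs(xml_text):
    """Return (Comparison, [class refs]) from a samlp:RequestedAuthnContext element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}RequestedAuthnContext":
        raise ValueError("not a samlp:RequestedAuthnContext element")
    refs = [e.text.strip() for e in root.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return root.get("Comparison", "exact"), refs


def expected_local_login_url(request_uri, realm, requested_xml, mapping):
    """Expected behaviour: same base URL plus the Key=Value mapped for the first
    matching class ref, so the proxy's local login selects the configured chain
    (service=) or auth level (authlevel=) instead of the default org-auth-chain.
    Only Comparison="exact" is handled in this example; anything else, and any
    unmapped class ref, falls back to the realm default (the current behaviour)."""
    base = current_local_login_url(request_uri, realm)
    if base is None:
        return None
    comparison, refs = requested_class_refs(requested_xml)
    if comparison != "exact":
        return base
    for ref in refs:
        if ref in mapping:
            key, value = mapping[ref]
            return base + "&" + urlencode([(key.lower(), value)])
    return base
```

      With the sample mapping, current_local_login_url() yields the realm-only URL seen in the log, while expected_local_login_url() yields the same URL with &service=httpBasicChain appended; swapping the mapping entry for ("authlevel", "<level>") gives the &authlevel= form instead.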

      Code analysis

      Federation logs at the Proxy

      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      spAssertionConsumer.jsp:need local login!!
      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SAML2MetaCache.getEntityConfig: cacheKey = ///http://proxy.example.info:18080/openam, found = true
      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: http://proxy.example.info:18080/openam
      libSAML2:01/21/2019 05:10:01:678 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SPACSUtils:prepareForLocalLogin: localLoginUrl = http://proxy.example.info:18080/openam/UI/Login?realm=/
      libSAML2:01/21/2019 05:10:01:679 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      spAssertionConsumer.jsp: local login url=http://proxy.example.info:18080/openam/UI/Login?realm=/&goto=http://proxy.example.info:18080/openam/Consumer/metaAlias/proxysp?resID%3Ds25e468642f53dedf2686c2175767fda8bbc2d63ae

      Looks like the issue is with:

       public static String prepareForLocalLogin(String realm, String hostEntityId, SAML2MetaManager sm,
                  ResponseInfo respInfo, String requestURI) {
              // An explicitly configured local auth URL on the SP SSO config wins.
              String localLoginUrl = getAttributeValueFromSPSSOConfig(realm, hostEntityId, sm, SAML2Constants.LOCAL_AUTH_URL);
              if (StringUtils.isEmpty(localLoginUrl)) {
                  // get it from request: everything before "Consumer/metaAlias" is the deployment URI.
                  // Only the realm is carried; nothing from the IDP-side AuthnContext mapping reaches the login URL.
                  try {
                      int index = requestURI.indexOf("Consumer/metaAlias");
                      if (index != -1) {
                          localLoginUrl = requestURI.substring(0, index) + "UI/Login?realm=" + realm;
                      }
                  } catch (IndexOutOfBoundsException e) {
                      localLoginUrl = null;
                  }
                  if (StringUtils.isEmpty(localLoginUrl)) {
                      // shouldn't be here, but in case: build it from the server properties
                      // (the first operand was lost in the ticket's paste; restored here as the
                      // server-protocol property; note that no ':' is inserted before the port)
                      localLoginUrl = SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PROTOCOL)
                                      + "://"
                                      + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_HOST)
                                      + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PORT)
                                      + "/UI/Login?realm="
                                      + realm;
                  }
              }
              // Park the Response so the ACS can pick it up again after local login (the resID in the goto URL).
              synchronized (SPCache.responseHash) {
                  SPCache.responseHash.put(respInfo.getResponse().getID(), respInfo);
              }
              SAML2Utils.debug.message("SPACSUtils:prepareForLocalLogin: localLoginUrl = {}", localLoginUrl);
              return localLoginUrl;
          }




    • Assignee: anastasios.kampas (Tasos Kampas)
    • Votes: 0
    • Watchers: 3