OpenAM / OPENAM-14164

IdP Proxy - IDP AuthnContext Key & Value are not invoked during local login

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.2, 5.5.1, 6.0.0, 6.5.0
    • Fix Version/s: None
    • Component/s: SAML

      Description

      Bug description

      When the Assertion is sent by the IDP to the Proxying IDP, the IDP AuthnContext is not being checked.

      How to reproduce the issue

      1. Setup an IDP-Proxy env (SP, IDP-Proxy, IDP)
      2. At the IDP-side of the Proxy, add Key=Service and Value = a new chain (e.g. using the HTTP basic module), or Key=AuthLevel and Value = the HTTP basic module's auth level
      3. Leave the ContextRef as the default (PasswordProtectedTransport)
      4. Start an SP-Init SSO
      5. After the authentication on the IDP, the HTTP-basic chain is not invoked at the IDP-Proxy, instead, the default org-auth-chain is used.

      Based on the SP > IDP-side of the Proxy relationship, the AuthnRequest included 

      <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
          <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>

      However, the IDP AuthnContext "Key" and "Value" are not invoked. The actual AuthnContextClassRef is invoked.

      Expected behaviour
      Local login on the Proxy should be based on IDP-side AuthnContext configuration
      Current behaviour
      Default org-auth-chain is invoked
      

       Code analysis

      Federation logs at the Proxy

      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      spAssertionConsumer.jsp:need local login!!
      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SAML2MetaCache.getEntityConfig: cacheKey = ///http://proxy.example.info:18080/openam, found = true
      libSAML2:01/21/2019 05:10:01:671 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: http://proxy.example.info:18080/openam
      libSAML2:01/21/2019 05:10:01:678 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      SPACSUtils:prepareForLocalLogin: localLoginUrl = http://proxy.example.info:18080/openam/UI/Login?realm=/
      libSAML2:01/21/2019 05:10:01:679 PM GMT: Thread[http-nio-18080-exec-1,5,main]: TransactionId[87cc2330-c6c7-4561-a6c5-1c4e232d7f72-22351]
      spAssertionConsumer.jsp: local login url=http://proxy.example.info:18080/openam/UI/Login?realm=/&goto=http://proxy.example.info:18080/openam/Consumer/metaAlias/proxysp?resID%3Ds25e468642f53dedf2686c2175767fda8bbc2d63ae
      

      Looks like the issue is with

      public static String prepareForLocalLogin(String realm, String hostEntityId, SAML2MetaManager sm,
              ResponseInfo respInfo, String requestURI) {
          String localLoginUrl = getAttributeValueFromSPSSOConfig(realm, hostEntityId, sm, SAML2Constants.LOCAL_AUTH_URL);
          if (StringUtils.isEmpty(localLoginUrl)) {
              // get it from request
              try {
                  int index = requestURI.indexOf("Consumer/metaAlias");
                  if (index != -1) {
                      localLoginUrl = requestURI.substring(0, index) + "UI/Login?realm=" + realm;
                  }
              } catch (IndexOutOfBoundsException e) {
                  localLoginUrl = null;
              }
              if (StringUtils.isEmpty(localLoginUrl)) {
                  // shouldn't be here, but in case
                  localLoginUrl =
                          SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PROTOCOL)
                                  + "://"
                                  + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_HOST)
                                  + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PORT)
                                  + "/UI/Login?realm="
                                  + realm;
              }
          }

          respInfo.setIsLocalLogin(true);
          synchronized (SPCache.responseHash) {
              SPCache.responseHash.put(respInfo.getResponse().getID(), respInfo);
          }
          SAML2Utils.debug.message("SPACSUtils:prepareForLocalLogin: localLoginUrl = {}", localLoginUrl);

          return localLoginUrl;
      }
      
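      The following is an added sketch, not OpenAM code and not a proposed patch from the reporter, of what a local-login URL builder that honours the IdP-side AuthnContext mapping would have to do: look up the requested AuthnContextClassRef in the proxy's IdP-side mapping and append the matching OpenAM login parameter (service=<chain> for Key=Service, authlevel=<n> for Key=AuthLevel) instead of always sending the user to UI/Login?realm=... and the default org auth chain. The class name, the in-memory mapping table and the chain name httpBasicChain are assumptions for illustration; the only OpenAM-specific facts relied on are the UI/Login endpoint and its service and authlevel query parameters.

      ```java
      import java.net.URLEncoder;
      import java.nio.charset.StandardCharsets;
      import java.util.LinkedHashMap;
      import java.util.Locale;
      import java.util.Map;

      // Hypothetical helper (not OpenAM's code): build the IdP-Proxy local login URL
      // so that the IdP-side AuthnContext Key/Value configuration is actually used.
      public class ProxyLocalLoginUrl {

          // One row of the IdP-side AuthnContext mapping: class ref -> (Key, Value).
          // The storage format is assumed here; OpenAM's real config format is not reproduced.
          static final class AuthnContextMapping {
              final String classRef;
              final String key;    // "Service", "AuthLevel" or null (no local chain override)
              final String value;  // chain name or numeric auth level
              AuthnContextMapping(String classRef, String key, String value) {
                  this.classRef = classRef;
                  this.key = key;
                  this.value = value;
              }
          }

          // Constructed sample mapping, mirroring step 2 of the reproduction: the default
          // PasswordProtectedTransport class ref is mapped to an HTTP basic chain.
          static final Map<String, AuthnContextMapping> MAPPINGS = new LinkedHashMap<>();
          static {
              add("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "Service", "httpBasicChain");
              add("urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "AuthLevel", "10");
              add("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", null, null);
          }

          private static void add(String classRef, String key, String value) {
              MAPPINGS.put(classRef, new AuthnContextMapping(classRef, key, value));
          }

          private static String enc(String s) {
              return URLEncoder.encode(s, StandardCharsets.UTF_8);
          }

          // baseUrl is the deployment URL (e.g. http://proxy.example.info:18080/openam),
          // requestedClassRef the AuthnContextClassRef from the SP's RequestedAuthnContext.
          static String buildLocalLoginUrl(String baseUrl, String realm, String requestedClassRef) {
              StringBuilder url = new StringBuilder(baseUrl)
                      .append("/UI/Login?realm=").append(enc(realm));

              AuthnContextMapping m = MAPPINGS.get(requestedClassRef);
              if (m == null || m.key == null || m.value == null) {
                  // No override configured: falling back to the realm's default chain is correct here.
                  return url.toString();
              }
              switch (m.key.toLowerCase(Locale.ROOT)) {
                  case "service":
                      url.append("&service=").append(enc(m.value));
                      break;
                  case "authlevel":
                      // Reject a non-numeric level early rather than passing garbage to the login page.
                      Integer.parseInt(m.value);
                      url.append("&authlevel=").append(enc(m.value));
                      break;
                  default:
                      throw new IllegalArgumentException("unsupported AuthnContext key: " + m.key);
              }
              return url.toString();
          }

          public static void main(String[] args) {
              String base = "http://proxy.example.info:18080/openam";
              for (String ref : MAPPINGS.keySet()) {
                  System.out.println(ref);
                  System.out.println("  -> " + buildLocalLoginUrl(base, "/", ref));
              }
              // An unmapped class ref degrades to the plain realm login, i.e. today's behaviour.
              System.out.println(buildLocalLoginUrl(base, "/", "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"));
          }
      }
      ```

      Run with `javac ProxyLocalLoginUrl.java && java ProxyLocalLoginUrl`. For the PasswordProtectedTransport row the URL ends in `&service=httpBasicChain`, which is what the reporter expects to see instead of the bare `UI/Login?realm=/` that appears in the federation log above; whether the real fix should live in prepareForLocalLogin or in the caller that knows the RequestedAuthnContext is a design question this sketch does not settle.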

      People

      • Assignee: Unassigned
      • Reporter: anastasios.kampas Tasos Kampas