
[RFE] support read-only datastore using non-transient NameID during SAML2 federation

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0
    • Fix Version/s: 10.1.0-Xpress
    • Component/s: SAML
    • Labels:
      None
    • Sprint:
      Sprint 3

      Description

      Currently, setting the user data store to "ignore" and attempting to use X509SubjectName NameIDs for SAML2 authentication fails with the following stack trace:

      ERROR: IdRepoDataStoreProvider.getAttribute(1): IdRepo exception
      Message:Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 32: The entry specified in the request does not exist.

      at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.handleLDAPException(LDAPv3Repo.java:6117)
      at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.getAttributes(LDAPv3Repo.java:2376)
      at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.getAttributes(LDAPv3Repo.java:2211)
      at com.sun.identity.idm.server.IdServicesImpl.getAttributes(IdServicesImpl.java:683)
      at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(IdCachedServicesImpl.java:397)
      at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:470)
      at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.getAttribute(IdRepoDataStoreProvider.java:117)
      at com.sun.identity.saml2.common.AccountUtils.getAccountFederation(AccountUtils.java:100)
      at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1432)
      at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:870)
      at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:692)
      at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:379)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:997)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:124)
      at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:112)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:632)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
      at com.sun.identity.saml2.profile.IDPSSOFederate.redirectAuthentication(IDPSSOFederate.java:1266)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:584)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:124)
      at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:112)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:95)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
      at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
      at java.lang.Thread.run(Thread.java:662)
      [...]
      ERROR: AccountUtils.readAccountFederationInfo: DataStoreProviderException
      com.sun.identity.plugin.datastore.DataStoreProviderException: Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 32: The entry specified in the request does not exist.
      [...]
      ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
      com.sun.identity.saml2.common.SAML2Exception: Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 32: The entry specified in the request does not exist.

              People

              • Assignee:
                markdr Mark de Reeper
                Reporter:
                roysjosh roysjosh