OPENAM-14279

IdP-Proxy does not relay SAMLAuthnRequest when AuthenticationContext is not marked as supported

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      Oracle JDK 1.8.0_151
      Apache Tomcat 9.0.8
      AM 6.5.0

      Description

      Bug description

      A SAML AuthnRequest from the downstream SP is not relayed to the upstream IdP when the AuthnRequest carries an AuthnContext that is not marked as supported on the IdP-Proxy.

      How to reproduce the issue

      1. Configure some SP (e.g. AM)
      2. Configure some IdP (e.g. AM)
      3. Configure AM as IdP-Proxy (e.g. as mentioned in https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario#SAMLv2IDPProxyPart1.SettingupasimpleProxyscenario-Step3:ConfiguringtheIdentityProviderProxy(machineb))
        Don't use IdP-Finder, but set 'proxy all requests' for SP
      4. Perform SP-initiated SSO specifying a non-default authentication context class reference, e.g.

      http://sp.test1.xyz:8082/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=idp-proxy&NameIDFormat=transient&AuthnContextClassRef=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3AX509

      Expected behaviour
      The SAML AuthnRequest should be relayed no matter which Authentication Context Class Reference is configured on the IdP-Proxy. An IdP-Proxy does not perform any authentication itself, so it should ignore this configuration.
      
      Current behaviour
      The following SAML error response

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      ID="s2e8df6faf8533721316259bbd54a30382cfe9cd89"
                      InResponseTo="s26705b7d4babdf77b4c77cf607ad8d7321ffcf0e0"
                      Version="2.0"
                      IssueInstant="2019-01-21T11:17:26Z">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-proxy</saml:Issuer>
        <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                            Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                              Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
          </samlp:StatusCode>
        </samlp:Status>
      </samlp:Response>

      is sent from the IdP-Proxy to the SP.
      

      Workaround

      Mark all authentication context class references as supported on the IdP entity of the IdP-Proxy.

      AM console: Realm -> Applications -> Federation -> Entity Providers -> "IdP-Proxy entity" -> IdP -> Assertion Content -> Authentication Context
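As an added illustration (not code from this issue or from AM), the following Python parses the nested status of the error response quoted above, extracts the AuthnContextClassRef from a constructed downstream AuthnRequest matching the spSSOInit.jsp URL in the report, and encodes the expected IdP-Proxy decision: with 'proxy all requests' set, relay regardless of the proxy's own supported-context list. The sample XML, the entity IDs and the proxy_decision model are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# Constructed sample: the error response quoted in the issue, reduced to its essentials.
ERROR_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="s2e8df6faf8533721316259bbd54a30382cfe9cd89" Version="2.0" IssueInstant="2019-01-21T11:17:26Z">
  <saml:Issuer>idp-proxy</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS}Requester">
    <samlp:StatusCode Value="{STATUS}NoAuthnContext"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""

# Constructed sample: what the spSSOInit.jsp URL in the report makes the downstream SP send.
DOWNSTREAM_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="sreq-constructed" Version="2.0" IssueInstant="2019-01-21T11:17:25Z">
  <saml:Issuer>sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{X509}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def status_chain(response_xml):
    """Nested StatusCode values of a SAML Response, outermost first, minus the status URI prefix."""
    node = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status")
    chain = []
    while node is not None:
        node = node.find(f"{{{SAMLP}}}StatusCode")
        if node is not None:
            chain.append(node.get("Value", "").replace(STATUS, ""))
    return chain

def requested_contexts(authn_request_xml):
    """AuthnContextClassRef values the downstream SP asked for."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]

def proxy_decision(authn_request_xml, supported, proxy_all_requests):
    """Expected handling (assumed model): a proxy that never authenticates relays the
    request, contexts included; only local authentication may answer NoAuthnContext."""
    requested = requested_contexts(authn_request_xml)
    if proxy_all_requests:
        return ("relay", requested)
    if all(ctx in supported for ctx in requested):
        return ("authenticate-locally", requested)
    return ("reject", ["Requester", "NoAuthnContext"])
```

Running status_chain over a real proxy response is a quick way to confirm the Requester/NoAuthnContext pair described in this issue rather than some other SAML failure.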

      People

      • Assignee: Unassigned
      • Reporter: bthalmayr (Bernhard Thalmayr)