OpenAM: OPENAM-14281

IdP Proxy relays wrong AuthnContextClassRef

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1
    • Fix Version/s: 6.5.1, 6.5.0.2, 6.0.0.7, 6.0.1, 7.0.0, 5.5.2
    • Component/s: SAML
    • Environment:
      Oracle JDK 1.8.0_151
      Apache Tomcat 9.0.8
      AM 6.5.0
    • Sprint:
      AM Sustaining Sprint 60
    • Story Points:
      5
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      The SAML Authentication Context Class Reference received from the upstream IdP is not relayed to the downstream SP.

      How to reproduce the issue

      1. Configure some SP (e.g. AM)
      2. Configure some IdP (e.g. AM)
      3. Configure AM as IdP-Proxy (in a sub-realm) (e.g. as mentioned in https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario#SAMLv2IDPProxyPart1.SettingupasimpleProxyscenario-Step3:ConfiguringtheIdentityProviderProxy(machineb))
        Don't use the IdP Finder, but set 'proxy all requests' for the SP
        Add 'X.509' as a supported Authentication Context Class Reference (see OPENAM-14279, OPENAM-14280)
        Set the default AuthnContextClassRef of the IdP entity at the IdP-Proxy to 'Password'
      4. Perform SP-initiated SSO specifying a non-default authentication context class reference, e.g. http://sp.test1.xyz:8082/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=idp-proxy&NameIDFormat=transient&AuthnContextClassRef=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3AX509
      5. Also make sure that using encrypted assertions between the upstream IdP and the IdP-Proxy works
      Expected behaviour
      The Authentication Context Class Reference received from the upstream IdP should be relayed to the downstream SP; otherwise Authentication Context Class Reference checking may fail on the downstream SP.

      Current behaviour
      The IdP-Proxy does not relay the Authentication Context Class Reference received from the upstream IdP to the downstream SP, but replaces it with the default Authentication Context Class Reference configured for the IdP part of the IdP-Proxy.
      
      SAML trace
      SAML AuthnRequest sent from SP to IdP-Proxy
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          ID="s2a9c78e75ad7c2fd323e7e5946bcf37b6f9ebdb33"
                          Version="2.0"
                          IssueInstant="2019-01-21T11:59:12Z"
                          Destination="http://proxy.test.xyz:8081/am/SSORedirect/metaAlias/sub1/proxyidp"
                          ForceAuthn="false"
                          IsPassive="false"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          AssertionConsumerServiceURL="http://sp.test2.xyz:8082/am/Consumer/metaAlias/sp"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.test2.xyz:8082/am</saml:Issuer>
          <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                              SPNameQualifier="http://sp.test2.xyz:8082/am"
                              AllowCreate="true"
                              />
          <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                       Comparison="exact"
                                       >
              <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
          </samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
      
      SAML AuthnRequest sent from IdP-Proxy to IdP
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          ID="s2432ff595cfd731ff359970eb685681d031ab3c6a"
                          Version="2.0"
                          IssueInstant="2019-01-21T11:59:12Z"
                          Destination="http://am650.test.xyz:8080/am/SSORedirect/metaAlias/sub1/idp"
                          ForceAuthn="false"
                          IsPassive="false"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          AssertionConsumerServiceURL="http://proxy.test.xyz:8081/am/Consumer/metaAlias/sub1/proxysp"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-proxy</saml:Issuer>
          <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                              SPNameQualifier="idp-proxy"
                              AllowCreate="true"
                              />
          <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                       Comparison="exact"
                                       >
              <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
          </samlp:RequestedAuthnContext>
          <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         ProxyCount="0"
                         >
              <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
                  <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                  ProviderID="http://am650.test.xyz:8080/am"
                                  />
              </samlp:IDPList>
              <samlp:RequesterID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      http://sp.test2.xyz:8082/am
      </samlp:RequesterID>
          </samlp:Scoping>
      </samlp:AuthnRequest>
      
      SAML Response sent from IdP to IdP-Proxy
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      ID="s2f0e4a7cf8702fbd2642d8263dfdf480c79d1e464"
                      InResponseTo="s2432ff595cfd731ff359970eb685681d031ab3c6a"
                      Version="2.0"
                      IssueInstant="2019-01-21T11:59:17Z"
                      Destination="http://proxy.test.xyz:8081/am/Consumer/metaAlias/sub1/proxysp"
                      >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://am650.test.xyz:8080/am</saml:Issuer>
          <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
              <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                Value="urn:oasis:names:tc:SAML:2.0:status:Success"
                                />
          </samlp:Status>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                          ID="s25e0bd9d516a5bf1086d57f4d5814d79077963f46"
                          IssueInstant="2019-01-21T11:59:17Z"
                          Version="2.0"
                          >
              <saml:Issuer>http://am650.test.xyz:8080/am</saml:Issuer>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                      <ds:Reference URI="#s25e0bd9d516a5bf1086d57f4d5814d79077963f46">
                          <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                          </ds:Transforms>
                          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                          <ds:DigestValue>Dw0tRXSno9eRRleIld/xJEFhRjyhOVjW3ZIAkc5Au8E=</ds:DigestValue>
                      </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>
      Q4KSp0BspHN6Sy7WNsl6optcTA77aq+HgFNotpLUtQHRIDfNhjVUQbLkWOcf5KOsJ6X+ncyHmo9P
      zvwU4o8T1PeFQagVBb2sAr3hAz5ZfrbbtXN9x7joTnK+bGidHjCnVoI5ci4Tj4qmT1HKpv5GS2kO
      oVhazQIm71ImYW60mayzkQj2YwlF+kSOt9aDBsloj7B/Euo+Xq+TyRQmdDu+zY6HiDoDtDlU2noM
      /VpPEjX/XhP1CF1zP6gvlrrL7jEormQvcBh2SesXw4ZMl+znsn75pSmZkNq6aM9Ppkd17F0b3wR1
      Rq8QJixo+d8O/WYeBcCACKM9xb91qq2gWjI17Q==
      </ds:SignatureValue>
                  <ds:KeyInfo>
                      <ds:X509Data>
                          <ds:X509Certificate>
      MIIDYTCCAkmgAwIBAgIEFt4OQjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVSzEQMA4GA1UE
      CBMHQnJpc3RvbDEQMA4GA1UEBxMHQnJpc3RvbDESMBAGA1UEChMJRm9yZ2VSb2NrMQswCQYDVQQL
      EwJBTTENMAsGA1UEAxMEdGVzdDAeFw0xODA0MDMxNDIwNThaFw0yODAzMzExNDIwNThaMGExCzAJ
      BgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
      b3JnZVJvY2sxCzAJBgNVBAsTAkFNMQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEAi7t6m4d/02dZ8dOe+DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71db
      F0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn/ScFHpq8Tx4BzhcD
      b6P0+PHCo+bkQedxwhbMD412KSM2UAVQaZ+TW+ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeY
      QbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s/BS1obWUOC+0ChRWlpWE7QTEVEWJP5yt8hgZ5Me
      cTmBi3yZ/0ts3NsL83413NdbWYh+ChtP696mZbJozflF8jR9pewTbQIDAQABoyEwHzAdBgNVHQ4E
      FgQUDAvAglxsoXuEwI2NT1hFtVww2SUwDQYJKoZIhvcNAQELBQADggEBADiHqUwRlq1xdHP7S387
      vMLOr+/OUgNvDUogeyrpdj5vFve/CBxSFlcoY215eE0xzj2+bQoe5To3s8CWkP9hqB3EdhaRBfCr
      d8Vpvu8xBZcxQzmqwNjmeDrxNpKes717t05fDGgygUM8xIBs29JwRzHzf7e0ByJjn9fvlUjDAGZ7
      emCTN382F2iOeLC2ibVl7dpmsWZTINhQRbmq5L4ztOcjITk5WZnBF439oRRn68fWZVkOv2UqaKbk
      uMjgotNuot+ebHtOchEiwKz8VAK7O3/IgD6rfNBfz+c/WeoPcrfQBR4zfizw/ioR115RSywifzlw
      q5yziqyU04eP4wLr3cM=
      </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
              </ds:Signature>
              <saml:Subject>
                  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                               NameQualifier="http://am650.test.xyz:8080/am"
                               SPNameQualifier="idp-proxy"
                               >EDku9AMZijBdYyvZgXPklLYk4qFp</saml:NameID>
                  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <saml:SubjectConfirmationData InResponseTo="s2432ff595cfd731ff359970eb685681d031ab3c6a"
                                                    NotOnOrAfter="2019-01-21T12:09:17Z"
                                                    Recipient="http://proxy.test.xyz:8081/am/Consumer/metaAlias/sub1/proxysp"
                                                    />
                  </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2019-01-21T11:49:17Z"
                               NotOnOrAfter="2019-01-21T12:09:17Z"
                               >
                  <saml:AudienceRestriction>
                      <saml:Audience>idp-proxy</saml:Audience>
                  </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2019-01-21T11:59:17Z"
                                   SessionIndex="s266561f77047c81af093b93c5f0a7aa046e2eab01"
                                   >
                  <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
                  </saml:AuthnContext>
              </saml:AuthnStatement>
          </saml:Assertion>
      </samlp:Response>
      
      SAML Response sent from IdP-Proxy to SP
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      ID="s23b251ef8d92def9d877d33bc7b550aa4e6cea79f"
                      InResponseTo="s2a9c78e75ad7c2fd323e7e5946bcf37b6f9ebdb33"
                      Version="2.0"
                      IssueInstant="2019-01-21T11:59:18Z"
                      Destination="http://sp.test2.xyz:8082/am/Consumer/metaAlias/sp"
                      >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-proxy</saml:Issuer>
          <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
              <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                Value="urn:oasis:names:tc:SAML:2.0:status:Success"
                                />
          </samlp:Status>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                          ID="s2444627d58434bb92db70507056f2848095e89640"
                          IssueInstant="2019-01-21T11:59:18Z"
                          Version="2.0"
                          >
              <saml:Issuer>idp-proxy</saml:Issuer>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                      <ds:Reference URI="#s2444627d58434bb92db70507056f2848095e89640">
                          <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                          </ds:Transforms>
                          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                          <ds:DigestValue>N8RUkAd6TVGDVWpwxk9ryn72fJ3iXeaNBGJfSmoFUkA=</ds:DigestValue>
                      </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>
      dizAc6xVlAK1a2v4zBR3TONeNj8jN03xRGyXCbzDfekd3teCG+edYj31Km9ZKyaJ3I0evTRlPN9X
      bYTpPuhLer4jC44+lC1YCM3XzCzWZXaE+Rzx0XrFZEQSz6nWnL5D85CZsS29QcHZxrBiHm7prKt+
      jGqtG+tl77aZOrbVq4fFWvlHwbPP+9f/5vFIYRaI6PrtYU5kIemg2yh7O+GiL7vTcGKI8TsZAgIv
      L23zaQ0M8XREYGzoomxKNBjyWN+xMbPw86oBhvAE2CwMbXibiPN84/RhxqD08rUlor8ZUVG8arlz
      5mQCXi1qzZV3LuzlQt+R3HzN9Mz5KArtMfQJgg==
      </ds:SignatureValue>
                  <ds:KeyInfo>
                      <ds:X509Data>
                          <ds:X509Certificate>
      MIIDYTCCAkmgAwIBAgIEFt4OQjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVSzEQMA4GA1UE
      CBMHQnJpc3RvbDEQMA4GA1UEBxMHQnJpc3RvbDESMBAGA1UEChMJRm9yZ2VSb2NrMQswCQYDVQQL
      EwJBTTENMAsGA1UEAxMEdGVzdDAeFw0xODA0MDMxNDIwNThaFw0yODAzMzExNDIwNThaMGExCzAJ
      BgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
      b3JnZVJvY2sxCzAJBgNVBAsTAkFNMQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEAi7t6m4d/02dZ8dOe+DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71db
      F0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn/ScFHpq8Tx4BzhcD
      b6P0+PHCo+bkQedxwhbMD412KSM2UAVQaZ+TW+ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeY
      QbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s/BS1obWUOC+0ChRWlpWE7QTEVEWJP5yt8hgZ5Me
      cTmBi3yZ/0ts3NsL83413NdbWYh+ChtP696mZbJozflF8jR9pewTbQIDAQABoyEwHzAdBgNVHQ4E
      FgQUDAvAglxsoXuEwI2NT1hFtVww2SUwDQYJKoZIhvcNAQELBQADggEBADiHqUwRlq1xdHP7S387
      vMLOr+/OUgNvDUogeyrpdj5vFve/CBxSFlcoY215eE0xzj2+bQoe5To3s8CWkP9hqB3EdhaRBfCr
      d8Vpvu8xBZcxQzmqwNjmeDrxNpKes717t05fDGgygUM8xIBs29JwRzHzf7e0ByJjn9fvlUjDAGZ7
      emCTN382F2iOeLC2ibVl7dpmsWZTINhQRbmq5L4ztOcjITk5WZnBF439oRRn68fWZVkOv2UqaKbk
      uMjgotNuot+ebHtOchEiwKz8VAK7O3/IgD6rfNBfz+c/WeoPcrfQBR4zfizw/ioR115RSywifzlw
      q5yziqyU04eP4wLr3cM=
      </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
              </ds:Signature>
              <saml:Subject>
                  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                               NameQualifier="idp-proxy"
                               SPNameQualifier="http://sp.test2.xyz:8082/am"
                               >f7wXo0ICthrkyO1niXRQhe83T5Lk</saml:NameID>
                  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <saml:SubjectConfirmationData InResponseTo="s2a9c78e75ad7c2fd323e7e5946bcf37b6f9ebdb33"
                                                    NotOnOrAfter="2019-01-21T12:09:18Z"
                                                    Recipient="http://sp.test2.xyz:8082/am/Consumer/metaAlias/sp"
                                                    />
                  </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2019-01-21T11:49:18Z"
                               NotOnOrAfter="2019-01-21T12:09:18Z"
                               >
                  <saml:AudienceRestriction>
                      <saml:Audience>http://sp.test2.xyz:8082/am</saml:Audience>
                  </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2019-01-21T11:59:17Z"
                                   SessionIndex="s2be85f99a63fc8353bc1c9b9837396bd4679ccf01"
                                   >
                  <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                      <saml:AuthenticatingAuthority>http://am650.test.xyz:8080/am</saml:AuthenticatingAuthority>
                  </saml:AuthnContext>
              </saml:AuthnStatement>
          </saml:Assertion>
      </samlp:Response>
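As an added, SP-side check that is not part of this report or of AM's own code: the script below parses the SP's AuthnRequest and a Response and accepts the Response only if every asserted AuthnContextClassRef satisfies the request's RequestedAuthnContext (Comparison="exact"), which is the check the report expects to fail on the downstream SP. The XML samples are constructed from the trace above, reduced to the elements the check reads.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
REQ_ID = "s2a9c78e75ad7c2fd323e7e5946bcf37b6f9ebdb33"  # ID of the SP's AuthnRequest in the trace

# Constructed sample: the SP's AuthnRequest from the trace, trimmed to what the check reads.
SP_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % (REQ_ID, X509)

def constructed_response(classref, in_response_to):
    """Constructed sample: a minimal samlp:Response carrying one AuthnStatement."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="%s" Version="2.0">
  <saml:Assertion Version="2.0"><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>""" % (in_response_to, classref)

def requested_context(authn_request_xml):
    """Return (Comparison, [class refs]) from RequestedAuthnContext, or (None, []) if absent."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML's default Comparison is "exact"

def asserted_contexts(response_xml):
    """Return every AuthnContextClassRef asserted in the Response's AuthnStatements."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(response_xml).findall(path, NS) if e.text]

def check_authn_context(authn_request_xml, response_xml):
    """SP-side check: does the Response satisfy the request's RequestedAuthnContext?"""
    request_id = ET.fromstring(authn_request_xml).get("ID")
    if ET.fromstring(response_xml).get("InResponseTo") != request_id:
        return False  # the Response does not belong to this AuthnRequest
    comparison, requested = requested_context(authn_request_xml)
    if comparison is None:
        return True  # no RequestedAuthnContext: any context is acceptable
    if comparison != "exact":
        raise NotImplementedError("only Comparison='exact' is handled here")
    asserted = asserted_contexts(response_xml)
    return bool(asserted) and all(a in requested for a in asserted)  # exact: each asserted class was requested

# From the trace: the upstream IdP asserted X509 (accepted), but the IdP-Proxy re-asserted
# its configured default Password to the SP, which an exact check must reject.
UPSTREAM_OK = check_authn_context(SP_AUTHN_REQUEST, constructed_response(X509, REQ_ID))
PROXIED_OK = check_authn_context(SP_AUTHN_REQUEST, constructed_response(PASSWORD, REQ_ID))
```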
      

        People

        • Assignee: Lawrence Yarham (lawrence.yarham)
        • Reporter: Bernhard Thalmayr (bthalmayr)
        • Votes: 0
        • Watchers: 6