OpenAM / OPENAM-14581

handling ManageNameID fails if NameID does not include SPNameQualifier

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1, 7.0.0
    • Fix Version/s: 6.5.2, 6.0.0.7, 6.0.1, 7.0.0, 5.5.2
    • Component/s: SAML
    • Labels:
    • Environment:
      Oracle JDK jdk1.8.0_201
      Apache Tomcat/9.0.8
      AM 7.0.0 (c36edcc20aab37e8bc86e092e0552951ba0cc6a5)
    • Sprint:
      AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Producing a ManageNameID response fails if the NameID element of the ManageNameID request does not include the optional SPNameQualifier attribute.

      How to reproduce the issue


      1. Configure AM as SAML SP
      2. Configure some IdP
      3. Perform account linking flow
      4. Perform IdP-initiated ManageNameID flow to terminate account linking. NameID in the ManageNameID request must not include SPNameQualifier.
      Expected behaviour

      Account linking should be terminated.

      Current behaviour

      The ManageNameID request fails.


      Code analysis

      com.sun.identity.saml2.profile.DoManageNameID.java
      ...
      private static NameIDInfo getNameIDInfo(String userID, String hostEntityID,
          String remoteEntityID, String hostRole, String realm,
          String affiliationID, boolean invalidAffiIDAllowed)
          throws SAML2Exception {

          NameIDInfo nameInfo = null;
          // affiliationID is derived from the NameID's SPNameQualifier; when that attribute
          // is absent it arrives here as "" rather than null, so this branch is still taken
          if (affiliationID != null) {
              AffiliationDescriptorType affiDesc =
                  metaManager.getAffiliationDescriptor(realm, affiliationID);
              if (affiDesc != null) {
                  if (hostRole.equals(SAML2Constants.SP_ROLE)) {
                      if (!affiDesc.getAffiliateMember().contains(hostEntityID)){
                          throw new SAML2Exception(SAML2Utils.bundle.getString(
                              "spNotAffiliationMember"));
                      }
                      nameInfo = AccountUtils.getAccountFederation(userID,
                          affiliationID, remoteEntityID);
                  } else {
                      if (!affiDesc.getAffiliateMember().contains(
                          remoteEntityID)) {
                          throw new SAML2Exception(SAML2Utils.bundle.getString(
                              "spNotAffiliationMember"));
                      }
                      nameInfo = AccountUtils.getAccountFederation(userID,
                          hostEntityID, affiliationID);
                  }
              } else if (invalidAffiIDAllowed) {
                  nameInfo = AccountUtils.getAccountFederation(userID,
                      hostEntityID, remoteEntityID);
              } else {
                  // no affiliation descriptor exists for "" -> the request fails here
                  throw new SAML2Exception(SAML2Utils.bundle.getString(
                      "affiliationNotFound"));
              }
          } else {
              nameInfo = AccountUtils.getAccountFederation(userID, hostEntityID,
                  remoteEntityID);
          }

          return nameInfo;
      }
      ....


      When SPNameQualifier is not set, affiliationID is not null but an empty string, so the affiliation branch is entered instead of the plain federation lookup.
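As an added illustration (not OpenAM code and not the project's actual fix), the snippet below parses a constructed ManageNameIDRequest, extracts SPNameQualifier the way the Java code receives it (empty string rather than null), and runs it through a model of the SP-role dispatch in getNameIDInfo; the `fixed` switch is a hypothetical null-or-empty check, and the entity IDs and affiliation metadata are assumed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP-initiated ManageNameIDRequest: the NameID carries a
# NameQualifier but no SPNameQualifier, as in the reproduction steps.
REQUEST_NO_SPNQ = """<samlp:ManageNameIDRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_mnid1" Version="2.0" IssueInstant="2019-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameQualifier="https://idp.example.test/idp">user-abc</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""

# Hypothetical affiliation metadata for the realm (affiliation ID -> member SPs).
AFFILIATIONS = {"https://affil.example.test": {"https://sp.example.test/sp"}}

def sp_name_qualifier(request_xml):
    """SPNameQualifier as the Java code sees it: the value, or "" when absent."""
    name_id = ET.fromstring(request_xml).find("saml:NameID", NS)
    return name_id.get("SPNameQualifier", "")

def get_name_id_info(affiliation_id, host_entity_id, remote_entity_id,
                     invalid_affi_id_allowed=False, fixed=False):
    """Model of the SP-role dispatch. fixed=False reproduces the report ("" is
    treated as an affiliation ID); fixed=True adds a null-or-empty check."""
    missing = affiliation_id is None or (fixed and affiliation_id == "")
    if not missing:
        affi_desc = AFFILIATIONS.get(affiliation_id)
        if affi_desc is None:
            if invalid_affi_id_allowed:
                return ("federation", host_entity_id, remote_entity_id)
            raise ValueError("affiliationNotFound")
        if host_entity_id not in affi_desc:
            raise ValueError("spNotAffiliationMember")
        return ("affiliation", affiliation_id, remote_entity_id)
    return ("federation", host_entity_id, remote_entity_id)

def handle_request(request_xml, fixed=False):
    """Run extraction plus dispatch; failures come back as ("error", bundle key)."""
    try:
        return get_name_id_info(sp_name_qualifier(request_xml),
                                "https://sp.example.test/sp",
                                "https://idp.example.test/idp", fixed=fixed)
    except ValueError as exc:
        return ("error", str(exc))
```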

      People

      • Assignee:
        lawrence.yarham Lawrence Yarham
      • Reporter:
        bthalmayr Bernhard Thalmayr