Affects Version/s: 5.5.1, 6.0.0, 126.96.36.199, 6.5.0, 7.0.0
When performing a SAML SP initiated SLO in a multi-protocol SLO, IDP returns error 500. Web container logs indicate 'java.lang.IllegalStateException: Cannot forward after response has been committed' for idpSingleLogoutRedirect.jsp.
This is a duplicate of OPENAM-11225 in terms of symptoms, but failing at a different place within the jsp.
Set up 4 AM instances, 7.0.0 snapshot, running in tomcat, accessed over http:
- IdP: idp.amtest2.com:9080 (cookie domain of idp.amtest2.com), port ranges of 59xxx
- SAML SP 1: sp.amtest2.com (sp.amtest2.com), port ranges of 57xxx
- SAML SP 2: sp.amtest2.com (openam2.amtest2.com), port ranges of 54xxx
- WS-Fed SP: openam.amtest2.com (openam.amtest2.com), port ranges of 50xxx
SAML SSO configuration:
- In IdP, created a hosted IdP in top level realm, cot test_idp, signing key test and attribute mapping of mail -> mail.
- In SAML SP: created a hosted SP in top level realm, cot test_sp.
- In SAML SP, created a remote IdP, using metadata url of http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
- in SAML IdP, created a remote SP, using attribute mapping of mail -> mail, using metadata url of: http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp.
- in SAML SP, edited hosted SP and set auto federation enabled, and attribute to be mail. Set top level realm, Authentication settings -> User profile to be dynamic.
- in IdP, for top level realm user demo, edited this and set an email address of email@example.com.
- Verified that an SP initiated SAML SSO succeeded: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp . I was redirected to IdP, logged in as demo user and then saw 'Single sign-on succeeded' on SP.
- Repeated steps 2 to 7 for the second SP, openam2.amtest2.com.
- On WS-Fed SP, in Admin console, navigated to top level realm, Federation and Legacy view. Clicked New Entity, chose WS-Fed and then set /wsfedsp as the Entity Identifier and wsfedsp as the Service Provider -> Meta alias. Clicked create. Edited the resulting entity and set SP -> Attribute mapper to be *=.* Unchecked Assertion signed. Created COT test_sp and added the entity to this.
- On IdP, repeated above to create WS-Fed entity of /wsfedidp as the Entity Identifier and wsfedidp as the Identity Provider -> Meta Alias. Added this to the existing test_idp COT.
- Installed ssoadm AM-SSOAdminTools-188.8.131.52.zip and configured to communicate with WS-Fed SP instance.
- Repeated the above step to install ssoadm and configure to communicate with the IdP instance.
- Using ssoadm, exported the existing wsfedsp entity from the WS-Fed SP: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedsp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml.
- Edited the extended metadata file exported, to change 'hosted="true"' to 'hosted="false"'. Also changed the COT name from test_sp to test_idp.
- Using ssoadm for the IdP instance, repeated the above to export the WS-Fed IdP metadata: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedidp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml.
- From ssoadm instance for WS-Fed SP, imported metadata for remote WS-Fed IdP (ssoadm 184.108.40.206 or later is needed for this to succeed): access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_sp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml
- From ssoadm instance for IdP, import the remote WS-Fed entities: access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_idp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml
- Tested WS-Fed SP initiated SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access
Steps to reproduce:
- Perform a WS-Fed SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access
- In separate tab, same browser (so same session can be shared), perform SAML SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
- In a third tab, perform SAML SSO from second SP: http://openam2.amtest2.com:4080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
- Then in browser tab for first SAML SP above, perform SP initiated SLO: http://sp.amtest2.com:7080/access/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.amtest2.com%3A9080%2Faccess
Similar fix as for OPENAM-11225 looks to be required to only perform the sendRedirect calls if the response has not already been committed:
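The guard described above, as an added example (not OpenAM's own code and not the fix from OPENAM-11225): before the SLO handler issues a redirect or forwards to another JSP, it asks the container whether the response has already been committed. The class name RedirectGuard, the method names, and the MultiProtocolLogoutExample handler are assumptions made for illustration; the relying-party URLs in it are constructed sample values.

```java
import java.io.IOException;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; RedirectGuard and its method names are assumptions, not OpenAM API.
public final class RedirectGuard {
    private static final Logger LOG = Logger.getLogger(RedirectGuard.class.getName());

    private RedirectGuard() {}

    /**
     * Send a 302 to location only if nothing has been written to the client yet.
     * Once the status line and headers are on the wire, sendRedirect() and forward()
     * throw IllegalStateException, which is what surfaces as the 500 in the report.
     * Returns true if the redirect was issued, false if it had to be skipped.
     */
    public static boolean redirectIfNotCommitted(HttpServletResponse response, String location)
            throws IOException {
        if (response.isCommitted()) {
            LOG.warning("response already committed; not redirecting to " + location);
            return false;
        }
        response.sendRedirect(location);
        return true;
    }

    /** Same guard for RequestDispatcher.forward(), the call that fails in idpSingleLogoutRedirect.jsp. */
    public static boolean forwardIfNotCommitted(HttpServletRequest request, HttpServletResponse response,
            String path) throws ServletException, IOException {
        if (response.isCommitted()) {
            LOG.warning("response already committed; not forwarding to " + path);
            return false;
        }
        RequestDispatcher dispatcher = request.getRequestDispatcher(path);
        dispatcher.forward(request, response);
        return true;
    }
}

// Assumed multi-protocol logout handler showing how the guard is used. The SLO endpoint
// list is a constructed sample; in a real IdP it comes from the trusted SP metadata,
// never from a request parameter, so the redirect target is not attacker-controlled.
class MultiProtocolLogoutExample extends HttpServlet {
    private static final List<String> RELYING_PARTY_SLO_ENDPOINTS = List.of(
            "http://sp.amtest2.com:7080/access/SPSloRedirect/metaAlias/sp",
            "http://openam2.amtest2.com:4080/access/SPSloRedirect/metaAlias/sp",
            "http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Unguarded version (the failure mode in the report): the first sendRedirect()
        // commits the response, so a later forward() or sendRedirect() throws
        // IllegalStateException and the container answers with a 500.
        //
        //   for (String endpoint : RELYING_PARTY_SLO_ENDPOINTS) {
        //       response.sendRedirect(endpoint);      // second iteration throws
        //   }
        //   request.getRequestDispatcher("/saml2/jsp/idpSingleLogoutRedirect.jsp")
        //          .forward(request, response);        // throws if anything above ran

        // Guarded version: only one client-facing redirect can be issued per response,
        // so redirect to the first relying party and stop; the remaining endpoints
        // have to be driven by the next request in the SLO chain.
        for (String endpoint : RELYING_PARTY_SLO_ENDPOINTS) {
            if (RedirectGuard.redirectIfNotCommitted(response, endpoint)) {
                return;
            }
        }

        // Only reached if no redirect was possible; again checked before forwarding.
        if (!RedirectGuard.forwardIfNotCommitted(request, response, "/saml2/jsp/idpSingleLogoutRedirect.jsp")) {
            // Nothing more can be sent; the partial response already on the wire stands.
            log("logout response already committed; nothing further sent to client");
        }
    }
}
```

HttpServletResponse.isCommitted() is the only reliable signal here; tracking a local "redirected" flag misses commits caused by buffer overflow or an explicit flush elsewhere in the JSP. The guard avoids the 500, but the SLO logic still has to decide what to do with the relying parties it could not reach in this response.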