
When NameIDPolicy does not contain `Format=..`, remoteEntityID is passed as null

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: SAML
    • Labels:
    • Sprint:
      AM Sustaining Sprint 68
    • Story Points:
      3
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
Yes and I used the same as in the description; Yes but I used my own steps (if so, please add them in a new comment)

      Description

      You can reproduce just by producing any SAML AuthN request with:
      <samlp:NameIDPolicy AllowCreate="true"/>

      Implementing something like the below (where they address the NameID issue) works as a workaround:
      https://david-codes.hatanian.com/2014/08/05/openam-and-saml2-federation-returning.html

      Wherein:

       if (nameIDValue == null) {
           nameIDValue = SAML2Utils.createNameIdentifier();
       }

      It is a common scenario where many different SPs require the same NameID format but expect different values in return (based on what was being sent before ForgeRock AM was implemented, or on what they get from their feed files, etc.). Feel free to shut this down if not feasible.
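      As an added illustration (not OpenAM's code and not the code from the linked blog post), the Python below shows the two defensive steps the issue and its workaround imply: resolve the requested NameID format with the SAML 2.0 Core default when the `Format` attribute is absent, and never hand a null NameID value onwards, minting an opaque identifier instead where the policy allows it. The AuthnRequest strings, the format-to-attribute mapping and the user attributes are all constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample requests (only the elements this example needs).
# The first has the NameIDPolicy shape from the issue: no Format attribute.
AUTHN_REQUEST_NO_FORMAT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""

AUTHN_REQUEST_EMAIL = AUTHN_REQUEST_NO_FORMAT.replace(
    '<samlp:NameIDPolicy AllowCreate="true"/>',
    '<samlp:NameIDPolicy AllowCreate="true" Format="%s"/>' % NAMEID_EMAIL)

AUTHN_REQUEST_PERSISTENT_NO_CREATE = AUTHN_REQUEST_NO_FORMAT.replace(
    '<samlp:NameIDPolicy AllowCreate="true"/>',
    '<samlp:NameIDPolicy Format="%s"/>' % NAMEID_PERSISTENT)

# Constructed IdP-side mapping from NameID format to the user attribute that
# carries the value. A format missing here has no stored value for the user.
FORMAT_TO_ATTRIBUTE = {
    NAMEID_EMAIL: "mail",
    NAMEID_PERSISTENT: "saml_persistent_id",
}


def requested_nameid_policy(authn_request_xml):
    """Return (format, allow_create) from the request's NameIDPolicy.

    Applies the SAML 2.0 Core defaults: an omitted Format is treated as
    nameid-format:unspecified and an omitted AllowCreate as false, so the
    caller never has to deal with a None format.
    """
    # Input here is constructed and trusted; a real AuthnRequest should be
    # parsed with defusedxml or a parser with external entities disabled.
    root = ET.fromstring(authn_request_xml)
    policy = root.find("{%s}NameIDPolicy" % SAMLP_NS)
    if policy is None:
        return NAMEID_UNSPECIFIED, False
    fmt = policy.get("Format") or NAMEID_UNSPECIFIED
    allow_create = policy.get("AllowCreate", "false").lower() in ("true", "1")
    return fmt, allow_create


def build_nameid(authn_request_xml, user_attributes):
    """Choose the NameID (format, value, minted) to return for this request.

    user_attributes: constructed dict of attribute name -> value for the
    authenticated user. The value is never None: when no stored value exists
    an opaque random identifier is minted (the effect of the workaround quoted
    in the issue), except that a persistent identifier is only minted when the
    SP set AllowCreate="true"; otherwise the request is refused.
    """
    fmt, allow_create = requested_nameid_policy(authn_request_xml)
    attribute = FORMAT_TO_ATTRIBUTE.get(fmt)
    value = user_attributes.get(attribute) if attribute else None
    if value is not None:
        return fmt, value, False
    if fmt == NAMEID_PERSISTENT and not allow_create:
        raise ValueError("no stored persistent NameID and AllowCreate is false")
    return fmt, secrets.token_urlsafe(32), True
```

      With the issue's request (no `Format`, `AllowCreate="true"`) the policy resolves to `unspecified` and a fresh opaque value is minted rather than a null; with an explicit email format the stored `mail` attribute is returned unchanged; a persistent-format request without `AllowCreate` is refused rather than silently given a new identifier.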

            People

            • Assignee: lawrence.yarham Lawrence Yarham
            • Reporter: jeremy.cocks Jeremy Cocks
            • Votes: 0
            • Watchers: 9
