  2. OPENAM-15459

When only Encrypted Attributes is set on the SP and AutoFederation is enabled, attribute decryption fails



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 13.5.2, 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2
    • Fix Version/s: 13.5.3, 6.0.1, 5.5.2, 7.0.0, 6.5.3
    • Component/s: SAML
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description


      Bug description

      When SAML2 federation on the SP is configured so that only the attributes are encrypted (and nothing else, in particular not the NameID), auto federation fails. The following is seen in the SP debug log:

      ERROR: FMEncProvider.decrypt: The set of private keys for decryption was empty.
      libSAML2:09/20/2019 02:10:19:231 PM SGT: Thread[http-nio-9080-exec-10,5,main]: TransactionId[19a17ec9-c2c4-4e5c-93b1-c9892f663811-9474]
      ERROR: Decryption error:
      com.sun.identity.saml2.common.SAML2Exception: The private key set was empty.
              at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:366)
              at com.sun.identity.saml2.assertion.impl.EncryptedAttributeImpl.decrypt(EncryptedAttributeImpl.java:122)
              at com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper.getAttribute(DefaultLibrarySPAccountMapper.java:317)
              at com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper.getAutoFedUser(DefaultLibrarySPAccountMapper.java:205)
              at com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper.getIdentity(DefaultLibrarySPAccountMapper.java:122)
              at com.sun.identity.saml2.profile.SPACSUtils.getPrincipalWithoutLogin(SPACSUtils.java:2090)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.handleReturnFromRedirect(SAML2.java:336)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.process(SAML2.java:178)



      How to reproduce the issue


      1. For simplicity, create an IDP and an SP with all signing and encryption set to "test".
      2. On the Hosted SP metadata, set only "Encrypted Attributes" (make sure NameID encryption is not set).
      3. Set up AutoFederation on, say, "uid".
      4. On the Hosted IDP, set the NameID format "unspecified" to use "uid".
      5. On the SP, create a SAML2 Authn Module for this IDP with NameID format "unspecified".

      Expected behaviour

      Autofederation should work as per the spec, i.e. with <EncryptedAttribute>.

      Current behaviour

      AutoFederation fails and the SP prompts for username/password.

      Workaround

      Either enable NameID encryption as well, so that the SP code fetches the decryption keys, or
      customise/correct the DefaultLibrarySPAccountMapper code.

      Code analysis

              Set<PrivateKey> decryptionKeys = null;
              if (encryptedID != null) {
                  decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
                  nameID = encryptedID.decrypt(decryptionKeys);
              } else {
                  // NameID sent in the clear: decryptionKeys is never populated on this path.
                  nameID = assertion.getSubject().getNameID();
              }
              // Check if this is an auto federation case.
              userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(), decryptionKeys); // <--- decryptionKeys is NULL

      Suggested fix: decryptionKeys must be fetched before it is passed on. To avoid the lookup cost
      when it is not needed, getAutoFedUser could fetch the decryption keys itself when the set it
      receives is null and the assertion contains encrypted attributes. The contract would then be:
      if null is passed, the callee decides how to obtain its private keys.
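One way to implement that "null means: go and find the keys" contract, as an added example and not OpenAM's own fix: a helper in the SP account mapper that fetches the keys only when the caller passed none and the assertion actually carries <EncryptedAttribute> elements. It assumes the getAttributeStatements() / getEncryptedAttribute() accessors of the saml2 assertion API return typed lists, reuses getSSOConfig and KeyUtil.getDecryptionKeys from the snippet above, and the helper name ensureDecryptionKeys is hypothetical.

```java
import java.security.PrivateKey;
import java.util.List;
import java.util.Set;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.assertion.EncryptedAttribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.key.KeyUtil;

// Hypothetical helper for DefaultLibrarySPAccountMapper (added example, not the
// project's actual fix). With it, the auto-federation path no longer reaches
// FMEncProvider.decrypt with an empty key set when only attributes are encrypted.
private Set<PrivateKey> ensureDecryptionKeys(String realm, String hostEntityID,
        Assertion assertion, Set<PrivateKey> decryptionKeys) throws SAML2Exception {
    if (decryptionKeys != null && !decryptionKeys.isEmpty()) {
        return decryptionKeys;              // caller already decrypted the NameID
    }
    // Only pay for the key lookup when there is something to decrypt.
    boolean hasEncryptedAttributes = false;
    List<AttributeStatement> statements = assertion.getAttributeStatements();
    if (statements != null) {
        for (AttributeStatement statement : statements) {
            List<EncryptedAttribute> encrypted = statement.getEncryptedAttribute();
            if (encrypted != null && !encrypted.isEmpty()) {
                hasEncryptedAttributes = true;
                break;
            }
        }
    }
    if (!hasEncryptedAttributes) {
        return decryptionKeys;              // plain attributes only; null is harmless
    }
    Set<PrivateKey> keys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
    if (keys == null || keys.isEmpty()) {
        // Fail with an actionable message instead of "The private key set was empty".
        throw new SAML2Exception("Assertion carries EncryptedAttribute but SP "
                + hostEntityID + " has no decryption keys configured in realm " + realm);
    }
    return keys;
}

// Corrected call site in getIdentity(): the mapper decides how to obtain the keys.
// userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(),
//         ensureDecryptionKeys(realm, hostEntityID, assertion, decryptionKeys));
```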




            chee-weng.chea C-Weng C