  1. OpenAM
  2. OPENAM-15562

SAML2 crosstalk fails when Accept-Language header is missing from the original request


      Bug description

      When SAML performs a crosstalk for an SSO or an SLO request, it attempts to replay the Accept-Language header; however, the code does not seem to handle the case when the header is missing from the request. This results in a failed crosstalk request, and can potentially result in the infamous "IDP session is NULL" error message.

      How to reproduce the issue

      • Set up 2 hosted IdPs in a site, and 2 separate SPs.
      • Perform SP initiated SSO with the first SP.
      • Perform SP initiated SSO with the second SP, but make sure that the request will hit a different IdP instance than the previous step did. (Use amlbcookie based LB routing, and change the amlbcookie value in the browser for the LB's domain.)

      Expected behaviour

      Authentication should succeed, because AM performs a crosstalk request to the first request.

      Current behaviour

      SAML SSO fails with the "IDP session is NULL" error message.

      Workaround

      Enable SAML2 failover.




            • Assignee:
              peter.major Peter Major [X] (Inactive)