
SAML2 IdP federation endpoint does not set amlbcookie when using host-based cookies


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2
    • Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3
    • Component/s: None
    • Sprint:
      AM Sustaining Sprint 72


      Bug description

      Environment is a cluster of AMs configured as IdPs. Cookies are host-based (the cookie domain setting is empty). When a SAML2 request reaches AM at the IdP login endpoint, such as .../am/SSORedirect/metaAlias/idp?..., AM does not set the amlbcookie. The amlbcookie is only set later on by the authentication service.

      Note that if AM uses domain-based cookies, the amlbcookie is set when accessing .../am/SSORedirect/metaAlias/idp?... as expected.

      As far as I can see in the code, it looks like it should not have a huge impact, as AM will use forward and not redirect in such a scenario, so there shouldn't normally be wrong routing. However, at the very least there is an inconsistency in behaviour that we should either rectify or document.

      I have attached a SAML trace with a domain cookie (where it works) and another with a host-based cookie (where it does not work).

      How to reproduce the issue

      1. Configure a SAML2 SP.
      2. Configure two SAML2 IdPs in a site, fronted by a load balancer (you need two IdPs: with a single IdP no load balancing is needed, so the amlbcookie would not be set anyway).
      3. Configure the IdPs to have host-based cookies. In the console: CONFIGURE > GLOBAL SERVICES > Platform > Cookie Domains > Remove all the values > Save Changes.
      4. Restart both IdPs.
      5. Start a SAML trace.
      6. Perform the SP-initiated SAML2 flow.
      7. Stop the trace.

      Expected behaviour

      The response to the first HTTP request to the IdP shows a Set-Cookie header for the amlbcookie, for example:

          GET http://lb.example.net:8080/am/SSORedirect/metaAlias/idp?SAMLRequest=nVRLj9owE....
          HTTP/1.1 302 Found
          Server: Apache-Coyote/1.1
          X-Frame-Options: SAMEORIGIN
          Set-Cookie: JSESSIONID=965CC720B12E4C753DA399430ED6A772; Path=/am; HttpOnly

      Current behaviour

      The amlbcookie is not set.
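      The reproduction steps above come down to one check on the first IdP response in the SAML trace: does it carry a Set-Cookie for amlbcookie, and if so, with which attributes. The following script, an added example and not part of this ticket or of the OpenAM code base, parses a raw HTTP response as captured in a trace and reports that. The two sample responses are constructed for the example: the host-based one mirrors the headers quoted in the ticket, and the domain-cookie one assumes an amlbcookie value of 01 and a Domain attribute of .example.net, which are not values taken from the attached traces.

```python
"""Check whether an AM IdP endpoint response sets the amlbcookie.

Added example for OPENAM-15722; the sample responses below are constructed,
not copied from the traces attached to the ticket.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LB_COOKIE = "amlbcookie"  # AM's load-balancer stickiness cookie

# Constructed sample: host-based cookies (cookie domain empty). Only the
# container session cookie is set, which is the behaviour the ticket reports.
HOST_COOKIE_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Server: Apache-Coyote/1.1",
    "X-Frame-Options: SAMEORIGIN",
    "Set-Cookie: JSESSIONID=965CC720B12E4C753DA399430ED6A772; Path=/am; HttpOnly",
    "Location: http://lb.example.net:8080/am/XUI/?realm=/#login",
    "", "",
])

# Constructed sample: domain-based cookies. The amlbcookie value "01" and the
# Domain attribute ".example.net" are assumptions made for this example.
DOMAIN_COOKIE_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Server: Apache-Coyote/1.1",
    "X-Frame-Options: SAMEORIGIN",
    "Set-Cookie: JSESSIONID=965CC720B12E4C753DA399430ED6A772; Path=/am; HttpOnly",
    "Set-Cookie: amlbcookie=01; Domain=.example.net; Path=/",
    "Location: http://lb.example.net:8080/am/XUI/?realm=/#login",
    "", "",
])


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into status line, headers and body.

    Headers are keyed by lower-cased name and keep every occurrence, because
    Set-Cookie legitimately appears once per cookie.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return SetCookie(name.strip(), value.strip(), attrs)


def lb_cookie_status(raw_response: str) -> dict:
    """Report whether the response sets amlbcookie and how it is scoped."""
    status, headers, _ = parse_response(raw_response)
    cookies = [parse_set_cookie(v) for v in headers.get("set-cookie", [])]
    lb = next((c for c in cookies if c.name == LB_COOKIE), None)
    return {
        "status": status,
        "cookies_set": [c.name for c in cookies],
        "amlbcookie_set": lb is not None,
        "amlbcookie_value": lb.value if lb else None,
        # A cookie without a Domain attribute is host-only (RFC 6265).
        "domain": lb.attrs.get("domain") if lb else None,
        "host_only": lb is not None and "domain" not in lb.attrs,
    }


if __name__ == "__main__":
    for label, raw in (("domain-based", DOMAIN_COOKIE_RESPONSE),
                       ("host-based", HOST_COOKIE_RESPONSE)):
        print(label, lb_cookie_status(raw))
```

      To apply it to a real trace, paste the first IdP response (headers only are enough) into `lb_cookie_status`; the `cookies_set` list makes the missing amlbcookie visible at a glance, and `domain`/`host_only` show whether the cookie that is eventually set is scoped the way the Cookie Domains setting intends.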




            • Assignee:
              lawrence.yarham Lawrence Yarham
              nathalie.hoet Nathalie Hoet