  1. OpenAM
  2. OPENAM-15724

SAML2 entities do not set amlbcookie if there is only one server

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 70, AM Sustaining Sprint 71
    • Story Points:
      3
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      If only a single server is configured (no site), the Federation service does not set the amlbcookie when it is first accessed. This may cause bad routing during the SAML flow and result in errors.

      Note that the amlbcookie is set when there is more than one server in a site, the reasoning being that in the absence of a site there is no need to set a load-balancer cookie. However, in an environment with autonomous servers, each server can have its own amlbcookie value, and those values can be used for routing.

      How to reproduce the issue

      1. Install two separate AM servers (each standalone, not in a site). Configure one as the SP and the other as the IdP.
      2. Clear cookies from browser
      3. Start a SAML2 trace
      4. Start SAML2 flow (SP initiated)
      5. Stop the SAML trace

      Expected behaviour

      The SAML trace shows that the SP amlbcookie is set by the SP, for the SP cookie domain, when the SP is first accessed, and that the IdP amlbcookie is set by the IdP, for the IdP cookie domain, when the IdP is first accessed.

      Current behaviour

      On accessing the SP for the first time, the amlbcookie is not set:

      GET http://sp.example.com:38080/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.net:28080/am HTTP/1.1
      Host: sp.example.com:38080
      <SKIP>
      
      HTTP/1.1 302 Found
      Server: Apache-Coyote/1.1
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: JSESSIONID=17987C93240DC7DB9CD99E2CA876590C; Path=/am; HttpOnly
      Location: http:<SKIP>

      On accessing the IdP for the first time, the amlbcookie is not set:

      GET http://idp.example.net:28080/am/SSORedirect/metaAlias/idp?SAMLRequest=nVRbb9owFH<SKIP> HTTP/1.1
      Host: idp.example.net:28080
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      
      HTTP/1.1 302 Found
      Server: Apache-Coyote/1.1
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: JSESSIONID=12E0C7991A0F8A71E0743DE25323027D; Path=/am; HttpOnly
      Location: /am/XUI/<SKIP>

      The amlbcookie is only set on the IdP when authentication starts:

      POST http://idp.example.net:28080/am/json/realms/root/authenticate?forward=true&spEntityID=http://sp.example.com:38080/am&goto=/am/SSORedirect/metaAlias/idp?ReqID%3Ds2bb0e6ccd409378aa71a45261f31ca11de7223cab%26index%3Dnull%26acsURL%3Dhttp://sp.example.com:38080/am/Consumer/metaAlias/sp%26spEntityID%3Dhttp://sp.example.com:38080/am%26binding%3Durn:oasis:names:tc:SAML:2.0:bindings:HTTP-<SKIP>
      Cookie: JSESSIONID=12E0C7991A0F8A71E0743DE25323027D
      
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: amlbcookie=01; Domain=idp.example.net; Path=/

      and the amlbcookie is only set on the SP at the consumer endpoint:

      POST http://sp.example.com:38080/am/Consumer/metaAlias/sp HTTP/1.1
      <SKIP>
      
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: amlbcookie=01; Domain=sp.example.com; Path=/
      iPlanetDirectoryPro=Vz_WWubPc

      The relevant SAML trace is attached.

      Workaround

      Create a dummy server in a site alongside the real server, so that there is more than one server in the site and the amlbcookie is set.
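      Added example (not code from this ticket or from OpenAM): a small Python checker for the reproduction steps above. It parses a plain-text request/response trace in the layout used in the description and reports, per host, whether the first response from that host already set amlbcookie (the expected behaviour) and at which endpoint the cookie was first set (the current behaviour). The embedded trace is constructed to mirror the capture above, with truncated values shortened to "..."; the hostnames and ports are the ones used in the ticket.

```python
"""Check a SAML request/response trace for amlbcookie on first contact.

Added example for OPENAM-15724; not code from the ticket or from OpenAM.
The trace format assumed here is the plain-text layout used in the ticket:
a request line, request headers, a blank line, then the status line and
response headers. Only Set-Cookie response headers are inspected.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01]\s+(\d{3})\b")
DOMAIN_RE = re.compile(r";\s*Domain=([^;\s]+)", re.IGNORECASE)


@dataclass
class Exchange:
    """One request and the response that followed it in the trace."""
    method: str
    url: str
    status: int = 0
    set_cookies: List[str] = field(default_factory=list)

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def amlbcookie_domain(self) -> Optional[str]:
        """Domain attribute of an amlbcookie Set-Cookie header in the response;
        "" if the cookie is set without a Domain attribute; None if not set."""
        for cookie in self.set_cookies:
            if cookie.lower().startswith("amlbcookie="):
                m = DOMAIN_RE.search(cookie)
                return m.group(1) if m else ""
        return None


def parse_trace(trace: str) -> List[Exchange]:
    """Split a plain-text trace into Exchange objects, request order preserved."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    in_response = False
    for raw in trace.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = Exchange(m.group(1), m.group(2))
            exchanges.append(current)
            in_response = False
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            current.status = int(m.group(1))
            in_response = True
            continue
        if in_response and current is not None and line.lower().startswith("set-cookie:"):
            current.set_cookies.append(line.split(":", 1)[1].strip())
    return exchanges


def first_contact_check(exchanges: List[Exchange]) -> Dict[str, Optional[str]]:
    """Per host, the amlbcookie Domain set by that host's first response.

    The expected behaviour is that both the SP and the IdP set amlbcookie for
    their own cookie domain on first contact; a None value is the reported bug."""
    seen: Dict[str, Optional[str]] = {}
    for ex in exchanges:
        if ex.host not in seen:
            seen[ex.host] = ex.amlbcookie_domain()
    return seen


def first_set_at(exchanges: List[Exchange], host: str) -> Optional[str]:
    """Path of the first response from `host` that sets amlbcookie, or None."""
    for ex in exchanges:
        if ex.host == host and ex.amlbcookie_domain() is not None:
            return ex.path
    return None


# Constructed sample trace mirroring the ticket's capture; "..." replaces
# values that were truncated in the ticket and do not matter for the check.
SAMPLE_TRACE = """\
GET http://sp.example.com:38080/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://idp.example.net:28080/am HTTP/1.1
Host: sp.example.com:38080

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=17987C93240DC7DB9CD99E2CA876590C; Path=/am; HttpOnly
Location: http://idp.example.net:28080/am/SSORedirect/metaAlias/idp?SAMLRequest=...

GET http://idp.example.net:28080/am/SSORedirect/metaAlias/idp?SAMLRequest=... HTTP/1.1
Host: idp.example.net:28080

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=12E0C7991A0F8A71E0743DE25323027D; Path=/am; HttpOnly
Location: /am/XUI/...

POST http://idp.example.net:28080/am/json/realms/root/authenticate?forward=true HTTP/1.1
Cookie: JSESSIONID=12E0C7991A0F8A71E0743DE25323027D

HTTP/1.1 200 OK
Set-Cookie: amlbcookie=01; Domain=idp.example.net; Path=/

POST http://sp.example.com:38080/am/Consumer/metaAlias/sp HTTP/1.1
Host: sp.example.com:38080

HTTP/1.1 200 OK
Set-Cookie: amlbcookie=01; Domain=sp.example.com; Path=/
"""

if __name__ == "__main__":
    exs = parse_trace(SAMPLE_TRACE)
    for host, domain in first_contact_check(exs).items():
        msg = "not set on first contact" if domain is None else f"set (Domain={domain or '<none>'})"
        print(f"{host}: amlbcookie {msg}; first set at {first_set_at(exs, host)}")
```

      Run it against a real capture by replacing SAMPLE_TRACE with the exported trace text; a None for either host in first_contact_check is the behaviour this ticket reports, and first_set_at shows where in the flow the cookie finally appears.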

              People

              • Assignee: Lawrence Yarham (lawrence.yarham)
              • Reporter: Nathalie Hoet (nathalie.hoet)
              • Votes: 0
              • Watchers: 5