Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-15860

IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 6.5.2,, 7.0.0
    • None
    • SAML


      Bug description

      When performing an IdP initiated SAML SSO flow, the first request to the SP (Consumer endpoint) results in the setting of two identical amlbcookie cookies in the response.

      Prior to changes for OPENAM-15724 this was only reproducible in a site, where there were at least 2 servers in the SP's site.

      How to reproduce the issue

      1. Setup two servers, e.g. idp.amtest2.com:9080/access and sp.amtest2.com:7080/access, using embedded config and user store, and cookie domains of idp.amtest2.com, and sp.amtest2.com
      1. On IdP, Configured Hosted IdP on idp, attr of mail -> mail.
      1. On SP, created hosted SP.
      1. Using metadata url of http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp created remote SP on IdP, set mail -> mail.
      1. Using metadata url of http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp on SP created remote IdP.
      1. On Idp, added email address of demo@amtest2.com for demo user.
      1. Opened browser and developer tools so that network requests are visible.  Cleared browser cookies.
      2. Performed IdP init SSO: http://idp.amtest2.com:9080/access/idpssoinit?metaAlias=/idp&spEntityID=http://sp.amtest2.com:7080/access
      3. After authenticating, (if first time for this user then at both IdP and then SP) see successfully signed in text in browser.
      Expected behaviour
      Request to http://sp.amtest2.com:7080/access/Consumer/metaAlias/sp?SAMLart=... should result in only a single set-cookie: amblcookie... header.
      Current behaviour
      Request to above results in two amlbcookie headers being set.  This has no functional impact however.

      Work around


      Code analysis

      With the changes included for OPENAM-15724, spAssertionConsumer.jsp adds the cookie to the response if this is not already present in the request.  Without the changes for OPENAM-15724, the cookie is only set if the server is in a site and there is at least one other server included in the site.

      SPACSUtils.processResponse subsequently calls applyCookies, which also adds the load balancer cookie (irrespective of whether included in the request or already present in the response).




            Unassigned Unassigned
            lawrence.yarham Lawrence Yarham
            0 Vote for this issue
            2 Start watching this issue