OpenAM / OPENAM-15896

WS-Federation relying party initiated passive request - stuck at Account Realm selection

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1, 6.5.1, 6.5.0.2, 6.5.2, 14.1.1.1, 14.1.1.2, 14.1.1.3, 14.1.1.4, 14.1.1.5, 14.1.2.2, 6.0.0.7, 14.1.2.3, 14.1.2.4, 6.5.2.1, 6.5.2.2, 14.1.2.11, 14.1.2.5
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: WS Federation
    • Sprint:
      AM Sustaining Sprint 72
    • Story Points:
      3
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      If WS-Federation entities are configured in a sub-realm, the relying party passive request is stuck on the Account Realm Selection page.

      How to reproduce the issue

      1. Configure AM 1 as WS-Federation issuing party in sub-realm X
      2. Configure AM 2 as WS-Federation relying party in sub-realm A
      3. Build trust between AM 1 and AM 2
      4. Perform a relying party passive request (e.g. http://am2.test.xyz:8080/am/WSFederationServlet/metaAlias/A/wsfed-sp?wa=wsignin1.0&whr=wsfed-idp&wreply=http%3A%2F%2Flocalhost%3A8080)
      Expected behaviour
      Authentication page of AM 1, acting as issuing party, should be shown.

      Current behaviour
      Account Realm Selection page of AM 2, acting as relying party, is shown.


      Code analysis

      (master branch)

      com.sun.identity.wsfederation.servlet.RPSigninRequest.java
      ...
      
          public void process() throws WSFederationException, IOException
          {
      ...
              String idpEntityId = null;
              if (idpIssuerName != null && idpIssuerName.length() > 0)
              {
                  // Got the issuer name from the cookie/UA string - let's see if 
                  // we know the entity ID
                  idpEntityId = 
                      metaManager.getEntityByTokenIssuerName(null, 
                      idpIssuerName);
              }

      needs to be changed to

              String idpEntityId = null;
              if (idpIssuerName != null && idpIssuerName.length() > 0)
              {
                  // Got the issuer name from the cookie/UA string - let's see if 
                  // we know the entity ID
                  idpEntityId = 
                      metaManager.getEntityByTokenIssuerName(sprealm, 
                      idpIssuerName);
              }
      

      and

      com.sun.identity.wsfederation.servlet.RPSigninRequest.java
      ...
      
          public void process() throws WSFederationException, IOException
          {
      ...
              FederationElement idp = null;
              if ( idpEntityId != null )
              {
                  idp = metaManager.getEntityDescriptor(null,
                      idpEntityId);
              }
      

      needs to be changed to

              FederationElement idp = null;
              if ( idpEntityId != null )
              {
                  idp = metaManager.getEntityDescriptor(sprealm,
                      idpEntityId);
              }
      
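      The two call sites above pass null as the realm, so the issuer-name and entity-descriptor lookups are not scoped to the realm of the relying party's metaAlias. The following is an added example, not OpenAM code: a self-contained model of that decision in process(), with a hypothetical MetaStore standing in for the metadata manager and a constructed IdP entry registered only in sub-realm /A. It assumes that a null realm resolves to the root realm, which is why the same lookups succeed when the entities live in the root realm and fail only in a sub-realm. All names in it (MetaStore, resolveIdp, the entity ID string) are invented for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not OpenAM code: models the two metadata lookups in
// RPSigninRequest.process() so the effect of a null realm can be seen.
public class RealmLookupDemo {

    /** Hypothetical stand-in for the WS-Federation metadata manager; entities are keyed by realm. */
    static final class MetaStore {
        private final Map<String, String> issuerToEntity = new HashMap<>();
        private final Map<String, String> entityToDescriptor = new HashMap<>();

        /** Register an issuing party's metadata in exactly one realm. */
        void register(String realm, String issuerName, String entityId, String descriptor) {
            issuerToEntity.put(realm + "|" + issuerName, entityId);
            entityToDescriptor.put(realm + "|" + entityId, descriptor);
        }

        // Assumption: a null realm is resolved as the root realm "/".
        private static String norm(String realm) {
            return realm == null ? "/" : realm;
        }

        String getEntityByTokenIssuerName(String realm, String issuerName) {
            return issuerToEntity.get(norm(realm) + "|" + issuerName);
        }

        String getEntityDescriptor(String realm, String entityId) {
            return entityToDescriptor.get(norm(realm) + "|" + entityId);
        }
    }

    /**
     * Mirrors the control flow of the snippet above: returns the issuing party's
     * descriptor to redirect to, or null when the relying party cannot resolve the
     * whr value and falls back to the Account Realm Selection page.
     */
    static String resolveIdp(MetaStore meta, String lookupRealm, String idpIssuerName) {
        String idpEntityId = null;
        if (idpIssuerName != null && idpIssuerName.length() > 0) {
            idpEntityId = meta.getEntityByTokenIssuerName(lookupRealm, idpIssuerName);
        }
        String idp = null;
        if (idpEntityId != null) {
            idp = meta.getEntityDescriptor(lookupRealm, idpEntityId);
        }
        return idp;
    }

    public static void main(String[] args) {
        MetaStore meta = new MetaStore();
        String sprealm = "/A";   // realm of the RP, from metaAlias /A/wsfed-sp

        // Constructed metadata: the trusted IdP exists only in the RP's sub-realm.
        meta.register(sprealm, "wsfed-idp", "hypothetical-am1-entity-id",
                "<FederationElement for AM 1>");

        String before = resolveIdp(meta, null, "wsfed-idp");     // current code: realm null
        String after = resolveIdp(meta, sprealm, "wsfed-idp");   // proposed fix: realm sprealm

        System.out.println("realm=null -> "
                + (before == null ? "Account Realm Selection page" : before));
        System.out.println("realm=" + sprealm + " -> "
                + (after == null ? "Account Realm Selection page" : after));
    }
}
```

      With the null realm the first lookup misses, idpEntityId stays null, idp stays null and the relying party shows its own Account Realm Selection page; with sprealm both lookups hit and the request can be redirected to AM 1. Registering the same entry under "/" instead of "/A" makes both variants succeed, which matches the observation that the problem only shows up when the WS-Federation entities are configured in a sub-realm.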

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              bthalmayr Bernhard Thalmayr