OpenAM
OPENAM-16009

Windows Desktop SSO node full adoption and compliance with tree node specifications


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.5.0, 6.5.1, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: authentication, trees
    • Labels:
    • Environment:
      Node for AM where end users can log in to AM without a password using Kerberos tickets and the SPNEGO protocol with Windows Servers.
    • Target Version/s:
    • Rank:
      1|i0068f:
    • Sprint:
      AM Sustaining Sprint 73
    • Story Points:
      5
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      The Windows Desktop SSO node is set up exactly like a Windows Desktop SSO module. So I set up both means of authentication in a test environment.

      With the following setup:
      Service Principal
      Key Tab File Path
      Kerberos realm
      Kerberos Server Name
      Trusted Kerberos realms
      Return principal with domain name
      Lookup user in realm
      is initiator

      The following setup is done for the realm:
      Realms > [realm] > Authentication > Settings > Trees > Enable whitelisting

      If I use the chain (with the Windows Desktop SSO module), the authentication works.
      If I use the tree (with the Windows Desktop SSO node), the authentication receives a 401.

      The error points at the whitelisting validation:
      AuthTrees.validateWhitelistToken(AuthTrees.java:327)

      This is the code:

      try {
          // The whitelist claim is carried in the authId JWT; with no authId there is no state.
          String state = null;
          if (authId != null) {
              state = authIdHelper.getWhitelistClaim(authId);
          }
          // A null or unknown state is not whitelisted, so the tree fails the request.
          if (!sessionServiceProvider.get().isWhitelisted(authSession, state)) {
              throw FailureProcessTreeResult.authFailureException(null, null);
          }
      } catch (RestAuthException | SessionException e) {
          throw FailureProcessTreeResult.authFailureException(null, e);
      }

      Therefore the failure is due to a check of a key-value pair which is communicated with the JWT in the authId.

      Therefore the issue is that the node does not support the authentication phase, and so does not receive an authId JWT, and so cannot receive and process a whitelist status to return.
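As an added example (not OpenAM's own code and not part of this issue), the following Python model reproduces the control flow of the quoted check: the chain-style flow, where the client holds an authId JWT whose whitelist claim matches the state the session service issued; the node-style flow reported here, where no authId is ever issued and the check runs with a null state; and a replayed authId from a different session. The HMAC signing key, the `issue_state`/`whitelist_state` pair and the `AuthFailure` exception are assumptions made for the model; OpenAM's real implementation is `AuthTrees.validateWhitelistToken` and its session service.

```python
# Constructed model of the tree whitelist check; not OpenAM code.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical HMAC key used to sign the authId JWT in this model.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_auth_id(claims: dict) -> str:
    """Build an HS256 JWT carrying the given claims (the authId)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def get_whitelist_claim(auth_id: str) -> Optional[str]:
    """Verify the authId signature and return its whitelist claim, if present."""
    header, payload, sig = auth_id.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("authId signature does not verify")
    return json.loads(_b64url_decode(payload)).get("whitelist")


class AuthSession:
    """Server-side state for one in-progress authentication (assumed shape)."""

    def __init__(self) -> None:
        self.whitelist_state: Optional[str] = None


class SessionService:
    """Issues a per-session whitelist state and checks presented state against it."""

    def issue_state(self, session: AuthSession) -> str:
        session.whitelist_state = secrets.token_urlsafe(16)
        return session.whitelist_state

    def is_whitelisted(self, session: AuthSession, state: Optional[str]) -> bool:
        # A null state (no authId) or a state from another session is rejected.
        if state is None or session.whitelist_state is None:
            return False
        return hmac.compare_digest(session.whitelist_state, state)


class AuthFailure(Exception):
    """Stands in for the 401 the tree returns when validation fails."""


def validate_whitelist_token(auth_id: Optional[str], session: AuthSession,
                             service: SessionService) -> None:
    """Same control flow as the snippet quoted in the issue."""
    state = None
    if auth_id is not None:
        state = get_whitelist_claim(auth_id)
    if not service.is_whitelisted(session, state):
        raise AuthFailure("401: authId not whitelisted")


def _passes(auth_id: Optional[str], session: AuthSession, service: SessionService) -> bool:
    try:
        validate_whitelist_token(auth_id, session, service)
        return True
    except AuthFailure:
        return False


def chain_like_flow(service: SessionService) -> bool:
    """Chain/module: the client presents an authId whose claim matches the session."""
    session = AuthSession()
    auth_id = make_auth_id({"whitelist": service.issue_state(session)})
    return _passes(auth_id, session, service)


def node_like_flow(service: SessionService) -> bool:
    """Node as reported: no authId is issued, so the check runs with a null state."""
    session = AuthSession()
    service.issue_state(session)
    return _passes(None, session, service)


def replayed_flow(service: SessionService) -> bool:
    """A correctly signed authId from another session is still rejected."""
    victim, other = AuthSession(), AuthSession()
    service.issue_state(victim)
    auth_id = make_auth_id({"whitelist": service.issue_state(other)})
    return _passes(auth_id, victim, service)


if __name__ == "__main__":
    svc = SessionService()
    print("chain:", chain_like_flow(svc), "node:", node_like_flow(svc), "replay:", replayed_flow(svc))
```

Running it shows the chain-style flow passing and the node-style flow failing on exactly the null-state path the quoted code takes when `authId` is null; the replay case shows why the state is bound to the session rather than just checked for presence.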

              People

              Assignee:
              chee-weng.chea C-Weng C
              Reporter:
              gery.ducatel Gery Ducatel
              Votes:
              0
              Watchers:
              11


                  Time Tracking

                  Estimated:
                  Original Estimate - 40h
                  Remaining:
                  Remaining Estimate - 40h
                  Logged:
                  Time Spent - Not Specified