OPENAM-16161

"same site patch" breaks SAML2 integrated mode on Apache Tomcat 7


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2.1, 6.5.2.2, 6.5.2.3
    • Fix Version/s: 5.5.3, 6.0.1, 6.5.3
    • Component/s: SAML
    • Environment:
      Oracle JDK 1.8.0_201
      Apache Tomcat/7.0.103
      AM 6.5.2.1
      AM "same site patch"
      Apache http server as HTTP reverse proxy
    • Sprint: AM Sustaining Sprint 74, AM Sustaining Sprint 76, AM Sustaining Sprint 77, AM Sustaining Sprint 78

    Description

      Bug description

      SAML2 integrated mode fails on Apache Tomcat 7 when the "same site patch" is applied.

      How to reproduce the issue

      1. Configure 3 name-based virtual hosts on Apache http server
      2. Configure SSL/TLS on Apache http server
      3. Use AJP to proxy to upstream Apache Tomcat 7
      4. Create 3 realms in AM (test-idp-saml, test-sp-saml, idbroker) and assign the FQDNs appropriately as DNS aliases
      5. In realm test-idp-saml create a hosted IdP
      6. In realm test-sp-saml create a hosted SP
      7. In realm idbroker create a hosted IdP and hosted SP
      8. Configure the hosted IdP of realm idbroker as remote IdP in realm test-sp-saml
      9. Configure the hosted SP of realm idbroker as remote SP in realm test-idp-saml
      10. Configure the hosted IdP of realm test-idp-saml as remote IdP in realm idbroker
      11. Configure the hosted SP of realm test-sp-saml as remote SP in realm idbroker
      12. Configure SAML2 integrated mode in realm test-sp-saml and realm idbroker
      13. Use NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' in the SAML2 authentication modules in realm test-sp-saml and idbroker
      14. Use "SAML chain" as default chain for realm-based authentication in realm test-sp-saml and idbroker
      15. Apply "same site patch" and configure "secure cookies"
      16. Trigger authentication in realm test-sp-saml via FQDN 1
      17. Authenticate in realm test-idp-saml via FQDN 3

      Expected behaviour

      Authentication in realm test-sp-saml via FQDN 1 should succeed.

      Current behaviour

      The profile page of the 'transient user' in FQDN 2 is shown.


      The same use case works when Apache Tomcat 9.0.8 is used as deployment container.
      The same use case works when the 'same site patch' is not applied.

      Workaround

      Enable 'cookie encoding'.

            People

              lawrence.yarham Lawrence Yarham
              bthalmayr Bernhard Thalmayr
              Votes: 1
              Watchers: 6
