OPENAM-16286

Policy evaluation authn to service condition authn fails with session upgrade failure


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version: 6.5.2.3
    • Fix Version: None
    • Components: authentication, web agents

      Description

      When realm DNS aliases are not in use and a web agent is configured in a sub-realm, a policy that carries an authenticate-to-service condition fails at session upgrade if the authentication service named in the condition is defined in that same sub-realm.

      After authentication the user is shown a red error message indicating that the session upgrade failed because the existing session was from a different realm.

      Steps to reproduce:

      1. Deployed am, embedded config and user store.  Server url: http://openam.amtest2.com:8080/access.  Cookie domain of amtest2.com
      2. Setup apache, so that url http://web.amtest2.com:80/test1/index.html results in viewing an html page.
      3. Created a sub-realm, subscribers.
      4. In AM, subscribers realm, created profile: web-agent-01, Agent url: http://web.amtest2.com:80, Server URL: http://openam.amtest2.com:8080/access, Password: secret
      5. Then installed web agent /opt/webagents_5_6_2_1
      6. Created file /opt/web_agents/5_6_2_1/passwd.txt with value inside of secret.
      7. Changed permission on the file to be 400.
      8. agentadmin --i.  Configuration file: /etc/httpd/conf/httpd.conf, Change ownership: yes, Existing OpenSSOAgentBootstrap.properties file: <Hit return to ignore>, OpenAM Server url: http://openam.amtest2.com:8080/access, Agent URL: http://web.amtest2.com:80, Agent profile name: web-agent-01, Agent realm: /subscribers, Path to a file that contains password to be used: /opt/web_agents_5_6_2_1/passwd.txt
      9. In AM console, created a policy set TestApplication01.
      10. Then created a policy, TestPolicy01 allowing access to http://web.amtest2.com:80/test1/. for user demo for GET and POST requests.
      11. Edited web agent profile to have OpenAM Services, Application: TestApplication01
      12. Tested login via web browser to http://web.amtest2.com:80/test1/index.html.  Verified that after login, user was navigated to test application page.
      13. In sub-realm, created a new chain subscribersChain, containing DataStore module.
      14. Then added a policy condition, authenticate with service and specified subscribersChain.
      15. In the browser, refreshed the page (not sure whether a re-login is needed; otherwise clear the browser cookies).  A second authentication prompt is shown.  Logged in again as the same user.

      Expected behaviour:

      User is redirected to protected application after successfully completing second authentication.

      Current behaviour:

      After the second authentication, the user is shown a red error message indicating that the session upgrade failed because the existing session was from a different realm.  This is because the original session was created in the top-level realm rather than in /subscribers (see OPENAM-16285).

      Workarounds:

      1. Define the authentication service in the top-level realm.
      2. Use a DNS alias for the sub-realm, e.g. subscribers.amtest2.com, and use it as the AM URL when creating the web agent profile and when running agentadmin --i (or, after installation, change the agent.conf property com.sun.identity.agents.config.naming.url to point at the DNS alias).
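
The following is an added example, not code from OpenAM or the web agent, that checks an agent bootstrap file for the mismatch behind this report (an agent profile in a sub-realm whose naming URL host is not a DNS alias of that sub-realm, so the first login lands in the top-level realm) and applies workaround 2 by rewriting the naming URL host to the sub-realm's alias. It assumes agent.conf uses Java .properties syntax, that the agent's realm is stored under the key com.sun.identity.agents.config.organization.name (an assumption; only the naming URL key appears in the report), and that the realm DNS aliases are supplied as a plain hostname-to-realm map. The agent.conf excerpt and alias map are constructed from the reproduction steps above.

```python
"""Detect the realm mismatch from OPENAM-16286 in a web-agent agent.conf and
apply workaround 2 (point the naming URL at a DNS alias of the agent realm).

Added example, not OpenAM or web-agent code.  REALM_KEY is assumed; the
sample agent.conf and alias map below are constructed.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

NAMING_URL_KEY = "com.sun.identity.agents.config.naming.url"
# Assumed key for the agent's own realm in agent.conf (not taken from the report).
REALM_KEY = "com.sun.identity.agents.config.organization.name"
TOP_LEVEL_REALM = "/"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments,
    trailing-backslash continuation.  Splits each entry on the first '=' only."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def normalize_realm(realm: str) -> str:
    """'/subscribers/' and 'subscribers' both become '/subscribers'; '' becomes '/'."""
    realm = realm.strip()
    if not realm.startswith("/"):
        realm = "/" + realm
    return realm.rstrip("/") or TOP_LEVEL_REALM


def resolve_realm(url: str, dns_aliases: Dict[str, str]) -> str:
    """Realm AM selects for a request to this URL that names no realm: the realm
    owning the hostname as a DNS alias, otherwise the top-level realm."""
    host = (urlsplit(url).hostname or "").lower()
    return normalize_realm(dns_aliases.get(host, TOP_LEVEL_REALM))


def check_agent_conf(conf_text: str, dns_aliases: Dict[str, str]) -> Dict[str, object]:
    """Report whether the agent's initial login will be created in the agent's realm."""
    props = parse_properties(conf_text)
    naming_url = props[NAMING_URL_KEY]
    agent_realm = normalize_realm(props.get(REALM_KEY, TOP_LEVEL_REALM))
    login_realm = resolve_realm(naming_url, dns_aliases)
    return {
        "naming_url": naming_url,
        "agent_realm": agent_realm,
        "login_realm": login_realm,
        "ok": login_realm == agent_realm,
    }


def alias_for_realm(realm: str, dns_aliases: Dict[str, str]) -> Optional[str]:
    """First DNS alias registered for the given realm, or None."""
    for host, aliased_realm in dns_aliases.items():
        if normalize_realm(aliased_realm) == realm:
            return host
    return None


def apply_workaround_2(conf_text: str, dns_aliases: Dict[str, str]) -> Optional[str]:
    """Rewrite the naming URL host to a DNS alias of the agent realm, keeping
    scheme, port and path.  Returns None when the realm has no alias (then only
    workaround 1, moving the auth service to the top level, remains)."""
    report = check_agent_conf(conf_text, dns_aliases)
    if report["ok"]:
        return conf_text
    alias = alias_for_realm(str(report["agent_realm"]), dns_aliases)
    if alias is None:
        return None
    parts = urlsplit(str(report["naming_url"]))
    netloc = alias + (f":{parts.port}" if parts.port else "")
    new_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    out = []
    for line in conf_text.splitlines():
        if line.partition("=")[0].strip() == NAMING_URL_KEY:
            line = f"{NAMING_URL_KEY} = {new_url}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample data mirroring the reproduction steps in the report.
DNS_ALIASES = {"subscribers.amtest2.com": "/subscribers"}  # alias from workaround 2

BROKEN_CONF = """\
# constructed agent.conf excerpt: web agent installed into realm /subscribers
com.sun.identity.agents.config.naming.url = http://openam.amtest2.com:8080/access/
com.sun.identity.agents.config.organization.name = /subscribers
"""

if __name__ == "__main__":
    print("before:", check_agent_conf(BROKEN_CONF, DNS_ALIASES))
    fixed = apply_workaround_2(BROKEN_CONF, DNS_ALIASES)
    print(fixed)
    print("after:", check_agent_conf(fixed, DNS_ALIASES))
```

Run against the constructed input, the check reports login_realm "/" against agent_realm "/subscribers" and flags the bootstrap as broken; after the rewrite the naming URL host is subscribers.amtest2.com and the realms agree. The host check is the same comparison to make by hand on a real deployment: if the hostname in the agent's naming URL is not a DNS alias of the agent's realm, the session the agent obtains at first login belongs to the top-level realm, which is exactly the state the session upgrade in step 15 rejects.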

        People

        Assignee: Unassigned
        Reporter: Lawrence Yarham