Type: Bug
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 6.0.0.7
Fix Version/s: None
Component/s: session
Labels:
Needs backport: No
Support Ticket IDs:
Needs QA verification: No
Functional tests: No
Are the reproduction steps defined?: Yes, and I used the same as in the description
Bug description
When uniqueSSOToken is enabled and a property value is checked on the session (for example, the agent is using profile attribute processing), an error occurs in the Policy service. The amPolicy debug log shows:

amPolicy:02/14/2020 11:13:24:920 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378] PolicyRequestHandler.processPolicyRequest(): respAttrs=[departmentNumber]
amPolicy:02/14/2020 11:13:24:921 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378] ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token
com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
    at com.iplanet.sso.providers.dpro.SessionSsoToken.getPropertyInternal(SessionSsoToken.java:274)
    at com.iplanet.sso.providers.dpro.SessionSsoToken.getProperty(SessionSsoToken.java:288)
    at com.sun.identity.policy.remote.PolicyRequestHandler.getResponseAttributeValues(PolicyRequestHandler.java:478)
    at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:400)
    at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:250)
    at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:204)
    at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:141)
    at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
    at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
How to reproduce the issue
- Set up an Agent with Cookie Hijacking enabled, which includes enableUniqueSSOTokenCookie
- Set up a Policy for the Agent-protected resource
- Add profile attribute processing to the Agent (such as uid and mail)
- Go to the Agent-protected resource
- It will send you to AM to authenticate, and back to the Agent
- Check the Policy logs for this error: ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
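As an added illustration (not part of the ticket and not AM code), the following Python script automates the last step: it parses amPolicy debug lines in the format quoted in the description, groups them by TransactionId, and reports every restricted-token SSOException together with the response attributes (respAttrs) the policy request was resolving when it fired. The sample log is constructed from the ticket's trace; the second, successful transaction (...-1402) is made up for contrast.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the amPolicy debug lines quoted in the ticket.
# Transaction ...-1378 is the failing case from the report; transaction ...-1402
# is a made-up successful evaluation included for contrast.
SAMPLE_LOG = """\
amPolicy:02/14/2020 11:13:24:920 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378] PolicyRequestHandler.processPolicyRequest(): respAttrs=[departmentNumber]
amPolicy:02/14/2020 11:13:24:921 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-9,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1378] ERROR: PolicyRequestHandler.getResponseAttributeValues: bad sso token com.iplanet.sso.SSOException: Illegal attempt to use a restricted token.
at com.iplanet.sso.providers.dpro.SessionSsoToken.getPropertyInternal(SessionSsoToken.java:274)
at com.iplanet.sso.providers.dpro.SessionSsoToken.getProperty(SessionSsoToken.java:288)
amPolicy:02/14/2020 11:13:25:100 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-3,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1402] PolicyRequestHandler.processPolicyRequest(): respAttrs=[uid, mail]
amPolicy:02/14/2020 11:13:25:101 AM CST: Thread[ajp-nio-1.0.0.0-8009-exec-3,5,main]: TransactionId[00000000-000001-4515-9437-cfdd87200ca8-1402] PolicyRequestHandler.processPolicyRequest(): policy decision returned
"""

# Header of an AM debug line: component, timestamp, thread, TransactionId, message.
HEADER_RE = re.compile(
    r"^(?P<component>\w+):"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]: "
    r"TransactionId\[(?P<txid>[^\]]+)\] "
    r"(?P<msg>.*)$"
)
RESP_ATTRS_RE = re.compile(r"respAttrs=\[(?P<attrs>[^\]]*)\]")
RESTRICTED_TOKEN_RE = re.compile(
    r"com\.iplanet\.sso\.SSOException: Illegal attempt to use a restricted token"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into its fields; stack-frame continuation lines
    ('at ...') carry no header and yield None."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def find_restricted_token_failures(log_text: str) -> List[Dict[str, object]]:
    """Correlate, per TransactionId, the response attributes a policy request
    asked for (respAttrs=[...]) with any restricted-token SSOException raised
    while resolving them. Returns one record per failing transaction."""
    attrs_by_tx: Dict[str, List[str]] = {}
    failures: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        attrs = RESP_ATTRS_RE.search(rec["msg"])
        if attrs:
            attrs_by_tx[rec["txid"]] = [
                a.strip() for a in attrs.group("attrs").split(",") if a.strip()
            ]
        if RESTRICTED_TOKEN_RE.search(rec["msg"]):
            failures.append({
                "txid": rec["txid"],
                "timestamp": rec["ts"],
                "thread": rec["thread"],
                "response_attributes": attrs_by_tx.get(rec["txid"], []),
            })
    return failures


if __name__ == "__main__":
    for f in find_restricted_token_failures(SAMPLE_LOG):
        print(f"{f['timestamp']} tx={f['txid']} restricted-token failure while "
              f"resolving response attributes {f['response_attributes']}")
```

Pointing the script at a real amPolicy debug file (read the file and pass its text to find_restricted_token_failures) gives a quick count of how many policy evaluations are hitting this condition and which attributes trigger it, which is the evidence to collect before deciding whether the workaround below applies.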
Expected behaviour
No error; it will allow restricted tokens.
Current behaviour
The Agent returns a 403 error.
Workaround
Upgrade the agents to 5.x to make use of REST calls to sessions, instead of the legacy PLL calls.
Issue links
- duplicates AMAGENTS-2116: Illegal attempt to use a restricted token when configured profile attribute fetching (Resolved)