Project: OpenAM
Issue: OPENAM-16617

SuccessURL session property is set to gotoURL in authentication tree



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.5.1, 6.5.2, 6.5.3, 7.0.0, 7.0.1
    • Fix Version/s: 6.0.1, 6.5.4, 7.1.0
    • Component/s: authentication, trees
    • No
    • Yes
    • Yes
    • Yes and I used the same an in the description


      Bug description

      There is a deviation in behaviour between authentication chains and authentication trees. With a SAML2 SP-initiated redirect, the URL generated for AM normally carries a "goto=<SAMLURL_with_someid>" parameter. The issue is that with a tree this gotoURL is stored in the session property "successURL".

      With authentication modules (chains), the gotoURL never ends up in this property; successURL normally takes the value configured in the profile (for example /openam/console). With an authentication tree, however, the property ends up holding the gotoURL.

      This is very impactful for SAML2 requests: if the user later returns to the IdP with any goto and issues "AM_URL/am/UI/Login", AM redirects to the original, old SP SAML2 request, which has long since become invalid.

      How to reproduce the issue

      To keep it simple, without SAML, you can see this as follows:

      1. Configure the default authentication service to use a tree (say Example)
      2. Log in with ?goto=<someURL>
      3. Now access AM as "AMURL/UI/Login"
      4. Inspect the session token properties in the CTS: the successURL property holds the gotoURL value

      Expected behaviour
      The successURL should be disjoint from the gotoURL (or at least it should be possible for them to differ)

      Current behaviour
      The successURL property is set to the gotoURL. If one then accesses AM with any goto URL, it redirects to this "successURL"
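A quick check for the symptom in steps 2 to 4, as an added example that is not part of this report or of the OpenAM code base: it takes the login URL and the session's property map (which you would fetch from the CTS or from AM's session REST API; the property maps and URLs below are constructed for the demo) and flags sessions whose successURL equals the goto supplied at login, which is the tree behaviour described above, while a chain leaves successURL at the profile value.

```python
"""Detect the OPENAM-16617 symptom: an authenticated session whose
"successURL" property equals the goto URL that was used at login.

Added example, not code from the OpenAM project. It assumes you can obtain
the session's property map (for example from the CTS token or AM's session
REST API); the sample sessions and URLs below are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit


def goto_from_login_url(login_url: str) -> Optional[str]:
    """Return the (URL-decoded) goto parameter of an AM login URL, or None."""
    params = parse_qs(urlsplit(login_url).query)
    values = params.get("goto")
    return values[0] if values else None


def check_session(login_url: str, properties: Dict[str, str]) -> Tuple[bool, str]:
    """Compare the login goto with the session's successURL property.

    Returns (affected, reason). affected is True only when successURL is
    exactly the goto that was supplied at login, i.e. the tree behaviour in
    the report; a chain leaves successURL disjoint from the goto.
    """
    goto = goto_from_login_url(login_url)
    success_url = properties.get("successURL")
    if goto is None:
        return False, "login URL carried no goto parameter; nothing to compare"
    if success_url is None:
        return False, "session has no successURL property"
    if success_url == goto:
        return True, "successURL equals the login goto (tree behaviour)"
    return False, "successURL (%s) is disjoint from goto" % success_url


def affected_sessions(sessions: List[Tuple[str, str, Dict[str, str]]]) -> List[str]:
    """Run check_session over (session_id, login_url, properties) records and
    return the ids of the sessions that show the symptom."""
    hits = []
    for session_id, login_url, properties in sessions:
        affected, _ = check_session(login_url, properties)
        if affected:
            hits.append(session_id)
    return hits


# Constructed sample data: one login through a tree and one through a chain,
# both with the same SAML2-style goto. The property maps mimic the relevant
# part of what the CTS token holds after login.
SAML_GOTO = "https://sp.example.com/saml2/acs?ReqID=s2c0ffee"
LOGIN_URL = "https://am.example.com/openam/UI/Login?goto=" + quote(SAML_GOTO, safe="")
TREE_PROPERTIES = {"successURL": SAML_GOTO}          # symptom: goto copied in
CHAIN_PROPERTIES = {"successURL": "/openam/console"}  # profile value, as expected

SAMPLE_SESSIONS = [
    ("tree-session", LOGIN_URL, TREE_PROPERTIES),
    ("chain-session", LOGIN_URL, CHAIN_PROPERTIES),
]

if __name__ == "__main__":
    for session_id, login_url, props in SAMPLE_SESSIONS:
        print(session_id, check_session(login_url, props))
    print("affected:", affected_sessions(SAMPLE_SESSIONS))
```

The comparison is deliberately exact: a successURL that merely shares the host with the goto is not the symptom, only one that carries the full goto (including the SAML request identifier) is.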

      Work around

      There is no workaround other than avoiding trees: do not use a tree, and continue to use an authentication chain.

      Code analysis

      The tree node confuses SuccessURL and GotoURL and sets the SuccessURL property to the final URL the tree goes to.

      In the original authentication chain, the successURL is always the user profile's success URL unless it is explicitly changed; in any case the gotoURL remains disjoint from the property value.
      In fact, "successURL" is more accurately described as the URL to follow if the user is already authenticated.




            chee-weng.chea C-Weng C
            Votes: 1
            Watchers: 11